dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Replaced the tabs with spaces so we do not mess up the formatting, used the expand command from linux

Browse Source
This commit is contained in:
nbaars
2014-09-15 16:40:51 +02:00
parent 9bb1cb8d9c
commit 3ae898784f
118 changed files with 21208 additions and 21214 deletions
Download Patch File Download Diff File Expand all files Collapse all files

514
src/main/java/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java
View File

@ -53,310 +53,310 @@ import org.owasp.webgoat.util.WebGoatI18N;
*/
public class WeakAuthenticationCookie extends LessonAdapter
{
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
.addElement(
new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
.setVspace(0));
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
.addElement(
new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
.setVspace(0));
/**
* Description of the Field
*/
protected final static String AUTHCOOKIE = "AuthCookie";
/**
* Description of the Field
*/
protected final static String AUTHCOOKIE = "AuthCookie";
/**
* Description of the Field
*/
protected final static String LOGOUT = "WACLogout";
/**
* Description of the Field
*/
protected final static String LOGOUT = "WACLogout";
/**
* Description of the Field
*/
protected final static String PASSWORD = "Password";
/**
* Description of the Field
*/
protected final static String PASSWORD = "Password";
/**
* Description of the Field
*/
protected final static String USERNAME = "Username";
/**
* Description of the Field
*/
protected final static String USERNAME = "Username";
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
* @exception Exception
* Description of the Exception
*/
protected String checkCookie(WebSession s) throws Exception
{
String cookie = getCookie(s);
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
* @exception Exception
* Description of the Exception
*/
protected String checkCookie(WebSession s) throws Exception
{
String cookie = getCookie(s);
if (cookie != null)
{
if (cookie.equals(encode("webgoat12345"))) { return ("webgoat"); }
if (cookie != null)
{
if (cookie.equals(encode("webgoat12345"))) { return ("webgoat"); }
if (cookie.equals(encode("aspect12345"))) { return ("aspect"); }
if (cookie.equals(encode("aspect12345"))) { return ("aspect"); }
if (cookie.equals(encode("alice12345")))
{
makeSuccess(s);
return ("alice");
}
else
{
s.setMessage(WebGoatI18N.get("InvalidCookie"));
s.eatCookies();
}
}
if (cookie.equals(encode("alice12345")))
{
makeSuccess(s);
return ("alice");
}
else
{
s.setMessage(WebGoatI18N.get("InvalidCookie"));
s.eatCookies();
}
}
return (null);
}
return (null);
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
* @exception Exception
* Description of the Exception
*/
protected String checkParams(WebSession s) throws Exception
{
String username = s.getParser().getStringParameter(USERNAME, "");
String password = s.getParser().getStringParameter(PASSWORD, "");
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
* @exception Exception
* Description of the Exception
*/
protected String checkParams(WebSession s) throws Exception
{
String username = s.getParser().getStringParameter(USERNAME, "");
String password = s.getParser().getStringParameter(PASSWORD, "");
if ((username.length() > 0) && (password.length() > 0))
{
String loginID = "";
if ((username.length() > 0) && (password.length() > 0))
{
String loginID = "";
if (username.equals("webgoat") && password.equals("webgoat"))
{
loginID = encode("webgoat12345");
}
else if (username.equals("aspect") && password.equals("aspect"))
{
loginID = encode("aspect12345");
}
if (username.equals("webgoat") && password.equals("webgoat"))
{
loginID = encode("webgoat12345");
}
else if (username.equals("aspect") && password.equals("aspect"))
{
loginID = encode("aspect12345");
}
if (loginID != "")
{
Cookie newCookie = new Cookie(AUTHCOOKIE, loginID);
s.setMessage(WebGoatI18N.get("IdentityRemembered"));
s.getResponse().addCookie(newCookie);
if (loginID != "")
{
Cookie newCookie = new Cookie(AUTHCOOKIE, loginID);
s.setMessage(WebGoatI18N.get("IdentityRemembered"));
s.getResponse().addCookie(newCookie);
return (username);
}
else
{
s.setMessage(WebGoatI18N.get("InvalidUsernameAndPassword"));
}
}
return (username);
}
else
{
s.setMessage(WebGoatI18N.get("InvalidUsernameAndPassword"));
}
}
return (null);
}
return (null);
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
boolean logout = s.getParser().getBooleanParameter(LOGOUT, false);
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
boolean logout = s.getParser().getBooleanParameter(LOGOUT, false);
if (logout)
{
s.setMessage(WebGoatI18N.get("PasswordForgotten"));
s.eatCookies();
if (logout)
{
s.setMessage(WebGoatI18N.get("PasswordForgotten"));
s.eatCookies();
return (makeLogin(s));
}
return (makeLogin(s));
}
try
{
String user = checkCookie(s);
try
{
String user = checkCookie(s);
if ((user != null) && (user.length() > 0)) { return (makeUser(s, user, "COOKIE")); }
if ((user != null) && (user.length() > 0)) { return (makeUser(s, user, "COOKIE")); }
user = checkParams(s);
user = checkParams(s);
if ((user != null) && (user.length() > 0)) { return (makeUser(s, user, "PARAMETERS")); }
} catch (Exception e)
{
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace();
}
if ((user != null) && (user.length() > 0)) { return (makeUser(s, user, "PARAMETERS")); }
} catch (Exception e)
{
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace();
}
return (makeLogin(s));
}
return (makeLogin(s));
}
/**
* Description of the Method
*
* @param value
* Description of the Parameter
* @return Description of the Return Value
*/
private String encode(String value)
{
// <START_OMIT_SOURCE>
StringBuffer encoded = new StringBuffer();
/**
* Description of the Method
*
* @param value
* Description of the Parameter
* @return Description of the Return Value
*/
private String encode(String value)
{
// <START_OMIT_SOURCE>
StringBuffer encoded = new StringBuffer();
for (int i = 0; i < value.length(); i++)
{
encoded.append(String.valueOf((char) (value.charAt(i) + 1)));
}
for (int i = 0; i < value.length(); i++)
{
encoded.append(String.valueOf((char) (value.charAt(i) + 1)));
}
return encoded.reverse().toString();
// <END_OMIT_SOURCE>
}
return encoded.reverse().toString();
// <END_OMIT_SOURCE>
}
/**
* Gets the category attribute of the WeakAuthenticationCookie object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.SESSION_MANAGEMENT;
}
/**
* Gets the category attribute of the WeakAuthenticationCookie object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.SESSION_MANAGEMENT;
}
/**
* Gets the cookie attribute of the CookieScreen object
*
* @param s
* Description of the Parameter
* @return The cookie value
*/
protected String getCookie(WebSession s)
{
Cookie[] cookies = s.getRequest().getCookies();
/**
* Gets the cookie attribute of the CookieScreen object
*
* @param s
* Description of the Parameter
* @return The cookie value
*/
protected String getCookie(WebSession s)
{
Cookie[] cookies = s.getRequest().getCookies();
for (int i = 0; i < cookies.length; i++)
{
if (cookies[i].getName().equalsIgnoreCase(AUTHCOOKIE)) { return (cookies[i].getValue()); }
}
for (int i = 0; i < cookies.length; i++)
{
if (cookies[i].getName().equalsIgnoreCase(AUTHCOOKIE)) { return (cookies[i].getValue()); }
}
return (null);
}
return (null);
}
/**
* Gets the hints attribute of the CookieScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints1"));
hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints2"));
hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints3"));
hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints4"));
return hints;
}
/**
* Gets the hints attribute of the CookieScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints1"));
hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints2"));
hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints3"));
hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints4"));
return hints;
}
private final static Integer DEFAULT_RANKING = new Integer(90);
private final static Integer DEFAULT_RANKING = new Integer(90);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the CookieScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Spoof an Authentication Cookie");
}
/**
* Gets the title attribute of the CookieScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Spoof an Authentication Cookie");
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeLogin(WebSession s)
{
ElementContainer ec = new ElementContainer();
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeLogin(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new H1().addElement(WebGoatI18N.get("SignIn")));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
ec.addElement(new H1().addElement(WebGoatI18N.get("SignIn")));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
if (s.isColor())
{
t.setBorder(1);
}
TR tr = new TR();
tr.addElement(new TH()
.addElement(WebGoatI18N.get("WeakAuthenticationCookiePleaseSignIn"))
.setColSpan(2).setAlign("left"));
t.addElement(tr);
TR tr = new TR();
tr.addElement(new TH()
.addElement(WebGoatI18N.get("WeakAuthenticationCookiePleaseSignIn"))
.setColSpan(2).setAlign("left"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("*"+WebGoatI18N.get("RequiredFields")).setWidth("30%"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("*"+WebGoatI18N.get("RequiredFields")).setWidth("30%"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr);
TR row1 = new TR();
TR row2 = new TR();
row1.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("UserName")))));
row2.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("Password")))));
TR row1 = new TR();
TR row2 = new TR();
row1.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("UserName")))));
row2.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("Password")))));
Input input1 = new Input(Input.TEXT, USERNAME, "");
Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
row1.addElement(new TD(input1));
row2.addElement(new TD(input2));
t.addElement(row1);
t.addElement(row2);
Input input1 = new Input(Input.TEXT, USERNAME, "");
Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
row1.addElement(new TD(input1));
row2.addElement(new TD(input2));
t.addElement(row1);
t.addElement(row2);
Element b = ECSFactory.makeButton(WebGoatI18N.get("Login"));
t.addElement(new TR(new TD(b)));
ec.addElement(t);
Element b = ECSFactory.makeButton(WebGoatI18N.get("Login"));
t.addElement(new TR(new TD(b)));
ec.addElement(t);
return (ec);
}
return (ec);
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param user
* Description of the Parameter
* @param method
* Description of the Parameter
* @return Description of the Return Value
* @exception Exception
* Description of the Exception
*/
protected Element makeUser(WebSession s, String user, String method) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement(WebGoatI18N.get("WelcomeUser") + user));
ec.addElement(new P().addElement(WebGoatI18N.get("YouHaveBeenAuthenticatedWith") + method));
ec.addElement(new P().addElement(ECSFactory.makeLink(WebGoatI18N.get("Logout"), LOGOUT, true)));
ec.addElement(new P().addElement(ECSFactory.makeLink(WebGoatI18N.get("Refresh"), "", "")));
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param user
* Description of the Parameter
* @param method
* Description of the Parameter
* @return Description of the Return Value
* @exception Exception
* Description of the Exception
*/
protected Element makeUser(WebSession s, String user, String method) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement(WebGoatI18N.get("WelcomeUser") + user));
ec.addElement(new P().addElement(WebGoatI18N.get("YouHaveBeenAuthenticatedWith") + method));
ec.addElement(new P().addElement(ECSFactory.makeLink(WebGoatI18N.get("Logout"), LOGOUT, true)));
ec.addElement(new P().addElement(ECSFactory.makeLink(WebGoatI18N.get("Refresh"), "", "")));
return (ec);
}
return (ec);
}
public Element getCredits()
{
return super.getCustomCredits("", ASPECT_LOGO);
}
public Element getCredits()
{
return super.getCustomCredits("", ASPECT_LOGO);
}
}