Startup scripts, changes to make offbyone more sequential

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@446 4033779f-a91e-0410-96ef-6bf7bf53c507
mayhew64@gmail.com
2012-04-21 17:18:08 +00:00
parent 5f786e77a6
commit 40329271eb
9 changed files with 230 additions and 84 deletions


@ -130,6 +130,8 @@ public class OffByOne extends LessonAdapter
hints.add("See which fields during the registration process, allow for really long input to be submitted.");
hints.add("Check for hidden form fields during registration");
hints.add("Typically, web-based buffer overflows occur just above the value of 2 to the power of a number. E.g. 1024 + 1, 2048 + 1, 4096 + 1");
hints.add("Overflow the room number field with 4096+1 characters and look for hidden fields");
hints.add("Enter the VIP name in the first and last naem fields");
return hints;
}
@ -405,7 +407,9 @@ public class OffByOne extends LessonAdapter
private Element makeThirdStep(WebSession s)
{
ElementContainer ec = new ElementContainer();
String param = "";
String param1 = "";
String param2 = "";
String param3 = "";
// Header
ec.addElement(new StringElement("You have now completed the 2 step process and have access to the Internet"));
@ -453,23 +457,23 @@ public class OffByOne extends LessonAdapter
ec.addElement("\r\n");
// Hidden Form Fields
param = s.getParser().getStringParameter(LAST_NAME, "");
Input input = new Input(Input.HIDDEN, "a", param);
param1 = s.getParser().getStringParameter(LAST_NAME, "");
Input input = new Input(Input.HIDDEN, "a", param1);
ec.addElement(input);
ec.addElement("\r\n");
param = s.getParser().getStringParameter(FIRST_NAME, "");
input = new Input(Input.HIDDEN, "b", param);
param2 = s.getParser().getStringParameter(FIRST_NAME, "");
input = new Input(Input.HIDDEN, "b", param2);
ec.addElement(input);
ec.addElement("\r\n");
param = s.getParser().getStringParameter(ROOM_NUMBER, "");
input = new Input(Input.HIDDEN, "c", param);
param3 = s.getParser().getStringParameter(ROOM_NUMBER, "");
input = new Input(Input.HIDDEN, "c", param3);
ec.addElement(input);
ec.addElement("\r\n");
// And finally the check...
if(param.length() > 4096)
if(param3.length() > 4096)
{
ec.addElement(new Input(Input.hidden, "d", "Johnathan"));
ec.addElement("\r\n");
@ -498,9 +502,18 @@ public class OffByOne extends LessonAdapter
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "o", "9901"));
ec.addElement("\r\n");
// :)
makeSuccess(s);
s.setMessage("To complete the lesson, restart lesson and enter VIP first/last name");
}
if (("Johnathan".equalsIgnoreCase(param2) || "John".equalsIgnoreCase(param2)
|| "Ana".equalsIgnoreCase(param2) ||"Lewis".equalsIgnoreCase(param2))
&& ("Ravern".equalsIgnoreCase(param1) || "Smith".equalsIgnoreCase(param1)
|| "Arneta".equalsIgnoreCase(param1) ||"Hamilton".equalsIgnoreCase(param1)))
{
// :)
// Allows for mixed VIP names, but that's not really the point
makeSuccess(s);
}
// Footer
@ -510,7 +523,6 @@ public class OffByOne extends LessonAdapter
ec.addElement(new br());
ec.addElement(new br());
return ec;
}
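Review bot: The new completion check near the end of makeThirdStep tests only the submitted first and last name against two independent lists, so it succeeds for any listed first name paired with any listed last name and does not require that the `param3.length() > 4096` branch was ever reached in this session. If the lesson is meant to be sequential, record the overflow step in session state inside that branch and require it here, and match the names as pairs instead of two `||` chains. The names also appear as repeated literals (`"Johnathan"` is both the value of hidden field `d` and a term in the check), so shared constants would keep the two in sync. The added hint has a typo and should read `hints.add("Enter the VIP name in the first and last name fields");`. Parts of makeThirdStep lie between the hunks shown, so how the earlier steps track state is not visible here.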