dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Moved Maven multiproject setup

Browse Source
This commit is contained in:
Nanne Baars
2015-08-11 21:57:12 +02:00
parent 28a2d01ba3
commit 42f373d66a
578 changed files with 455 additions and 435 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
webgoat-container/src/main/webapp/WEB-INF/context.xml Normal file
View File

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path="/WebGoat">
<Loader delegate="true" loaderClass="org.owasp.webgoat.classloader.PluginClassLoader" searchExternalFirst="true"/>
</Context>

59
webgoat-container/src/main/webapp/WEB-INF/mvc-dispatcher-servlet.xml Normal file
View File

@ -0,0 +1,59 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">
<context:component-scan base-package="org.owasp.webgoat" />
<!--
put custom validators here. E.g.:
<bean class="org.owasp.webgoat.validators.MyCustomValidator" />
-->
<!-- Activates various annotations to be detected in bean classes -->
<context:annotation-config />
<!-- Configures the annotation-driven Spring MVC Controller programming model. -->
<mvc:annotation-driven />
<!-- Import Tiles-related configuration -->
<!--import resource="tiles-context.xml" /-->
<!-- Declare a view resolver -->
<!-- Take note of the order. Since we're using TilesViewResolver as well
We need to define which ViewResolver is called first.
We chose this InternalResourceViewResolver to be at the bottom order -->
<bean
id="viewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver"
p:prefix="/WEB-INF/pages/"
p:suffix=".jsp"
p:order="1"/>
<mvc:interceptors>
<bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
<property name="cacheSeconds" value="0" />
<property name="useExpiresHeader" value="true" />
<property name="useCacheControlHeader" value="true" />
<property name="useCacheControlNoStore" value="true" />
</bean>
</mvc:interceptors>
<!-- Register the Customer.properties
<bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basename" value="org/owasp/webgoat/properties/Customer" />
</bean>
-->
</beans>

101
webgoat-container/src/main/webapp/WEB-INF/pages/about.jsp Normal file
View File

@ -0,0 +1,101 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage=""%>
<!-- This modal content is included into the main_new.jsp -->
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
<h3 class="modal-title" id="myModalLabel">About WebGoat - Provided by the OWASP Foundation</h3>
</div>
<div class="modal-body modal-scroll">
<p>Thanks for hacking The Goat!</p>
<p>WebGoat is a demonstration of common web application flaws. The
associated exercises are intended to provide hands-on experience with
techniques aimed at demonstrating and testing application penetration.
</p>
<p>From the entire WebGoat team, we appreciate your interest and efforts
in making applications not just better, but safer and more secure for
everyone. We, as well as our sacrificial goat, thank you.</p>
<p>
Version: ${version},&nbsp;Build: ${build}
</p>
<div class="row">
<div class="col-md-6">
<p>Contact us:
<ul>
<li>WebGoat mailing list: ${emailList}</li>
<li>Bruce Mayhew: ${contactEmail}</li>
</ul>
</p>
</div>
</div>
<div class="row">
<div class="col-md-6">
<p>WebGoat Authors
<ul>
<li>Bruce Mayhew (Project Lead)</li>
<li>Jeff Williams (Original Idea)</li>
<li>Richard Lawson (Architect)</li>
<li>Jason White (Architect)</li>
</ul>
</p>
</div>
<div class="col-md-6">
<p>WebGoat Design Team
<ul>
<li>Richard Lawson</li>
<li>Bruce Mayhew</li>
<li>Jason White</li>
<li>Ali Looney (User Interface)</li>
<li>Jeff Wayman (Website and Docs)</li>
</ul>
</p>
</div>
</div>
<div class="row">
<div class="col-md-6">
<p>Active Contributors
<ul>
<li>Nanne Baars (Developer)</li>
<li>Dave Cowden (Everything)</li>
<li>Keith Gasser (Survey/Security)</li>
<li>Devin Mayhew (Setup/Admin)</li>
<li>Li Simon (Developer)</li>
</ul>
</p>
</div>
<div class="col-md-6">
<p>Past Contributors
<ul>
<li>David Anderson (Developer/Design)</li>
<li>Christopher Blum (Lessons)</li>
<li>Laurence Casey (Graphics)</li>
<li>Brian Ciomei (Bug fixes)</li>
<li>Rogan Dawes (Lessons)</li>
<li>Erwin Geirnaert (Solutions)</li>
<li>Aung Knant (Documentation)</li>
<li>Ryan Knell (Lessons)</li>
<li>Christine Koppeit (Build)</li>
<li>Sherif Kousa (Lessons/Documentation)</li>
<li>Reto Lippuner (Lessons)</li>
<li>PartNet (Lessons)</li>
<li>Yiannis Pavlosoglou (Lessons)</li>
<li>Eric Sheridan (Lessons)</li>
<li>Alex Smolen (Lessons)</li>
<li>Chuck Willis (Lessons)</li>
<li>Marcel Wirth (Lessons)</li>
</ul>
</p>
<p>Did we miss you? Our sincere apologies, as we know there have
been many contributors over the years. If your name does not
appear in any of the lists above, please send us a note. We'll
get you added with no further sacrifices required.</p>
</div>
</div>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
</div>
</div>

86
webgoat-container/src/main/webapp/WEB-INF/pages/login.jsp Normal file
View File

@ -0,0 +1,86 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<title>Login Page</title>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]><!-->
<!-- CSS -->
<link rel="shortcut icon" href="images/favicon.ico" type="image/x-icon"/>
<!-- Bootstrap core CSS -->
<link rel="stylesheet" href="plugins/bootstrap/css/bootstrap.min.css"/>
<!-- Fonts from Font Awsome -->
<link rel="stylesheet" href="css/font-awesome.min.css"/>
<!-- CSS Animate -->
<link rel="stylesheet" href="css/animate.css"/>
<!-- Custom styles for this theme -->
<link rel="stylesheet" href="css/main.css"/>
<!-- end of CSS -->
</style>
</head>
<body onload='document.loginForm.username.focus();'>
<section id="container" ng-controller="goatLesson">
<header id="header">
<!--logo start-->
<div class="brand">
<a href="${pageContext.request.contextPath}/start.mvc" class="logo"><span>Web</span>Goat</a>
</div>
<!--logo end-->
<div class="toggle-navigation toggle-left">
</div><!--toggle navigation end-->
<div class="lessonTitle" >
</div><!--lesson title end-->
</header>
<section class="main-content-wrapper">
<section id="main-content" >
<c:if test="${not empty error}">
<div class="error">${error}</div>
</c:if>
<c:if test="${not empty msg}">
<div class="msg">${msg}</div>
</c:if>
<br/><br/>
<form role="form" name='loginForm' action="<c:url value='j_spring_security_check' />" method='POST' style="width: 400px;">
<div class="form-group">
<label for="exampleInputEmail1">Username</label>
<input type="text" class="form-control" id="exampleInputEmail1" placeholder="Username" name='username'>
</div>
<div class="form-group">
<label for="exampleInputPassword1">Password</label>
<input type="password" class="form-control" id="exampleInputPassword1" placeholder="Password" name='password'>
</div>
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" />
<button class="btn btn-large btn-primary" type="submit">Sign in</button>
</form>
<br/><br/>
<h4>The following accounts are built into Webgoat</h4>
<table class="table table-bordered" style="width:400px;">
<thead>
<tr class="warning"><th>Account</th><th>User</th><th>Password</th></tr>
</thead>
<tbody>
<tr><td>Webgoat User</td><td>guest</td><td>guest</td></tr>
<tr><td>Webgoat Admin</td><td>webgoat</td><td>webgoat</td></tr>
</tbody>
</table>
<br/><br/>
</section>
</section>
</section>
</body>
</html>

68
webgoat-container/src/main/webapp/WEB-INF/pages/logout.jsp Normal file
View File

@ -0,0 +1,68 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<title>Logout Page</title>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]><!-->
<!-- CSS -->
<link rel="shortcut icon" href="images/favicon.ico" type="image/x-icon"/>
<!-- Bootstrap core CSS -->
<link rel="stylesheet" href="plugins/bootstrap/css/bootstrap.min.css"/>
<!-- Fonts from Font Awsome -->
<link rel="stylesheet" href="css/font-awesome.min.css"/>
<!-- CSS Animate -->
<link rel="stylesheet" href="css/animate.css"/>
<!-- Custom styles for this theme -->
<link rel="stylesheet" href="css/main.css"/>
<!-- end of CSS -->
</style>
</head>
<body onload='document.loginForm.username.focus();'>
<section id="container" ng-controller="goatLesson">
<header id="header">
<!--logo start-->
<div class="brand">
<a href="${pageContext.request.contextPath}/start.mvc" class="logo"><span>Web</span>Goat</a>
</div>
<!--logo end-->
<div class="toggle-navigation toggle-left">
</div><!--toggle navigation end-->
<div class="lessonTitle" >
<h1 id="lessonTitle">Logout</h1>
</div><!--lesson title end-->
</header>
<section class="main-content-wrapper">
<section id="main-content" >
<c:if test="${not empty error}">
<div class="error">${error}</div>
</c:if>
<c:if test="${not empty msg}">
<div class="msg">${msg}</div>
</c:if>
<br/><br/>
<div class="alert alert-success" role="alert" style="width: 400px;">
You have logged out successfully
</div>
<hr/>
<h4>Click here if you would like to log back in: <a href="<c:url value="login.mvc" />" > Login</a></h4>
</section>
</section>
</section>
</body>
</html>

201
webgoat-container/src/main/webapp/WEB-INF/pages/main_new.jsp Normal file
View File

@ -0,0 +1,201 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage=""%>
<%@page import="org.owasp.webgoat.session.WebSession"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%
WebSession webSession = ((WebSession) session.getAttribute(WebSession.SESSION));
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]><!-->
<!-- CSS -->
<link rel="shortcut icon" href="images/favicon.ico" type="image/x-icon"/>
<!-- Bootstrap core CSS -->
<link rel="stylesheet" href="plugins/bootstrap/css/bootstrap.min.css"/>
<!-- Fonts from Font Awsome -->
<link rel="stylesheet" href="css/font-awesome.min.css"/>
<!-- CSS Animate -->
<link rel="stylesheet" href="css/animate.css"/>
<!-- Custom styles for this theme -->
<link rel="stylesheet" href="css/main.css"/>
<!-- end of CSS -->
<!-- JS -->
<script src="js/modernizr-2.6.2.min.js"></script>
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="js/html5shiv.js"></script>
<script src="js/respond.min.js"></script>
<![endif]-->
<!-- Require.js used to load js asynchronously -->
<script src="js/libs/require.min.js" data-main="js/main.js"></script>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat</title>
</head>
<body>
<section id="container">
<header id="header">
<!--logo start-->
<div class="brand">
<a href="${pageContext.request.contextPath}/start.mvc" class="logo"><span>Web</span>Goat</a>
</div>
<!--logo end-->
<div class="toggle-navigation toggle-left">
<button type="button" class="btn btn-default" id="toggle-left" data-toggle="tooltip" data-placement="right" title="Toggle Navigation">
<i class="fa fa-bars"></i>
</button>
</div><!--toggle navigation end-->
<div id="lesson-title-wrapper" >
</div><!--lesson title end-->
<div class="user-nav pull-right" style="margin-right: 75px;">
<div class="dropdown" style="display:inline">
<button type="button" class="btn btn-default dropdown-toggle" id="dropdownMenu1" >
<i class="fa fa-user"></i> <span class="caret"></span>
</button>
<ul class="dropdown-menu dropdown-menu-left" role="menu" aria-labelledby="dropdownMenu1">
<li role="presentation"><a role="menuitem" tabindex="-1" href="<c:url value="j_spring_security_logout" />">Logout</a></li>
<li role="presentation" class="divider"></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">User: ${user}</a></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Role: ${role}</a></li>
<li role="presentation" class="divider"></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">${version}</a></li>
<li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Build: ${build}</a></li>
</ul>
</div>
<button type="button" class="btn btn-default right_nav_button" data-toggle="tooltip" title="About WebGoat">
<i class="fa fa-info"></i>
</button>
<a href="mailto:${contactEmail}?Subject=Webgoat%20feedback" target="_top">
<button type="button" class="btn btn-default right_nav_button"data-toggle="tooltip" title="Contact Us">
<i class="fa fa-envelope"></i>
</button>
</a>
</div>
</header>
<aside class="sidebar" >
<div id="menu-container"></div>
</aside>
<!--sidebar left end-->
<!--main content start-->
<section class="main-content-wrapper">
<section id="main-content" > <!--ng-controller="goatLesson"-->
<div class="row">
<div class="col-md-8">
<div class="col-md-12" align="left">
<div class="panel" id="help-controls">
</div>
<div class="lesson-hint" id="lesson-hint-container">
<h4>Hints</h4>
<div class="panel" >
<div class="panel-body" id="lesson-hint">
<span class="glyphicon-class glyphicon glyphicon-circle-arrow-left" id="show-prev-hint"></span>
<span class="glyphicon-class glyphicon glyphicon-circle-arrow-right" id="show-next-hint"></span>
<br/>
<span id="lesson-hint-content"></span>
</div>
</div>
</div>
</div>
<div class="col-md-12" align="left">
<div id="lesson-content-wrapper" class="panel">
</div>
</div>
</div><!--col-md-8 end-->
<div class="col-md-4">
<div class="col-md-12">
<div class="panel">
<div class="panel-body">
<div align="left">
<h3>Cookies / Parameters</h3>
</div>
<hr />
<div id="cookies-and-params">
<div class="cookies-view">
<h4>Cookies</h4>
<!-- <div class="cookieContainer" ng-repeat="cookie in cookies">
<table class="cookieTable table-striped table-nonfluid" >
<thead>
<tr><th class="col-sm-1"></th><th class="col-sm-1"></th></tr>
</thead>
<tbody>
<tr ng-repeat="(key, value) in cookie">
<td>{{key}}</td>
<td>{{value}}</td>
</tr>
</tbody>
</table>
</div> -->
</div>
<div id="paramsView"> <!--class="paramsView"-->
<h4>Params</h4>
</div>
</div>
</div>
</div>
</div>
</div><!--col-md-4 end-->
</div>
<div id="lesson-helps-wrapper" class="panel">
<div class="lesson-help" id="lesson-plan-row">
<div class="col-md-12">
<h4>Lesson Plan</h4>
<div class="panel" >
<div class="panel-body" id="lesson-plan-content">
<!-- allowing jQuery to handle this one -->
</div>
</div>
</div>
</div>
<div class="lesson-help" id="lesson-solution-row">
<div class="col-md-12">
<h4>Lesson Solution</h4>
<div class="panel">
<div class="panel-body" id="lesson-solution-content">
</div>
</div>
</div>
</div>
<div class="lesson-help" id="lesson-source-row">
<div class="col-md-12">
<h4>Lesson Source Code</h4>
<div class="panel">
<div class="panel-body" id="lesson-source-content">
</div>
</div>
</div>
</div>
</div>
</section>
</section>
</section>
<!-- About WebGoat Modal -->
<div class="modal fade" id="aboutModal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
<div class="modal-dialog modal-lg">
<div class="modal-content">
<jsp:include page="../pages/about.jsp"/>
</div>
</div>
</div>
</body>
</html>

138
webgoat-container/src/main/webapp/WEB-INF/pages/welcome.jsp Normal file
View File

@ -0,0 +1,138 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage=""%>
<%@page import="org.owasp.webgoat.session.WebSession"%>
<%
//WebSession webSession = ((WebSession) session.getAttribute("websession"));
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5.4</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
</head>
<body>
<div id="wrap">
<div id="top"></div>
<div id="start">
<p>Thank you for using WebGoat! This program is a demonstration of common web application flaws.
The exercises are intended to provide hands on experience with
application penetration testing techniques. </p>
<p>The WebGoat project is led
by Bruce Mayhew. Please send all comments to Bruce at [TODO, session was blowing up here for some reason].</p>
<div id="team">
<table border="0" align="center" class="lessonText">
<tr>
<td width="50%">
<div align="center"><a href="http://www.owasp.org"><img
border="0" src="images/logos/owasp.jpg" alt="OWASP Foundation"
longdesc="http://www.owasp.org" /></a></div>
</td>
<td width="50%">
<div align="center"><a href="http://www.aspectsecurity.com"><img
border="0" src="images/logos/aspect.jpg" alt="Aspect Security"
longdesc="http://www.aspectsecurity.com" /></a></div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center"><span class="style1">
WebGoat Authors </span></div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center"><span class="style2">
Bruce Mayhew </span></div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center"><span class="style2">
Jeff Williams </span></div>
</td>
</tr>
<tr>
<td width="50%">
<div align="center"><span class="style1"><br />
WebGoat Design Team </span></div>
</td>
<td width="50%">
<div align="center"><span class="style1"><br />
V5.4 Lesson Contributers </span></div>
</td>
</tr>
<tr>
<td valign="top">
<div align="center" class="style2">David Anderson</div>
<div align="center" class="style2">Laurence Casey (Graphics)</div>
<div align="center" class="style2">Rogan Dawes</div>
<div align="center" class="style2">Bruce Mayhew</div>
</td>
<td valign="top">
<div align="center" class="style2">Sherif Koussa</div>
<div align="center" class="style2">Yiannis Pavlosoglou</div>
<div align="center" class="style2"></div>
</td>
</tr>
<tr>
<td height="25" valign="bottom">
<div align="center"><span class="style1">Special Thanks
for V5.4</span></div>
</td>
<td height="25" valign="bottom">
<div align="center"><span class="style1">Documentation
Contributers</span></div>
</td>
</tr>
<tr>
<td>
<div align="center" class="style2">Brian Ciomei (Multitude of bug fixes)</div>
<div align="center" class="style2">To all who have sent comments</div>
</td>
<td>
<div align="center" class="style2">
<a href="http://www.zionsecurity.com/" target="_blank">Erwin Geirnaert</a></div>
<div align="center" class="style2">
<a href="http://yehg.org/" target="_blank">Aung Khant</a></div>
<div align="center" class="style2">
<a href="http://www.softwaresecured.com" target="blank">Sherif Koussa</a>
</div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center" class="style2">
<form id="form" name="form" method="get" action="start.mvc"><input
type="submit" name="start" value="Start WebGoat" /></form>
</div>
</td>
</tr>
<tr>
<td>
<div align="center" class="style2">&nbsp;</div>
</td>
</tr>
</table>
</div>
</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div id="warning">WARNING<br />
While running this program, your machine is extremely vulnerable to
attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program.
<br />
<br />
This program is for educational purposes only. Use of these techniques
without permission could lead to job termination, financial liability,
and/or criminal penalties.</div>
</div>
</body>
</html>

39
webgoat-container/src/main/webapp/WEB-INF/pages/widgets/cookies_and_params.jsp Normal file
View File

@ -0,0 +1,39 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%--
Document : hints
Created on : Aug 27, 2014, 3:41:46 PM
Author : rlawson
--%>
<%@page contentType="text/html" pageEncoding="windows-1252"%>
<div class="col-md-6">
<table class="table table-condensed table-striped">
<caption><span class="label label-default">Parameters</span></caption>
<thead>
<tr><th>Name</th><th>Value</th></tr>
</thead>
<tbody>
<c:forEach var="wgparam" items="${wgparams}" varStatus="status">
<tr><td><span class="label label-info">${wgparam.name}</span></td><td>${wgparam.value}</td></tr>
</c:forEach>
</tbody>
</table>
</div>
<div class="col-md-6">
<table class="table table-condensed table-striped">
<caption><span class="label label-default">Cookies</span></caption>
<thead>
<tr><th>Name</th><th>Value</th></tr>
</thead>
<tbody>
<c:forEach var="wgcookie" items="${wgcookies}" varStatus="status">
<tr><td><span class="label label-info">${wgcookie.name}</span></td><td>${wgcookie.value}</td></tr>
</c:forEach>
</tbody>
</table>
</div>

27
webgoat-container/src/main/webapp/WEB-INF/pages/widgets/hints.jsp Normal file
View File

@ -0,0 +1,27 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%--
Document : hints
Created on : Aug 27, 2014, 3:41:46 PM
Author : rlawson
--%>
<%@page contentType="text/html" pageEncoding="windows-1252"%>
<div class="panel-group" id="accordion">
<c:forEach var="hint" items="${hints}" varStatus="status">
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">
<a data-toggle="collapse" data-parent="#accordion" href="#collapse_${hint.number}">
Hint-${hint.number}
</a>
</h3>
</div>
<div id="collapse_${hint.number}" class="panel-collapse collapse">
<div class="panel-body">
${hint.hint}
</div>
</div>
</div>
</c:forEach>
</div>

69
webgoat-container/src/main/webapp/WEB-INF/server-config.wsdd Normal file
View File

@ -0,0 +1,69 @@
<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<globalConfiguration>
<parameter name="sendMultiRefs" value="true"/>
<parameter name="disablePrettyXML" value="true"/>
<parameter name="adminPassword" value="admin"/>
<!--
<parameter name="attachments.Directory" value="C:\webgoat\tomcat\webapps\WebGoat\WEB-INF\attachments"/>
-->
<parameter name="dotNetSoapEncFix" value="true"/>
<parameter name="enableNamespacePrefixOptimization" value="true"/>
<parameter name="sendXMLDeclaration" value="true"/>
<!--
<parameter name="attachments.implementation" value="org.apache.axis.attachments.AttachmentsImpl"/>
-->
<parameter name="sendXsiTypes" value="true"/>
<requestFlow>
<handler type="java:org.apache.axis.handlers.JWSHandler">
<parameter name="scope" value="session"/>
</handler>
<handler type="java:org.apache.axis.handlers.JWSHandler">
<parameter name="scope" value="request"/>
<parameter name="extension" value=".jwr"/>
</handler>
</requestFlow>
</globalConfiguration>
<handler name="LocalResponder" type="java:org.apache.axis.transport.local.LocalResponder"/>
<handler name="URLMapper" type="java:org.apache.axis.handlers.http.URLMapper"/>
<handler name="Authenticate" type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
<service name="WSDLScanning" provider="java:RPC">
<parameter name="allowedMethods" value="getFirstName, getLastName, getCreditCard, getLoginCount"/>
<parameter name="className" value="org.owasp.webgoat.lessons.WSDLScanning"/>
</service>
<service name="SoapRequest" provider="java:RPC">
<parameter name="allowedMethods" value="getFirstName, getLastName, getCreditCard, getLoginCount"/>
<parameter name="className" value="org.owasp.webgoat.lessons.SoapRequest"/>
</service>
<service name="AdminService" provider="java:MSG">
<parameter name="allowedMethods" value="AdminService"/>
<parameter name="enableRemoteAdmin" value="false"/>
<parameter name="className" value="org.apache.axis.utils.Admin"/>
<namespace>http://xml.apache.org/axis/wsdd/</namespace>
</service>
<service name="Version" provider="java:RPC">
<parameter name="allowedMethods" value="getVersion"/>
<parameter name="className" value="org.apache.axis.Version"/>
</service>
<service name="WsSqlInjection" provider="java:RPC">
<parameter name="allowedMethods" value="getCreditCard"/>
<parameter name="className" value="org.owasp.webgoat.lessons.WsSqlInjection"/>
</service>
<transport name="http">
<requestFlow>
<handler type="URLMapper"/>
<handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
</requestFlow>
<parameter name="qs:list" value="org.apache.axis.transport.http.QSListHandler"/>
<parameter name="qs:wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
<parameter name="qs.list" value="org.apache.axis.transport.http.QSListHandler"/>
<parameter name="qs.method" value="org.apache.axis.transport.http.QSMethodHandler"/>
<parameter name="qs:method" value="org.apache.axis.transport.http.QSMethodHandler"/>
<parameter name="qs.wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
</transport>
<transport name="local">
<responseFlow>
<handler type="LocalResponder"/>
</responseFlow>
</transport>
</deployment>

52
webgoat-container/src/main/webapp/WEB-INF/spring-security.xml Normal file
View File

@ -0,0 +1,52 @@
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<global-method-security pre-post-annotations="enabled" />
<!--
PCS 8/27/2012
NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
That method is used extensively in legacy webgoat code. Integrating Spring security into the application resolves this issue.
-->
<http pattern="/css/**" security="none"/>
<http pattern="/images/**" security="none"/>
<http pattern="/javascript/**" security="none"/>
<http pattern="/js/**" security="none"/>
<http pattern="/fonts/**" security="none"/>
<http pattern="/plugins/**" security="none"/>
<http pattern="/favicon.ico" security="none"/>
<http use-expressions="true">
<intercept-url pattern="/login.mvc" access="permitAll" />
<intercept-url pattern="/logout.mvc" access="permitAll" />
<intercept-url pattern="/index.jsp" access="permitAll" />
<intercept-url pattern="/servlet/AdminServlet/**" access="hasAnyRole('ROLE_WEBGOAT_ADMIN','ROLE_SERVER_ADMIN')" />
<intercept-url pattern="/JavaSource/**" access="hasRole('ROLE_SERVER_ADMIN')" />
<intercept-url pattern="/**" access="hasAnyRole('ROLE_WEBGOAT_USER','ROLE_WEBGOAT_ADMIN','ROLE_SERVER_ADMIN')" />
<form-login
login-page="/login.mvc"
default-target-url="/welcome.mvc"
authentication-failure-url="/login.mvc?error"
username-parameter="username"
password-parameter="password"
always-use-default-target="true"/>
<logout logout-url="/j_spring_security_logout" logout-success-url="/logout.mvc" />
<!-- enable csrf protection -->
<!--csrf/-->
</http>
<!-- Authentication Manager -->
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP -->
<user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" />
<user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" />
<user name="server" password="server" authorities="ROLE_SERVER_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>

294
webgoat-container/src/main/webapp/WEB-INF/web.xml Normal file
View File

@ -0,0 +1,294 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<!-- General description of your web application -->
<display-name>WebGoat</display-name>
<description>
This web application is designed to demonstrate web
application security flaws for the purpose of educating
developers and security professionals about web
application security problems. Please contact Bruce Mayhew
(webgoat@owasp.org) if you have any questions.
</description>
<!-- Context initialization parameters that define shared
String constants used within your application, which
can be customized by the system administrator who is
installing your application. The values actually
assigned to these parameters can be retrieved in a
servlet or JSP page by calling:
String value =
getServletContext().getInitParameter("name");
where "name" matches the <param-name> element of
one of these initialization parameters.
You can define any number of context initialization
parameters, including zero.
-->
<context-param>
<param-name>email</param-name>
<param-value>webgoat@owasp.org</param-value>
<description>
The EMAIL address of the administrator to whom questions
and comments about this application should be addressed.
</description>
</context-param>
<context-param>
<param-name>emaillist</param-name>
<param-value>owasp-webgoat@lists.owasp.org</param-value>
<description>
The EMAIL address of the webgoat email list
</description>
</context-param>
<!-- spring MVC -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/mvc-dispatcher-servlet.xml,
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<!-- Servlet definitions for the servlets that make up
your web application, including initialization
parameters. With Tomcat, you can also send requests
to servlets not listed here with a request like this:
http://localhost:8080/{context-path}/servlet/{classname}
but this usage is not guaranteed to be portable. It also
makes relative references to images and other resources
required by your servlet more complicated, so defining
all of your servlets (and defining a mapping to them with
a servlet-mapping element) is recommended.
Servlet initialization parameters can be retrieved in a
servlet or JSP page by calling:
String value =
getServletConfig().getInitParameter("name");
where "name" matches the <param-name> element of
one of these initialization parameters.
You can define any number of servlets, including zero.
-->
<servlet>
<servlet-name>AxisServlet</servlet-name>
<display-name>Apache-Axis Servlet</display-name>
<servlet-class>
org.apache.axis.transport.http.AxisServlet
</servlet-class>
</servlet>
<servlet>
<servlet-name>AdminServlet</servlet-name>
<display-name>Axis Admin Servlet</display-name>
<servlet-class>
org.apache.axis.transport.http.AdminServlet
</servlet-class>
<load-on-startup>100</load-on-startup>
</servlet>
<servlet>
<servlet-name>SOAPMonitorService</servlet-name>
<display-name>SOAPMonitorService</display-name>
<servlet-class>
org.apache.axis.monitor.SOAPMonitorService
</servlet-class>
<init-param>
<param-name>SOAPMonitorPort</param-name>
<param-value>5001</param-value>
</init-param>
<load-on-startup>100</load-on-startup>
</servlet>
<servlet>
<servlet-name>WebGoat</servlet-name>
<description>
This servlet plays the "controller" role in the MVC architecture
used in this application.
The initialization parameter namess for this servlet are the
"servlet path" that will be received by this servlet (after the
filename extension is removed). The corresponding value is the
name of the action class that will be used to process this request.
</description>
<servlet-class>org.owasp.webgoat.HammerHead</servlet-class>
<init-param>
<param-name>email</param-name>
<param-value>WebGoat@owasp.org</param-value>
<description>The EMAIL address of the administrator to whom questions
and comments about this application should be addressed.
</description>
</init-param>
<init-param>
<param-name>debug</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>CookieDebug</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>DefuseOSCommands</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>Enterprise</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>CodingExercises</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<!-- Specify an address where you would like comments to be sent. -->
<!-- This can be any URL or HTML tags, and will appear on the report card and lesson incomplete pages -->
<!-- Use iso8859-1 encoding to represent special characters that might confuse XML parser. For
example, replace "<" with "&lt;" and ">" with "&gt;". -->
<param-name>FeedbackAddress</param-name>
<param-value>
&lt;A HREF=mailto:webgoat@owasp.org&gt;webgoat@owasp.org&lt;/A&gt;
</param-value>
</init-param>
<init-param>
<param-name>DatabaseDriver</param-name>
<param-value>
org.hsqldb.jdbcDriver
</param-value>
</init-param>
<init-param>
<param-name>DatabaseConnectionString</param-name>
<!--
The string "${USER}" in the connection string will be replaced by the active username
when making a connection.
-->
<param-value>jdbc:hsqldb:mem:${USER}</param-value>
</init-param>
<!--
<init-param>
<param-name>DefaultLanguage</param-name>
<param-value>en</param-value>
</init-param>
-->
<!-- Load this servlet at server startup time -->
<load-on-startup>5</load-on-startup>
</servlet>
<servlet>
<servlet-name>LessonSource</servlet-name>
<description>
This servlet returns the Java source of the current lesson.
</description>
<servlet-class>org.owasp.webgoat.LessonSource</servlet-class>
</servlet>
<servlet>
<servlet-name>Catcher</servlet-name>
<description>
This servlet catches any posts and marks the appropriate lesson property.
</description>
<servlet-class>org.owasp.webgoat.Catcher</servlet-class>
</servlet>
<servlet>
<servlet-name>conf</servlet-name>
<jsp-file>/lessons/ConfManagement/config.jsp</jsp-file>
</servlet>
<!-- spring MVC -->
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>*.mvc</url-pattern>
</servlet-mapping>
<listener>
<description>Spring context init</description>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<description>Spring context init</description>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<listener>
<description>WebGoat application init</description>
<listener-class>org.owasp.webgoat.application.WebGoatServletListener</listener-class>
</listener>
<!-- end spring MVC -->
<!-- spring security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- end spring security -->
<!-- Define mappings that are used by the servlet container to
translate a particular request URI (context-relative) to a
particular servlet. The examples below correspond to the
servlet descriptions above. Thus, a request URI like:
http://localhost:8080/{contextpath}/graph
will be mapped to the "graph" servlet, while a request like:
http://localhost:8080/{contextpath}/saveCustomer.mvc
will be mapped to the "controller" servlet.
You may define any number of servlet mappings, including zero.
It is also legal to define more than one mapping for the same
servlet, if you wish to.
-->
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/servlet/AxisServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>*.jws</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/services/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>SOAPMonitorService</servlet-name>
<url-pattern>/SOAPMonitor</url-pattern>
</servlet-mapping>
<!-- uncomment this if you want the admin servlet -->
<servlet-mapping>
<servlet-name>AdminServlet</servlet-name>
<url-pattern>/servlet/AdminServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>WebGoat</servlet-name>
<url-pattern>/attack</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>LessonSource</servlet-name>
<url-pattern>/source</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Catcher</servlet-name>
<url-pattern>/catcher</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>conf</servlet-name>
<url-pattern>/conf</url-pattern>
</servlet-mapping>
<!-- Define the default session timeout for your application,
in minutes. From a servlet or JSP page, you can modify
the timeout for a particular session dynamically by using
HttpSession.getMaxInactiveInterval(). -->
<session-config>
<!-- 2 days -->
<session-timeout>2880</session-timeout>
</session-config>
<mime-mapping>
<extension>wmv</extension>
<mime-type>video/x-ms-wmv</mime-type>
</mime-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>

60
webgoat-container/src/main/webapp/WEB-INF/webgoat-class.properties Normal file
View File

@ -0,0 +1,60 @@
category.General.ranking=11
lesson.HttpBasics.ranking=10
lesson.HttpSplitting.ranking=20
lesson.ThreadSafetyProblem.ranking=30
category.Broken\ Authentication\ and\ Session\ Management.ranking=21
lesson.BasicAuthentication.ranking=10
lesson.WeakAuthenticationCookie.ranking=20
category.Broken\ Access\ Control.ranking=31
lesson.AccessControlMatrix.ranking=10
lesson.PathBasedAccessControl.ranking=20
lesson.RoleBasedAccessControl.hidden=true
category.Cross-Site\ Scripting\ (XSS).ranking=41
lesson.StoredXss.ranking=10
lesson.ReflectedXSS.ranking=20
lesson.CSRF.ranking=30
lesson.CsrfPromptByPass.ranking=40
lesson.CsrfTokenByPass.ranking=50
lesson.CrossSiteScripting.hidden=true
category.Unvalidated\ Parameters.ranking=51
lesson.HiddenFieldTampering.ranking=10
lesson.JavaScriptValidation.ranking=20
lesson.UncheckedEmail.ranking=30
category.Insecure\ Storage.ranking=61
lesson.Encoding.ranking=10
category.Injection\ Flaws.ranking=71
lesson.SqlNumericInjection.ranking=10
lesson.SqlStringInjection.ranking=20
lesson.CommandInjection.ranking=30
lesson.LogSpoofing.ranking=40
lesson.SQLInjection.hidden=true
category.Improper\ Error\ Handling.ranking=81
lesson.FailOpenAuthentication.ranking=10
category.Code\ Quality.ranking=91
lesson.HtmlClues.ranking=10
category.Web\ Services.category.ranking=101
lesson.SoapRequest.ranking=10
lesson.WSDLScanning.ranking=20
lesson.WsSqlInjection.ranking=30
category.New\ Lesson.category.ranking=111
lesson.HowToAddNewLesson.ranking=10
lesson.WeakSessionID.hidden=true
lesson.BufferOverflow.hidden=true
lesson.BlindSqlInjection.hidden=true
lesson.DOS_Login.hidden=true
lesson.ForcedBrowsing.hidden=true
lesson.ForgotPassword.hidden=true
lesson.ParameterInjection.hidden=true
lesson.RemoteAdminFlaw.hidden=true
lesson.ChallengeScreen.hidden=true

57
webgoat-container/src/main/webapp/WEB-INF/webgoat-lab.properties Normal file
View File

@ -0,0 +1,57 @@
category.General.ranking=11
lesson.HttpBasics.ranking=10
lesson.HttpSplitting.ranking=20
lesson.ThreadSafetyProblem.ranking=30
category.Broken\ Authentication\ and\ Session\ Management.ranking=21
lesson.BasicAuthentication.ranking=10
lesson.WeakAuthenticationCookie.ranking=20
category.Broken\ Access\ Control.ranking=31
lesson.AccessControlMatrix.ranking=10
lesson.PathBasedAccessControl.ranking=20
category.Cross-Site\ Scripting\ (XSS).ranking=41
lesson.StoredXss.ranking=10
lesson.ReflectedXSS.ranking=20
lesson.CSRF.ranking=30
lesson.CsrfPromptByPass.ranking=40
lesson.CsrfTokenByPass.ranking=50
category.Unvalidated\ Parameters.ranking=51
lesson.HiddenFieldTampering.ranking=10
lesson.JavaScriptValidation.ranking=20
lesson.UncheckedEmail.ranking=30
category.Insecure\ Storage.ranking=61
lesson.Encoding.ranking=10
category.Injection\ Flaws.ranking=71
lesson.SqlNumericInjection.ranking=10
lesson.SqlStringInjection.ranking=20
lesson.CommandInjection.ranking=30
lesson.LogSpoofing.ranking=40
category.Improper\ Error\ Handling.ranking=81
lesson.FailOpenAuthentication.ranking=10
category.Code\ Quality.ranking=91
lesson.HtmlClues.ranking=10
category.Web\ Services.category.ranking=101
lesson.SoapRequest.ranking=10
lesson.WSDLScanning.ranking=20
lesson.WsSqlInjection.ranking=30
category.New\ Lesson.category.ranking=111
lesson.HowToAddNewLesson.ranking=10
lesson.WeakSessionID.hidden=true
lesson.BufferOverflow.hidden=true
lesson.BlindSqlInjection.hidden=true
lesson.DOS_Login.hidden=true
lesson.ForcedBrowsing.hidden=true
lesson.ForgotPassword.hidden=true
lesson.ParameterInjection.hidden=true
lesson.RemoteAdminFlaw.hidden=true
lesson.ChallengeScreen.hidden=true

2
webgoat-container/src/main/webapp/WEB-INF/webgoat-owasp.properties Normal file
View File

@ -0,0 +1,2 @@
#lesson.BufferOverflow.hidden=true
lesson.BlindScript.hidden=true

7
webgoat-container/src/main/webapp/WEB-INF/webgoat.properties Normal file
View File

@ -0,0 +1,7 @@
#lesson.BufferOverflow.hidden=true
#
# These lesson need to be refactored
lesson.BlindScript.hidden=true
lesson.RemoteAdminFlaw.hidden=true
lesson.HttpSplitting.hidden=true
lesson.BasicAuthentication.hidden=true

132
webgoat-container/src/main/webapp/WEB-INF/webgoat_oracle.sql Normal file
View File

@ -0,0 +1,132 @@
DROP USER webgoat_guest CASCADE;
CREATE USER webgoat_guest IDENTIFIED BY webgoat DEFAULT TABLESPACE users;
GRANT CONNECT, RESOURCE TO webgoat_guest;
GRANT CREATE PROCEDURE TO webgoat_guest;
CREATE TABLE WEBGOAT_guest.EMPLOYEE (
userid INT NOT NULL PRIMARY KEY,
first_name VARCHAR(20),
last_name VARCHAR(20),
ssn VARCHAR(12),
password VARCHAR(10),
title VARCHAR(20),
phone VARCHAR(13),
address1 VARCHAR(80),
address2 VARCHAR(80),
manager INT,
start_date CHAR(8),
salary INT,
ccn VARCHAR(30),
ccn_limit INT,
disciplined_date CHAR(8),
disciplined_notes VARCHAR(60),
personal_description VARCHAR(60)
);
CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
stmt VARCHAR(32767);cnt NUMBER;
BEGIN
stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';
EXECUTE IMMEDIATE stmt INTO cnt;
RETURN cnt;
END;
/
CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN_BACKUP(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
stmt VARCHAR(32767);cnt NUMBER;
BEGIN
stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';
EXECUTE IMMEDIATE stmt INTO cnt;
RETURN cnt;
END;
/
CREATE OR REPLACE PROCEDURE WEBGOAT_guest.UPDATE_EMPLOYEE(
v_userid IN employee.userid%type,
v_first_name IN employee.first_name%type,
v_last_name IN employee.last_name%type,
v_ssn IN employee.ssn%type,
v_title IN employee.title%type,
v_phone IN employee.phone%type,
v_address1 IN employee.address1%type,
v_address2 IN employee.address2%type,
v_manager IN employee.manager%type,
v_start_date IN employee.start_date%type,
v_salary IN employee.salary%type,
v_ccn IN employee.ccn%type,
v_ccn_limit IN employee.ccn_limit%type,
v_disciplined_date IN employee.disciplined_date%type,
v_disciplined_notes IN employee.disciplined_notes%type,
v_personal_description IN employee.personal_description%type
)
AS
BEGIN
UPDATE EMPLOYEE
SET
first_name = v_first_name,
last_name = v_last_name,
ssn = v_ssn,
title = v_title,
phone = v_phone,
address1 = v_address1,
address2 = v_address2,
manager = v_manager,
start_date = v_Start_date,
salary = v_salary,
ccn = v_ccn,
ccn_limit = v_ccn_limit,
disciplined_date = v_disciplined_date,
disciplined_notes = v_disciplined_notes,
personal_description = v_personal_description
WHERE
userid = v_userid;
END;
/
CREATE OR REPLACE PROCEDURE WEBGOAT_guest.UPDATE_EMPLOYEE_BACKUP(
v_userid IN employee.userid%type,
v_first_name IN employee.first_name%type,
v_last_name IN employee.last_name%type,
v_ssn IN employee.ssn%type,
v_title IN employee.title%type,
v_phone IN employee.phone%type,
v_address1 IN employee.address1%type,
v_address2 IN employee.address2%type,
v_manager IN employee.manager%type,
v_start_date IN employee.start_date%type,
v_salary IN employee.salary%type,
v_ccn IN employee.ccn%type,
v_ccn_limit IN employee.ccn_limit%type,
v_disciplined_date IN employee.disciplined_date%type,
v_disciplined_notes IN employee.disciplined_notes%type,
v_personal_description IN employee.personal_description%type
)
AS
BEGIN
UPDATE EMPLOYEE
SET
first_name = v_first_name,
last_name = v_last_name,
ssn = v_ssn,
title = v_title,
phone = v_phone,
address1 = v_address1,
address2 = v_address2,
manager = v_manager,
start_date = v_Start_date,
salary = v_salary,
ccn = v_ccn,
ccn_limit = v_ccn_limit,
disciplined_date = v_disciplined_date,
disciplined_notes = v_disciplined_notes,
personal_description = v_personal_description
WHERE
userid = v_userid;
END;
/
exit;

226
webgoat-container/src/main/webapp/WEB-INF/webgoat_sqlserver.sql Normal file
View File

@ -0,0 +1,226 @@
EXEC sp_configure 'clr enabled', 1
GO
RECONFIGURE
GO
USE master;
go
DROP LOGIN webgoat_guest;
go
DROP database webgoat;
go
CREATE database webgoat;
go
USE webgoat;
go
CREATE SCHEMA webgoat_guest;
go
CREATE LOGIN webgoat_guest with password = '_webgoat';
go
CREATE USER webgoat_guest with default_schema = webgoat_guest;
go
GRANT CONTROL TO webgoat_guest;
go
CREATE TABLE WEBGOAT_guest.EMPLOYEE (
userid INT NOT NULL PRIMARY KEY,
first_name VARCHAR(20),
last_name VARCHAR(20),
ssn VARCHAR(12),
password VARCHAR(10),
title VARCHAR(20),
phone VARCHAR(13),
address1 VARCHAR(80),
address2 VARCHAR(80),
manager INT,
start_date CHAR(8),
salary INT,
ccn VARCHAR(30),
ccn_limit INT,
disciplined_date CHAR(8),
disciplined_notes VARCHAR(60),
personal_description VARCHAR(60)
);
go
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'UPDATE_EMPLOYEE'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'PROCEDURE'
)
BEGIN
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
END
GO
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
@v_userid INT,
@v_first_name VARCHAR(20),
@v_last_name VARCHAR(20),
@v_ssn VARCHAR(12),
@v_title VARCHAR(20),
@v_phone VARCHAR(13),
@v_address1 VARCHAR(80),
@v_address2 VARCHAR(80),
@v_manager INT,
@v_start_date CHAR(8),
@v_salary INT,
@v_ccn VARCHAR(30),
@v_ccn_limit INT,
@v_disciplined_date CHAR(8),
@v_disciplined_notes VARCHAR(60),
@v_personal_description VARCHAR(60)
AS
UPDATE EMPLOYEE
SET
first_name = @v_first_name,
last_name = @v_last_name,
ssn = @v_ssn,
title = @v_title,
phone = @v_phone,
address1 = @v_address1,
address2 = @v_address2,
manager = @v_manager,
start_date = @v_Start_date,
salary = @v_salary,
ccn = @v_ccn,
ccn_limit = @v_ccn_limit,
disciplined_date = @v_disciplined_date,
disciplined_notes = @v_disciplined_notes,
personal_description = @v_personal_description
WHERE
userid = @v_userid;
go
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
@v_userid INT,
@v_first_name VARCHAR(20),
@v_last_name VARCHAR(20),
@v_ssn VARCHAR(12),
@v_title VARCHAR(20),
@v_phone VARCHAR(13),
@v_address1 VARCHAR(80),
@v_address2 VARCHAR(80),
@v_manager INT,
@v_start_date CHAR(8),
@v_salary INT,
@v_ccn VARCHAR(30),
@v_ccn_limit INT,
@v_disciplined_date CHAR(8),
@v_disciplined_notes VARCHAR(60),
@v_personal_description VARCHAR(60)
AS
UPDATE EMPLOYEE
SET
first_name = @v_first_name,
last_name = @v_last_name,
ssn = @v_ssn,
title = @v_title,
phone = @v_phone,
address1 = @v_address1,
address2 = @v_address2,
manager = @v_manager,
start_date = @v_Start_date,
salary = @v_salary,
ccn = @v_ccn,
ccn_limit = @v_ccn_limit,
disciplined_date = @v_disciplined_date,
disciplined_notes = @v_disciplined_notes,
personal_description = @v_personal_description
WHERE
userid = @v_userid;
go
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'EMPLOYEE_LOGIN'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'FUNCTION'
)
BEGIN
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP
END
GO
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN (
@v_id INT,
@v_password VARCHAR(100)
) RETURNS INTEGER
AS
BEGIN
DECLARE @sql nvarchar(4000), @count int
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
return @count
END
GO
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP (
@v_id INT,
@v_password VARCHAR(100)
) RETURNS INTEGER
AS
BEGIN
DECLARE @sql nvarchar(4000), @count int
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
return @count
END
GO
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'RegexMatch'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'FUNCTION'
)
BEGIN
DROP FUNCTION webgoat_guest.RegexMatch
END
GO
IF EXISTS (SELECT name FROM sys.assemblies WHERE name = N'RegexMatch')
DROP ASSEMBLY RegexMatch;
GO
CREATE ASSEMBLY RegexMatch FROM 'C:\AspectClass\Database\Labs\tomcat\webapps\WebGoat\WEB-INF\RegexMatch.dll' WITH PERMISSION_SET = SAFE;
GO
CREATE FUNCTION webgoat_guest.RegexMatch (
@input NVARCHAR(MAX),
@pattern NVARCHAR(MAX)
) RETURNS BIT
AS EXTERNAL NAME RegexMatch.[UserDefinedFunctions].RegexMatch;
GO