#272 Fix lesson client side filtering

2016-11-15 12:46:00 +01:00 · 2016-11-15 12:46:00 +01:00 · 44f5c60e78
commit 44f5c60e78
parent 00f0ee8942
3 changed files with 13 additions and 94 deletions
--- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java
+++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java
@ -39,7 +39,7 @@ public class ClientSideFiltering extends NewLesson {
    @Override
    public Category getDefaultCategory() {
-        return Category.ACCESS_CONTROL;
+        return Category.AJAX_SECURITY;
    }
    @Override
--- a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/js/clientSideFiltering.js
+++ b/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/js/clientSideFiltering.js
@ -1,92 +1,23 @@
 var dataFetched = false;
 var json;
 //TODO: reimplement this
 function selectUser() {
-   var newEmployeeID = document.getElementById("UserSelect").options[document.getElementById("UserSelect").selectedIndex].value;
+    var newEmployeeID = $("#UserSelect").val();
-
+    document.getElementById("employeeRecord").innerHTML = document.getElementById(newEmployeeID).innerHTML;
   if (navigator.userAgent.indexOf("MSIE ") == -1) {
       document.getElementById("employeeRecord").innerHTML = document.getElementById(newEmployeeID).innerHTML;
   }
   else {
       //IE is a buggy ....
       var TR = document.createElement("tr");
       var TD0 = document.createElement("td");
       var TD1 = document.createElement("td");
       var TD2 = document.createElement("td");
       var TD3 = document.createElement("td");
       var TD4 = document.createElement("td");
       var text0 = document.createTextNode(document.getElementById(newEmployeeID).childNodes[0].firstChild.nodeValue);
       var text1 = document.createTextNode(document.getElementById(newEmployeeID).childNodes[1].firstChild.nodeValue);
       var text2 = document.createTextNode(document.getElementById(newEmployeeID).childNodes[2].firstChild.nodeValue);
       var text3 = document.createTextNode(document.getElementById(newEmployeeID).childNodes[3].firstChild.nodeValue);
       var text4 = document.createTextNode(document.getElementById(newEmployeeID).childNodes[4].firstChild.nodeValue);
       TD0.appendChild(text0);
       TD1.appendChild(text1);
       TD2.appendChild(text2);
       TD3.appendChild(text3);
       TD4.appendChild(text4);
       TR.appendChild(TD0);
       TR.appendChild(TD1);
       TR.appendChild(TD2);
       TR.appendChild(TD3);
       TR.appendChild(TD4);
       document.getElementById("employeeRecord").appendChild(TR);
   }
 }
 function fetchUserData() {
-   if (!dataFetched) {
+    if (!dataFetched) {
-       dataFetched = true;
+        dataFetched = true;
-       ajaxFunction(document.getElementById("userID").value);
+        ajaxFunction(document.getElementById("userID").value);
-   }
+    }
 }
 function ajaxFunction(userId) {
-
+    $.get("clientSideFiltering/salaries?userId=" + userId, function (result, status) {
-   var xmlHttp;
+        var newdiv = document.createElement("div");
-   try {
+        newdiv.innerHTML = result;
-
+        var container = document.getElementById("hiddenEmployeeRecords");
-       // Firefox, Opera 8.0+, Safari
+        container.appendChild(newdiv);
-       xmlHttp = new XMLHttpRequest();
+    });
   }
   catch (e) {
       // Internet Explorer
       try {
           xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
       }
       catch (e) {
           try {
               xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
           }
           catch (e) {
               alert("Your browser does not support AJAX!");
               return false;
           }
       }
   }
   xmlHttp.onreadystatechange = function () {
       var result = xmlHttp.responseText;
       if (xmlHttp.readyState == 4) {
           //We need to do this because IE is buggy
           var newdiv = document.createElement("div");
           newdiv.innerHTML = result;
           var container = document.getElementById("hiddenEmployeeRecords");
           container.appendChild(newdiv);
       }
   }
   xmlHttp.open("GET", "/WebGoat/clientSideFiltering/salaries?userId=" + userId, true);
   xmlHttp.send(null);
 }
--- a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/lessonPlans/en/ClientSideFiltering.html
+++ b/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/lessonPlans/en/ClientSideFiltering.html
@ -1,12 +0,0 @@
 <div align="Center">
 <p><b>Lesson Plan Title: </b>Client Side Filtering</p>
 </div>
 <p><b>Concept / Topic To Teach:</b> </p>
 <!-- Start Instructions -->
 It is always a good practice to send to the client only information which they are supposed
 to have access to.  In this lesson, too much information is being sent to the client, creating
 a serious access control problem.
 <!-- Stop Instructions -->
 <p><b>General Goal(s):</b> </p>
 For this exercise, your mission is exploit the extraneous information being returned by the
 server to discover information to which you should not have access.