adding XHR lesson

git-svn-id: http://webgoat.googlecode.com/svn/trunk@254 4033779f-a91e-0410-96ef-6bf7bf53c507
2008-01-10 10:46:57 +00:00
parent 4066296d30
commit 457a868113
4 changed files with 319 additions and 0 deletions
--- a/webgoat/main/project/WebContent/javascript/sameOrigin.js
+++ b/webgoat/main/project/WebContent/javascript/sameOrigin.js
@ -0,0 +1,101 @@
+
+
+
+function submitXHR(){
+
+	document.getElementById("responseTitle").innerHTML="Response: ";
+   	
+   	document.getElementById("responseArea").innerHTML=""; 
+
+	alert("creating XHR request for: " + document.getElementById("requestedURL").value);
+	
+
+	
+	try{
+		ajaxFunction();
+	}
+	catch(err){
+		alert(err);
+		document.getElementById("requestedURL").value=""; 
+	}
+}
+
+
+
+function ajaxFunction()
+  {
+	var xmlHttp;
+  try
+    {
+    // Firefox, Opera 8.0+, Safari
+    xmlHttp=new XMLHttpRequest();
+    }
+  catch (e)
+    {
+    // Internet Explorer
+    try
+      {
+      xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
+      }
+    catch (e)
+      {
+      try
+        {
+        xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
+        }
+      catch (e)
+        {
+        alert("Your browser does not support AJAX!");
+        return false;
+        }
+      }
+    }
+    xmlHttp.onreadystatechange=function()
+      {
+      
+      var result = xmlHttp.responseText;
+      if(xmlHttp.readyState==4)
+        {
+        	
+        	
+        	document.getElementById("responseTitle").innerHTML="Response from: " 
+        		+ document.getElementById("requestedURL").value ;
+        		
+        	document.getElementById("responseArea").innerHTML=result;         	
+        	
+        	document.getElementById("requestedURL").value=""; 
+        	
+        }
+      }
+      
+    xmlHttp.open("GET",document.getElementById("requestedURL").value,true);
+    xmlHttp.send(null);
+  }
+  
+  
+
+function populate(url){
+	document.getElementById("requestedURL").value=url; 
+	submitXHR();
+	
+	
+	var webGoatURL = "lessons/Ajax/sameOrigin.jsp";
+	var googleURL = "http://www.google.com/search?q=aspect+security";
+	
+	var hiddenWGStatus = document.getElementById("hiddenWGStatus");
+
+	var hiddenGoogleStatus = document.getElementById("hiddenGoogleStatus");
+	
+	
+	if (url == webGoatURL){	
+		hiddenWGStatus.value = 1;		
+	}
+	
+	if (url == googleURL){
+		hiddenGoogleStatus.value = 1;
+	}
+	
+	if (hiddenWGStatus.value == 1 && hiddenGoogleStatus.value == 1){
+		document.form.submit();
+	}
+}
--- a/webgoat/main/project/WebContent/lesson_plans/SameOriginPolicyProtection.html
+++ b/webgoat/main/project/WebContent/lesson_plans/SameOriginPolicyProtection.html
@ -0,0 +1,13 @@
+<div align="Center">
+<p><b>Lesson Plan Title: </b>Same Origin Policy Protection</p>
+</div>
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+A key element of AJAX is the XMLHttpRequest (XHR), which allows javascript to make asynchronous 
+calls from the client side to a server.  However, as a security measure these requests may 
+only be made to the server from which the client page originated.
+<!-- Stop Instructions -->
+<p><b>General Goal(s):</b> </p>
+This exercise demonstrates the Same Origin Policy Protection.  XHR requests 
+can only be passed back to the originating server.  Attempts to pass data to 
+a non-originating server will fail.";
--- a/webgoat/main/project/WebContent/lessons/Ajax/sameOrigin.jsp
+++ b/webgoat/main/project/WebContent/lessons/Ajax/sameOrigin.jsp
@ -0,0 +1 @@
+Good Response