dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

adding XHR lesson

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@254 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
rogan.dawes 2008-01-10 10:46:57 +00:00
parent 4066296d30
commit 457a868113
4 changed files with 319 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

204
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SameOriginPolicyProtection.java Normal file
View File

@ -0,0 +1,204 @@
package org.owasp.webgoat.lessons;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.H2;
import org.apache.ecs.html.H3;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.Script;
import org.apache.ecs.html.TextArea;
import org.apache.ecs.xhtml.button;
import org.apache.ecs.xhtml.link;
import org.owasp.webgoat.session.*;
public class SameOriginPolicyProtection extends LessonAdapter
{
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
ec.addElement(new Script()
.setSrc("javascript/sameOrigin.js"));
Input hiddenWGStatus = new Input(Input.HIDDEN,"hiddenWGStatus",0);
hiddenWGStatus.setID("hiddenWGStatus");
ec.addElement(hiddenWGStatus);
Input hiddenGoogleStatus = new Input(Input.HIDDEN,"hiddenGoogleStatus",0);
hiddenGoogleStatus.setID("hiddenGoogleStatus");
ec.addElement(hiddenGoogleStatus);
ec.addElement(new StringElement("Enter a URL: "));
ec.addElement(new BR());
TextArea urlArea = new TextArea();
urlArea.setID("requestedURL");
urlArea.setRows(1);
urlArea.setCols(60);
urlArea.setWrap("SOFT");
ec.addElement(urlArea);
button b = new button();
b.setValue("Go!");
b.setType(button.button);
b.setName("Go!");
b.setOnClick("submitXHR();");
b.addElement("Go!");
ec.addElement(b);
ec.addElement(new BR());
ec.addElement(new BR());
H3 reponseTitle = new H3("Response: ");
reponseTitle.setID("responseTitle");
ec.addElement(reponseTitle);
//ec.addElement(new BR());
TextArea ta = new TextArea();
ta.setName("responseArea");
ta.setID("responseArea");
ta.setCols(60);
ta.setRows(4);
ec.addElement(ta);
ec.addElement(new BR());
String webGoatURL = "lessons/Ajax/sameOrigin.jsp";
String googleURL = "http://www.google.com/search?q=aspect+security";
ec.addElement(new BR());
A webGoat = new A();
webGoat.setHref("javascript:populate(\"" + webGoatURL + "\")");
webGoat.addElement("Click here to try a Same Origin request:<BR/> " + webGoatURL);
ec.addElement(webGoat);
ec.addElement(new BR());
ec.addElement(new BR());
A google = new A();
google.setHref("javascript:populate(\"" + googleURL + "\")");
google.addElement("Click here to try a Different Origin request:<BR/> " + googleURL);
ec.addElement(google);
}
catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
int hiddenWGStatusInt = s.getParser().getIntParameter("hiddenWGStatus",0);
int hiddenGoogleStatusInt = s.getParser().getIntParameter("hiddenGoogleStatus",0);
System.out.println("hiddenWGStatus:" + hiddenWGStatusInt);
System.out.println("hiddenGoogleStatusInt:" + hiddenGoogleStatusInt);
if (hiddenWGStatusInt == 1 && hiddenGoogleStatusInt == 1)
{
makeSuccess(s);
}
return (ec);
}
/**
* Gets the hints attribute of the HelloScreen object
*
* @return The hints value
*/
public List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Enter a URL to see if it is allowed.");
hints.add("Click both of the links below to complete the lesson");
return hints;
}
/**
* Gets the ranking attribute of the HelloScreen object
*
* @return The ranking value
*/
private final static Integer DEFAULT_RANKING = new Integer(10);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
protected Category getDefaultCategory()
{
return Category.AJAX_SECURITY;
}
/**
* Gets the title attribute of the HelloScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Same Origin Policy Protection");
}
public Element getCredits()
{
return super.getCustomCredits("", ASPECT_LOGO);
}
public String getInstructions(WebSession s) {
String instructions = "This exercise demonstrates the " +
"Same Origin Policy Protection. XHR requests can only be passed back to " +
" the originating server. Attempts to pass data to a non-originating server " +
" will fail.";
return (instructions);
}
}

101
webgoat/main/project/WebContent/javascript/sameOrigin.js Normal file
View File

@ -0,0 +1,101 @@
function submitXHR(){
document.getElementById("responseTitle").innerHTML="Response: ";
document.getElementById("responseArea").innerHTML="";
alert("creating XHR request for: " + document.getElementById("requestedURL").value);
try{
ajaxFunction();
}
catch(err){
alert(err);
document.getElementById("requestedURL").value="";
}
}
function ajaxFunction()
{
var xmlHttp;
try
{
// Firefox, Opera 8.0+, Safari
xmlHttp=new XMLHttpRequest();
}
catch (e)
{
// Internet Explorer
try
{
xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
}
catch (e)
{
try
{
xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
}
catch (e)
{
alert("Your browser does not support AJAX!");
return false;
}
}
}
xmlHttp.onreadystatechange=function()
{
var result = xmlHttp.responseText;
if(xmlHttp.readyState==4)
{
document.getElementById("responseTitle").innerHTML="Response from: "
+ document.getElementById("requestedURL").value ;
document.getElementById("responseArea").innerHTML=result;
document.getElementById("requestedURL").value="";
}
}
xmlHttp.open("GET",document.getElementById("requestedURL").value,true);
xmlHttp.send(null);
}
function populate(url){
document.getElementById("requestedURL").value=url;
submitXHR();
var webGoatURL = "lessons/Ajax/sameOrigin.jsp";
var googleURL = "http://www.google.com/search?q=aspect+security";
var hiddenWGStatus = document.getElementById("hiddenWGStatus");
var hiddenGoogleStatus = document.getElementById("hiddenGoogleStatus");
if (url == webGoatURL){
hiddenWGStatus.value = 1;
}
if (url == googleURL){
hiddenGoogleStatus.value = 1;
}
if (hiddenWGStatus.value == 1 && hiddenGoogleStatus.value == 1){
document.form.submit();
}
}

13
webgoat/main/project/WebContent/lesson_plans/SameOriginPolicyProtection.html Normal file
View File

@ -0,0 +1,13 @@
<div align="Center">
<p><b>Lesson Plan Title: </b>Same Origin Policy Protection</p>
</div>
<p><b>Concept / Topic To Teach:</b> </p>
<!-- Start Instructions -->
A key element of AJAX is the XMLHttpRequest (XHR), which allows javascript to make asynchronous
calls from the client side to a server. However, as a security measure these requests may
only be made to the server from which the client page originated.
<!-- Stop Instructions -->
<p><b>General Goal(s):</b> </p>
This exercise demonstrates the Same Origin Policy Protection. XHR requests
can only be passed back to the originating server. Attempts to pass data to
a non-originating server will fail.";

1
webgoat/main/project/WebContent/lessons/Ajax/sameOrigin.jsp Normal file
View File

@ -0,0 +1 @@
Good Response