minor bug fixes and enhancements, including proper dollar value formatting

git-svn-id: http://webgoat.googlecode.com/svn/trunk@364 4033779f-a91e-0410-96ef-6bf7bf53c507
brandon.devries
2008-08-14 14:31:17 +00:00
parent 68357637bc
commit 5337ef31ff
17 changed files with 168 additions and 71 deletions


@ -215,7 +215,7 @@ IF EXISTS (SELECT name FROM sys.assemblies WHERE name = N'RegexMatch')
DROP ASSEMBLY RegexMatch;
GO
CREATE ASSEMBLY RegexMatch FROM 'C:\AspectClass\Database\Labs\project\WebContent\WEB-INF\RegexMatch.dll' WITH PERMISSION_SET = SAFE;
CREATE ASSEMBLY RegexMatch FROM 'C:\AspectClass\Database\Labs\tomcat\webapps\WebGoat\WEB-INF\RegexMatch.dll' WITH PERMISSION_SET = SAFE;
GO
CREATE FUNCTION webgoat_guest.RegexMatch (
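Review bot: The replacement `CREATE ASSEMBLY RegexMatch FROM 'C:\...\tomcat\webapps\WebGoat\WEB-INF\RegexMatch.dll'` still hard-codes one developer's absolute Windows path, so the script fails on any other machine or deployment layout exactly as the old path did. A comment above the statement, `-- Path must point at the deployed WEB-INF\RegexMatch.dll on the SQL Server host; adjust before running`, would at least make the requirement visible, and a SQLCMD variable for the directory would remove the per-machine edit. Keeping `WITH PERMISSION_SET = SAFE` is the right choice here, since the assembly only needs to evaluate regular expressions. The surrounding batch (the `IF EXISTS ... DROP ASSEMBLY` guard and the `CREATE FUNCTION` that follows) extends outside this hunk.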


@ -23,5 +23,5 @@ After sending the request and headers, the client may send additional data. This
Enter your name in the input field below and press "go" to submit. The server will accept the request, reverse the input, and display it back to the user, illustrating the basics of handling an HTTP request.
<br/><br/>
The user should become familiar with the features of WebGoat by manipulating the above
buttons to view hints and solution. You have to use WebScarab for the first time.
buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using WebScarab for the first time.
<!-- Stop Instructions -->


@ -3,7 +3,7 @@
</div>
<p><b>Concept / Topic To Teach:</b> </p>
<!-- Start Instructions -->
Accounts are only as secure as there passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the better.
Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the better.
<!-- Stop Instructions -->
<br>
<p><b>General Goal(s):</b> </p>


@ -620,7 +620,7 @@ style='font-family:"Arial","sans-serif"'>Solution:<o:p></o:p></span></b></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The
application is taking the input from the select box and inserts it at the end of a pre-formed
application is taking the input from the select box and inserting it at the end of a pre-formed
SQL command.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Compound SQL


@ -2,9 +2,9 @@
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl"
errorPage="" %>
<%
Employee employee = (Employee) session.getAttribute("RoleBasedAccessControl." + RoleBasedAccessControl.EMPLOYEE_ATTRIBUTE_KEY);
WebSession webSession = ((WebSession)session.getAttribute("websession"));
// int myUserId = getIntSessionAttribute(webSession, "RoleBasedAccessControl." + RoleBasedAccessControl.USER_ID);
Employee employee = (Employee) session.getAttribute("RoleBasedAccessControl." + RoleBasedAccessControl.EMPLOYEE_ATTRIBUTE_KEY);
//int myUserId = webSession.getUserIdInLesson();
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - View Profile Page</div>
<div class="lesson_text">
@ -13,71 +13,71 @@
First Name:
</TD>
<TD>
<span class="lesson_text_db"><%=employee.getFirstName()%></span>
<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getFirstName())%></span>
</TD>
<TD>
Last Name:
</TD>
<TD>
<span class="lesson_text_db"><%=employee.getLastName()%></span>
<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getLastName())%></span>
</TD>
</TR>
<TR><TD>
Street:
</TD>
<TD>
<span class="lesson_text_db"><%=employee.getAddress1()%></span>
<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getAddress1())%></span>
</TD>
<TD>
City/State:
<TD>
<span class="lesson_text_db"><%=employee.getAddress2()%></span>
<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getAddress2())%></span>
</TD>
</TR>
<TR><TD>
Phone:
</TD>
<TD>
<span class="lesson_text_db"><%=employee.getPhoneNumber()%></span>
<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getPhoneNumber())%></span>
</TD>
<TD>
Start Date:
</TD>
<TD>
<span class="lesson_text_db"><%=employee.getStartDate()%></span>
<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getStartDate())%></span>
</TD>
</TR>
<TR><TD>
SSN:
</TD>
<TD>
<span class="lesson_text_db"><%=employee.getSsn()%></span>
<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getSsn())%></span>
</TD>
<TD>
Salary:
</TD>
<TD>
<span class="lesson_text_db"><%=employee.getSalary()%></span>
<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getSalary())%></span>
</TD>
</TR>
<TR><TD>
Credit Card:
</TD>
<TD>
<span class="lesson_text_db"><%=employee.getCcn()%></span>
<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getCcn())%></span>
</TD>
<TD>
Credit Card Limit:
</TD>
<TD>
<span class="lesson_text_db"><%=employee.getCcnLimit()%></span>
<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getCcnLimit())%></span>
</TD>
</TR>
<TR><TD>
Comments:
</TD>
<TD colspan="3">
<span class="lesson_text_db"><%=employee.getPersonalDescription()%></span>
<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getPersonalDescription())%></span>
</TD>
</TR>
<TR>
@ -88,11 +88,11 @@
Disc. Dates:
</TD>
<TD>
<span class="lesson_text_db"><%=employee.getDisciplinaryActionDate()%></span>
<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getDisciplinaryActionDate())%></span>
</TD>
<TR>
<TD colspan="4">
<span class="lesson_text_db"><%=employee.getDisciplinaryActionNotes()%></span>
<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getDisciplinaryActionNotes())%></span>
</TD>
</TR>
<TR>
@ -100,7 +100,7 @@
Manager:
</TD>
<TD>
<span class="lesson_text_db"><%=employee.getManager()%></span>
<span class="lesson_text_db"><%=(employee == null ? "unknown" : employee.getManager())%></span>
</TD>
</TR>
</Table>
@ -114,7 +114,7 @@
{
%>
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=(employee == null ? "unknown" : employee.getId())%>">
<input type="submit" name="action" value="<%=RoleBasedAccessControl.LISTSTAFF_ACTION%>"/>
</form>
<%
@ -126,7 +126,7 @@
{
%>
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=(employee == null ? "unknown" : employee.getId())%>">
<input type="submit" name="action" value="<%=RoleBasedAccessControl.EDITPROFILE_ACTION%>"/>
</form>
<%
@ -139,7 +139,7 @@
{
%>
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=(employee == null ? "unknown" : employee.getId())%>">
<input type="submit" name="action" value="<%=RoleBasedAccessControl.DELETEPROFILE_ACTION%>"/>
</form>
<%
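Review bot: The three form hunks (the hidden inputs at L178, L187 and L196) fall back to the literal string `unknown` as the EMPLOYEE_ID when `employee` is null, so a page that has no profile to show still offers the list, edit and delete actions and submits a non-numeric id that the lesson handler then has to reject; wrapping each form in `if (employee != null) { ... }` and rendering one "no employee selected" line instead is simpler and keeps malformed ids off the wire (the `{` at L174, L183 and L192 that encloses each form opens outside the hunk, so the existing condition is not visible here). The same null-check-and-fallback is repeated for every field in the @ -13,71 hunk; a single guard where `employee` is read at L62 would replace eighteen ternaries. Separately, every `<%= ... %>` in this section writes stored profile fields (name, address, comments, disciplinary notes) into the page without HTML encoding; unless that is a deliberate part of the lesson, these values should be escaped at output.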


@ -98,6 +98,7 @@ StringBuffer buildList = new StringBuffer();
<% if (lesson instanceof RandomLessonAdapter) {
RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
String[] stages = rla.getStages();
if (stages != null)
for (int i=0; i<stages.length; i++) {
%>
<tr><td class="pviimenudivstage"><%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%><a href="<%=lesson.getLink() + "&stage=" + (i+1) %>">Stage <%=i+1%>: <%=stages[i] %></a>
@ -216,7 +217,17 @@ StringBuffer buildList = new StringBuffer();
<br/>
<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down','group1','plans','',1)">Close this Window</a>
</div>
<div id="lessonContent"><%=webSession.getInstructions()%></div>
<div id="lessonContent">
<%
AbstractLesson lesson = webSession.getCurrentLesson();
if (lesson instanceof RandomLessonAdapter) {
RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
%>
<div class="info">Stage <%= rla.getLessonTracker(webSession).getStageNumber(rla.getStage(webSession)) + 1 %></div>
<%
}
%>
<%=webSession.getInstructions()%></div>
<div id="message" class="info"><%=webSession.getMessage()%></div>
<%