From 575d040c2443a0062bad8e6199d7ae487f574dbb Mon Sep 17 00:00:00 2001
From: "sherif.fathy" <sherif.fathy@4033779f-a91e-0410-96ef-6bf7bf53c507>
Date: Thu, 21 Dec 2006 04:39:32 +0000
Subject: [PATCH] Added XMLInjection lesson Modified DOM Injection lesson Added
 gratification to http splitting

git-svn-id: http://webgoat.googlecode.com/svn/trunk@37 4033779f-a91e-0410-96ef-6bf7bf53c507
---
 .../owasp/webgoat/lessons/DOMInjection.java   |  22 --
 .../owasp/webgoat/lessons/HttpSplitting.java  |  30 ++-
 .../owasp/webgoat/lessons/XMLInjection.java   | 205 ++++++++++++++++++
 .../WebContent/lesson_plans/XMLInjection.html |  18 ++
 4 files changed, 248 insertions(+), 27 deletions(-)
 create mode 100644  webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java
 create mode 100644  webgoat/main/project/WebContent/lesson_plans/XMLInjection.html

diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java
index ab89ef7e9..2de1c05e0 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java	
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java	
@@ -8,32 +8,17 @@ import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
 import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Form;
 import org.apache.ecs.html.H1;
 import org.apache.ecs.html.Input;
 import org.apache.ecs.html.TD;
 import org.apache.ecs.html.TR;
 import org.apache.ecs.html.Table;
-import org.apache.ecs.html.Button;
-import org.owasp.webgoat.session.ECSFactory;
 import org.owasp.webgoat.session.WebSession;
 
 public class DOMInjection extends LessonAdapter {
 
 	private final static Integer DEFAULT_RANKING = new Integer(10);
 	private final static String KEY = "key";
-	/*public void handleRequest( WebSession s )
-	{
-		//Setting a special action to be able to submit to redirect.jsp
-		Form form = new Form( "/WebGoat/lessons/AJAXSecurity/DOMInjection.jsp?" +
-				        "Screen=" + String.valueOf(getScreenId()) +
-				        "&menu=" + getDefaultCategory().getRanking().toString()
-				        , Form.POST ).setName( "form" ).setEncType( "" );
-
-		form.addElement( createContent( s ) );
-
-        setContent(form);
-	}*/
 	
 	protected Element createContent(WebSession s) {
 		
@@ -68,7 +53,6 @@ public class DOMInjection extends LessonAdapter {
 		String lineSep = System.getProperty("line.separator");
 		String script  =  "<script>" + lineSep +
 			"function validate() {" + lineSep +
-			"alert('we are here');" + lineSep +
 			"var keyField = document.getElementById('key');" + lineSep +
 			"var url = '/WebGoat/attack?Screen=" + String.valueOf(getScreenId()) +
 			"&menu=" + getDefaultCategory().getRanking().toString() +
@@ -126,25 +110,21 @@ public class DOMInjection extends LessonAdapter {
 		return ec ;
 	}
 
-	@Override
 	public Element getCredits() {
 
 		return new StringElement("This screen created by: Sherif Koussa");
 	}
 
-	@Override
 	protected Category getDefaultCategory() {
 		
 		return AJAX_SECURITY;
 	}
 
-	@Override
 	protected Integer getDefaultRanking() {
 		
 		return DEFAULT_RANKING;
 	}
 
-	@Override
 	protected List getHints() {
 		
 		List<String> hints = new ArrayList<String>();
@@ -154,9 +134,7 @@ public class DOMInjection extends LessonAdapter {
 		return hints;
 	}
 
-	@Override
 	public String getTitle() {
-		// TODO Auto-generated method stub
 		return "DOM Injection";
 	}
 
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
index cfc7481b2..ca612fc88 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java	
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java	
@@ -1,4 +1,6 @@
 package org.owasp.webgoat.lessons;
+import java.io.PrintWriter;
+import java.net.URLDecoder;
 import java.util.*;
 
 import org.apache.ecs.*;
@@ -42,14 +44,14 @@ public class HttpSplitting extends LessonAdapter {
 	protected Element createContent(WebSession s)
 	{
 		ElementContainer ec = new ElementContainer();
-		StringBuffer lang = null;
+		String lang = null;
 		
 		try
 		{
 			//add the text
 			ec.addElement( new StringElement( "Search by country : " ) );
 
-			lang = new StringBuffer( s.getParser().getStringParameter( LANGUAGE, "" ) );
+			lang = URLDecoder.decode(s.getParser().getRawParameter( LANGUAGE, "" )) ;
 			
 			//add the search by field
 			Input input = new Input( Input.TEXT, LANGUAGE, lang.toString() );
@@ -71,13 +73,31 @@ public class HttpSplitting extends LessonAdapter {
 		if ( lang.length() != 0 && fromRedirect.length() != 0 )
 		{	
 			//Split by the line separator line.separator is platform independant
-			String[] arrTokens = lang.toString().toUpperCase().split(System.getProperty("line.separator"));
+			String lineSep = System.getProperty("line.separator");
+			String[] arrTokens = lang.toString().toUpperCase().split(lineSep);
 			
 			//Check if the user ended the first request and wrote the second malacious reply
+			
 			if (Arrays.binarySearch(arrTokens, "CONTENT-LENGTH: 0") >= 0 &&
 					Arrays.binarySearch(arrTokens, "HTTP/1.1 200 OK") >= 0 )	
 			{	
-				ec.addElement("HTTP/1.1 200 OK" + System.getProperty("line.separator") + "test");
+				try
+				{
+					//ec.addElement("HTTP/1.1 200 OK" + System.getProperty("line.separator") + "<html>test</html>");
+					//s.getResponse().setContentType("text/html");
+					//s.getResponse().setHeader("Cache-Control", "no-cache");
+					PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
+					out.print(lang.substring(lang.indexOf("HTTP/1.1")));	
+					out.flush();
+					out.close();
+					
+					//we gotta set it manually here so that we don't throw an exception
+					getLessonTracker(s).setCompleted(true);
+				}
+				catch(Exception e)
+				{
+					e.printStackTrace();
+				}
 				makeSuccess( s );
 			}
 		}
@@ -101,7 +121,7 @@ public class HttpSplitting extends LessonAdapter {
 	
 	}
 
-	private final static Integer DEFAULT_RANKING = new Integer(10);
+	private final static Integer DEFAULT_RANKING = new Integer(20);
 
 	protected Integer getDefaultRanking()
 	{
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java
new file mode 100644
index 000000000..60e031a8f
--- /dev/null
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java	
@@ -0,0 +1,205 @@
+package org.owasp.webgoat.lessons;
+
+import java.io.PrintWriter;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.html.BR;
+import org.apache.ecs.html.Form;
+import org.apache.ecs.html.H1;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.TD;
+import org.apache.ecs.html.TH;
+import org.apache.ecs.html.TR;
+import org.apache.ecs.html.Table;
+import org.apache.ecs.html.Div;
+import org.apache.ecs.StringElement;
+
+import org.owasp.webgoat.session.WebSession;
+
+public class XMLInjection extends LessonAdapter {
+
+	private final static Integer DEFAULT_RANKING = new Integer(20);
+	private final static String ACCOUNTID = "accountID";
+
+
+	public void handleRequest(WebSession s) {
+		
+		try 
+		{
+			if(s.getParser().getRawParameter("from", "").equals("ajax"))
+			{
+				if(s.getParser().getRawParameter(ACCOUNTID, "").equals("836239"))
+				{
+					String lineSep = System.getProperty("line.separator");
+					String xmlStr = "<root>" + lineSep +
+					"<reward>WebGoat t-shirt 20 Pts</reward>" + lineSep +
+					"<reward>WebGoat Secure Kettle 50 Pts</reward>" + lineSep +
+					"<reward>WebGoat Mug 30 Pts</reward>" + lineSep + 
+					"</root>";
+					s.getResponse().setContentType("text/xml");
+					s.getResponse().setHeader("Cache-Control", "no-cache");
+					PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
+					out.print(xmlStr);	
+					out.flush();
+					out.close();
+					return;
+				}
+			}
+		}
+		catch (Exception ex)
+		{
+			ex.printStackTrace();
+		}
+		
+		Form form = new Form( getFormAction(), Form.POST ).setName( "form" ).setEncType( "" );
+
+		form.addElement( createContent( s ) );
+
+        setContent(form);
+
+	}
+
+	protected Element createContent(WebSession s) {
+		ElementContainer ec = new ElementContainer();
+		boolean isDone = false;
+		
+		if (s.getParser().getRawParameter("done", "").equals("yes"))
+		{
+			isDone = true;
+		}
+		String lineSep = System.getProperty("line.separator");
+		String script  =  "<script>" + lineSep +
+			"function getRewards() {" + lineSep +
+			"var accountIDField = document.getElementById('" + ACCOUNTID + "');" + lineSep +
+			"if (accountIDField.value.length < 6 ) { return; }" + lineSep +
+			"var url = '/WebGoat/attack?Screen=" + String.valueOf(getScreenId()) +
+			"&menu=" + getDefaultCategory().getRanking().toString() +
+			"&from=ajax&" + ACCOUNTID + "=' + encodeURIComponent(accountIDField.value);" + lineSep +	        
+			"if (typeof XMLHttpRequest != 'undefined') {" + lineSep +
+			"req = new XMLHttpRequest();" + lineSep +
+			"} else if (window.ActiveXObject) {" + lineSep +
+			"req = new ActiveXObject('Microsoft.XMLHTTP');" + lineSep +
+			"   }" + lineSep +
+			"   req.open('GET', url, true);" + lineSep +
+			"   req.onreadystatechange = callback;" + lineSep +
+			"   req.send(null);" + lineSep +
+			"}" + lineSep +
+			"function callback() {" + lineSep +
+			"    if (req.readyState == 4) { " + lineSep +
+			"        if (req.status == 200) { " + lineSep +
+			"            var rewards = req.responseXML.getElementsByTagName('root')[0];" + lineSep +
+			"			 var rewardsDiv = document.getElementById('rewardsDiv');" + lineSep +
+			"				rewardsDiv.innerHTML = '';" + lineSep +
+			"				var strHTML='';"+ lineSep +
+			"				strHTML = '<tr><td>&nbsp;</td><td>Rewards</td></tr>';" + lineSep +
+			"			 for(var i=0; i<rewards.childNodes.length; i++){" + lineSep +
+			"				var node = rewards.childNodes[i];" + lineSep +
+			"				strHTML = strHTML + '<tr><td><input name=\"check' + i +'\" type=\"checkbox\"></td><td>';" + lineSep +
+			"			    strHTML = strHTML + node.childNodes[0].nodeValue + '</td></tr>';" + lineSep +
+			"			 }" + lineSep +
+			"				strHTML = '<table>' + strHTML + '</table>';" + lineSep +
+			"               rewardsDiv.innerHTML = strHTML;"+ lineSep +
+			//"				if (rewards.childNodes.length>3){" + lineSep +
+			//"   				makeSuccess();" + lineSep +
+			//"				}" + lineSep +
+			"        }}}" + lineSep +
+			//"function makeSuccess(){" + lineSep +
+			//"var url = '/WebGoat/attack?Screen=" + String.valueOf(getScreenId()) +
+			//"&menu=" + getDefaultCategory().getRanking().toString() +
+			//"&from=ajax&done=yes';" + lineSep +	        
+			//"   req.open('GET', url, true);" + lineSep +
+			//"   req.send(null);" + lineSep +
+			//"}" + lineSep +
+			"</script>" + lineSep;
+		
+		if (!isDone)
+		{
+			ec.addElement( new StringElement(script));
+		}
+		ec.addElement( new BR().addElement (new H1().addElement( "Welcome to WebGoat-Miles Reward Miles Program.")));
+		ec.addElement( new BR());
+		
+		Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center");
+		
+		
+		TR tr = new TR();			
+		
+		tr = new TR();
+		
+		tr.addElement( new TD("Please enter your account ID:") );
+		
+		Input input1 = new Input( Input.TEXT, ACCOUNTID, "" );
+		input1.addAttribute("onkeyup", "getRewards();");
+		
+		tr.addElement( new TD(input1));
+		t1.addElement( tr );
+
+		ec.addElement(t1);
+		ec.addElement(new BR());
+		ec.addElement(new BR());
+		ec.addElement(new BR());
+		
+		Div div = new Div();
+		div.addAttribute("name", "rewardsDiv");
+		div.addAttribute("id", "rewardsDiv");
+		ec.addElement(div);
+		
+		Input b = new Input();
+		b.setType( Input.SUBMIT );
+		b.setValue( "Submit" );
+		b.setName("SUBMIT");
+		ec.addElement(b);
+		
+		if (s.getParser().getRawParameter("SUBMIT", "")!= "")
+		{
+			if(s.getParser().getRawParameter("check3", "") != "")
+			{
+				makeSuccess(s);	
+			}
+			
+		}
+		
+		return ec;
+	}
+
+	protected Element makeSuccess(WebSession s) 
+	{	    
+	    getLessonTracker( s ).setCompleted( true );
+	    
+	    s.setMessage("Congratulations. You have successfully completed this lesson.");
+	    
+	    return ( null );
+	}
+	
+	public Element getCredits() {
+		
+		return new StringElement("Created by Sherif Koussa");
+	}
+
+	protected Category getDefaultCategory() {
+		
+		return AJAX_SECURITY;
+	}
+
+	protected Integer getDefaultRanking() {
+
+		return DEFAULT_RANKING;
+	}
+
+	protected List getHints() {
+		
+		List<String> hints = new ArrayList<String>();
+		hints.add( "This page is using XMLHTTP to comunicate with the server." );
+		hints.add( "Try to intercept the reply and check the reply." );
+		hints.add( "Intercept the reply and try to inject some XML to add more rewards to yourself." );
+		return hints;
+	}
+
+	public String getTitle() {
+		return "XML Injection";
+	}
+
+}
diff --git a/ webgoat/main/project/WebContent/lesson_plans/XMLInjection.html b/ webgoat/main/project/WebContent/lesson_plans/XMLInjection.html
new file mode 100644
index 000000000..ab272d1b7
--- /dev/null
+++ b/ webgoat/main/project/WebContent/lesson_plans/XMLInjection.html	
@@ -0,0 +1,18 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b> XML Injection Attacks. </p>
+ </div>
+ 
+<p><b>Concept / Topic To Teach:</b> </p>
+ This lesson teaches how to perform XML Injection attacks.
+ <br> 
+<div align="Left"> 
+<p>
+<b>How the attacks works:</b>
+</p>
+AJAX applications use XML to exchange information with the server. This XML can be easily intercepted and altered by a malacious attacker.
+
+</div>
+<p><b>General Goal(s):</b> </p>
+<!-- Start Instructions -->
+The form below takes your WebGoat Rewards Mile account and returns back the kind of rewards you can afford. Your goal is to try to add more rewards to your allowed set of rewards. Your account ID is 836239.
+<!-- Stop Instructions -->