From 5854b66614c449f61173f96420794f892a51106f Mon Sep 17 00:00:00 2001 From: "brandon.devries" Date: Thu, 14 Aug 2008 14:31:17 +0000 Subject: [PATCH] minor bug fixes and enhancements, including proper dollar value formatting git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@364 4033779f-a91e-0410-96ef-6bf7bf53c507 --- .../webgoat/lessons/Challenge2Screen.java | 13 ++-- .../org/owasp/webgoat/lessons/HttpBasics.java | 1 + .../webgoat/lessons/RandomLessonAdapter.java | 35 ++++++++++- .../owasp/webgoat/lessons/ReflectedXSS.java | 29 +++++---- .../RoleBasedAccessControl.java | 14 ++--- .../webgoat/lessons/SessionFixation.java | 2 +- .../owasp/webgoat/lessons/SoapRequest.java | 6 +- .../webgoat/lessons/SqlNumericInjection.java | 2 +- .../owasp/webgoat/lessons/UncheckedEmail.java | 4 +- .../org/owasp/webgoat/session/CreateDB.java | 60 ++++++++++++++++++- .../owasp/webgoat/session/LessonTracker.java | 14 ++--- .../WebContent/WEB-INF/webgoat_sqlserver.sql | 2 +- .../WebContent/lesson_plans/HttpBasics.html | 2 +- .../lesson_plans/PasswordStrength.html | 2 +- .../lesson_solutions/SqlNumericInjection.html | 2 +- .../RoleBasedAccessControl/ViewProfile.jsp | 38 ++++++------ main/project/WebContent/main.jsp | 13 +++- 17 files changed, 168 insertions(+), 71 deletions(-) diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java b/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java index 2b06a26ab..8a6dd3673 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java @@ -26,6 +26,7 @@ import org.apache.ecs.html.BR; import org.apache.ecs.html.Center; import org.apache.ecs.html.H1; import org.apache.ecs.html.HR; +import org.apache.ecs.html.IFrame; import org.apache.ecs.html.Input; import org.apache.ecs.html.P; import org.apache.ecs.html.TD; 
@@ -383,18 +384,14 @@ public class Challenge2Screen extends SequentialLessonAdapter { ElementContainer ec = new ElementContainer(); - // get current text and compare to the new text - String origpath = s.getContext().getRealPath(WEBGOAT_CHALLENGE + "_" + s.getUserName() + JSP); - String defaced = getFileText(new BufferedReader(new FileReader(origpath)), false); - String origText = getFileText(new BufferedReader(new FileReader(s.getContext() - .getRealPath(WEBGOAT_CHALLENGE_JSP))), false); - // show webgoat.jsp text ec.addElement(new H1().addElement("Original Website Text")); - ec.addElement(new P().addElement(origText)); + ec.addElement(new IFrame().setHeight("500").setWidth("100%").setSrc("/WebGoat/" + WEBGOAT_CHALLENGE_JSP)); ec.addElement(new HR()); ec.addElement(new H1().addElement("Defaced Website Text")); - ec.addElement(new P().addElement(defaced)); + ec.addElement(new IFrame().setHeight("500").setWidth("100%").setSrc( + "/WebGoat/" + WEBGOAT_CHALLENGE + "_" + + s.getUserName() + JSP)); ec.addElement(new HR()); return ec; diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java b/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java index f5406f37f..60b9c2c3a 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java @@ -92,6 +92,7 @@ public class HttpBasics extends LessonAdapter { List hints = new ArrayList(); hints.add("Type in your name and press 'go'"); + hints.add("Turn on Show Parameters or other features"); hints.add("Try to intercept the request with WebScarab"); hints.add("Press the Show Lesson Plan button to view a lesson summary"); hints.add("Press the Show Solution button to view a lesson solution"); diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/RandomLessonAdapter.java b/main/project/JavaSource/org/owasp/webgoat/lessons/RandomLessonAdapter.java index f45d1951e..6efc78dd6 100755 
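Review bot: Both new IFrame `src` values hard-code the `/WebGoat/` context root, so the frames point at a path that does not exist as soon as the application is deployed under a different context path; derive the prefix from the request, e.g. `String base = s.getRequest().getContextPath() + "/";` and then `setSrc(base + WEBGOAT_CHALLENGE_JSP)` and `setSrc(base + WEBGOAT_CHALLENGE + "_" + s.getUserName() + JSP)`. The user name is also concatenated straight into an attribute value; it comes from the authenticated session so the exposure is small, but URL-encoding it before it lands in `src` keeps the markup well-formed for any name WebGoat accepts. With the `getFileText`/`FileReader` calls gone, check the file's imports for a now-unused `BufferedReader`/`FileReader`. The enclosing method starts outside the hunk.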
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/RandomLessonAdapter.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/RandomLessonAdapter.java @@ -1,6 +1,10 @@ package org.owasp.webgoat.lessons; +import java.sql.Connection; +import java.sql.SQLException; +import org.owasp.webgoat.session.CreateDB; +import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.LessonTracker; import org.owasp.webgoat.session.RandomLessonTracker; import org.owasp.webgoat.session.WebSession; @@ -14,6 +18,19 @@ public abstract class RandomLessonAdapter extends LessonAdapter public void setStage(WebSession s, String stage) { getLessonTracker(s).setStage(stage); + try + { + Connection connection = DatabaseUtilities.getConnection(s); + + CreateDB db = new CreateDB(); + db.makeDB(connection); + System.out.println("Successfully refreshed the database."); + + } catch (SQLException sqle) + { + System.out.println("Error refreshing the database!"); + sqle.printStackTrace(); + } } public String getStage(WebSession s) @@ -31,8 +48,22 @@ public abstract class RandomLessonAdapter extends LessonAdapter } else { - s.setMessage("You have completed " + stage + "."); - if (!stage.equals(lt.getStage())) s.setMessage(" Welcome to " + lt.getStage()); + s.setMessage("You have completed Stage " + (lt.getStageNumber(stage) + 1) + ": " + stage + "."); + if (!stage.equals(lt.getStage())) + s.setMessage(" Welcome to Stage " + (lt.getStageNumber(lt.getStage()) + 1) + ": " + lt.getStage()); + } + try + { + Connection connection = DatabaseUtilities.getConnection(s); + + CreateDB db = new CreateDB(); + db.makeDB(connection); + System.out.println("Successfully refreshed the database."); + + } catch (SQLException sqle) + { + System.out.println("Error refreshing the database!"); + sqle.printStackTrace(); } } 
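Review bot: The database refresh added to `setStage` swallows failure: a `SQLException` is only printed to stdout and the method returns as though the lesson data had been reset, so the stage continues against stale tables with no signal to the caller or the user, even though `s.setMessage` is available. The same twelve lines are duplicated in the `@@ -31,8 +48,22 @@` hunk below; pull them into one private helper that reports the failure to the user and let both call sites use it. If `DatabaseUtilities.getConnection(s)` hands out a fresh connection rather than a session-managed one, that helper is also where it should be closed — confirm against DatabaseUtilities. The method in the second hunk starts outside the hunk.
```java
public void setStage(WebSession s, String stage)
{
    getLessonTracker(s).setStage(stage);
    refreshDatabase(s);
}

// Rebuilds the lesson tables so each stage starts from known data.
// On failure the user is told; the stage change itself still stands.
private void refreshDatabase(WebSession s)
{
    try
    {
        Connection connection = DatabaseUtilities.getConnection(s);
        new CreateDB().makeDB(connection);
    } catch (SQLException sqle)
    {
        s.setMessage("Error refreshing the lesson database.");
        sqle.printStackTrace();
    }
}
// … unchanged: getStage(); the duplicated block in the @@ -31,8 +48,22 @@ hunk becomes refreshDatabase(s) …
```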
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java b/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java index ec3d1b06f..f0634fe19 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java @@ -1,6 +1,7 @@ package org.owasp.webgoat.lessons; +import java.text.DecimalFormat; import java.util.ArrayList; import java.util.List; import java.util.regex.Pattern; @@ -76,6 +77,8 @@ public class ReflectedXSS extends LessonAdapter float total = 0.0f; float runningTotal = 0.0f; + DecimalFormat money = new DecimalFormat("$0.00"); + // test input field1 if (!pattern1.matcher(param1).matches()) { 
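Review bot: `new DecimalFormat("$0.00")` takes its symbols from the JVM's default locale, so on a server whose locale uses a comma decimal separator the amounts render as `$1,50`; pin the symbols with `DecimalFormat money = new DecimalFormat("$0.00", new DecimalFormatSymbols(Locale.US));` (adds `java.text.DecimalFormatSymbols` and `java.util.Locale` imports). That single change covers every `money.format(...)` call in the three following hunks. The totals themselves are still computed in `float` (`quantity * 69.99f`), which the formatter rounds for display but does not make exact; a short `// display-only: float arithmetic` comment next to the declaration would keep anyone from comparing these values later. The enclosing method starts outside the hunk.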
@@ -110,36 +113,36 @@ public class ReflectedXSS extends LessonAdapter tr.addElement(new TD().addElement("69.99").setAlign("right")); tr.addElement(new TD().addElement( new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1", - "1"))) - .setAlign("right")); + "1")) + .setSize(6)).setAlign("right")); quantity = s.getParser().getFloatParameter("QTY1", 0.0f); total = quantity * 69.99f; runningTotal += total; - tr.addElement(new TD().addElement("$" + total)); + tr.addElement(new TD().addElement(money.format(total))); t.addElement(tr); tr = new TR(); tr.addElement(new TD().addElement("Dynex - Traditional Notebook Case")); tr.addElement(new TD().addElement("27.99").setAlign("right")); tr.addElement(new TD().addElement( new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2", - "1"))) - .setAlign("right")); + "1")) + .setSize(6)).setAlign("right")); quantity = s.getParser().getFloatParameter("QTY2", 0.0f); total = quantity * 27.99f; runningTotal += total; - tr.addElement(new TD().addElement("$" + total)); + tr.addElement(new TD().addElement(money.format(total))); t.addElement(tr); tr = new TR(); tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel Centrino")); tr.addElement(new TD().addElement("1599.99").setAlign("right")); tr.addElement(new TD().addElement( new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3", - "1"))) - .setAlign("right")); + "1")) + .setSize(6)).setAlign("right")); quantity = s.getParser().getFloatParameter("QTY3", 0.0f); total = quantity * 1599.99f; runningTotal += total; - tr.addElement(new TD().addElement("$" + total)); + tr.addElement(new TD().addElement(money.format(total))); t.addElement(tr); tr = new TR(); tr.addElement(new TD().addElement("3 - Year Performance Service Plan $1000 and Over ")); 
@@ -147,12 +150,12 @@ public class ReflectedXSS extends LessonAdapter tr.addElement(new TD().addElement( new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4", - "1"))) - .setAlign("right")); + "1")) + .setSize(6)).setAlign("right")); quantity = s.getParser().getFloatParameter("QTY4", 0.0f); total = quantity * 299.99f; runningTotal += total; - tr.addElement(new TD().addElement("$" + total)); + tr.addElement(new TD().addElement(money.format(total))); t.addElement(tr); ec.addElement(t); @@ -168,7 +171,7 @@ public class ReflectedXSS extends LessonAdapter tr = new TR(); tr.addElement(new TD().addElement("The total charged to your credit card:")); - tr.addElement(new TD().addElement("$" + runningTotal)); + tr.addElement(new TD().addElement(money.format(runningTotal))); tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart"))); t.addElement(tr); tr = new TR(); diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java b/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java index dc0d23294..af60b8677 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java @@ -7,11 +7,6 @@ import java.io.IOException; import java.util.ArrayList; import java.util.List; import org.apache.ecs.ElementContainer; -import org.apache.ecs.StringElement; -import org.apache.ecs.html.Body; -import org.apache.ecs.html.Head; -import org.apache.ecs.html.Html; -import org.apache.ecs.html.Title; import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile; 
@@ -100,23 +95,24 @@ public class RoleBasedAccessControl extends GoatHillsFinancial */ protected List getHints(WebSession s) { - String stage = getStage(s); List hints = new ArrayList(); hints.add("Many sites attempt to restrict access to resources by role."); hints.add("Developers frequently make mistakes implementing this scheme."); hints.add("Attempt combinations of users, roles, and resources."); // Stage 1 - hints.add("Stage1: How does the application know that the user selected the delete function?"); - hints.add("Stage2: You have to code to check the authorization of the user for the action."); // Stage 2 + hints.add("Stage2: You have to code to check the authorization of the user for the action."); + // Stage 3 hints.add("Stage3: How does the application know that the user selected any particular employee to view?"); // Stage 4 + hints.add("Note that the contents of the staff listing change depending on who is logged in."); + hints .add("Stage4: You have to code to check the authorization of the user for the action on a certain employee."); @@ -147,7 +143,7 @@ public class RoleBasedAccessControl extends GoatHillsFinancial instructions = "Stage 1: Bypass Presentational Layer Access Control.
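Review bot: Removing the Stage1 hint leaves the `// Stage 1` comment with nothing under it, so it now suggests the stage-1 hint is produced elsewhere; either drop the comment or put a stage-1 hint back beneath it. Since the `stage` local was removed, the list is no longer keyed by stage and every stage sees every hint, which may well be the intent — if so, a one-line comment above the list such as `// hints for all stages are shown regardless of the current stage` saves the next reader from re-adding the lookup. The method's `return` and closing brace are outside the hunk.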
" + "As regular employee 'Tom', exploit weak access control to use the Delete function from the Staff List page. " + "Verify that Tom's profile can be deleted." - + "The password for a user is always his prename."; + + "The password for a user is always their first name."; } else if (STAGE2.equals(stage)) { diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java index 991abfe62..18fcc4680 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java @@ -245,7 +245,7 @@ public class SessionFixation extends SequentialLessonAdapter + "During the last week we had a few problems with our database. " + "We have received many complaints regarding incorrect account details. " + "Please use the following link to verify your account " - + "data:


Goat Hills Financial


" + "We are sorry for the any inconvenience and thank you for your cooparation.

" diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SoapRequest.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SoapRequest.java index f82b3b92e..f284814a2 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/SoapRequest.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SoapRequest.java @@ -300,8 +300,8 @@ public class SoapRequest extends SequentialLessonAdapter { getLessonTracker(s).setStage(3); s.setMessage("Stage 2 completed. "); - // s.setMessage("Now, you'll craft a SOAP envelope for invoking a web service - // directly."); + // s.setMessage( + // "Now, you'll craft a SOAP envelope for invoking a web service directly."); // Redirect user to Stage2 content. ec.addElement(doStage3(s)); @@ -347,7 +347,7 @@ public class SoapRequest extends SequentialLessonAdapter // before completing the lesson. if ((accessFirstName + accessLastName + accessCreditCard + accessLoginCount) >= 2) { - /** Reset function access counters * */ + /** Reset function access counters **/ accessFirstName = accessLastName = accessCreditCard = accessLoginCount = 0; // SoapRequest.completed = true; makeSuccess(s); diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java index 7d5e4bd67..3ddaaed41 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java 
@@ -316,7 +316,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter + "\"SELECT * FROM weather_data WHERE station = \" + station "); hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. " + "Try appending a SQL statement that always resolves to true."); - hints.add("Try to intercept the post request with WebScarab and replace the station " + "with 101 OR 1 = 1"); + hints.add("Try to intercept the post request with WebScarab and replace the station " + "with [ 101 OR 1 = 1 ]."); return hints; } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java b/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java index 3be3cc432..9264dd482 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java @@ -131,8 +131,8 @@ public class UncheckedEmail extends LessonAdapter s.setMessage("The attack worked! Now try to attack another person than the admin."); } - // only complete the lesson if they changed the "to" hidden field and they sen a - // scripttag in the message + // only complete the lesson if they changed the "to" hidden field and they send a + // script tag in the message if (to.length() > 0 && !"webgoat.admin@owasp.org".equals(to) && message.contains("
The user should become familiar with the features of WebGoat by manipulating the above -buttons to view hints and solution. You have to use WebScarab for the first time. +buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using WebScarab for the first time. \ No newline at end of file diff --git a/main/project/WebContent/lesson_plans/PasswordStrength.html b/main/project/WebContent/lesson_plans/PasswordStrength.html index 83900f200..d5025216d 100644 --- a/main/project/WebContent/lesson_plans/PasswordStrength.html +++ b/main/project/WebContent/lesson_plans/PasswordStrength.html @@ -3,7 +3,7 @@

Concept / Topic To Teach:

-Accounts are only as secure as there passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the better. +Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the better.

General Goal(s):

diff --git a/main/project/WebContent/lesson_solutions/SqlNumericInjection.html b/main/project/WebContent/lesson_solutions/SqlNumericInjection.html index 2d61caad5..eb5c210ac 100644 --- a/main/project/WebContent/lesson_solutions/SqlNumericInjection.html +++ b/main/project/WebContent/lesson_solutions/SqlNumericInjection.html @@ -620,7 +620,7 @@ style='font-family:"Arial","sans-serif"'>Solution:

 

The -application is taking the input from the select box and inserts it at the end of a pre-formed +application is taking the input from the select box and inserting it at the end of a pre-formed SQL command.

Compound SQL diff --git a/main/project/WebContent/lessons/RoleBasedAccessControl/ViewProfile.jsp b/main/project/WebContent/lessons/RoleBasedAccessControl/ViewProfile.jsp index 896eec8f3..6b5ecab0d 100644 --- a/main/project/WebContent/lessons/RoleBasedAccessControl/ViewProfile.jsp +++ b/main/project/WebContent/lessons/RoleBasedAccessControl/ViewProfile.jsp @@ -2,9 +2,9 @@ import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl" errorPage="" %> <% - Employee employee = (Employee) session.getAttribute("RoleBasedAccessControl." + RoleBasedAccessControl.EMPLOYEE_ATTRIBUTE_KEY); WebSession webSession = ((WebSession)session.getAttribute("websession")); -// int myUserId = getIntSessionAttribute(webSession, "RoleBasedAccessControl." + RoleBasedAccessControl.USER_ID); + Employee employee = (Employee) session.getAttribute("RoleBasedAccessControl." + RoleBasedAccessControl.EMPLOYEE_ATTRIBUTE_KEY); + //int myUserId = webSession.getUserIdInLesson(); %>

Welcome Back <%=webSession.getUserNameInLesson()%> - View Profile Page
@@ -13,71 +13,71 @@ First Name: - <%=employee.getFirstName()%> + <%=(employee == null ? "unknown" : employee.getFirstName())%> Last Name: - <%=employee.getLastName()%> + <%=(employee == null ? "unknown" : employee.getLastName())%> Street: - <%=employee.getAddress1()%> + <%=(employee == null ? "unknown" : employee.getAddress1())%> City/State: - <%=employee.getAddress2()%> + <%=(employee == null ? "unknown" : employee.getAddress2())%> Phone: - <%=employee.getPhoneNumber()%> + <%=(employee == null ? "unknown" : employee.getPhoneNumber())%> Start Date: - <%=employee.getStartDate()%> + <%=(employee == null ? "unknown" : employee.getStartDate())%> SSN: - <%=employee.getSsn()%> + <%=(employee == null ? "unknown" : employee.getSsn())%> Salary: - <%=employee.getSalary()%> + <%=(employee == null ? "unknown" : employee.getSalary())%> Credit Card: - <%=employee.getCcn()%> + <%=(employee == null ? "unknown" : employee.getCcn())%> Credit Card Limit: - <%=employee.getCcnLimit()%> + <%=(employee == null ? "unknown" : employee.getCcnLimit())%> Comments: - <%=employee.getPersonalDescription()%> + <%=(employee == null ? "unknown" : employee.getPersonalDescription())%> @@ -88,11 +88,11 @@ Disc. Dates: - <%=employee.getDisciplinaryActionDate()%> + <%=(employee == null ? "unknown" : employee.getDisciplinaryActionDate())%> - <%=employee.getDisciplinaryActionNotes()%> + <%=(employee == null ? "unknown" : employee.getDisciplinaryActionNotes())%> @@ -100,7 +100,7 @@ Manager: - <%=employee.getManager()%> + <%=(employee == null ? "unknown" : employee.getManager())%> @@ -114,7 +114,7 @@ { %>
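Review bot: The `employee == null ? "unknown" : ...` guard is repeated for all fourteen fields in this hunk and again in the `@@ -88,11 +88,11 @@` and `@@ -100,7 +100,7 @@` hunks, which hides the real condition (no employee attribute in the session) behind a full profile table of "unknown" values, SSN and credit-card cells included. Check once where the attribute is read and wrap the table in a single `<% if (employee != null) { %> … <% } else { %>No employee selected.<% } %>` block, leaving the per-field expressions as plain `<%=employee.getX()%>`. Unrelated to this change, the field values are written with `<%= %>` without HTML encoding; if that is not part of what the lesson teaches, routing them through an encoder is the fix.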
- + ">
<% @@ -126,7 +126,7 @@ { %>
- + ">
<% @@ -139,7 +139,7 @@ { %>
- + ">
<% diff --git a/main/project/WebContent/main.jsp b/main/project/WebContent/main.jsp index 55cc9dcfc..451258783 100644 --- a/main/project/WebContent/main.jsp +++ b/main/project/WebContent/main.jsp @@ -98,6 +98,7 @@ StringBuffer buildList = new StringBuffer(); <% if (lesson instanceof RandomLessonAdapter) { RandomLessonAdapter rla = (RandomLessonAdapter) lesson; String[] stages = rla.getStages(); + if (stages != null) for (int i=0; i <%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%>Stage <%=i+1%>: <%=stages[i] %> @@ -216,7 +217,17 @@ StringBuffer buildList = new StringBuffer();
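Review bot: `if (stages != null)` is an unbraced `if` wrapping a `for` whose body crosses scriptlet boundaries, so the scope is easy to misread and the next line added between the two silently changes what is guarded; brace it, `if (stages != null) { for (...) { %> ... <% } }`, or better, have `getStages()` return an empty array so the view needs no null check — confirm whether `RandomLessonAdapter.getStages()` can actually return null. The loop header on the following line is garbled in this copy, so the loop body itself cannot be checked here.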
Close this Window
-
<%=webSession.getInstructions()%>
+
+ <% + AbstractLesson lesson = webSession.getCurrentLesson(); + if (lesson instanceof RandomLessonAdapter) { + RandomLessonAdapter rla = (RandomLessonAdapter) lesson; + %> +
Stage <%= rla.getLessonTracker(webSession).getStageNumber(rla.getStage(webSession)) + 1 %>
+ <% + } + %> + <%=webSession.getInstructions()%>
<%=webSession.getMessage()%>
<%