minor bug fixes and enhancements, including proper dollar value formatting
git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@364 4033779f-a91e-0410-96ef-6bf7bf53c507
@ -26,6 +26,7 @@ import org.apache.ecs.html.BR;
|
||||
import org.apache.ecs.html.Center;
|
||||
import org.apache.ecs.html.H1;
|
||||
import org.apache.ecs.html.HR;
|
||||
import org.apache.ecs.html.IFrame;
|
||||
import org.apache.ecs.html.Input;
|
||||
import org.apache.ecs.html.P;
|
||||
import org.apache.ecs.html.TD;
|
||||
@ -383,18 +384,14 @@ public class Challenge2Screen extends SequentialLessonAdapter
|
||||
{
|
||||
ElementContainer ec = new ElementContainer();
|
||||
|
||||
// get current text and compare to the new text
|
||||
String origpath = s.getContext().getRealPath(WEBGOAT_CHALLENGE + "_" + s.getUserName() + JSP);
|
||||
String defaced = getFileText(new BufferedReader(new FileReader(origpath)), false);
|
||||
String origText = getFileText(new BufferedReader(new FileReader(s.getContext()
|
||||
.getRealPath(WEBGOAT_CHALLENGE_JSP))), false);
|
||||
|
||||
// show webgoat.jsp text
|
||||
ec.addElement(new H1().addElement("Original Website Text"));
|
||||
ec.addElement(new P().addElement(origText));
|
||||
ec.addElement(new IFrame().setHeight("500").setWidth("100%").setSrc("/WebGoat/" + WEBGOAT_CHALLENGE_JSP));
|
||||
ec.addElement(new HR());
|
||||
ec.addElement(new H1().addElement("Defaced Website Text"));
|
||||
ec.addElement(new P().addElement(defaced));
|
||||
ec.addElement(new IFrame().setHeight("500").setWidth("100%").setSrc(
|
||||
"/WebGoat/" + WEBGOAT_CHALLENGE + "_"
|
||||
+ s.getUserName() + JSP));
|
||||
ec.addElement(new HR());
|
||||
|
||||
return ec;
|
||||
|
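Review bot: The two `FileReader`s opened on the `defaced` and `origText` assignment lines are never closed after `getFileText(...)` returns, so every render of this screen leaks a file handle until finalization; wrap each reader in try/finally (or try-with-resources if the project's Java level allows) and close it once the text is read. `FileReader` also decodes with the platform default charset, so the JSP text can be mis-decoded on a non-UTF-8 host; `new InputStreamReader(new FileInputStream(origpath), "UTF-8")` pins the encoding. `origpath` is built from `s.getUserName()` and then resolved under the web root — if that value can be influenced by the user it should be validated against the expected name pattern first; worth confirming where the user name originates. The enclosing method starts before the hunk.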
@ -92,6 +92,7 @@ public class HttpBasics extends LessonAdapter
|
||||
{
|
||||
List<String> hints = new ArrayList<String>();
|
||||
hints.add("Type in your name and press 'go'");
|
||||
hints.add("Turn on Show Parameters or other features");
|
||||
hints.add("Try to intercept the request with WebScarab");
|
||||
hints.add("Press the Show Lesson Plan button to view a lesson summary");
|
||||
hints.add("Press the Show Solution button to view a lesson solution");
|
||||
|
@ -1,6 +1,10 @@
|
||||
|
||||
package org.owasp.webgoat.lessons;
|
||||
|
||||
import java.sql.Connection;
|
||||
import java.sql.SQLException;
|
||||
import org.owasp.webgoat.session.CreateDB;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.owasp.webgoat.session.LessonTracker;
|
||||
import org.owasp.webgoat.session.RandomLessonTracker;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
@ -14,6 +18,19 @@ public abstract class RandomLessonAdapter extends LessonAdapter
|
||||
public void setStage(WebSession s, String stage)
|
||||
{
|
||||
getLessonTracker(s).setStage(stage);
|
||||
try
|
||||
{
|
||||
Connection connection = DatabaseUtilities.getConnection(s);
|
||||
|
||||
CreateDB db = new CreateDB();
|
||||
db.makeDB(connection);
|
||||
System.out.println("Successfully refreshed the database.");
|
||||
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
System.out.println("Error refreshing the database!");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public String getStage(WebSession s)
|
||||
@ -31,8 +48,22 @@ public abstract class RandomLessonAdapter extends LessonAdapter
|
||||
}
|
||||
else
|
||||
{
|
||||
s.setMessage("You have completed " + stage + ".");
|
||||
if (!stage.equals(lt.getStage())) s.setMessage(" Welcome to " + lt.getStage());
|
||||
s.setMessage("You have completed Stage " + (lt.getStageNumber(stage) + 1) + ": " + stage + ".");
|
||||
if (!stage.equals(lt.getStage()))
|
||||
s.setMessage(" Welcome to Stage " + (lt.getStageNumber(lt.getStage()) + 1) + ": " + lt.getStage());
|
||||
}
|
||||
try
|
||||
{
|
||||
Connection connection = DatabaseUtilities.getConnection(s);
|
||||
|
||||
CreateDB db = new CreateDB();
|
||||
db.makeDB(connection);
|
||||
System.out.println("Successfully refreshed the database.");
|
||||
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
System.out.println("Error refreshing the database!");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
|
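Review bot: The database-refresh try/catch that `setStage` now contains is repeated verbatim in the stage-completion method in this file's last hunk (the `try` block following the `s.setMessage(" Welcome to Stage ...")` line); pull it into one private helper so the two call sites cannot drift apart. Neither copy closes or returns the `Connection` obtained from `DatabaseUtilities.getConnection(s)` — if that call hands out a fresh connection rather than a session-scoped one, each stage change leaks one; confirm against `DatabaseUtilities`. On failure the code only prints to System.out and calls `printStackTrace()`, so the caller proceeds with a stale database; a `s.setMessage(...)` or a rethrow would make the failure visible. The stage-completion method's signature is outside the hunk.
```java
    /** Rebuilds the lesson database so the next stage starts from known data; failures are reported, not rethrown. */
    private void refreshDatabase(WebSession s)
    {
        try
        {
            Connection connection = DatabaseUtilities.getConnection(s);
            new CreateDB().makeDB(connection);
            System.out.println("Successfully refreshed the database.");
        } catch (SQLException sqle)
        {
            System.out.println("Error refreshing the database!");
            sqle.printStackTrace();
        }
    }

    public void setStage(WebSession s, String stage)
    {
        getLessonTracker(s).setStage(stage);
        refreshDatabase(s);
    }
    // … unchanged: getStage and the stage-completion method, which calls refreshDatabase(s) in place of its copy of the try block …
```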
@ -1,6 +1,7 @@
|
||||
|
||||
package org.owasp.webgoat.lessons;
|
||||
|
||||
import java.text.DecimalFormat;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.regex.Pattern;
|
||||
@ -76,6 +77,8 @@ public class ReflectedXSS extends LessonAdapter
|
||||
float total = 0.0f;
|
||||
float runningTotal = 0.0f;
|
||||
|
||||
DecimalFormat money = new DecimalFormat("$0.00");
|
||||
|
||||
// test input field1
|
||||
if (!pattern1.matcher(param1).matches())
|
||||
{
|
||||
@ -110,36 +113,36 @@ public class ReflectedXSS extends LessonAdapter
|
||||
tr.addElement(new TD().addElement("69.99").setAlign("right"));
|
||||
tr.addElement(new TD().addElement(
|
||||
new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1",
|
||||
"1")))
|
||||
.setAlign("right"));
|
||||
"1"))
|
||||
.setSize(6)).setAlign("right"));
|
||||
quantity = s.getParser().getFloatParameter("QTY1", 0.0f);
|
||||
total = quantity * 69.99f;
|
||||
runningTotal += total;
|
||||
tr.addElement(new TD().addElement("$" + total));
|
||||
tr.addElement(new TD().addElement(money.format(total)));
|
||||
t.addElement(tr);
|
||||
tr = new TR();
|
||||
tr.addElement(new TD().addElement("Dynex - Traditional Notebook Case"));
|
||||
tr.addElement(new TD().addElement("27.99").setAlign("right"));
|
||||
tr.addElement(new TD().addElement(
|
||||
new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2",
|
||||
"1")))
|
||||
.setAlign("right"));
|
||||
"1"))
|
||||
.setSize(6)).setAlign("right"));
|
||||
quantity = s.getParser().getFloatParameter("QTY2", 0.0f);
|
||||
total = quantity * 27.99f;
|
||||
runningTotal += total;
|
||||
tr.addElement(new TD().addElement("$" + total));
|
||||
tr.addElement(new TD().addElement(money.format(total)));
|
||||
t.addElement(tr);
|
||||
tr = new TR();
|
||||
tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel Centrino"));
|
||||
tr.addElement(new TD().addElement("1599.99").setAlign("right"));
|
||||
tr.addElement(new TD().addElement(
|
||||
new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3",
|
||||
"1")))
|
||||
.setAlign("right"));
|
||||
"1"))
|
||||
.setSize(6)).setAlign("right"));
|
||||
quantity = s.getParser().getFloatParameter("QTY3", 0.0f);
|
||||
total = quantity * 1599.99f;
|
||||
runningTotal += total;
|
||||
tr.addElement(new TD().addElement("$" + total));
|
||||
tr.addElement(new TD().addElement(money.format(total)));
|
||||
t.addElement(tr);
|
||||
tr = new TR();
|
||||
tr.addElement(new TD().addElement("3 - Year Performance Service Plan $1000 and Over "));
|
||||
@ -147,12 +150,12 @@ public class ReflectedXSS extends LessonAdapter
|
||||
|
||||
tr.addElement(new TD().addElement(
|
||||
new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4",
|
||||
"1")))
|
||||
.setAlign("right"));
|
||||
"1"))
|
||||
.setSize(6)).setAlign("right"));
|
||||
quantity = s.getParser().getFloatParameter("QTY4", 0.0f);
|
||||
total = quantity * 299.99f;
|
||||
runningTotal += total;
|
||||
tr.addElement(new TD().addElement("$" + total));
|
||||
tr.addElement(new TD().addElement(money.format(total)));
|
||||
t.addElement(tr);
|
||||
|
||||
ec.addElement(t);
|
||||
@ -168,7 +171,7 @@ public class ReflectedXSS extends LessonAdapter
|
||||
|
||||
tr = new TR();
|
||||
tr.addElement(new TD().addElement("The total charged to your credit card:"));
|
||||
tr.addElement(new TD().addElement("$" + runningTotal));
|
||||
tr.addElement(new TD().addElement(money.format(runningTotal)));
|
||||
tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart")));
|
||||
t.addElement(tr);
|
||||
tr = new TR();
|
||||
|
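Review bot: The new `DecimalFormat money = new DecimalFormat("$0.00")` in this file's first hunk fixes the display, but the amounts it formats are still computed in binary `float` (`total = quantity * 69.99f;`, `runningTotal += total;`), so the rounding error the formatter hides is still accumulated into the running total; for currency use `BigDecimal` built from string literals (`new BigDecimal("69.99")`) and pass the result to `money.format(...)`, which accepts a `BigDecimal`. The `"$0.00"` pattern's decimal separator follows the JVM default locale, so the same code prints `$69,99` on a German-locale host; pass explicit symbols: `new DecimalFormat("$0.00", DecimalFormatSymbols.getInstance(Locale.US))`. `getFloatParameter("QTY1", 0.0f)` also accepts negative quantities, which yield negative line totals; clamping with `Math.max(0.0f, ...)` keeps the cart consistent. The enclosing method starts before the hunk.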
@ -7,11 +7,6 @@ import java.io.IOException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import org.apache.ecs.ElementContainer;
|
||||
import org.apache.ecs.StringElement;
|
||||
import org.apache.ecs.html.Body;
|
||||
import org.apache.ecs.html.Head;
|
||||
import org.apache.ecs.html.Html;
|
||||
import org.apache.ecs.html.Title;
|
||||
import org.owasp.webgoat.lessons.Category;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
|
||||
@ -100,23 +95,24 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
|
||||
*/
|
||||
protected List<String> getHints(WebSession s)
|
||||
{
|
||||
String stage = getStage(s);
|
||||
List<String> hints = new ArrayList<String>();
|
||||
hints.add("Many sites attempt to restrict access to resources by role.");
|
||||
hints.add("Developers frequently make mistakes implementing this scheme.");
|
||||
hints.add("Attempt combinations of users, roles, and resources.");
|
||||
|
||||
// Stage 1
|
||||
|
||||
hints.add("Stage1: How does the application know that the user selected the delete function?");
|
||||
|
||||
hints.add("Stage2: You have to code to check the authorization of the user for the action.");
|
||||
// Stage 2
|
||||
hints.add("Stage2: You have to code to check the authorization of the user for the action.");
|
||||
|
||||
|
||||
// Stage 3
|
||||
hints.add("Stage3: How does the application know that the user selected any particular employee to view?");
|
||||
|
||||
// Stage 4
|
||||
hints.add("Note that the contents of the staff listing change depending on who is logged in.");
|
||||
|
||||
hints
|
||||
.add("Stage4: You have to code to check the authorization of the user for the action on a certain employee.");
|
||||
|
||||
@ -147,7 +143,7 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
|
||||
instructions = "Stage 1: Bypass Presentational Layer Access Control.<br>"
|
||||
+ "As regular employee 'Tom', exploit weak access control to use the Delete function from the Staff List page. "
|
||||
+ "Verify that Tom's profile can be deleted."
|
||||
+ "The password for a user is always his prename.";
|
||||
+ "The password for a user is always their first name.";
|
||||
}
|
||||
else if (STAGE2.equals(stage))
|
||||
{
|
||||
|
@ -245,7 +245,7 @@ public class SessionFixation extends SequentialLessonAdapter
|
||||
+ "During the last week we had a few problems with our database. "
|
||||
+ "We have received many complaints regarding incorrect account details. "
|
||||
+ "Please use the following link to verify your account "
|
||||
+ "data:<br><br><center><a href=http://localhost/WebGoat/"
|
||||
+ "data:<br><br><center><a href=/WebGoat/"
|
||||
+ link
|
||||
+ "> Goat Hills Financial</a></center><br><br>"
|
||||
+ "We are sorry for the any inconvenience and thank you for your cooparation.<br><br>"
|
||||
|
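Review bot: The `href` value on the changed line is still emitted without quotes (`<a href=/WebGoat/` + link + `>`), so any space or `>` inside `link` ends the attribute early and the remainder of `link` becomes markup; quote it: `+ "data:<br><br><center><a href=\"/WebGoat/" + link + "\"> Goat Hills Financial</a></center><br><br>"`. Dropping the `http://localhost` prefix is right, since the lesson is served from whatever host the student actually used. The string concatenation begins and ends outside the hunk; `cooparation` on the following context line is a typo the commit leaves in place.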
@ -300,8 +300,8 @@ public class SoapRequest extends SequentialLessonAdapter
|
||||
{
|
||||
getLessonTracker(s).setStage(3);
|
||||
s.setMessage("Stage 2 completed. ");
|
||||
// s.setMessage("Now, you'll craft a SOAP envelope for invoking a web service
|
||||
// directly.");
|
||||
// s.setMessage(
|
||||
// "Now, you'll craft a SOAP envelope for invoking a web service directly.");
|
||||
|
||||
// Redirect user to Stage2 content.
|
||||
ec.addElement(doStage3(s));
|
||||
@ -347,7 +347,7 @@ public class SoapRequest extends SequentialLessonAdapter
|
||||
// before completing the lesson.
|
||||
if ((accessFirstName + accessLastName + accessCreditCard + accessLoginCount) >= 2)
|
||||
{
|
||||
/** Reset function access counters * */
|
||||
/** Reset function access counters **/
|
||||
accessFirstName = accessLastName = accessCreditCard = accessLoginCount = 0;
|
||||
// SoapRequest.completed = true;
|
||||
makeSuccess(s);
|
||||
|
@ -316,7 +316,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
|
||||
+ "\"SELECT * FROM weather_data WHERE station = \" + station ");
|
||||
hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. "
|
||||
+ "Try appending a SQL statement that always resolves to true.");
|
||||
hints.add("Try to intercept the post request with WebScarab and replace the station " + "with 101 OR 1 = 1");
|
||||
hints.add("Try to intercept the post request with WebScarab and replace the station " + "with [ 101 OR 1 = 1 ].");
|
||||
|
||||
return hints;
|
||||
}
|
||||
|
@ -131,8 +131,8 @@ public class UncheckedEmail extends LessonAdapter
|
||||
s.setMessage("The attack worked! Now try to attack another person than the admin.");
|
||||
}
|
||||
|
||||
// only complete the lesson if they changed the "to" hidden field and they sen a
|
||||
// scripttag in the message
|
||||
// only complete the lesson if they changed the "to" hidden field and they send a
|
||||
// script tag in the message
|
||||
if (to.length() > 0 && !"webgoat.admin@owasp.org".equals(to) && message.contains("<script"))
|
||||
{
|
||||
makeSuccess(s);
|
||||
|
@ -319,7 +319,7 @@ public class CreateDB
|
||||
}
|
||||
|
||||
/**
|
||||
* Create users whith tans
|
||||
* Create users with tans
|
||||
*
|
||||
* @param connection
|
||||
* @throws SQLException
|
||||
@ -826,6 +826,63 @@ public class CreateDB
|
||||
//
|
||||
// --------------------------------------------------------------------------
|
||||
|
||||
/**
|
||||
* Start creation of data for WebServices labs
|
||||
*/
|
||||
|
||||
private void createTransactionTable(Connection connection) throws SQLException
|
||||
{
|
||||
Statement statement = connection.createStatement();
|
||||
|
||||
try
|
||||
{
|
||||
String dropTable = "DROP TABLE transactions";
|
||||
statement.executeUpdate(dropTable);
|
||||
} catch (SQLException e)
|
||||
{
|
||||
System.out.println("Warning: unable to drop Transactions");
|
||||
}
|
||||
|
||||
try
|
||||
{
|
||||
String createTable = "CREATE TABLE Transactions (" + "userName VARCHAR(16) NOT NULL, "
|
||||
+ "sequence INTEGER NOT NULL, " + "from_account VARCHAR(16) NOT NULL, "
|
||||
+ "to_account VARCHAR(16) NOT NULL, " + "transactionDate TIMESTAMP NOT NULL, "
|
||||
+ "description VARCHAR(255) NOT NULL, " + "amount INTEGER NOT NULL" + ")";
|
||||
|
||||
statement.executeUpdate(createTable);
|
||||
} catch (SQLException e)
|
||||
{
|
||||
System.out.println("Error: unable to create Transactions: " + e.getLocalizedMessage());
|
||||
throw e;
|
||||
}
|
||||
|
||||
String[] data = new String[] {
|
||||
"'dave', 0, '238-4723-4024', '324-7635-9867', '2008-02-06 21:40:00', 'Mortgage', '150'",
|
||||
"'dave', 1, '238-4723-4024', '324-7635-9867', '2008-02-12 21:41:00', 'Car', '150'",
|
||||
"'dave', 2, '238-4723-4024', '324-7635-9867', '2008-02-20 21:42:00', 'School fees', '150'",
|
||||
"'CEO', 3, '348-6324-9872', '345-3490-8345', '2008-02-15 21:40:00', 'Rolls Royce', '-150000'",
|
||||
"'CEO', 4, '348-6324-9872', '342-5893-4503', '2008-02-25 21:41:00', 'Mansion', '-150000'",
|
||||
"'CEO', 5, '348-6324-9872', '980-2344-5492', '2008-02-27 21:42:00', 'Vacation', '-150000'",
|
||||
"'jeff', 6, '934-2002-3485', '783-2409-8234', '2008-02-01 21:40:00', 'Vet', '250'",
|
||||
"'jeff', 7, '934-2002-3485', '634-5879-0345', '2008-02-19 21:41:00', 'Doctor', '800'",
|
||||
"'jeff', 8, '934-2002-3485', '435-4325-3358', '2008-02-20 21:42:00', 'X-rays', '200'", };
|
||||
try
|
||||
{
|
||||
for (int i = 0; i < data.length; i++)
|
||||
{
|
||||
statement.executeUpdate("INSERT INTO Transactions VALUES (" + data[i] + ");");
|
||||
}
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
System.out.println("Error: Unable to insert data: " + sqle);
|
||||
int errorCode = sqle.getErrorCode();
|
||||
System.out.println("Error Code: " + errorCode);
|
||||
// ignore exceptions for Oracle and SQL Server
|
||||
if (errorCode != 911 && errorCode != 273) { throw sqle; }
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Description of the Method
|
||||
*
|
||||
@ -848,6 +905,7 @@ public class CreateDB
|
||||
createAuthTable(connection);
|
||||
createOwnershipTable(connection);
|
||||
createWeatherDataTable(connection);
|
||||
createTransactionTable(connection);
|
||||
createTanUserDataTable(connection);
|
||||
createTanTable(connection);
|
||||
System.out.println("Success: creating tables.");
|
||||
|
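Review bot: `createTransactionTable` never closes the `Statement` it opens on `Statement statement = connection.createStatement();` — on the `throw e` path after a failed CREATE and on the rethrown insert error the statement stays open; wrap everything after `createStatement()` in `try { ... } finally { statement.close(); }`, and apply the same to the sibling create* methods if they share the pattern. The seed rows insert the `amount INTEGER` column as quoted strings (`'150'`, `'-150000'`), relying on an implicit string-to-integer conversion that not every driver performs; write them as bare numerics. The `911`/`273` error codes in the catch are explained only by the comment `ignore exceptions for Oracle and SQL Server`; named constants stating which condition each code represents would make the suppression reviewable. The Javadoc above the method, `Start creation of data for WebServices labs`, describes the section rather than the method — a one-line summary naming the table it creates and seeds would replace it.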
@ -162,13 +162,13 @@ public class LessonTracker
|
||||
protected void setProperties(Properties props, Screen screen)
|
||||
{
|
||||
completed = Boolean.valueOf(props.getProperty(screen.getTitle() + ".completed")).booleanValue();
|
||||
maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle() + ".maxHintLevel"));
|
||||
numVisits = Integer.parseInt(props.getProperty(screen.getTitle() + ".numVisits"));
|
||||
viewedCookies = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedCookies")).booleanValue();
|
||||
viewedHtml = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedHtml")).booleanValue();
|
||||
viewedLessonPlan = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedLessonPlan")).booleanValue();
|
||||
viewedParameters = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedParameters")).booleanValue();
|
||||
viewedSource = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedSource")).booleanValue();
|
||||
maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle() + ".maxHintLevel", "0"));
|
||||
numVisits = Integer.parseInt(props.getProperty(screen.getTitle() + ".numVisits", "0"));
|
||||
viewedCookies = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedCookies", "false")).booleanValue();
|
||||
viewedHtml = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedHtml", "false")).booleanValue();
|
||||
viewedLessonPlan = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedLessonPlan", "false")).booleanValue();
|
||||
viewedParameters = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedParameters", "false")).booleanValue();
|
||||
viewedSource = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedSource", "false")).booleanValue();
|
||||
}
|
||||
|
||||
public static String getUserDir(WebSession s)
|
||||
|
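Review bot: The `"false"` defaults added to the `Boolean.valueOf(...)` calls are behaviorally no-ops — `Boolean.valueOf((String) null)` already returns `false` — so the only effective change in this hunk is the `"0"` default on the two `Integer.parseInt` lines, which is what stops a missing key from throwing `NumberFormatException`. A present but malformed value still throws from `parseInt` and aborts loading the whole tracker; since these properties are read from a per-user file on disk, consider a small private helper that returns the default on `NumberFormatException`, used as `maxHintLevel = parseIntOrDefault(props, screen.getTitle() + ".maxHintLevel", 0);`. `completed` on the first line of the hunk keeps the no-default form, which is consistent once the boolean defaults are read as documentation only.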