dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add stage parameter in the session to keep track of current stage so that we do not reset the stage and recreate the database in the middle of a lesson. To do this a small refactor of WebSession was made which simply extracts some methods from the previously large update method. Ref #176.

Browse Source
This commit is contained in:
Daniel Kvist 2016-02-04 23:21:12 +01:00
parent 724c084abf
commit 59549e3b21
2 changed files with 272 additions and 189 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

340
webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
View File

@ -33,32 +33,27 @@ import org.slf4j.LoggerFactory;
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see
* http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public
* License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if not, write to the Free
* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect
* Security</a>
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @since October 28, 2003
* @version $Id: $Id
@ -96,7 +91,7 @@ public class WebSession {
public final static String COURSE = "course";
/**
* Description of the Field
* Error screen number
*/
public final static int ERROR = 0;
@ -104,27 +99,27 @@ public class WebSession {
public static final String STAGE = "stage";
/**
* Description of the Field
* session id string
*/
public final static String JSESSION_ID = "jsessionid";
/**
* Description of the Field
* Logout parameter name
*/
public final static String LOGOUT = "Logout";
/**
* Description of the Field
* Restart parameter name
*/
public final static String RESTART = "Restart";
/**
* Description of the Field
* menu parameter name
*/
public final static String MENU = "menu";
/**
* Description of the Field
* Screen parameter name
*/
public final static String SCREEN = "Screen";
@ -184,6 +179,8 @@ public class WebSession {
private int previousScreen = ERROR;
private int previousStage = -1;
private int hintNum = -1;
private boolean isAdmin = false;
@ -289,7 +286,7 @@ public class WebSession {
}
/**
* Description of the Method
* Marks all cookies but the JSESSIONID for deletion and adds them to the response.
*/
public void eatCookies() {
Cookie[] cookies = request.getCookies();
@ -338,11 +335,9 @@ public class WebSession {
}
/**
* Sets the admin flag - this routine is ONLY here to allow someone a
* backdoor to setting the user up as an admin.
* Sets the admin flag - this routine is ONLY here to allow someone a backdoor to setting the user up as an admin.
*
* This is also used by the WebSession to set the admin, but the method
* should be private
* This is also used by the WebSession to set the admin, but the method should be private
*
* @param state a boolean.
*/
@ -539,11 +534,10 @@ public class WebSession {
}
/*
* List cookies = new Vector(); HttpServletRequest request = getRequest(); Cookie[] cookies
* = request.getCookies(); if ( cookies.length == 0 ) { list.addElement( new LI(
* "No Cookies" ) ); } for ( int i = 0; i < cookies.length; i++ ) { Cookie cookie =
* cookies[i]; cookies.add(cookie); //list.addElement( new LI( cookie.getName() + " -> " +
* cookie.getValue() ) ); }
* List cookies = new Vector(); HttpServletRequest request = getRequest(); Cookie[] cookies =
* request.getCookies(); if ( cookies.length == 0 ) { list.addElement( new LI( "No Cookies" ) ); } for ( int i =
* 0; i < cookies.length; i++ ) { Cookie cookie = cookies[i]; cookies.add(cookie); //list.addElement( new LI(
* cookie.getName() + " -> " + cookie.getValue() ) ); }
*/
return cookies;
}
@ -918,8 +912,8 @@ public class WebSession {
}
/**
* Parse parameters from the given request, handle any servlet commands, and
* update this session based on the parameters.
* Parse parameters from the given request, handle any servlet commands, and update this session based on the
* parameters.
*
* @param request Description of the Parameter
* @param response Description of the Parameter
@ -929,22 +923,13 @@ public class WebSession {
public void update(HttpServletRequest request, HttpServletResponse response, String name) throws IOException {
String content = null;
clearMessage();
this.request = request;
this.response = response;
this.servletName = name;
if (myParser == null) {
myParser = new ParameterParser(request);
} else {
myParser.update(request);
}
Locale locale = request.getLocale();
if(locale != null) {
LabelManager labelManager = BeanProvider.getBean("labelManager", LabelManager.class);
labelManager.setLocale(locale);
}
clearMessage();
updateParser(request);
updateLocale(request);
// System.out.println("Current Screen 1: " + currentScreen );
// System.out.println("Previous Screen 1: " + previousScreen );
@ -952,78 +937,72 @@ public class WebSession {
// FIXME: doesn't work right -- no reauthentication
// REMOVED - we have explicit logout now via spriing security
/*
if (myParser.getRawParameter(LOGOUT, null) != null) {
System.out.println("Logout " + request.getUserPrincipal());
eatCookies();
request.getSession().invalidate();
currentScreen = WELCOME;
previousScreen = ERROR;
}
* if (myParser.getRawParameter(LOGOUT, null) != null) { System.out.println("Logout " +
* request.getUserPrincipal()); eatCookies(); request.getSession().invalidate(); currentScreen = WELCOME;
* previousScreen = ERROR; }
*/
// There are several scenarios where we want the first lesson to be loaded
// 1) Previous screen is Welcome - Start of the course
// 2) After a logout and after the session has been reinitialized
if ((this.getPreviousScreen() == WebSession.WELCOME) || (getRequest().getSession(false) != null
&& // getRequest().getSession(false).isNew() &&
this.getCurrentScreen() == WebSession.WELCOME && this.getPreviousScreen() == WebSession.ERROR)) {
currentScreen = course.getFirstLesson().getScreenId();
hintNum = -1;
}
updateScreenProperties(request);
// System.out.println("Current Screen 2: " + currentScreen );
// System.out.println("Previous Screen 2: " + previousScreen );
// update the screen variables
previousScreen = currentScreen;
try {
// If the request is new there should be no parameters.
// This can occur from a session timeout or a the starting of a new course.
if (!request.getSession().isNew()) {
currentScreen = myParser.getIntParameter(SCREEN, currentScreen);
} else {
if (!myParser.getRawParameter(SCREEN, "NULL").equals("NULL")) {
this.setMessage("Session Timeout - Starting new Session.");
}
}
} catch (Exception e) {
}
// clear variables when switching screens
if (this.getCurrentScreen() != this.getPreviousScreen()) {
if (webgoatContext.isDebug()) {
setMessage("Changed to a new screen, clearing cookies and hints");
}
eatCookies();
hintNum = -1;
clearScreenProperties();
} else if (myParser.getRawParameter(STAGE, null) != null) {
AbstractLesson al = getCurrentLesson();
if (al instanceof SequentialLessonAdapter) {
SequentialLessonAdapter sla = (SequentialLessonAdapter) al;
int stage = myParser.getIntParameter(STAGE, sla.getStage(this));
if (stage > 0 && stage <= sla.getStageCount()) {
sla.setStage(this, stage);
}
} else if (al instanceof RandomLessonAdapter) {
try {
RandomLessonAdapter rla = (RandomLessonAdapter) al;
if (!myParser.getRawParameter(STAGE).equals("null")) {
int stage = myParser.getIntParameter(STAGE) - 1;
String[] stages = rla.getStages();
if (stages == null) {
stages = new String[0];
}
if (stage >= 0 && stage < stages.length) {
rla.setStage(this, stages[stage]);
}
updateCurrentScreenStage();
} else {
rla.setStage(this, null);
content = updateCurrentScreen(content);
}
} catch (ParameterNotFoundException pnfe) {
updateParameters(request);
updateContent(response, content);
}
/**
* Updates parameters isAdmin, isHackedAdmin, hasHackedHackableAdmin, isColor and isDebug
*
* @param request
*/
private void updateParameters(HttpServletRequest request) {
isAdmin = request.isUserInRole(WEBGOAT_ADMIN);
isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin);
if (isHackedAdmin) {
System.out.println("Hacked admin");
hasHackedHackableAdmin = true;
}
isColor = myParser.getBooleanParameter(COLOR, isColor);
isDebug = myParser.getBooleanParameter(DEBUG, isDebug);
}
/**
* If the content is not already set we get the response and sends it on its way
*
* @param response
* @param content to send
* @throws IOException
*/
private void updateContent(HttpServletResponse response, String content) throws IOException {
// System.out.println( "showParams:" + showParams );
// System.out.println( "showSource:" + showSource );
// System.out.println( "showSolution:" + showSolution );
// System.out.println( "showCookies:" + showCookies );
// System.out.println( "showRequest:" + showRequest );
if (content != null) {
response.setContentType("text/html");
PrintWriter out = new PrintWriter(response.getOutputStream());
out.print(content);
out.flush();
out.close();
}
}
} // else update global variables for the current screen
else {
/**
* Checks to see if the lesson should be restarted. Also handles parsing of "show" commands for getting hints,
* params, cookies, source and solution.
*
* @param content
* @return the updated content
*/
private String updateCurrentScreen(String content) {
// else update global variables for the current screen
// Handle "restart" commands
int lessonId = myParser.getIntParameter(RESTART, -1);
if (lessonId != -1) {
@ -1054,29 +1033,134 @@ public class WebSession {
getPreviousHint();
}
}
return content;
}
isAdmin = request.isUserInRole(WEBGOAT_ADMIN);
isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin);
if (isHackedAdmin) {
System.out.println("Hacked admin");
hasHackedHackableAdmin = true;
/**
* Checks to see what kind of lesson we are viewing and parses the "stage" parameter accordingly. Sets the stage for
* the lesson using setStage on the lesson object.
*/
private void updateCurrentScreenStage() {
AbstractLesson al = getCurrentLesson();
if (al instanceof SequentialLessonAdapter) {
updateSlaStage((SequentialLessonAdapter) al);
} else if (al instanceof RandomLessonAdapter) {
updateRlaStage((RandomLessonAdapter) al);
}
}
isColor = myParser.getBooleanParameter(COLOR, isColor);
isDebug = myParser.getBooleanParameter(DEBUG, isDebug);
// System.out.println( "showParams:" + showParams );
// System.out.println( "showSource:" + showSource );
// System.out.println( "showSolution:" + showSolution );
// System.out.println( "showCookies:" + showCookies );
// System.out.println( "showRequest:" + showRequest );
if (content != null) {
response.setContentType("text/html");
PrintWriter out = new PrintWriter(response.getOutputStream());
out.print(content);
out.flush();
out.close();
/**
* Updates the stage for a RandomLessonAdapter
*
* @param al
*/
private void updateRlaStage(RandomLessonAdapter rla) {
try {
if (!myParser.getRawParameter(STAGE).equals("null")) {
int currentStage = myParser.getIntParameter(STAGE) - 1;
if (previousStage != currentStage) {
previousStage = currentStage;
String[] stages = rla.getStages();
if (stages == null) {
stages = new String[0];
}
if (currentStage >= 0 && currentStage < stages.length) {
rla.setStage(this, stages[currentStage]);
}
}
} else {
rla.setStage(this, null);
}
} catch (ParameterNotFoundException pnfe) {
logger.warn("ParameterNotFoundException when updating stage for RandomLessonAdapter: " + pnfe.getMessage() + " " + pnfe.getCause());
}
}
/**
* Updates the stage for a SequentialLessonAdapter
*
* @param al
*/
private void updateSlaStage(SequentialLessonAdapter sla) {
int stage = myParser.getIntParameter(STAGE, sla.getStage(this));
if (stage > 0 && stage <= sla.getStageCount()) {
sla.setStage(this, stage);
}
}
/**
* Eats all the cookies and resets hintNum and previousStage
*/
private void clearScreenProperties() {
if (webgoatContext.isDebug()) {
setMessage("Changed to a new screen, clearing cookies and hints");
}
eatCookies();
hintNum = -1;
previousStage = -1;
}
/**
* Updates the properties currentScreen, previousScreen and hintNum depending on which scenario is being handled.
*
* @param request
*/
private void updateScreenProperties(HttpServletRequest request) {
// There are several scenarios where we want the first lesson to be loaded
// 1) Previous screen is Welcome - Start of the course
// 2) After a logout and after the session has been reinitialized
if ((this.getPreviousScreen() == WebSession.WELCOME) ||
(getRequest().getSession(false) != null &&
// getRequest().getSession(false).isNew() &&
this.getCurrentScreen() == WebSession.WELCOME &&
this.getPreviousScreen() == WebSession.ERROR)) {
currentScreen = course.getFirstLesson().getScreenId();
hintNum = -1;
}
// System.out.println("Current Screen 2: " + currentScreen );
// System.out.println("Previous Screen 2: " + previousScreen );
// update the screen variables
previousScreen = currentScreen;
try {
// If the request is new there should be no parameters.
// This can occur from a session timeout or a the starting of a new course.
if (!request.getSession().isNew()) {
currentScreen = myParser.getIntParameter(SCREEN, currentScreen);
} else {
if (!myParser.getRawParameter(SCREEN, "NULL").equals("NULL")) {
this.setMessage("Session Timeout - Starting new Session.");
}
}
} catch (Exception e) {
logger.warn("Exception when updating properties in updateScreenProperties: " + e.getMessage() + " " + e.getCause());
}
}
/**
* Updates the labelmanager local based on the labelManager bean
*
* @param request
*/
private void updateLocale(HttpServletRequest request) {
Locale locale = request.getLocale();
if (locale != null) {
LabelManager labelManager = BeanProvider.getBean("labelManager", LabelManager.class);
labelManager.setLocale(locale);
}
}
/**
* Creates a new parser if not created yet. Sets the request on the parser for later use.
*
* @param request
*/
private void updateParser(HttpServletRequest request) {
if (myParser == null) {
myParser = new ParameterParser(request);
} else {
myParser.update(request);
}
}

1
webgoat-container/src/main/webapp/WEB-INF/webgoat.properties
View File

@ -16,7 +16,6 @@ lesson.SilentTransactions.hidden=true
lesson.WeakAuthenticationCookie.hidden=true
lesson.TraceXSS.hidden=true
lesson.DBSQLInjection.hidden=true
lesson.CrossSiteScripting.hidden=true
lesson.DBCrossSiteScripting.hidden=true
lesson.XPATHInjection.hidden=true
lesson.ForcedBrowsing.hidden=true