diff --git a/src/main/java/org/owasp/webgoat/HammerHead.java b/src/main/java/org/owasp/webgoat/HammerHead.java
index c13497c68..61587c65f 100644
--- a/src/main/java/org/owasp/webgoat/HammerHead.java
+++ b/src/main/java/org/owasp/webgoat/HammerHead.java
@@ -129,6 +129,7 @@ public class HammerHead extends HttpServlet {
 // FIXME: If a response is written by updateSession(), do not
 // call makeScreen() and writeScreen()
 mySession = updateSession(request, response, context);
+
 if (response.isCommitted()) {
 logger.debug("Response already committed, exiting");
 return;
diff --git a/src/main/java/org/owasp/webgoat/service/CookieService.java b/src/main/java/org/owasp/webgoat/service/CookieService.java
index c113763dc..4fc4362c4 100644
--- a/src/main/java/org/owasp/webgoat/service/CookieService.java
+++ b/src/main/java/org/owasp/webgoat/service/CookieService.java
@@ -30,13 +30,16 @@
 */
 package org.owasp.webgoat.service;
+import java.util.Collections;
 import java.util.List;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpSession;
+import org.owasp.webgoat.lessons.model.RequestParameter;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.servlet.ModelAndView;
 /**
 *
@@ -58,4 +61,23 @@ public class CookieService extends BaseService {
 List cookies = ws.getCookiesOnLastRequest();
 return cookies;
 }
+
+ /**
+ * Returns cookies and params for current lesson
+ *
+ * @param session
+ * @return
+ */
+ @RequestMapping(value = "/cookies_widget.mvc", produces = "text/html")
+ public ModelAndView showCookiesAndParamsAsHtml(HttpSession session) {
+ ModelAndView model = new ModelAndView();
+ WebSession ws = getWebSession(session);
+ List cookies = ws.getCookiesOnLastRequest();
+ List listParms = ws.getParmsOnLastRequest();
+ Collections.sort(listParms);
+ model.addObject("wgcookies", cookies);
+ model.addObject("wgparams", listParms);
+ model.setViewName("widgets/cookies_and_params");
+ return model;
+ }
 }
diff --git a/src/main/java/org/owasp/webgoat/service/HintService.java b/src/main/java/org/owasp/webgoat/service/HintService.java
index 0a8e0e2c2..84869fca8 100644
--- a/src/main/java/org/owasp/webgoat/service/HintService.java
+++ b/src/main/java/org/owasp/webgoat/service/HintService.java
@@ -14,6 +14,7 @@ import org.owasp.webgoat.session.WebSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.servlet.ModelAndView;
 /**
 *
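Review bot: `List cookies` and `List listParms` in showCookiesAndParamsAsHtml are raw types, while the first hunk of this file adds imports for `RequestParameter` (otherwise unused) and `Cookie`; declare them as `List<Cookie> cookies = ws.getCookiesOnLastRequest();` and `List<RequestParameter> listParms = ws.getParmsOnLastRequest();` so that `Collections.sort(listParms)` is checked at compile time to have Comparable elements instead of failing with a ClassCastException at runtime. `Collections.sort(listParms)` also sorts in place; if getParmsOnLastRequest() hands out the session's own list rather than a copy (not visible here), the order is changed for every other reader of that list. The Javadoc leaves `@param session` and `@return` empty; state that the ModelAndView carries the last request's parameters and cookies under `wgparams` and `wgcookies` for the `widgets/cookies_and_params` view. Since those values are user-supplied request data handed to an HTML view, the view is responsible for escaping them on output, and that contract is worth recording in the same Javadoc.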
@@ -53,4 +54,33 @@ public class HintService extends BaseService {
 }
 return listHints;
 }
+
+ @RequestMapping(value = "/hint_widget.mvc", produces = "text/html")
+ public
+ ModelAndView showHintsAsHtml(HttpSession session) {
+ ModelAndView model = new ModelAndView();
+ List listHints = new ArrayList();
+ model.addObject("hints", listHints);
+ WebSession ws = getWebSession(session);
+ AbstractLesson l = ws.getCurrentLesson();
+ if (l == null) {
+ return model;
+ }
+ List hints;
+ hints = l.getHintsPublic(ws);
+ if (hints == null) {
+ return model;
+ }
+ int idx = 0;
+ for (String h : hints) {
+ Hint hint = new Hint();
+ hint.setHint(h);
+ hint.setLesson(l.getName());
+ hint.setNumber(idx);
+ listHints.add(hint);
+ idx++;
+ }
+ model.setViewName("widgets/hints");
+ return model;
+ }
 }
diff --git a/src/main/java/org/owasp/webgoat/service/LessonPlanService.java b/src/main/java/org/owasp/webgoat/service/LessonPlanService.java
index 582ebcd95..2ef3bdde1 100644
--- a/src/main/java/org/owasp/webgoat/service/LessonPlanService.java
+++ b/src/main/java/org/owasp/webgoat/service/LessonPlanService.java
@@ -54,14 +54,15 @@ public class LessonPlanService extends BaseService {
 * @param session
 * @return
 */
- @RequestMapping(value = "/lessonplan.mvc", produces = "application/json")
+ @RequestMapping(value = "/lessonplan.mvc", produces = "application/html")
 public @ResponseBody
- SourceListing showSource(HttpSession session) {
+ String showPlan(HttpSession session) {
 WebSession ws = getWebSession(session);
- String source = getSource(ws);
- SourceListing sl = new SourceListing();
- sl.setSource(source);
- return sl;
+ String plan = getPlan(ws);
+ return plan;
+ //SourceListing sl = new SourceListing();
+ //sl.setSource(source);
+ //return sl;
 }
 /**
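Review bot: The `l == null` and `hints == null` early returns in showHintsAsHtml hand back a ModelAndView with no view name, so those paths are left to Spring's default view-name translation from the request path instead of rendering `widgets/hints` with an empty list; move `model.setViewName("widgets/hints");` directly after `ModelAndView model = new ModelAndView();` so every path renders the same widget. `List listHints = new ArrayList();` and `List hints;` are raw types; `List<Hint>` and `List<String>` (the for-each already assumes String elements) let the compiler check them, and the separate `idx` counter can go if the loop indexes `hints` directly. `public` and `ModelAndView showHintsAsHtml(...)` split over two lines look like a leftover from deleting `@ResponseBody` and should be joined. The method has no Javadoc; a one-liner such as `/** Renders the current lesson's public hints as the widgets/hints fragment; the list is empty when no lesson is selected. */` would cover it.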
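Review bot: `produces = "application/html"` on the showPlan mapping is not a registered media type; the body is HTML that the widget loader injects with `.html()`, so it should be `produces = "text/html"` — the same applies to `application/text` on SourceService.showSource in a later hunk, where `text/plain` is meant. The three `//SourceListing ...` lines are the old implementation kept as commented-out code and should be deleted, and `String plan = getPlan(ws); return plan;` can be `return getPlan(ws);`. The Javadoc above the mapping starts outside the hunk; its visible `@param session` and `@return` tags are empty and should say the method returns the current lesson's plan as HTML, or a fixed "not available" message.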
@@ -70,9 +71,9 @@ public class LessonPlanService extends BaseService {
 * @param s Description of the Parameter
 * @return Description of the Return Value
 */
- protected String getSource(WebSession s) {
+ protected String getPlan(WebSession s) {
- String source = null;
+ String plan = null;
 int scr = s.getCurrentScreen();
 Course course = s.getCourse();
@@ -81,14 +82,12 @@ public class LessonPlanService extends BaseService {
 AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
 if (lesson != null) {
- source = lesson.getRawSource(s);
+ plan = lesson.getLessonPlan(s);
 }
 }
- if (source == null) {
- return "Source code is not available. Contact "
- + s.getWebgoatContext().getFeedbackAddressHTML();
+ if (plan == null) {
+ plan = "Plan is not available for this lesson.";
 }
- return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
- "Code Section Deliberately Omitted"));
+ return plan;
 }
 }
diff --git a/src/main/java/org/owasp/webgoat/service/ParameterService.java b/src/main/java/org/owasp/webgoat/service/ParameterService.java
index 26b6c597b..d1a170bca 100644
--- a/src/main/java/org/owasp/webgoat/service/ParameterService.java
+++ b/src/main/java/org/owasp/webgoat/service/ParameterService.java
@@ -33,7 +33,6 @@ package org.owasp.webgoat.service;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
-import java.util.Map;
 import javax.servlet.http.HttpSession;
 import org.owasp.webgoat.lessons.model.RequestParameter;
 import org.owasp.webgoat.session.WebSession;
@@ -61,9 +60,8 @@ public class ParameterService extends BaseService {
 @RequestMapping(value = "/parameter.mvc", produces = "application/json")
 public @ResponseBody
 List showParameters(HttpSession session) {
- List listParms = new ArrayList();
 WebSession ws = getWebSession(session);
- listParms = ws.getParmsOnLastRequest();
+ List listParms = ws.getParmsOnLastRequest();
 Collections.sort(listParms);
 return listParms;
 }
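Review bot: The Javadoc on getPlan still carries generator placeholders, `@param s Description of the Parameter` and `@return Description of the Return Value`; after the rename it should read `@param s the current web session, used to find the current screen's lesson` and `@return the lesson plan, or a fixed "Plan is not available" message when there is no lesson or no plan`. With the `replaceAll` on `START_SOURCE_SKIP`/`END_SOURCE_SKIP` removed in the second hunk, static imports of those constants — if this file has them like SourceService does; the import block is outside the hunk — are now unused and can be dropped. `String plan = null;` at the top of the method, assigned only inside the nested `if`, reads more clearly if the fallback text is the declared initial value and the `if (plan == null)` block goes away.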
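Review bot: `Collections.sort(listParms)` in showParameters now sorts the list returned by `ws.getParmsOnLastRequest()` in place; unless that method returns a copy (not visible here), this reorders the session's own list for every other consumer, so sorting a copy, `List<RequestParameter> listParms = new ArrayList<RequestParameter>(ws.getParmsOnLastRequest());` followed by `Collections.sort(listParms);`, is safer and keeps the `ArrayList` import in use. Declaring it as `List<RequestParameter>` instead of raw `List` also turns the Comparable requirement of `Collections.sort` into a compile-time check rather than a runtime ClassCastException; the `RequestParameter` import is already present. The same in-place sort appears in CookieService.showCookiesAndParamsAsHtml in an earlier hunk.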
diff --git a/src/main/java/org/owasp/webgoat/service/SourceService.java b/src/main/java/org/owasp/webgoat/service/SourceService.java
index 8f6b1f3f1..f5db88538 100644
--- a/src/main/java/org/owasp/webgoat/service/SourceService.java
+++ b/src/main/java/org/owasp/webgoat/service/SourceService.java
@@ -34,7 +34,6 @@ import javax.servlet.http.HttpSession;
 import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
 import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
 import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.model.SourceListing;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.stereotype.Controller;
@@ -54,14 +53,18 @@ public class SourceService extends BaseService {
 * @param session
 * @return
 */
- @RequestMapping(value = "/source.mvc", produces = "application/json")
+ @RequestMapping(value = "/source.mvc", produces = "application/text")
 public @ResponseBody
- SourceListing showSource(HttpSession session) {
+ String showSource(HttpSession session) {
 WebSession ws = getWebSession(session);
 String source = getSource(ws);
- SourceListing sl = new SourceListing();
- sl.setSource(source);
- return sl;
+ if (source == null) {
+ source = "No source listing found";
+ }
+ return source;
+ //SourceListing sl = new SourceListing();
+ //sl.setSource(source);
+ //return sl;
 }
 /**
@@ -85,8 +88,7 @@ public class SourceService extends BaseService {
 }
 }
 if (source == null) {
- return "Source code is not available. Contact "
- + s.getWebgoatContext().getFeedbackAddressHTML();
+ return "Source code is not available for this lesson.";
 }
 return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
 "Code Section Deliberately Omitted"));
diff --git a/src/main/webapp/WEB-INF/pages/main_new.jsp b/src/main/webapp/WEB-INF/pages/main_new.jsp
index b0d83fb34..b55894652 100644
--- a/src/main/webapp/WEB-INF/pages/main_new.jsp
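Review bot: The `if (source == null)` fallback added to showSource looks unreachable: the tail of getSource in the last hunk of this file returns the `"Source code is not available for this lesson."` message when it has no source and otherwise the `replaceAll` result, so unless the part of getSource outside the hunk returns null it never does; keep a single "not available" message in one place and drop the other. `produces = "application/text"` is not a registered media type — the body is plain source text, so use `produces = "text/plain"`. The three `//SourceListing ...` lines are dead code and should be removed. The `@return` tag in the hunk's context is empty; it should say the text is the lesson's raw source with the `START_SOURCE_SKIP`…`END_SOURCE_SKIP` region replaced by a placeholder, since that is the one transformation applied.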
+++ b/src/main/webapp/WEB-INF/pages/main_new.jsp @@ -117,7 +117,55 @@ - + +
+
+

Lesson Parameters and Cookies

+
+
+ +
+
+
+
+
+
+

Lesson Hints

+
+
+ +
+
+
+
+
+
+

Lesson Plan

+
+
+ +
+
+
+
+
+
+

Lesson Solution

+
+
+
+
+
+
+
+
+

Lesson Source Code

+
+
+
+
+
+
@@ -140,6 +188,7 @@ event.preventDefault(); $.get(this.href, {}, function(reply) { $("#lesson_content").html(reply); + goat.utils.showLessonSource(); }, "html"); }); app.init(); @@ -196,40 +245,13 @@ alert('status: ' + statusText + '\n\nresponseText: \n' + responseText + '\n\nThe output div should have already been updated with the responseText.'); } + // JASON - SEE THIS HOOK + // update lesson cookies and params + // make any embedded forms ajaxy + goat.utils.showLessonCookiesAndParams(); goat.utils.makeFormsAjax(); } - - - - - - - diff --git a/src/main/webapp/WEB-INF/pages/widgets/cookies_and_params.jsp b/src/main/webapp/WEB-INF/pages/widgets/cookies_and_params.jsp new file mode 100644 index 000000000..d89410105 --- /dev/null +++ b/src/main/webapp/WEB-INF/pages/widgets/cookies_and_params.jsp @@ -0,0 +1,39 @@ +<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> +<%-- + Document : hints + Created on : Aug 27, 2014, 3:41:46 PM + Author : rlawson +--%> + +<%@page contentType="text/html" pageEncoding="windows-1252"%> +
+ + + + + + + + + + +
Parameters
NameValue
${wgparam.name}${wgparam.value}
+
+
+ + + + + + + + + + +
Cookies
NameValue
${wgcookie.name}${wgcookie.value}
+
+ + + + + diff --git a/src/main/webapp/WEB-INF/pages/widgets/hints.jsp b/src/main/webapp/WEB-INF/pages/widgets/hints.jsp new file mode 100644 index 000000000..2c0aeeea6 --- /dev/null +++ b/src/main/webapp/WEB-INF/pages/widgets/hints.jsp @@ -0,0 +1,27 @@ +<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> +<%-- + Document : hints + Created on : Aug 27, 2014, 3:41:46 PM + Author : rlawson +--%> + +<%@page contentType="text/html" pageEncoding="windows-1252"%> +
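Review bot: `${wgparam.name}`, `${wgparam.value}`, `${wgcookie.name}` and `${wgcookie.value}` appear as bare EL in the table cells rather than inside `<c:out>`, and JSP EL does not HTML-escape; these are the last request's parameter and cookie values, i.e. user-supplied input, so the widget itself becomes a cross-site-scripting sink on every lesson page regardless of the lesson being shown. Render each one as `<c:out value="${wgparam.value}"/>` — the `c` taglib is already declared at the top of this file — and since the tags were stripped in this view, confirm against the file that the expressions are not already wrapped. The header comment says `Document : hints`, copied from hints.jsp, and `pageEncoding="windows-1252"` differs from the `ISO-8859-1` of lesson_content.jsp; fix the document name and use one encoding for the new widgets.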
+ +
+ +
+
+ ${hint.hint} +
+
+
+
+
+ diff --git a/src/main/webapp/js/goatControllers.js b/src/main/webapp/js/goatControllers.js index 6bdf03860..1df4719c5 100644 --- a/src/main/webapp/js/goatControllers.js +++ b/src/main/webapp/js/goatControllers.js 
@@ -31,65 +31,21 @@ goat.controller('goatLesson', function($scope, $http, $modal, $log, $templateCac if ($('div.panel-body').height() > 400) { $('#leftside-navigation').height($(window).height()); } + // hook into our pseudo service calls + // @TODO make these real services during phase 2 + // show cookies and params + goat.utils.showLessonCookiesAndParams(); + // show hints + goat.utils.showLessonHint(); + // show plan + goat.utils.showLessonPlan(); + // show solution + goat.utils.showLessonSolution(); + // show source + goat.utils.showLessonSource(); } ); }; - //TODO: Move show Source into it's own angular controller - /* - * Function to load lesson source - * @returns {undefined} - */ - $scope.showSource = function(size) { - // fetch source from web service - $http.get('service/source.mvc').success(function(data) { - $scope.lessonSource = data.source; - $scope.openSourceModal(size); - }).error(function(data) { - $scope.lessonSource = data.message; - console.log("LessonSource = '" + data.message + "'"); - $scope.openSourceModal(size); - }); - }; - - $scope.openSourceModal = function(size) { - var modalInstance = $modal.open({ - templateUrl: 'showSource.html', - controller: showSourceController, - size: size, - resolve: { - lessonSource: function() { - return $scope.lessonSource; - } - } - }); - modalInstance.result.then(function() { - $log.info('Modal dismissed at: ' + new Date()); - }); - }; - - /* - * Function to load lesson solution - * @returns {undefined} - */ - $scope.showSolution = function(size) { - $scope.lessonSolutionUrl = "service/solution.mvc"; - // clear the template cache otherwise we display stale lesson solutions - $templateCache.remove($scope.lessonSolutionUrl); - var modalInstance = $modal.open({ - templateUrl: 'showSolution.html', - controller: showSolutionController, - size: size, - resolve: { - lessonSolutionUrl: function() { - return $scope.lessonSolutionUrl; - } - } - }); - modalInstance.result.then(function() { - $log.info('Modal 
dismissed at: ' + new Date()); - }); - }; - }).animation('.slideDown', function() { var NgHideClassName = 'ng-hide'; return { diff --git a/src/main/webapp/js/goatUtil.js b/src/main/webapp/js/goatUtil.js index 115c8eaf4..638b0c149 100644 --- a/src/main/webapp/js/goatUtil.js +++ b/src/main/webapp/js/goatUtil.js @@ -18,11 +18,36 @@ goat.utils = { /**goatApp.extractLessonTitle *pulls lesson title from html fragment returned (looks for it in h1 element) *@param - html rendered to object passed in - */ - extractLessonTitle:function (el) { - var title = $('h1',el).text(); + */ + extractLessonTitle: function(el) { + var title = $('h1', el).text(); return title; }, + showLessonCookiesAndParams: function() { + $.get("service/cookies_widget.mvc", {}, function(reply) { + $("#lesson_cookies").html(reply); + }, "html"); + }, + showLessonHint: function() { + $.get("service/hint_widget.mvc", {}, function(reply) { + $("#lesson_hint").html(reply); + }, "html"); + }, + showLessonSource: function() { + $.get("service/source.mvc", {}, function(reply) { + $("#lesson_source").html(reply); + }, "html"); + }, + showLessonSolution: function() { + $.get("service/solution.mvc", {}, function(reply) { + $("#lesson_solution").html(reply); + }, "html"); + }, + showLessonPlan: function() { + $.get("service/lessonplan.mvc", {}, function(reply) { + $("#lesson_plan").html(reply); + }, "html"); + } }; // ### GLOBAL FUNCTIONS ## // diff --git a/src/main/webapp/lesson_content.jsp b/src/main/webapp/lesson_content.jsp index 771cccca5..7052f7b52 100644 --- a/src/main/webapp/lesson_content.jsp +++ b/src/main/webapp/lesson_content.jsp 
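Review bot: After removing showSource, openSourceModal and showSolution, the controller still injects `$modal`, `$log` and `$templateCache` (visible in the hunk header `function($scope, $http, $modal, $log, $templateCac…`); if nothing else in the controller uses them — the rest of its body is outside the hunk — they should be dropped from the injection list. The deleted showSolution called `$templateCache.remove(...)` specifically to avoid stale solutions; the replacement `showLessonSolution` uses jQuery `$.get`, so the Angular template cache is no longer involved, but browser caching of `service/solution.mvc` now decides freshness, which is worth a `cache: false` option or a no-cache header on the service. The `// @TODO make these real services during phase 2` comment is useful, but the five one-word comments repeating each call's name (`// show hints` above `showLessonHint()`) add nothing and can go.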
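Review bot: showLessonSource fetches `service/source.mvc`, which the SourceService hunk now serves as plain text, but requests it with dataType `"html"` and inserts it with `$("#lesson_source").html(reply)`, so any `<` in the lesson source is parsed as markup instead of displayed; use `$("#lesson_source").text(reply)` with dataType `"text"`, or have the server escape it if the widget is meant to carry HTML. The five `showLesson*` functions differ only in URL and target element and could share one small helper taking those two arguments, which would also give a single place for an error callback — none of the `$.get` calls handles failure, so a 500 from a service silently leaves the previous widget content on screen. The re-indented `extractLessonTitle` lines in the first three `-`/`+` pairs are whitespace-only and could have been kept out of this commit.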
@@ -1,6 +1,7 @@ <%@ page contentType="text/html; charset=ISO-8859-1" language="java" import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.Category, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*, java.util.*" errorPage="" %> +<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> <% WebSession webSession = ((WebSession) session.getAttribute(WebSession.SESSION)); Course course = webSession.getCourse(); @@ -11,19 +12,6 @@ <%@page import="org.owasp.webgoat.lessons.RandomLessonAdapter"%> - - -
<% AbstractLesson lesson = webSession.getCurrentLesson();