* Hints added
* Solutions added * Bugfixes * Introduction added (including how to start with webgoat and useful tools) * New lesson: Password strength * New lessons: Multi Level Login * Not yet working new lesson: Session fixation (initial release) git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@301 4033779f-a91e-0410-96ef-6bf7bf53c507
@ -1,9 +1,17 @@
|
||||
|
||||
package org.owasp.webgoat.lessons.CrossSiteScripting;
|
||||
|
||||
import java.io.BufferedReader;
|
||||
import java.io.FileReader;
|
||||
import java.io.IOException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import org.apache.ecs.ElementContainer;
|
||||
import org.apache.ecs.StringElement;
|
||||
import org.apache.ecs.html.Body;
|
||||
import org.apache.ecs.html.Head;
|
||||
import org.apache.ecs.html.Html;
|
||||
import org.apache.ecs.html.Title;
|
||||
import org.owasp.webgoat.lessons.Category;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
@ -90,7 +98,32 @@ public class CrossSiteScripting extends GoatHillsFinancial
|
||||
{
|
||||
return Category.XSS;
|
||||
}
|
||||
|
||||
|
||||
public String getLessonSolutionFileName(WebSession s) {
|
||||
String solutionFileName = null;
|
||||
String stage = getStage(s);
|
||||
solutionFileName = "/lesson_solutions/Lab XSS/Lab " + stage + ".html";
|
||||
return solutionFileName;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getSolution(WebSession s) {
|
||||
String src = null;
|
||||
|
||||
try
|
||||
{
|
||||
System.out.println("Solution: " + getLessonSolutionFileName(s));
|
||||
src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))), false);
|
||||
} catch (IOException e)
|
||||
{
|
||||
s.setMessage("Could not find the solution file");
|
||||
src = ("Could not find the solution file");
|
||||
}
|
||||
|
||||
return src;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the hints attribute of the DirectoryScreen object
|
||||
*
|
||||
@ -101,29 +134,27 @@ public class CrossSiteScripting extends GoatHillsFinancial
|
||||
List<String> hints = new ArrayList<String>();
|
||||
|
||||
// Stage 1
|
||||
hints.add("You can put HTML tags in form input fields.");
|
||||
hints.add("Bury a SCRIPT tag in the field to attack anyone who reads it.");
|
||||
hints.add("Stage1: You can put HTML tags in form input fields.");
|
||||
hints.add("Stage1: Bury a SCRIPT tag in the field to attack anyone who reads it.");
|
||||
hints
|
||||
.add("Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in message fields.");
|
||||
hints.add("Enter this: <script>alert(\"document.cookie\");</script> in message fields.");
|
||||
.add("Stage1: Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in message fields.");
|
||||
hints.add("Stage1: Enter this: <script>alert(\"document.cookie\");</script> in message fields.");
|
||||
|
||||
// Stage 2
|
||||
hints.add("Many scripts rely on the use of special characters such as: <");
|
||||
hints.add("Stage2: Many scripts rely on the use of special characters such as: <");
|
||||
hints
|
||||
.add("Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering).");
|
||||
hints.add("The java.util.regex package is useful for filtering string values.");
|
||||
.add("Stage2: Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering).");
|
||||
hints.add("Stage2: The java.util.regex package is useful for filtering string values.");
|
||||
|
||||
// Stage 3
|
||||
hints
|
||||
.add("Browsers recognize and decode HTML entity encoded content after parsing and interpretting HTML tags.");
|
||||
hints.add("An HTML entity encoder is provided in the ParameterParser class.");
|
||||
|
||||
|
||||
// Stage 4
|
||||
hints.add("Examine content served in response to form submissions looking for data taken from the form.");
|
||||
|
||||
hints.add("Stage4: Examine content served in response to form submissions looking for data taken from the form.");
|
||||
hints.add("Stage4: There is a class called HtmlEncoder in org.owasp.webgoat.util");
|
||||
// Stage 5
|
||||
hints
|
||||
.add("Validate early. Consider: out.println(\"Order for \" + request.getParameter(\"product\") + \" being processed...\");");
|
||||
.add("Stage5: Validate early. Consider: out.println(\"Order for \" + request.getParameter(\"product\") + \" being processed...\");");
|
||||
|
||||
return hints;
|
||||
}
|
||||
@ -144,11 +175,12 @@ public class CrossSiteScripting extends GoatHillsFinancial
|
||||
{
|
||||
instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.<br>"
|
||||
+ "As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page. "
|
||||
+ "Verify that 'Jerry' is affected by the attack.";
|
||||
+ "Verify that 'Jerry' is affected by the attack. <br/>The passwords for the accounts are the prenames.";
|
||||
}
|
||||
else if (STAGE2.equals(stage))
|
||||
{
|
||||
instructions = "Stage 2: Block Stored XSS using Input Validation.<br>"
|
||||
instructions = "Stage 2: Block Stored XSS using Input Validation.<br><br>" +
|
||||
"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
|
||||
+ "Implement a fix to block the stored XSS before it can be written to the database. "
|
||||
+ "Repeat stage 1 as 'Eric' with 'David' as the manager. Verify that 'David' is not affected by the attack.";
|
||||
}
|
||||
@ -160,7 +192,8 @@ public class CrossSiteScripting extends GoatHillsFinancial
|
||||
}
|
||||
else if (STAGE4.equals(stage))
|
||||
{
|
||||
instructions = "Stage 4: Block Stored XSS using Output Encoding.<br>"
|
||||
instructions = "Stage 4: Block Stored XSS using Output Encoding.<br><br>" +
|
||||
"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
|
||||
+ "Implement a fix to block XSS after it is read from the database. "
|
||||
+ "Repeat stage 3. Verify that 'David' is not affected by Bruce's profile attack.";
|
||||
}
|
||||
@ -172,7 +205,8 @@ public class CrossSiteScripting extends GoatHillsFinancial
|
||||
}
|
||||
else if (STAGE6.equals(stage))
|
||||
{
|
||||
instructions = "Stage 6: Block Reflected XSS using Input Validation.<br>"
|
||||
instructions = "Stage 6: Block Reflected XSS using Input Validation.<br><br>" +
|
||||
"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
|
||||
+ "Implement a fix to block this reflected XSS attack. "
|
||||
+ "Repeat step 5. Verify that the attack URL is no longer effective.";
|
||||
}
|
||||
|
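Review bot: In getSolution the `new BufferedReader(new FileReader(...))` passed to readFromFile is never closed on the visible lines, and `System.out.println("Solution: " + getLessonSolutionFileName(s));` writes the resolved solution path to stdout on every call; unless readFromFile closes the reader it is given (not visible here), close it in a finally block and drop the println or route it through the lesson's logging. The catch block also discards the IOException entirely before returning the fixed message, so a missing or unreadable solution file leaves no trace of why. getLessonSolutionFileName lacks the `@Override` that getSolution carries (if it overrides a superclass method in the same way), and its `String solutionFileName = null;` followed by an unconditional assignment collapses to `return "/lesson_solutions/Lab XSS/Lab " + getStage(s) + ".html";`. The remaining hunks in this section only change hint and instruction strings, and the enclosing class continues outside the visible lines.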
@ -17,6 +17,7 @@ import org.owasp.webgoat.session.UnauthenticatedException;
|
||||
import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.ValidationException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.owasp.webgoat.util.HtmlEncoder;
|
||||
|
||||
|
||||
/***************************************************************************************************
|
||||
@ -128,6 +129,7 @@ public class FindProfile extends DefaultLessonAction
|
||||
protected String getRequestParameter(WebSession s, String name) throws ParameterNotFoundException,
|
||||
ValidationException
|
||||
{
|
||||
|
||||
return s.getParser().getRawParameter(name);
|
||||
}
|
||||
|
||||
|
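Review bot: `getRequestParameter` returns `s.getParser().getRawParameter(name)` while declaring `throws ValidationException`, so nothing on the visible lines can throw it and callers receive the unvalidated value; if bypassing ParameterParser validation is the deliberate weak spot of this lesson, the method should say so, e.g. `// Deliberately returns the raw, unvalidated parameter; presumably the student is expected to add validation here.` The `import org.owasp.webgoat.util.HtmlEncoder;` added at the top of the file is not used in either visible hunk; if it is unused elsewhere in the file it should be dropped rather than left as an unused hint. The class body continues outside the visible lines.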
@ -111,8 +111,8 @@ public class UpdateProfile extends DefaultLessonAction
|
||||
{
|
||||
// The input validation can be added using a parsing component
|
||||
// or by using an inline regular expression. The parsing component
|
||||
// is the better solution.
|
||||
|
||||
// is the better solution.
|
||||
|
||||
HttpServletRequest request = s.getRequest();
|
||||
String firstName = request.getParameter(CrossSiteScripting.FIRST_NAME);
|
||||
String lastName = request.getParameter(CrossSiteScripting.LAST_NAME);
|
||||
@ -129,6 +129,7 @@ public class UpdateProfile extends DefaultLessonAction
|
||||
String disciplinaryActionDate = request.getParameter(CrossSiteScripting.DISCIPLINARY_DATE);
|
||||
String disciplinaryActionNotes = request.getParameter(CrossSiteScripting.DISCIPLINARY_NOTES);
|
||||
String personalDescription = request.getParameter(CrossSiteScripting.DESCRIPTION);
|
||||
|
||||
|
||||
Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2,
|
||||
manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
|
||||
|
@ -4,14 +4,20 @@ package org.owasp.webgoat.lessons.CrossSiteScripting;
|
||||
import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import org.apache.ecs.xhtml.html;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.session.Employee;
|
||||
import org.owasp.webgoat.session.ParameterNotFoundException;
|
||||
import org.owasp.webgoat.session.ParameterParser;
|
||||
import org.owasp.webgoat.session.UnauthenticatedException;
|
||||
import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.ValidationException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.owasp.webgoat.util.HtmlEncoder;
|
||||
|
||||
import com.sun.corba.se.spi.activation.Server;
|
||||
|
||||
|
||||
/***************************************************************************************************
|
||||
@ -86,11 +92,11 @@ public class ViewProfile extends DefaultLessonAction
|
||||
{
|
||||
Employee profile = null;
|
||||
|
||||
|
||||
// Query the database for the profile data of the given employee
|
||||
try
|
||||
{
|
||||
String query = "SELECT * FROM employee WHERE userid = " + subjectUserId;
|
||||
|
||||
try
|
||||
{
|
||||
Statement answer_statement = WebSession.getConnection(s)
|
||||
@ -98,11 +104,12 @@ public class ViewProfile extends DefaultLessonAction
|
||||
ResultSet answer_results = answer_statement.executeQuery(query);
|
||||
if (answer_results.next())
|
||||
{
|
||||
|
||||
// Note: Do NOT get the password field.
|
||||
profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
|
||||
answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
|
||||
.getString("title"), answer_results.getString("phone"), answer_results
|
||||
.getString("address1"), answer_results.getString("address2"), answer_results
|
||||
.getString("title"), answer_results.getString("phone"),
|
||||
answer_results.getString("address1"), answer_results.getString("address2"), answer_results
|
||||
.getInt("manager"), answer_results.getString("start_date"), answer_results
|
||||
.getInt("salary"), answer_results.getString("ccn"), answer_results
|
||||
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
|
||||
@ -124,13 +131,14 @@ public class ViewProfile extends DefaultLessonAction
|
||||
|
||||
return profile;
|
||||
}
|
||||
|
||||
|
||||
public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
|
||||
{
|
||||
// Query the database to determine if this employee has access to this function
|
||||
// Query the database for the profile data of the given employee if "owned" by the given
|
||||
// user
|
||||
|
||||
|
||||
Employee profile = null;
|
||||
|
||||
// Query the database for the profile data of the given employee
|
||||
@ -154,6 +162,8 @@ public class ViewProfile extends DefaultLessonAction
|
||||
.getInt("salary"), answer_results.getString("ccn"), answer_results
|
||||
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
|
||||
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
||||
|
||||
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
|
||||
* profile.getLastName() + " (" + profile.getId() + ")");
|
||||
|