Modified Silent Transactions and XML Injection lesson per Bruce's comments

git-svn-id: http://webgoat.googlecode.com/svn/trunk@55 4033779f-a91e-0410-96ef-6bf7bf53c507
sherif.fathy
2006-12-30 08:07:48 +00:00
parent ba38b57a44
commit 63043b0f34
3 changed files with 118 additions and 29 deletions


@ -21,7 +21,7 @@ import org.owasp.webgoat.session.WebSession;
public class SilentTransactions extends LessonAdapter {
private final static Integer DEFAULT_RANKING = new Integer(40);
private final static Double CURRENT_BALANCE = 11987.09;
/**
* Copyright (c) 2002 Free Software Foundation developed under the
* custody of the Open Web Application Security Project
@ -54,7 +54,7 @@ public class SilentTransactions extends LessonAdapter {
s.getResponse().setContentType("text/html");
s.getResponse().setHeader("Cache-Control", "no-cache");
PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
out.print("<br><br>The transaction had been completed successfully.");
out.print("<br><br>The Transaction has Completed Successfully.");
out.flush();
out.close();
return;
@ -96,9 +96,18 @@ public class SilentTransactions extends LessonAdapter {
" alert('Please enter a valid amount to transfer.')" + lineSep +
" return;" + lineSep +
"}" + lineSep +
" var balanceValue = document.getElementById('balanceID').innerText;" + lineSep +
" balanceValue = balanceValue.replace( new RegExp('$') , '');" + lineSep +
" if ( parseFloat(amount) > parseFloat(balanceValue) ) {" + lineSep +
" alert('You can not transfer more funds than what is available in your balance.')" + lineSep +
" return;" + lineSep +
"}" + lineSep +
" document.getElementById('confirm').value = 'Transferring'" + lineSep +
"submitData(accountNo, amount);" + lineSep +
" document.getElementById('confirm').value = 'Confirm'" + lineSep +
"balanceValue = parseFloat(balanceValue) - parseFloat(amount);" + lineSep +
"balanceValue = balanceValue.toFixed(2);" + lineSep +
"document.getElementById('balanceID').innerText = balanceValue + '$';" + lineSep +
"}" + lineSep +
"function submitData(accountNo, balance) {" + lineSep +
"var url = '/WebGoat/attack?Screen=" + String.valueOf(getScreenId()) +
@ -131,26 +140,12 @@ public class SilentTransactions extends LessonAdapter {
Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(1).setWidth("70%").setAlign("left");
ec.addElement( new BR() );
TR tr = new TR();
tr.addElement( new TD( new StringElement( "Account Number" ) ));
tr.addElement( new TD( new StringElement( "Account Balance" ) ));
tr.addElement( new TD( new StringElement( "Account Balance:" ) ));
tr.addElement( new TD( new StringElement( "<div id='balanceID'>" + CURRENT_BALANCE.toString() + "$</div>") ));
t1.addElement( tr );
tr = new TR();
tr.addElement( new TD( new StringElement( "007-872108-023" )));
tr.addElement( new TD( new StringElement( "11983" )));
t1.addElement( tr );
ec.addElement( t1 );
ec.addElement( new BR() );
ec.addElement( new BR() );
ec.addElement( new H3("<br><br>Transfer Information:<br>"));
ec.addElement( new BR() );
t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(1).setWidth("70%").setAlign("left");
tr = new TR();
tr.addElement( new TD( new StringElement( "Transfer to Account:" ) ));
tr.addElement( new TD( new StringElement( "Transfer to Account:" )));
Input newAccount = new Input();
newAccount.setType( Input.TEXT );
newAccount.setName( "newAccount" );
@ -168,6 +163,8 @@ public class SilentTransactions extends LessonAdapter {
t1.addElement( tr );
ec.addElement( t1 );
ec.addElement( new BR() );
ec.addElement( new BR() );
ec.addElement( new PRE() );
Input b = new Input();
@ -197,6 +194,9 @@ public class SilentTransactions extends LessonAdapter {
List<String> hints = new ArrayList<String>();
hints.add("Check the javascript in the HTML source.");
hints.add("Check how the application calls a specific javascript function to execute the transaction.");
hints.add("Check the javascript functions processData and submitData()");
hints.add("Function submitData() is the one responsible for actually ececuting the transaction.");
hints.add("Check if your browser supports running javascript from the address bar.");
hints.add("Try to navigate to 'javascript:submitData(1234556,11000);'");
return hints;
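Review bot: In the third hunk, `balanceValue.replace( new RegExp('$') , '')` never strips the trailing `$` from the balance text: inside a RegExp `$` is the end-of-input anchor, so the replacement matches an empty string and the value stays as rendered (e.g. `11987.09$`); the later `parseFloat` calls only work because parseFloat ignores trailing characters, and the subtraction happens to rebuild the string without the suffix. A plain string pattern replaces the literal character: `" balanceValue = balanceValue.replace('$', '');" + lineSep +`. The balance itself is rendered server-side from `CURRENT_BALANCE` and the amount check is deliberately kept in the browser for this lesson, so nothing else in the script needs to change. The method that assembles this script starts and ends outside the hunk.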


@ -2,20 +2,26 @@ package org.owasp.webgoat.lessons;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.HashMap;
import java.util.Map;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.H3;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.apache.ecs.html.Div;
import org.apache.ecs.vxml.Initial;
import org.apache.ecs.StringElement;
import org.owasp.webgoat.session.WebSession;
public class XMLInjection extends LessonAdapter {
@ -23,7 +29,39 @@ public class XMLInjection extends LessonAdapter {
private final static Integer DEFAULT_RANKING = new Integer(20);
private final static String ACCOUNTID = "accountID";
public static HashMap rewardsMap = new HashMap();
protected static HashMap init()
{
Reward r = new Reward();
r.setName("WebGoat t-shirt");
r.setPoints(50);
rewardsMap.put( 1001 , r);
r = new Reward();
r.setName("WebGoat Secure Kettle");
r.setPoints(30);
rewardsMap.put( 1002 , r);
r = new Reward();
r.setName("WebGoat Mug");
r.setPoints(20);
rewardsMap.put( 1003 , r);
r = new Reward();
r.setName("WebGoat Core Duo Laptop");
r.setPoints(2000);
rewardsMap.put( 1004 , r);
r = new Reward();
r.setName("WebGoat Hawaii Cruise");
r.setPoints(3000);
rewardsMap.put( 1005 , r);
return rewardsMap;
}
public void handleRequest(WebSession s) {
try
@ -64,6 +102,7 @@ public class XMLInjection extends LessonAdapter {
protected Element createContent(WebSession s) {
ElementContainer ec = new ElementContainer();
boolean isDone = false;
init();
if (s.getParser().getRawParameter("done", "").equals("yes"))
{
@ -93,13 +132,14 @@ public class XMLInjection extends LessonAdapter {
" var rewardsDiv = document.getElementById('rewardsDiv');" + lineSep +
" rewardsDiv.innerHTML = '';" + lineSep +
" var strHTML='';"+ lineSep +
" strHTML = '<tr><td>&nbsp;</td><td>Rewards</td></tr>';" + lineSep +
" for(var i=0; i<rewards.childNodes.length; i++){" + lineSep +
" strHTML = '<tr><td>&nbsp;</td><td><b>Rewards</b></td></tr>';" + lineSep +
" for(var i=0; i< rewards.childNodes.length; i++){" + lineSep +
" var node = rewards.childNodes[i];" + lineSep +
" strHTML = strHTML + '<tr><td><input name=\"check' + i +'\" type=\"checkbox\"></td><td>';" + lineSep +
" strHTML = strHTML + '<tr><td><input name=\"check' + (i+1001) +'\" type=\"checkbox\"></td><td>';" + lineSep +
" strHTML = strHTML + node.childNodes[0].nodeValue + '</td></tr>';" + lineSep +
" }" + lineSep +
" strHTML = '<table>' + strHTML + '</table>';" + lineSep +
" strHTML = 'Your account balance is now 100 points<br><br>' + strHTML;" + lineSep +
" rewardsDiv.innerHTML = strHTML;"+ lineSep +
" }}}" + lineSep +
"</script>" + lineSep;
@ -111,13 +151,30 @@ public class XMLInjection extends LessonAdapter {
ec.addElement( new BR().addElement (new H1().addElement( "Welcome to WebGoat-Miles Reward Miles Program.")));
ec.addElement( new BR());
Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center");
ec.addElement( new BR().addElement (new H3().addElement( "Rewards available through the program:")));
ec.addElement( new BR());
Table t2 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center");
TR trRewards = null;
for (int i=1001; i< 1001 + rewardsMap.size() ; i++)
{
trRewards = new TR();
Reward r = (Reward)rewardsMap.get(i);
trRewards.addElement( new TD("-" + r.getName() + r.getPoints() + " Pts") );
t2.addElement( trRewards);
}
ec.addElement( t2 );
ec.addElement( new BR());
ec.addElement( new H3().addElement( "Redeem your points:"));
ec.addElement( new BR());
Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center");
TR tr = new TR();
tr = new TR();
tr.addElement( new TD("Please enter your account ID:") );
Input input1 = new Input( Input.TEXT, ACCOUNTID, "" );
@ -144,10 +201,24 @@ public class XMLInjection extends LessonAdapter {
if (s.getParser().getRawParameter("SUBMIT", "")!= "")
{
if(s.getParser().getRawParameter("check3", "") != "")
if(s.getParser().getRawParameter("check1004", "") != "")
{
makeSuccess(s);
}
else
{
StringBuffer shipment = new StringBuffer();
for (int i=1001; i< 1001 + rewardsMap.size() ; i++)
{
if (s.getParser().getRawParameter("check" + i, "") != "")
{
shipment.append( ((Reward)rewardsMap.get(i)).getName() + "<br>" );
}
}
shipment.insert(0, "<br><br><b>The following items will be shipped to your address:</b><br>");
ec.addElement( new StringElement(shipment.toString()));
}
}
@ -190,5 +261,23 @@ public class XMLInjection extends LessonAdapter {
public String getTitle() {
return "XML Injection";
}
static class Reward
{
private String name;
private int points;
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public int getPoints() {
return points;
}
public void setPoints(int points) {
this.points = points;
}
}
}
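Review bot: The new checks `getRawParameter("check1004", "") != ""` and `getRawParameter("check" + i, "") != ""` in the `-144,10 +201,24` hunk compare String references rather than contents, so whether a ticked box is detected depends on whether the parser hands back the interned default literal, not on the value; the pre-existing `getRawParameter("SUBMIT", "") != ""` in the same hunk has the same problem. Compare contents instead: `if (s.getParser().getRawParameter("check1004", "").length() > 0)` and `if (s.getParser().getRawParameter("check" + i, "").length() > 0)`. Separately, `init()` is now invoked from `createContent` on every request and re-puts into `public static HashMap rewardsMap`, a raw, unsynchronized map shared across request threads; populating it once in a static initializer, with the field typed `Map<Integer, Reward>` and not public, removes both the race and the `(Reward)` casts in the two loops. In the rewards table, `"-" + r.getName() + r.getPoints() + " Pts"` runs the name straight into the points with no separator. `createContent` continues outside each of these hunks.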