Modified Silent Transactions and XML Injection lesson per Bruce's comments
git-svn-id: http://webgoat.googlecode.com/svn/trunk@55 4033779f-a91e-0410-96ef-6bf7bf53c507
		| @ -21,7 +21,7 @@ import org.owasp.webgoat.session.WebSession; | |||||||
|  |  | ||||||
| public class SilentTransactions extends LessonAdapter { | public class SilentTransactions extends LessonAdapter { | ||||||
| 	private final static Integer DEFAULT_RANKING = new Integer(40); | 	private final static Integer DEFAULT_RANKING = new Integer(40); | ||||||
|  | 	private final static Double CURRENT_BALANCE = 11987.09; | ||||||
| 	/** | 	/** | ||||||
| 	 *  Copyright (c) 2002 Free Software Foundation developed under the  | 	 *  Copyright (c) 2002 Free Software Foundation developed under the  | ||||||
| 	 *  custody of the Open Web Application Security Project  | 	 *  custody of the Open Web Application Security Project  | ||||||
| @ -54,7 +54,7 @@ public class SilentTransactions extends LessonAdapter { | |||||||
| 					s.getResponse().setContentType("text/html"); | 					s.getResponse().setContentType("text/html"); | ||||||
| 					s.getResponse().setHeader("Cache-Control", "no-cache"); | 					s.getResponse().setHeader("Cache-Control", "no-cache"); | ||||||
| 					PrintWriter out = new PrintWriter(s.getResponse().getOutputStream()); | 					PrintWriter out = new PrintWriter(s.getResponse().getOutputStream()); | ||||||
| 					out.print("<br><br>The transaction had been completed successfully.");	 | 					out.print("<br><br>The Transaction has Completed Successfully.");	 | ||||||
| 					out.flush(); | 					out.flush(); | ||||||
| 					out.close(); | 					out.close(); | ||||||
| 					return; | 					return; | ||||||
| @ -96,9 +96,18 @@ public class SilentTransactions extends LessonAdapter { | |||||||
| 			" alert('Please enter a valid amount to transfer.')" + lineSep + | 			" alert('Please enter a valid amount to transfer.')" + lineSep + | ||||||
| 			" return;" + lineSep + | 			" return;" + lineSep + | ||||||
| 			"}" + lineSep + | 			"}" + lineSep + | ||||||
|  | 			" var balanceValue = document.getElementById('balanceID').innerText;" + lineSep + | ||||||
|  | 			" balanceValue = balanceValue.replace( new RegExp('$') , '');" + lineSep + | ||||||
|  | 			" if ( parseFloat(amount) > parseFloat(balanceValue) ) {" + lineSep + | ||||||
|  | 			" alert('You can not transfer more funds than what is available in your balance.')" + lineSep + | ||||||
|  | 			" return;" + lineSep + | ||||||
|  | 			"}" + lineSep + | ||||||
| 			" document.getElementById('confirm').value  = 'Transferring'" + lineSep + | 			" document.getElementById('confirm').value  = 'Transferring'" + lineSep + | ||||||
| 			"submitData(accountNo, amount);" + lineSep + | 			"submitData(accountNo, amount);" + lineSep + | ||||||
| 			" document.getElementById('confirm').value  = 'Confirm'" + lineSep + | 			" document.getElementById('confirm').value  = 'Confirm'" + lineSep + | ||||||
|  | 			"balanceValue = parseFloat(balanceValue) - parseFloat(amount);" + lineSep + | ||||||
|  | 			"balanceValue = balanceValue.toFixed(2);" + lineSep + | ||||||
|  | 			"document.getElementById('balanceID').innerText = balanceValue + '$';" + lineSep + | ||||||
| 			"}" + lineSep + | 			"}" + lineSep + | ||||||
| 			"function submitData(accountNo, balance) {" + lineSep + | 			"function submitData(accountNo, balance) {" + lineSep + | ||||||
| 			"var url = '/WebGoat/attack?Screen=" + String.valueOf(getScreenId()) + | 			"var url = '/WebGoat/attack?Screen=" + String.valueOf(getScreenId()) + | ||||||
| @ -131,26 +140,12 @@ public class SilentTransactions extends LessonAdapter { | |||||||
| 		Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(1).setWidth("70%").setAlign("left"); | 		Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(1).setWidth("70%").setAlign("left"); | ||||||
| 		ec.addElement( new BR() ); | 		ec.addElement( new BR() ); | ||||||
| 		TR tr = new TR();			 | 		TR tr = new TR();			 | ||||||
| 		tr.addElement( new TD( new StringElement( "Account Number" ) )); | 		tr.addElement( new TD( new StringElement( "Account Balance:" ) )); | ||||||
| 		tr.addElement( new TD( new StringElement( "Account Balance" ) )); | 		tr.addElement( new TD( new StringElement( "<div id='balanceID'>" + CURRENT_BALANCE.toString() + "$</div>") )); | ||||||
| 		t1.addElement( tr ); | 		t1.addElement( tr ); | ||||||
| 		 | 		 | ||||||
| 		tr = new TR(); | 		tr = new TR(); | ||||||
| 		tr.addElement( new TD( new StringElement( "007-872108-023" ))); | 		tr.addElement( new TD( new StringElement( "Transfer to Account:" ))); | ||||||
| 		tr.addElement( new TD( new StringElement( "11983" ))); |  | ||||||
| 		t1.addElement( tr ); |  | ||||||
| 		 |  | ||||||
| 		ec.addElement( t1 ); |  | ||||||
| 		ec.addElement( new BR() ); |  | ||||||
| 		ec.addElement( new BR() ); |  | ||||||
| 		 |  | ||||||
| 		ec.addElement( new H3("<br><br>Transfer Information:<br>")); |  | ||||||
| 		ec.addElement( new BR() ); |  | ||||||
|  |  | ||||||
| 		t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(1).setWidth("70%").setAlign("left"); |  | ||||||
| 		 |  | ||||||
| 		tr = new TR();			 |  | ||||||
| 		tr.addElement( new TD( new StringElement( "Transfer to Account:" ) )); |  | ||||||
| 		Input newAccount = new Input(); | 		Input newAccount = new Input(); | ||||||
| 		newAccount.setType( Input.TEXT ); | 		newAccount.setType( Input.TEXT ); | ||||||
| 		newAccount.setName( "newAccount" ); | 		newAccount.setName( "newAccount" ); | ||||||
| @ -168,6 +163,8 @@ public class SilentTransactions extends LessonAdapter { | |||||||
| 		t1.addElement( tr ); | 		t1.addElement( tr ); | ||||||
| 		 | 		 | ||||||
| 		ec.addElement( t1 ); | 		ec.addElement( t1 ); | ||||||
|  | 		ec.addElement( new BR() ); | ||||||
|  | 		ec.addElement( new BR() ); | ||||||
| 		 | 		 | ||||||
| 		ec.addElement( new PRE() ); | 		ec.addElement( new PRE() ); | ||||||
| 		Input b = new Input(); | 		Input b = new Input(); | ||||||
| @ -197,6 +194,9 @@ public class SilentTransactions extends LessonAdapter { | |||||||
| 		List<String> hints = new ArrayList<String>(); | 		List<String> hints = new ArrayList<String>(); | ||||||
| 		hints.add("Check the javascript in the HTML source."); | 		hints.add("Check the javascript in the HTML source."); | ||||||
| 		hints.add("Check how the application calls a specific javascript function to execute the transaction."); | 		hints.add("Check how the application calls a specific javascript function to execute the transaction."); | ||||||
|  | 		hints.add("Check the javascript functions processData and submitData()"); | ||||||
|  | 		hints.add("Function submitData() is the one responsible for actually ececuting the transaction."); | ||||||
|  | 		hints.add("Check if your browser supports running javascript from the address bar."); | ||||||
| 		hints.add("Try to navigate to 'javascript:submitData(1234556,11000);'"); | 		hints.add("Try to navigate to 'javascript:submitData(1234556,11000);'"); | ||||||
| 		return hints; | 		return hints; | ||||||
| 	 | 	 | ||||||
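Review bot: The dollar-sign stripping added at `balanceValue = balanceValue.replace( new RegExp('$') , '');` removes nothing, because as a regular expression `$` is the end-of-input anchor rather than a literal dollar sign; the later `parseFloat(balanceValue)` only succeeds because parseFloat stops at the first non-numeric character, so the check works by accident. A plain string argument does what was intended, `balanceValue = balanceValue.replace('$', '');`, and `innerText` (used to read and write `balanceID`) is non-standard, so `textContent` would keep the check working outside IE. This balance check exists only in the browser: the handler in the `@ -54,7` hunk still completes the transaction without validating the amount, which appears to be the lesson's intended weakness given the hint that calls `submitData` directly, and deserves a comment such as `// No server-side amount/balance validation on purpose: this is what the lesson demonstrates`; that handler's body starts and ends outside the hunk. The new hint `"Function submitData() is the one responsible for actually ececuting the transaction."` misspells executing.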
|  | |||||||
| @ -2,20 +2,26 @@ package org.owasp.webgoat.lessons; | |||||||
|  |  | ||||||
| import java.io.PrintWriter; | import java.io.PrintWriter; | ||||||
| import java.util.ArrayList; | import java.util.ArrayList; | ||||||
|  | import java.util.Hashtable; | ||||||
| import java.util.List; | import java.util.List; | ||||||
|  | import java.util.HashMap; | ||||||
|  | import java.util.Map; | ||||||
|  |  | ||||||
| import org.apache.ecs.Element; | import org.apache.ecs.Element; | ||||||
| import org.apache.ecs.ElementContainer; | import org.apache.ecs.ElementContainer; | ||||||
| import org.apache.ecs.html.BR; | import org.apache.ecs.html.BR; | ||||||
| import org.apache.ecs.html.Form; | import org.apache.ecs.html.Form; | ||||||
| import org.apache.ecs.html.H1; | import org.apache.ecs.html.H1; | ||||||
|  | import org.apache.ecs.html.H3; | ||||||
| import org.apache.ecs.html.Input; | import org.apache.ecs.html.Input; | ||||||
| import org.apache.ecs.html.TD; | import org.apache.ecs.html.TD; | ||||||
| import org.apache.ecs.html.TR; | import org.apache.ecs.html.TR; | ||||||
| import org.apache.ecs.html.Table; | import org.apache.ecs.html.Table; | ||||||
| import org.apache.ecs.html.Div; | import org.apache.ecs.html.Div; | ||||||
|  | import org.apache.ecs.vxml.Initial; | ||||||
| import org.apache.ecs.StringElement; | import org.apache.ecs.StringElement; | ||||||
|  |  | ||||||
|  |  | ||||||
| import org.owasp.webgoat.session.WebSession; | import org.owasp.webgoat.session.WebSession; | ||||||
|  |  | ||||||
| public class XMLInjection extends LessonAdapter { | public class XMLInjection extends LessonAdapter { | ||||||
| @ -23,7 +29,39 @@ public class XMLInjection extends LessonAdapter { | |||||||
| 	private final static Integer DEFAULT_RANKING = new Integer(20); | 	private final static Integer DEFAULT_RANKING = new Integer(20); | ||||||
| 	private final static String ACCOUNTID = "accountID"; | 	private final static String ACCOUNTID = "accountID"; | ||||||
|  |  | ||||||
|  | 	public static HashMap rewardsMap = new HashMap(); | ||||||
|  | 	 | ||||||
|  | 	protected static HashMap init() | ||||||
|  | 	{ | ||||||
|  | 		Reward r = new Reward(); | ||||||
|  | 		 | ||||||
|  | 		r.setName("WebGoat t-shirt"); | ||||||
|  | 		r.setPoints(50); | ||||||
|  | 		rewardsMap.put( 1001 , r); | ||||||
|  |  | ||||||
|  | 		r = new Reward(); | ||||||
|  | 		r.setName("WebGoat Secure Kettle"); | ||||||
|  | 		r.setPoints(30); | ||||||
|  | 		rewardsMap.put( 1002 , r); | ||||||
|  |  | ||||||
|  | 		r = new Reward(); | ||||||
|  | 		r.setName("WebGoat Mug"); | ||||||
|  | 		r.setPoints(20); | ||||||
|  | 		rewardsMap.put( 1003 , r); | ||||||
|  |  | ||||||
|  | 		r = new Reward(); | ||||||
|  | 		r.setName("WebGoat Core Duo Laptop"); | ||||||
|  | 		r.setPoints(2000); | ||||||
|  | 		rewardsMap.put( 1004 , r); | ||||||
|  |  | ||||||
|  | 		r = new Reward(); | ||||||
|  | 		r.setName("WebGoat Hawaii Cruise"); | ||||||
|  | 		r.setPoints(3000); | ||||||
|  | 		rewardsMap.put( 1005 , r); | ||||||
|  | 		 | ||||||
|  | 		return rewardsMap; | ||||||
|  | } | ||||||
|  | 	 | ||||||
| 	public void handleRequest(WebSession s) { | 	public void handleRequest(WebSession s) { | ||||||
| 		 | 		 | ||||||
| 		try  | 		try  | ||||||
| @ -64,6 +102,7 @@ public class XMLInjection extends LessonAdapter { | |||||||
| 	protected Element createContent(WebSession s) { | 	protected Element createContent(WebSession s) { | ||||||
| 		ElementContainer ec = new ElementContainer(); | 		ElementContainer ec = new ElementContainer(); | ||||||
| 		boolean isDone = false; | 		boolean isDone = false; | ||||||
|  | 		init(); | ||||||
| 		 | 		 | ||||||
| 		if (s.getParser().getRawParameter("done", "").equals("yes")) | 		if (s.getParser().getRawParameter("done", "").equals("yes")) | ||||||
| 		{ | 		{ | ||||||
| @ -93,13 +132,14 @@ public class XMLInjection extends LessonAdapter { | |||||||
| 			"			 var rewardsDiv = document.getElementById('rewardsDiv');" + lineSep + | 			"			 var rewardsDiv = document.getElementById('rewardsDiv');" + lineSep + | ||||||
| 			"				rewardsDiv.innerHTML = '';" + lineSep + | 			"				rewardsDiv.innerHTML = '';" + lineSep + | ||||||
| 			"				var strHTML='';"+ lineSep + | 			"				var strHTML='';"+ lineSep + | ||||||
| 			"				strHTML = '<tr><td> </td><td>Rewards</td></tr>';" + lineSep + | 			"				strHTML = '<tr><td> </td><td><b>Rewards</b></td></tr>';" + lineSep + | ||||||
| 			"			 for(var i=0; i<rewards.childNodes.length; i++){" + lineSep + | 			"			 for(var i=0; i< rewards.childNodes.length; i++){" + lineSep + | ||||||
| 			"				var node = rewards.childNodes[i];" + lineSep + | 			"				var node = rewards.childNodes[i];" + lineSep + | ||||||
| 			"				strHTML = strHTML + '<tr><td><input name=\"check' + i +'\" type=\"checkbox\"></td><td>';" + lineSep + | 			"				strHTML = strHTML + '<tr><td><input name=\"check' + (i+1001) +'\" type=\"checkbox\"></td><td>';" + lineSep + | ||||||
| 			"			    strHTML = strHTML + node.childNodes[0].nodeValue + '</td></tr>';" + lineSep + | 			"			    strHTML = strHTML + node.childNodes[0].nodeValue + '</td></tr>';" + lineSep + | ||||||
| 			"			 }" + lineSep + | 			"			 }" + lineSep + | ||||||
| 			"				strHTML = '<table>' + strHTML + '</table>';" + lineSep + | 			"				strHTML = '<table>' + strHTML + '</table>';" + lineSep + | ||||||
|  | 			"				strHTML = 'Your account balance is now 100 points<br><br>' + strHTML;" + lineSep +  | ||||||
| 			"               rewardsDiv.innerHTML = strHTML;"+ lineSep + | 			"               rewardsDiv.innerHTML = strHTML;"+ lineSep + | ||||||
| 			"        }}}" + lineSep + | 			"        }}}" + lineSep + | ||||||
| 			"</script>" + lineSep; | 			"</script>" + lineSep; | ||||||
| @ -111,13 +151,30 @@ public class XMLInjection extends LessonAdapter { | |||||||
| 		ec.addElement( new BR().addElement (new H1().addElement( "Welcome to WebGoat-Miles Reward Miles Program."))); | 		ec.addElement( new BR().addElement (new H1().addElement( "Welcome to WebGoat-Miles Reward Miles Program."))); | ||||||
| 		ec.addElement( new BR()); | 		ec.addElement( new BR()); | ||||||
| 		 | 		 | ||||||
| 		Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center"); | 		ec.addElement( new BR().addElement (new H3().addElement( "Rewards available through the program:"))); | ||||||
|  | 		ec.addElement( new BR()); | ||||||
|  | 		Table t2 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center"); | ||||||
|  | 		TR trRewards = null; | ||||||
| 		 | 		 | ||||||
|  | 		for (int i=1001; i< 1001 + rewardsMap.size() ; i++) | ||||||
|  | 		{ | ||||||
|  | 			trRewards = new TR(); | ||||||
|  | 			Reward r = (Reward)rewardsMap.get(i); | ||||||
|  | 			trRewards.addElement( new TD("-" + r.getName() + r.getPoints() + " Pts") ); | ||||||
|  | 			t2.addElement( trRewards); | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		ec.addElement( t2 ); | ||||||
|  | 		 | ||||||
|  | 		ec.addElement( new BR()); | ||||||
|  |  | ||||||
|  | 		ec.addElement( new H3().addElement( "Redeem your points:")); | ||||||
|  | 		ec.addElement( new BR()); | ||||||
|  | 		 | ||||||
|  | 		Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center");		 | ||||||
| 		 | 		 | ||||||
| 		TR tr = new TR();			 | 		TR tr = new TR();			 | ||||||
| 		 | 			 | ||||||
| 		tr = new TR(); |  | ||||||
| 		 |  | ||||||
| 		tr.addElement( new TD("Please enter your account ID:") ); | 		tr.addElement( new TD("Please enter your account ID:") ); | ||||||
| 		 | 		 | ||||||
| 		Input input1 = new Input( Input.TEXT, ACCOUNTID, "" ); | 		Input input1 = new Input( Input.TEXT, ACCOUNTID, "" ); | ||||||
| @ -144,10 +201,24 @@ public class XMLInjection extends LessonAdapter { | |||||||
| 		 | 		 | ||||||
| 		if (s.getParser().getRawParameter("SUBMIT", "")!= "") | 		if (s.getParser().getRawParameter("SUBMIT", "")!= "") | ||||||
| 		{ | 		{ | ||||||
| 			if(s.getParser().getRawParameter("check3", "") != "") | 			if(s.getParser().getRawParameter("check1004", "") != "") | ||||||
| 			{ | 			{ | ||||||
| 				makeSuccess(s);	 | 				makeSuccess(s);	 | ||||||
| 			} | 			} | ||||||
|  | 			else | ||||||
|  | 			{ | ||||||
|  | 				StringBuffer shipment = new StringBuffer(); | ||||||
|  | 				for (int i=1001; i< 1001 + rewardsMap.size() ; i++) | ||||||
|  | 				{ | ||||||
|  | 					 | ||||||
|  | 					if (s.getParser().getRawParameter("check" + i, "") != "") | ||||||
|  | 					{ | ||||||
|  | 						shipment.append( ((Reward)rewardsMap.get(i)).getName() + "<br>" ); | ||||||
|  | 					} | ||||||
|  | 				} | ||||||
|  | 				shipment.insert(0, "<br><br><b>The following items will be shipped to your address:</b><br>"); | ||||||
|  | 				ec.addElement( new StringElement(shipment.toString())); | ||||||
|  | 			} | ||||||
| 			 | 			 | ||||||
| 		} | 		} | ||||||
| 		 | 		 | ||||||
| @ -190,5 +261,23 @@ public class XMLInjection extends LessonAdapter { | |||||||
| 	public String getTitle() { | 	public String getTitle() { | ||||||
| 		return "XML Injection"; | 		return "XML Injection"; | ||||||
| 	} | 	} | ||||||
|  | 	 | ||||||
|  | 	static class Reward | ||||||
|  | 	{ | ||||||
|  | 		private String name; | ||||||
|  | 		private int points; | ||||||
|  | 		public String getName() { | ||||||
|  | 			return name; | ||||||
|  | 		} | ||||||
|  | 		public void setName(String name) { | ||||||
|  | 			this.name = name; | ||||||
|  | 		} | ||||||
|  | 		public int getPoints() { | ||||||
|  | 			return points; | ||||||
|  | 		} | ||||||
|  | 		public void setPoints(int points) { | ||||||
|  | 			this.points = points; | ||||||
|  | 		} | ||||||
|  | 		 | ||||||
|  | 	} | ||||||
| } | } | ||||||
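Review bot: The new shipment loop at `if (s.getParser().getRawParameter("check" + i, "") != "")` compares strings by reference; it only works because the `""` default returned for a missing parameter is the same interned literal as the one in the comparison, and a checkbox parameter that arrives with an empty value (a distinct String object) would be treated as checked. Use `if (!"".equals(s.getParser().getRawParameter("check" + i, "")))` here, and the same fix applies to the `check1004` and `SUBMIT` comparisons just above it. `rewardsMap` is a public static raw `HashMap` that `createContent` re-populates through `init()` on every request, so every session shares one mutable map that is presumably rewritten concurrently by the container's request threads; declaring it `private static final Map<Integer, Reward>` and filling it once in a static initializer (or building a local map in `init()` and returning `Collections.unmodifiableMap`) removes both the raw type and the race, and would also give the newly imported `java.util.Map` a use. The listing at `new TD("-" + r.getName() + r.getPoints() + " Pts")` runs the name straight into the points (`WebGoat Mug20 Pts`); insert a separator such as `" - "`. The added imports `java.util.Hashtable` and `org.apache.ecs.vxml.Initial` are unused.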
|  | |||||||
| @ -14,5 +14,5 @@ AJAX applications use XML to exchange information with the server. This XML can | |||||||
| </div> | </div> | ||||||
| <p><b>General Goal(s):</b> </p> | <p><b>General Goal(s):</b> </p> | ||||||
| <!-- Start Instructions --> | <!-- Start Instructions --> | ||||||
| The form below takes your WebGoat Rewards Mile account and returns back the kind of rewards you can afford. Your goal is to try to add more rewards to your allowed set of rewards. Your account ID is 836239. | WebGoat-Miles Reward Miles shows all the rewards available. Once, you enter your account ID, it will show you your balance and the ones that you can afford. Your goal is to try to add more rewards to your allowed set of rewards. Your account ID is 836239. | ||||||
| <!-- Stop Instructions --> | <!-- Stop Instructions --> | ||||||
|  | |||||||