git-svn-id: http://webgoat.googlecode.com/svn/trunk@28 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
sherif.fathy
@ -307,6 +307,9 @@ public class HammerHead extends HttpServlet
|
||||
|
||||
s.setHasHackableAdmin( screen.getRole() );
|
||||
|
||||
//More bookkeeping here to see if the user was able to force browse to the
|
||||
//config URL.
|
||||
s.setHasHackableConfig( s.getRequest().getRequestURI());
|
||||
lesson.handleRequest( s );
|
||||
s.setCurrentMenu( lesson.getCategory().getRanking() );
|
||||
}
|
||||
@ -346,7 +349,7 @@ public class HammerHead extends HttpServlet
|
||||
// in order to satisfy the remote admin lesson.
|
||||
|
||||
s.setHasHackableAdmin( screen.getRole() );
|
||||
|
||||
|
||||
lesson.handleRequest( s );
|
||||
s.setCurrentMenu( lesson.getCategory().getRanking() );
|
||||
}
|
||||
|
||||
@ -4,6 +4,7 @@ import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import org.apache.ecs.Element;
|
||||
import org.apache.ecs.ElementContainer;
|
||||
import org.apache.ecs.StringElement;
|
||||
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
@ -14,8 +15,8 @@ import org.owasp.webgoat.session.WebSession;
|
||||
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
|
||||
* this software.
|
||||
*
|
||||
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
|
||||
* @created October 28, 2003
|
||||
* @author Sherif Koussa <a href="http://www.macadamian.com">Macadamian Technologies.</a>
|
||||
* @created November 02, 2006
|
||||
*/
|
||||
public class ForcedBrowsing extends LessonAdapter
|
||||
{
|
||||
@ -28,8 +29,18 @@ public class ForcedBrowsing extends LessonAdapter
|
||||
*/
|
||||
protected Element createContent( WebSession s )
|
||||
{
|
||||
// just to get the generic how to text.
|
||||
return super.createContent(s);
|
||||
ElementContainer ec = new ElementContainer();
|
||||
|
||||
if ( s.completedHackableConfig() )
|
||||
{
|
||||
makeSuccess( s );
|
||||
}
|
||||
else
|
||||
{
|
||||
ec.addElement( "Can you try to force browse to the config page which "
|
||||
+ "should only be accessed by maintenance personnel.");
|
||||
}
|
||||
return ec;
|
||||
}
|
||||
|
||||
|
||||
@ -53,15 +64,14 @@ public class ForcedBrowsing extends LessonAdapter
|
||||
public List getHints()
|
||||
{
|
||||
List hints = new ArrayList();
|
||||
hints.add( "Lesson Hint 1" );
|
||||
hints.add( "Lesson Hint 2" );
|
||||
|
||||
hints.add( "Try to guess the URL for the config page" );
|
||||
hints.add( "The config page is guessable and hackable" );
|
||||
hints.add( "Play with the URL and try to guess what the can you replace 'attack' with." );
|
||||
|
||||
return hints;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
private final static Integer DEFAULT_RANKING = new Integer(15);
|
||||
|
||||
protected Integer getDefaultRanking()
|
||||
@ -80,7 +90,7 @@ public class ForcedBrowsing extends LessonAdapter
|
||||
|
||||
public Element getCredits()
|
||||
{
|
||||
return new StringElement("This screen created by: Your name could go here");
|
||||
return new StringElement("This screen created by: Sherif Koussa");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -19,6 +19,16 @@ import org.apache.ecs.html.Table;
|
||||
import org.apache.ecs.html.PRE;
|
||||
import org.apache.ecs.HtmlColor;
|
||||
|
||||
/**
|
||||
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
|
||||
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
|
||||
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
|
||||
* this software.
|
||||
*
|
||||
* @author Sherif Koussa <a href="http://www.macadamian.com">Macadamian Technologies</a>
|
||||
* @created October 28, 2006
|
||||
*/
|
||||
|
||||
public class LogSpoofing extends LessonAdapter {
|
||||
|
||||
private static final String USERNAME = "username";
|
||||
|
||||
@ -225,6 +225,8 @@ public class WebSession
|
||||
private String feedbackAddress = "<A HREF=mailto:webgoat@aspectsecurity.com>webgoat@aspectsecurity.com</A>";
|
||||
|
||||
private boolean completedHackableAdmin = false;
|
||||
|
||||
private boolean completedHackableConfig = false;
|
||||
|
||||
private int currentMenu;
|
||||
|
||||
@ -724,6 +726,16 @@ public class WebSession
|
||||
return ( completedHackableAdmin );
|
||||
}
|
||||
|
||||
/**
|
||||
* Has the user ever hacked the hackable config URL
|
||||
*
|
||||
* @return The hackable config value
|
||||
*/
|
||||
public boolean completedHackableConfig()
|
||||
{
|
||||
return ( completedHackableConfig );
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the authenticated attribute of the WebSession object
|
||||
*
|
||||
@ -1103,6 +1115,14 @@ public class WebSession
|
||||
}
|
||||
}
|
||||
|
||||
public void setHasHackableConfig ( String url)
|
||||
{
|
||||
if ( config.indexOf("config") >= 0)
|
||||
{
|
||||
completedHackableConfig = true;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @return Returns the isDebug.
|
||||
*/
|
||||
|
||||
Reference in New Issue
Block a user