Restructured the baseline to remove extra src/main directory structure. Added eclipes project file
git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@485 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
@ -0,0 +1,57 @@
|
||||
package org.owasp.webgoat.lessons.instructor.CrossSiteScripting;
|
||||
|
||||
import java.util.regex.Pattern;
|
||||
import org.owasp.webgoat.lessons.CrossSiteScripting.FindProfile;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
||||
import org.owasp.webgoat.session.ParameterNotFoundException;
|
||||
import org.owasp.webgoat.session.ValidationException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
|
||||
// STAGE 5 FIXES
|
||||
// Solution Summary: Edit FindProfile.java and change getRequestParameter().
|
||||
// Modify getRequestParameter() with lines denoted by // STAGE 5 - FIX.
|
||||
// Solution Steps:
|
||||
// 1. Talk about the different parser methods. We could have used the parser method that takes a
|
||||
// regular expression.
|
||||
// 2. Call validate on the request parameter.
|
||||
// return validate(s.getParser().getRawParameter(name), (Pattern) patterns.get(name));
|
||||
//
|
||||
// Note: patterns.get(name) is used to fetch the XSS validation pattern that is defined
|
||||
// in FindProfile.Java
|
||||
//
|
||||
// protected static Map patterns = new HashMap();
|
||||
// static
|
||||
// {
|
||||
// patterns.put(CrossSiteScripting.SEARCHNAME, Pattern.compile("[a-zA-Z ]{0,20}"));
|
||||
// }
|
||||
|
||||
|
||||
|
||||
public class FindProfile_i extends FindProfile
|
||||
{
|
||||
public FindProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
|
||||
{
|
||||
super(lesson, lessonName, actionName, chainedAction);
|
||||
}
|
||||
|
||||
protected String getRequestParameter(WebSession s, String name) throws ParameterNotFoundException,
|
||||
ValidationException
|
||||
{
|
||||
// NOTE:
|
||||
//
|
||||
// In order for this to work generically, the name of the parameter and the name
|
||||
// of the regular expression validation patter must be the same.
|
||||
//
|
||||
// Another way this could be done is to use the reguler expression method in the
|
||||
// ParameterParser class
|
||||
|
||||
// STAGE 5 - FIX
|
||||
return validate(s.getParser().getRawParameter(name), (Pattern) patterns.get(name));
|
||||
|
||||
// Note the design goal here...
|
||||
// return s.getParser().getStringParameter(name), (Pattern) patterns.get(name));
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,112 @@
|
||||
|
||||
package org.owasp.webgoat.lessons.instructor.CrossSiteScripting;
|
||||
|
||||
import java.util.regex.Pattern;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import org.owasp.webgoat.lessons.CrossSiteScripting.CrossSiteScripting;
|
||||
import org.owasp.webgoat.lessons.CrossSiteScripting.UpdateProfile;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
||||
import org.owasp.webgoat.session.Employee;
|
||||
import org.owasp.webgoat.session.ParameterNotFoundException;
|
||||
import org.owasp.webgoat.session.ParameterParser;
|
||||
import org.owasp.webgoat.session.ValidationException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
|
||||
// STAGE 2 FIXES
|
||||
// Solution Summary: Edit UpdateProfile.java and change parseEmployeeProfile().
|
||||
// Modify parseEmployeeProfile() with lines denoted by // STAGE 2 - FIX.
|
||||
// Solution Steps:
|
||||
// 1. Talk about the different parser methods.
|
||||
// a. parseEmployeeProfile(subjectId, s.getRequest())
|
||||
// - uses the request object directly.
|
||||
// - calling validate() on the appropriate parameter
|
||||
// b. parseEmployeeProfile(subjectId, s.getParser())
|
||||
// - uses the parser object to pull request data (centralized mechanism)
|
||||
//
|
||||
// 2. Fix the request object version of the call // STAGE 2 - FIX
|
||||
// Replace the call to:
|
||||
// String address1 = request.getParameter(CrossSiteScripting.ADDRESS1);
|
||||
//
|
||||
// With:
|
||||
// final Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}"); // STAGE 2 - FIX
|
||||
// String address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1);
|
||||
// // STAGE 2 - FIX
|
||||
//
|
||||
//
|
||||
// 3. Fix the parser version of the call. // STAGE 2 - ALTERNATE FIX
|
||||
// Change all calls in parseEmployeeProfile(subjectId, s.getParser()) to use
|
||||
// the appropriate parser.method() call
|
||||
//
|
||||
|
||||
public class UpdateProfile_i extends UpdateProfile
|
||||
{
|
||||
public UpdateProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
|
||||
{
|
||||
super(lesson, lessonName, actionName, chainedAction);
|
||||
}
|
||||
|
||||
protected Employee parseEmployeeProfile(int subjectId, WebSession s) throws ParameterNotFoundException,
|
||||
ValidationException
|
||||
{
|
||||
HttpServletRequest request = s.getRequest();
|
||||
String firstName = request.getParameter(CrossSiteScripting.FIRST_NAME);
|
||||
String lastName = request.getParameter(CrossSiteScripting.LAST_NAME);
|
||||
String ssn = request.getParameter(CrossSiteScripting.SSN);
|
||||
String title = request.getParameter(CrossSiteScripting.TITLE);
|
||||
String phone = request.getParameter(CrossSiteScripting.PHONE_NUMBER);
|
||||
|
||||
// Validate this parameter against a regular expression pattern designed for street
|
||||
// addresses.
|
||||
|
||||
// STAGE 2 - FIX
|
||||
final Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}");
|
||||
String address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1);
|
||||
|
||||
|
||||
String address2 = request.getParameter(CrossSiteScripting.ADDRESS2);
|
||||
int manager = Integer.parseInt(request.getParameter(CrossSiteScripting.MANAGER));
|
||||
String startDate = request.getParameter(CrossSiteScripting.START_DATE);
|
||||
int salary = Integer.parseInt(request.getParameter(CrossSiteScripting.SALARY));
|
||||
String ccn = request.getParameter(CrossSiteScripting.CCN);
|
||||
int ccnLimit = Integer.parseInt(request.getParameter(CrossSiteScripting.CCN_LIMIT));
|
||||
String disciplinaryActionDate = request.getParameter(CrossSiteScripting.DISCIPLINARY_DATE);
|
||||
String disciplinaryActionNotes = request.getParameter(CrossSiteScripting.DISCIPLINARY_NOTES);
|
||||
String personalDescription = request.getParameter(CrossSiteScripting.DESCRIPTION);
|
||||
|
||||
Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2,
|
||||
manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
|
||||
personalDescription);
|
||||
|
||||
return employee;
|
||||
}
|
||||
|
||||
protected Employee parseEmployeeProfile(int subjectId, ParameterParser parser) throws ParameterNotFoundException,
|
||||
ValidationException
|
||||
{
|
||||
// STAGE 2 - ALTERNATE FIX
|
||||
String firstName = parser.getStrictAlphaParameter(CrossSiteScripting.FIRST_NAME, 20);
|
||||
String lastName = parser.getStrictAlphaParameter(CrossSiteScripting.LAST_NAME, 20);
|
||||
String ssn = parser.getSsnParameter(CrossSiteScripting.SSN);
|
||||
String title = parser.getStrictAlphaParameter(CrossSiteScripting.TITLE, 20);
|
||||
String phone = parser.getPhoneParameter(CrossSiteScripting.PHONE_NUMBER);
|
||||
String address1 = parser.getStringParameter(CrossSiteScripting.ADDRESS1);
|
||||
String address2 = parser.getStringParameter(CrossSiteScripting.ADDRESS2);
|
||||
int manager = parser.getIntParameter(CrossSiteScripting.MANAGER);
|
||||
String startDate = parser.getDateParameter(CrossSiteScripting.START_DATE);
|
||||
int salary = parser.getIntParameter(CrossSiteScripting.SALARY);
|
||||
String ccn = parser.getCcnParameter(CrossSiteScripting.CCN);
|
||||
int ccnLimit = parser.getIntParameter(CrossSiteScripting.CCN_LIMIT);
|
||||
String disciplinaryActionDate = parser.getDateParameter(CrossSiteScripting.DISCIPLINARY_DATE);
|
||||
String disciplinaryActionNotes = parser.getStrictAlphaParameter(CrossSiteScripting.DISCIPLINARY_NOTES, 60);
|
||||
String personalDescription = parser.getStrictAlphaParameter(CrossSiteScripting.DESCRIPTION, 60);
|
||||
|
||||
Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2,
|
||||
manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
|
||||
personalDescription);
|
||||
|
||||
return employee;
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,22 @@
|
||||
|
||||
package org.owasp.webgoat.lessons.instructor.CrossSiteScripting;
|
||||
|
||||
import org.owasp.webgoat.lessons.CrossSiteScripting.ViewProfile;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
|
||||
|
||||
// STAGE 4 FIXES
|
||||
//
|
||||
//Solution Summary: Look in the WebContent/lesson/CrossSiteScripting/ViewProfile.jsp
|
||||
//
|
||||
//Look for the <-- STAGE 4 - FIX in the ViewProfile.jsp
|
||||
//
|
||||
//
|
||||
|
||||
public class ViewProfile_i extends ViewProfile
|
||||
{
|
||||
public ViewProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName)
|
||||
{
|
||||
super(lesson, lessonName, actionName);
|
||||
}
|
||||
}
|
Reference in New Issue
Block a user