dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Migrate other lessons to extending GoatHillsFinancial

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@155 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
rogan.dawes 2007-07-10 11:57:54 +00:00
parent a71b6af562
commit 6abdcbf640
6 changed files with 41 additions and 402 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

214
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
View File

@ -1,25 +1,17 @@
package org.owasp.webgoat.lessons.CrossSiteScripting;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.A;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.lessons.LessonAction;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.DeleteProfile;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.ListStaff;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.Login;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.Logout;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.SearchStaff;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff;
import org.owasp.webgoat.lessons.GoatHillsFinancial.Login;
import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
@ -57,140 +49,31 @@ import org.owasp.webgoat.session.WebSession;
* For details, please see http://code.google.com/p/webgoat/
*
*/
public class CrossSiteScripting extends LessonAdapter
public class CrossSiteScripting extends GoatHillsFinancial
{
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
public final static String DESCRIPTION = "description";
public final static String DISCIPLINARY_DATE = "disciplinaryDate";
public final static String DISCIPLINARY_NOTES = "disciplinaryNotes";
public final static String CCN_LIMIT = "ccnLimit";
public final static String CCN = "ccn";
public final static String SALARY = "salary";
public final static String START_DATE = "startDate";
public final static String MANAGER = "manager";
public final static String ADDRESS1 = "address1";
public final static String ADDRESS2 = "address2";
public final static String PHONE_NUMBER = "phoneNumber";
public final static String TITLE = "title";
public final static String SSN = "ssn";
public final static String LAST_NAME = "lastName";
public final static String FIRST_NAME = "firstName";
public final static String PASSWORD = "password";
public final static String EMPLOYEE_ID = "employee_id";
public final static String USER_ID = "user_id";
public final static String SEARCHNAME = "search_name";
public final static String SEARCHRESULT_ATTRIBUTE_KEY = "SearchResult";
public final static String EMPLOYEE_ATTRIBUTE_KEY = "Employee";
public final static String STAFF_ATTRIBUTE_KEY = "Staff";
public final static String LOGIN_ACTION = "Login";
public final static String LOGOUT_ACTION = "Logout";
public final static String LISTSTAFF_ACTION = "ListStaff";
public final static String SEARCHSTAFF_ACTION = "SearchStaff";
public final static String FINDPROFILE_ACTION = "FindProfile";
public final static String VIEWPROFILE_ACTION = "ViewProfile";
public final static String EDITPROFILE_ACTION = "EditProfile";
public final static String UPDATEPROFILE_ACTION = "UpdateProfile";
public final static String CREATEPROFILE_ACTION = "CreateProfile";
public final static String DELETEPROFILE_ACTION = "DeleteProfile";
public final static String ERROR_ACTION = "error";
private final static String LESSON_NAME = "CrossSiteScripting";
private final static String JSP_PATH = "/lessons/" + LESSON_NAME + "/";
private final static Integer DEFAULT_RANKING = new Integer(100);
private static Connection connection = null;
private Map lessonFunctions = new Hashtable();
public static synchronized Connection getConnection(WebSession s)
throws SQLException, ClassNotFoundException
protected void registerActions(String className)
{
if (connection == null)
{
connection = DatabaseUtilities.makeConnection(s);
}
return connection;
}
public CrossSiteScripting()
{
String myClassName = parseClassName(this.getClass().getName());
registerAction(new ListStaff(this, myClassName, LISTSTAFF_ACTION));
registerAction(new SearchStaff(this, myClassName, SEARCHSTAFF_ACTION));
registerAction(new ViewProfile(this, myClassName, VIEWPROFILE_ACTION));
registerAction(new EditProfile(this, myClassName, EDITPROFILE_ACTION));
registerAction(new EditProfile(this, myClassName, CREATEPROFILE_ACTION));
registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
// These actions are special in that they chain to other actions.
registerAction(new Login(this, myClassName, LOGIN_ACTION,
registerAction(new Login(this, className, LOGIN_ACTION,
getAction(LISTSTAFF_ACTION)));
registerAction(new Logout(this, myClassName, LOGOUT_ACTION,
registerAction(new Logout(this, className, LOGOUT_ACTION,
getAction(LOGIN_ACTION)));
registerAction(new FindProfile(this, myClassName, FINDPROFILE_ACTION,
registerAction(new FindProfile(this, className, FINDPROFILE_ACTION,
getAction(VIEWPROFILE_ACTION)));
registerAction(new UpdateProfile(this, myClassName,
registerAction(new UpdateProfile(this, className,
UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
registerAction(new DeleteProfile(this, myClassName,
registerAction(new DeleteProfile(this, className,
DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
}
protected static String parseClassName(String fqcn)
{
String className = fqcn;
int lastDotIndex = fqcn.lastIndexOf('.');
if (lastDotIndex > -1)
className = fqcn.substring(lastDotIndex + 1);
return className;
}
protected void registerAction(LessonAction action)
{
lessonFunctions.put(action.getActionName(), action);
}
/**
* Gets the category attribute of the CrossSiteScripting object
*
@ -201,7 +84,6 @@ public class CrossSiteScripting extends LessonAdapter
return Category.A4;
}
/**
* Gets the hints attribute of the DirectoryScreen object
*
@ -315,12 +197,6 @@ public class CrossSiteScripting extends LessonAdapter
return 6;
}
protected LessonAction getAction(String actionName)
{
return (LessonAction) lessonFunctions.get(actionName);
}
public void handleRequest(WebSession s)
{
if (s.getLessonSession(this) == null)
@ -394,47 +270,6 @@ public class CrossSiteScripting extends LessonAdapter
setContent(new ElementContainer());
}
public boolean isAuthorized(WebSession s, int userId, String functionId)
{
//System.out.println("Checking authorization from " + getCurrentAction(s));
LessonAction action = (LessonAction) lessonFunctions
.get(getCurrentAction(s));
return action.isAuthorized(s, userId, functionId);
}
public int getUserId(WebSession s) throws ParameterNotFoundException
{
LessonAction action = (LessonAction) lessonFunctions
.get(getCurrentAction(s));
return action.getUserId(s);
}
public String getUserName(WebSession s) throws ParameterNotFoundException
{
LessonAction action = (LessonAction) lessonFunctions
.get(getCurrentAction(s));
return action.getUserName(s);
}
public String getTemplatePage(WebSession s)
{
return JSP_PATH + LESSON_NAME + ".jsp";
}
public String getPage(WebSession s)
{
String page = JSP_PATH + getCurrentAction(s) + ".jsp";
//System.out.println("Retrieved sub-view page for " + this.getClass().getName() + " of " + page);
return page;
}
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
@ -451,17 +286,4 @@ public class CrossSiteScripting extends LessonAdapter
return "LAB: Cross Site Scripting (XSS)";
}
public String getSourceFileName()
{
// FIXME: Need to generalize findSourceResource() and use it on the currently active
// LessonAction delegate to get its source file.
//return findSourceResource(getCurrentLessonScreen()....);
return super.getSourceFileName();
}
public Element getCredits()
{
return super.getCustomCredits("", ASPECT_LOGO);
}
}

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java
View File

@ -249,7 +249,7 @@ public class FindProfile extends DefaultLessonAction
return parameter;
}
protected static Map patterns = new HashMap();
protected static Map<String, Pattern> patterns = new HashMap<String, Pattern>();
static
{
patterns.put(CrossSiteScripting.SEARCHNAME, Pattern

219
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
View File

@ -1,26 +1,17 @@
package org.owasp.webgoat.lessons.SQLInjection;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.A;
import org.apache.ecs.html.IMG;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAction;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.DeleteProfile;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.EditProfile;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.FindProfile;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.Logout;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.SearchStaff;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.UpdateProfile;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
import org.owasp.webgoat.lessons.GoatHillsFinancial.EditProfile;
import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
import org.owasp.webgoat.lessons.GoatHillsFinancial.UpdateProfile;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
@ -56,144 +47,35 @@ import org.owasp.webgoat.session.WebSession;
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class SQLInjection extends LessonAdapter
public class SQLInjection extends GoatHillsFinancial
{
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
public final static String DESCRIPTION = "description";
public final static String DISCIPLINARY_DATE = "disciplinaryDate";
public final static String DISCIPLINARY_NOTES = "disciplinaryNotes";
public final static String CCN_LIMIT = "ccnLimit";
public final static String CCN = "ccn";
public final static String SALARY = "salary";
public final static String START_DATE = "startDate";
public final static String MANAGER = "manager";
public final static String ADDRESS1 = "address1";
public final static String ADDRESS2 = "address2";
public final static String PHONE_NUMBER = "phoneNumber";
public final static String TITLE = "title";
public final static String SSN = "ssn";
public final static String LAST_NAME = "lastName";
public final static String FIRST_NAME = "firstName";
public final static String PASSWORD = "password";
public final static String EMPLOYEE_ID = "employee_id";
public final static String USER_ID = "user_id";
public final static String SEARCHNAME = "search_name";
public final static String SEARCHRESULT_ATTRIBUTE_KEY = "SearchResult";
public final static String EMPLOYEE_ATTRIBUTE_KEY = "Employee";
public final static String STAFF_ATTRIBUTE_KEY = "Staff";
public final static String LOGIN_ACTION = "Login";
public final static String LOGOUT_ACTION = "Logout";
public final static String LISTSTAFF_ACTION = "ListStaff";
public final static String SEARCHSTAFF_ACTION = "SearchStaff";
public final static String FINDPROFILE_ACTION = "FindProfile";
public final static String VIEWPROFILE_ACTION = "ViewProfile";
public final static String EDITPROFILE_ACTION = "EditProfile";
public final static String UPDATEPROFILE_ACTION = "UpdateProfile";
public final static String CREATEPROFILE_ACTION = "CreateProfile";
public final static String DELETEPROFILE_ACTION = "DeleteProfile";
public final static String ERROR_ACTION = "error";
private final static String LESSON_NAME = "SQLInjection";
private final static String JSP_PATH = "/lessons/" + LESSON_NAME + "/";
private final static Integer DEFAULT_RANKING = new Integer(75);
public final static int PRIZE_EMPLOYEE_ID = 112;
public final static String PRIZE_EMPLOYEE_NAME = "Neville Bartholomew";
private static Connection connection = null;
private Map lessonFunctions = new Hashtable();
public static synchronized Connection getConnection(WebSession s)
throws SQLException, ClassNotFoundException
public void registerActions(String className)
{
if (connection == null)
{
connection = DatabaseUtilities.makeConnection(s);
}
return connection;
}
public SQLInjection()
{
String myClassName = parseClassName(this.getClass().getName());
registerAction(new ListStaff(this, myClassName, LISTSTAFF_ACTION));
registerAction(new SearchStaff(this, myClassName, SEARCHSTAFF_ACTION));
registerAction(new ViewProfile(this, myClassName, VIEWPROFILE_ACTION));
registerAction(new EditProfile(this, myClassName, EDITPROFILE_ACTION));
registerAction(new EditProfile(this, myClassName, CREATEPROFILE_ACTION));
registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
// These actions are special in that they chain to other actions.
registerAction(new Login(this, myClassName, LOGIN_ACTION,
registerAction(new Login(this, className, LOGIN_ACTION,
getAction(LISTSTAFF_ACTION)));
registerAction(new Logout(this, myClassName, LOGOUT_ACTION,
registerAction(new Logout(this, className, LOGOUT_ACTION,
getAction(LOGIN_ACTION)));
registerAction(new FindProfile(this, myClassName, FINDPROFILE_ACTION,
registerAction(new FindProfile(this, className, FINDPROFILE_ACTION,
getAction(VIEWPROFILE_ACTION)));
registerAction(new UpdateProfile(this, myClassName,
registerAction(new UpdateProfile(this, className,
UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
registerAction(new DeleteProfile(this, myClassName,
registerAction(new DeleteProfile(this, className,
DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
}
protected static String parseClassName(String fqcn)
{
String className = fqcn;
int lastDotIndex = fqcn.lastIndexOf('.');
if (lastDotIndex > -1)
className = fqcn.substring(lastDotIndex + 1);
return className;
}
protected void registerAction(LessonAction action)
{
lessonFunctions.put(action.getActionName(), action);
}
/**
* Gets the category attribute of the CrossSiteScripting object
*
@ -204,7 +86,6 @@ public class SQLInjection extends LessonAdapter
return Category.A6;
}
/**
* Gets the hints attribute of the DirectoryScreen object
*
@ -298,13 +179,6 @@ public class SQLInjection extends LessonAdapter
return instructions;
}
protected LessonAction getAction(String actionName)
{
return (LessonAction) lessonFunctions.get(actionName);
}
public void handleRequest(WebSession s)
{
if (s.getLessonSession(this) == null)
@ -376,47 +250,6 @@ public class SQLInjection extends LessonAdapter
setContent(new ElementContainer());
}
public boolean isAuthorized(WebSession s, int userId, String functionId)
{
//System.out.println("Checking authorization from " + getCurrentAction(s));
LessonAction action = (LessonAction) lessonFunctions
.get(getCurrentAction(s));
return action.isAuthorized(s, userId, functionId);
}
public int getUserId(WebSession s) throws ParameterNotFoundException
{
LessonAction action = (LessonAction) lessonFunctions
.get(getCurrentAction(s));
return action.getUserId(s);
}
public String getUserName(WebSession s) throws ParameterNotFoundException
{
LessonAction action = (LessonAction) lessonFunctions
.get(getCurrentAction(s));
return action.getUserName(s);
}
public String getTemplatePage(WebSession s)
{
return JSP_PATH + LESSON_NAME + ".jsp";
}
public String getPage(WebSession s)
{
String page = JSP_PATH + getCurrentAction(s) + ".jsp";
//System.out.println("Retrieved sub-view page for " + this.getClass().getName() + " of " + page);
return page;
}
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
@ -432,18 +265,4 @@ public class SQLInjection extends LessonAdapter
{
return "LAB: SQL Injection";
}
public String getSourceFileName()
{
// FIXME: Need to generalize findSourceResource() and use it on the currently active
// LessonAction delegate to get its source file.
//return findSourceResource(getCurrentLessonScreen()....);
return super.getSourceFileName();
}
public Element getCredits()
{
return super.getCustomCredits("", ASPECT_LOGO);
}
}

3
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/EditProfile_i.java
View File

@ -7,7 +7,6 @@ import java.sql.SQLException;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.EditProfile;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
import org.owasp.webgoat.lessons.SQLInjection.SQLInjection;
import org.owasp.webgoat.session.Employee;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.WebSession;
@ -50,7 +49,7 @@ public class EditProfile_i extends EditProfile
try
{
PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement( query,
PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
answer_statement.setInt(1, subjectUserId);
ResultSet answer_results = answer_statement.executeQuery();

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/Login_i.java
View File

@ -48,7 +48,7 @@ public class Login_i extends Login
try
{
PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement( query,
PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); // STAGE 2 - FIX
answer_statement.setString(1, userId); // STAGE 2 - FIX
answer_statement.setString(2, password); // STAGE 2 - FIX

3
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java
View File

@ -5,7 +5,6 @@ import java.sql.ResultSet;
import java.sql.SQLException;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.SQLInjection.SQLInjection;
import org.owasp.webgoat.lessons.SQLInjection.ViewProfile;
import org.owasp.webgoat.session.Employee;
import org.owasp.webgoat.session.UnauthorizedException;
@ -52,7 +51,7 @@ public class ViewProfile_i extends ViewProfile
try
{
PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement( query,
PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); // STAGE 4 - FIX
answer_statement.setInt(1, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX
ResultSet answer_results = answer_statement.executeQuery(); // STAGE 4 - FIX