From 6abdcbf640997561ed23b4b44c20623de3651ac8 Mon Sep 17 00:00:00 2001
From: "rogan.dawes"
Date: Tue, 10 Jul 2007 11:57:54 +0000
Subject: [PATCH] Migrate other lessons to extending GoatHillsFinancial
git-svn-id: http://webgoat.googlecode.com/svn/trunk@155 4033779f-a91e-0410-96ef-6bf7bf53c507
---
 .../CrossSiteScripting.java | 214 ++----------------
 .../CrossSiteScripting/FindProfile.java | 2 +-
 .../lessons/SQLInjection/SQLInjection.java | 219 ++----------------
 .../RoleBasedAccessControl/EditProfile_i.java | 3 +-
 .../instructor/SQLInjection/Login_i.java | 2 +-
 .../SQLInjection/ViewProfile_i.java | 3 +-
 6 files changed, 41 insertions(+), 402 deletions(-)
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
index f03c54586..4311beaec 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
@@ -1,25 +1,17 @@
 package org.owasp.webgoat.lessons.CrossSiteScripting;
-import java.sql.Connection;
-import java.sql.SQLException;
 import java.util.ArrayList;
-import java.util.Hashtable;
 import java.util.List;
-import java.util.Map;
-import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.A;
 import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.LessonAdapter;
 import org.owasp.webgoat.lessons.LessonAction;
-import org.owasp.webgoat.lessons.RoleBasedAccessControl.DeleteProfile;
-import org.owasp.webgoat.lessons.RoleBasedAccessControl.ListStaff;
-import org.owasp.webgoat.lessons.RoleBasedAccessControl.Login;
-import org.owasp.webgoat.lessons.RoleBasedAccessControl.Logout;
-import org.owasp.webgoat.lessons.RoleBasedAccessControl.SearchStaff;
-import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.Login;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
 import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.UnauthenticatedException;
 import org.owasp.webgoat.session.UnauthorizedException;
@@ -57,140 +49,31 @@ import org.owasp.webgoat.session.WebSession; * For details, please see http://code.google.com/p/webgoat/ * */ -public class CrossSiteScripting extends LessonAdapter +public class CrossSiteScripting extends GoatHillsFinancial { - public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); - - public final static String DESCRIPTION = "description"; - - public final static String DISCIPLINARY_DATE = "disciplinaryDate"; - - public final static String DISCIPLINARY_NOTES = "disciplinaryNotes"; - - public final static String CCN_LIMIT = "ccnLimit"; - - public final static String CCN = "ccn"; - - public final static String SALARY = "salary"; - - public final static String START_DATE = "startDate"; - - public final static String MANAGER = "manager"; - - public final static String ADDRESS1 = "address1"; - - public final static String ADDRESS2 = "address2"; - - public final static String PHONE_NUMBER = "phoneNumber"; - - public final static String TITLE = "title"; - - public final static String SSN = "ssn"; - - public final static String LAST_NAME = "lastName"; - - public final static String FIRST_NAME = "firstName"; - - public final static String PASSWORD = "password"; - - public final static String EMPLOYEE_ID = "employee_id"; - - public final static String USER_ID = "user_id"; - - public final static String SEARCHNAME = "search_name"; - - public final static String SEARCHRESULT_ATTRIBUTE_KEY = "SearchResult"; - - public final static String EMPLOYEE_ATTRIBUTE_KEY = "Employee"; - - public final static String STAFF_ATTRIBUTE_KEY = "Staff"; - - public final static String LOGIN_ACTION = "Login"; - - public final static String LOGOUT_ACTION = "Logout"; - - public final static String LISTSTAFF_ACTION = "ListStaff"; - - public final static String SEARCHSTAFF_ACTION = "SearchStaff"; - - public final static String 
FINDPROFILE_ACTION = "FindProfile"; - - public final static String VIEWPROFILE_ACTION = "ViewProfile"; - - public final static String EDITPROFILE_ACTION = "EditProfile"; - - public final static String UPDATEPROFILE_ACTION = "UpdateProfile"; - - public final static String CREATEPROFILE_ACTION = "CreateProfile"; - - public final static String DELETEPROFILE_ACTION = "DeleteProfile"; - - public final static String ERROR_ACTION = "error"; - - private final static String LESSON_NAME = "CrossSiteScripting"; - - private final static String JSP_PATH = "/lessons/" + LESSON_NAME + "/"; - private final static Integer DEFAULT_RANKING = new Integer(100); - private static Connection connection = null; - - private Map lessonFunctions = new Hashtable(); - - - public static synchronized Connection getConnection(WebSession s) - throws SQLException, ClassNotFoundException + protected void registerActions(String className) { - if (connection == null) - { - connection = DatabaseUtilities.makeConnection(s); - } - - return connection; - } - - - public CrossSiteScripting() - { - String myClassName = parseClassName(this.getClass().getName()); - registerAction(new ListStaff(this, myClassName, LISTSTAFF_ACTION)); - registerAction(new SearchStaff(this, myClassName, SEARCHSTAFF_ACTION)); - registerAction(new ViewProfile(this, myClassName, VIEWPROFILE_ACTION)); - registerAction(new EditProfile(this, myClassName, EDITPROFILE_ACTION)); - registerAction(new EditProfile(this, myClassName, CREATEPROFILE_ACTION)); + registerAction(new ListStaff(this, className, LISTSTAFF_ACTION)); + registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION)); + registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION)); + registerAction(new EditProfile(this, className, EDITPROFILE_ACTION)); + registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION)); // These actions are special in that they chain to other actions. 
- registerAction(new Login(this, myClassName, LOGIN_ACTION, + registerAction(new Login(this, className, LOGIN_ACTION, getAction(LISTSTAFF_ACTION))); - registerAction(new Logout(this, myClassName, LOGOUT_ACTION, + registerAction(new Logout(this, className, LOGOUT_ACTION, getAction(LOGIN_ACTION))); - registerAction(new FindProfile(this, myClassName, FINDPROFILE_ACTION, + registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); - registerAction(new UpdateProfile(this, myClassName, + registerAction(new UpdateProfile(this, className, UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); - registerAction(new DeleteProfile(this, myClassName, + registerAction(new DeleteProfile(this, className, DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); } - - protected static String parseClassName(String fqcn) - { - String className = fqcn; - - int lastDotIndex = fqcn.lastIndexOf('.'); - if (lastDotIndex > -1) - className = fqcn.substring(lastDotIndex + 1); - - return className; - } - - - protected void registerAction(LessonAction action) - { - lessonFunctions.put(action.getActionName(), action); - } - - /** * Gets the category attribute of the CrossSiteScripting object * @@ -201,7 +84,6 @@ public class CrossSiteScripting extends LessonAdapter return Category.A4; } - /** * Gets the hints attribute of the DirectoryScreen object * @@ -315,12 +197,6 @@ public class CrossSiteScripting extends LessonAdapter return 6; } - protected LessonAction getAction(String actionName) - { - return (LessonAction) lessonFunctions.get(actionName); - } - - public void handleRequest(WebSession s) { if (s.getLessonSession(this) == null) 
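Review bot: `protected void registerActions(String className)` here disagrees with the sibling override in SQLInjection.java later in this patch, which is declared `public`, so the two subclasses expose the registration hook with different visibility; keep both `protected` (nothing outside the hierarchy should re-register actions on a live lesson) and add `@Override` on each if the build targets Java 5 or later. Since the old constructor that did this registration is deleted and nothing in the hunk calls the new method, it is presumably invoked from the GoatHillsFinancial constructor, which is not in this diff; if so, `this` is handed to every LessonAction before CrossSiteScripting's own construction has completed, so this class should not rely on instance-level initialisers that an action might read. A one-line Javadoc would also make the split visible to maintainers: `/** Registers the Goat Hills actions; ViewProfile, EditProfile, FindProfile and UpdateProfile are this lesson's own versions (not imported, so same package), the rest come from GoatHillsFinancial. */`. The chained registrations rely on order (Login needs ListStaff, FindProfile needs ViewProfile, Logout needs Login already registered), which is unchanged but worth a sentence in the same comment. The enclosing class continues beyond this hunk.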
@@ -394,47 +270,6 @@ public class CrossSiteScripting extends LessonAdapter setContent(new ElementContainer()); } - - public boolean isAuthorized(WebSession s, int userId, String functionId) - { - //System.out.println("Checking authorization from " + getCurrentAction(s)); - LessonAction action = (LessonAction) lessonFunctions - .get(getCurrentAction(s)); - return action.isAuthorized(s, userId, functionId); - } - - - public int getUserId(WebSession s) throws ParameterNotFoundException - { - LessonAction action = (LessonAction) lessonFunctions - .get(getCurrentAction(s)); - return action.getUserId(s); - } - - - public String getUserName(WebSession s) throws ParameterNotFoundException - { - LessonAction action = (LessonAction) lessonFunctions - .get(getCurrentAction(s)); - return action.getUserName(s); - } - - - public String getTemplatePage(WebSession s) - { - return JSP_PATH + LESSON_NAME + ".jsp"; - } - - - public String getPage(WebSession s) - { - String page = JSP_PATH + getCurrentAction(s) + ".jsp"; - //System.out.println("Retrieved sub-view page for " + this.getClass().getName() + " of " + page); - - return page; - } - - protected Integer getDefaultRanking() { return DEFAULT_RANKING; @@ -451,17 +286,4 @@ public class CrossSiteScripting extends LessonAdapter return "LAB: Cross Site Scripting (XSS)"; } - - public String getSourceFileName() - { - // FIXME: Need to generalize findSourceResource() and use it on the currently active - // LessonAction delegate to get its source file. - //return findSourceResource(getCurrentLessonScreen()....); - return super.getSourceFileName(); - } - - public Element getCredits() - { - return super.getCustomCredits("", ASPECT_LOGO); - } } diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java index 04309c64d..9a2d00b85 100644 
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java
@@ -249,7 +249,7 @@ public class FindProfile extends DefaultLessonAction
 return parameter;
 }
- protected static Map patterns = new HashMap();
+ protected static Map patterns = new HashMap();
 static { patterns.put(CrossSiteScripting.SEARCHNAME, Pattern
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
index 54251b5a3..1b77a9800 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
@@ -1,26 +1,17 @@
 package org.owasp.webgoat.lessons.SQLInjection;
-import java.sql.Connection;
-import java.sql.SQLException;
 import java.util.ArrayList;
-import java.util.Hashtable;
 import java.util.List;
-import java.util.Map;
-
-import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.IMG;
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.LessonAction;
-import org.owasp.webgoat.lessons.LessonAdapter;
-import org.owasp.webgoat.lessons.RoleBasedAccessControl.DeleteProfile;
-import org.owasp.webgoat.lessons.RoleBasedAccessControl.EditProfile;
-import org.owasp.webgoat.lessons.RoleBasedAccessControl.FindProfile;
-import org.owasp.webgoat.lessons.RoleBasedAccessControl.Logout;
-import org.owasp.webgoat.lessons.RoleBasedAccessControl.SearchStaff;
-import org.owasp.webgoat.lessons.RoleBasedAccessControl.UpdateProfile;
-import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.EditProfile;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.UpdateProfile;
 import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.UnauthenticatedException;
 import org.owasp.webgoat.session.UnauthorizedException;
@@ -56,144 +47,35 @@ import org.owasp.webgoat.session.WebSession; * * For details, please see http://code.google.com/p/webgoat/ */ -public class SQLInjection extends LessonAdapter +public class SQLInjection extends GoatHillsFinancial { - public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); - - public final static String DESCRIPTION = "description"; - - public final static String DISCIPLINARY_DATE = "disciplinaryDate"; - - public final static String DISCIPLINARY_NOTES = "disciplinaryNotes"; - - public final static String CCN_LIMIT = "ccnLimit"; - - public final static String CCN = "ccn"; - - public final static String SALARY = "salary"; - - public final static String START_DATE = "startDate"; - - public final static String MANAGER = "manager"; - - public final static String ADDRESS1 = "address1"; - - public final static String ADDRESS2 = "address2"; - - public final static String PHONE_NUMBER = "phoneNumber"; - - public final static String TITLE = "title"; - - public final static String SSN = "ssn"; - - public final static String LAST_NAME = "lastName"; - - public final static String FIRST_NAME = "firstName"; - - public final static String PASSWORD = "password"; - - public final static String EMPLOYEE_ID = "employee_id"; - - public final static String USER_ID = "user_id"; - - public final static String SEARCHNAME = "search_name"; - - public final static String SEARCHRESULT_ATTRIBUTE_KEY = "SearchResult"; - - public final static String EMPLOYEE_ATTRIBUTE_KEY = "Employee"; - - public final static String STAFF_ATTRIBUTE_KEY = "Staff"; - - public final static String LOGIN_ACTION = "Login"; - - public final static String LOGOUT_ACTION = "Logout"; - - public final static String LISTSTAFF_ACTION = "ListStaff"; - - public final static String SEARCHSTAFF_ACTION = "SearchStaff"; - - public final static String FINDPROFILE_ACTION = 
"FindProfile"; - - public final static String VIEWPROFILE_ACTION = "ViewProfile"; - - public final static String EDITPROFILE_ACTION = "EditProfile"; - - public final static String UPDATEPROFILE_ACTION = "UpdateProfile"; - - public final static String CREATEPROFILE_ACTION = "CreateProfile"; - - public final static String DELETEPROFILE_ACTION = "DeleteProfile"; - - public final static String ERROR_ACTION = "error"; - - private final static String LESSON_NAME = "SQLInjection"; - - private final static String JSP_PATH = "/lessons/" + LESSON_NAME + "/"; - private final static Integer DEFAULT_RANKING = new Integer(75); public final static int PRIZE_EMPLOYEE_ID = 112; public final static String PRIZE_EMPLOYEE_NAME = "Neville Bartholomew"; - private static Connection connection = null; - - private Map lessonFunctions = new Hashtable(); - - - public static synchronized Connection getConnection(WebSession s) - throws SQLException, ClassNotFoundException + public void registerActions(String className) { - if (connection == null) - { - connection = DatabaseUtilities.makeConnection(s); - } - - return connection; - } - - - public SQLInjection() - { - String myClassName = parseClassName(this.getClass().getName()); - registerAction(new ListStaff(this, myClassName, LISTSTAFF_ACTION)); - registerAction(new SearchStaff(this, myClassName, SEARCHSTAFF_ACTION)); - registerAction(new ViewProfile(this, myClassName, VIEWPROFILE_ACTION)); - registerAction(new EditProfile(this, myClassName, EDITPROFILE_ACTION)); - registerAction(new EditProfile(this, myClassName, CREATEPROFILE_ACTION)); + registerAction(new ListStaff(this, className, LISTSTAFF_ACTION)); + registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION)); + registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION)); + registerAction(new EditProfile(this, className, EDITPROFILE_ACTION)); + registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION)); // These actions are special in that they chain to 
other actions. - registerAction(new Login(this, myClassName, LOGIN_ACTION, + registerAction(new Login(this, className, LOGIN_ACTION, getAction(LISTSTAFF_ACTION))); - registerAction(new Logout(this, myClassName, LOGOUT_ACTION, + registerAction(new Logout(this, className, LOGOUT_ACTION, getAction(LOGIN_ACTION))); - registerAction(new FindProfile(this, myClassName, FINDPROFILE_ACTION, + registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); - registerAction(new UpdateProfile(this, myClassName, + registerAction(new UpdateProfile(this, className, UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); - registerAction(new DeleteProfile(this, myClassName, + registerAction(new DeleteProfile(this, className, DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); } - - protected static String parseClassName(String fqcn) - { - String className = fqcn; - - int lastDotIndex = fqcn.lastIndexOf('.'); - if (lastDotIndex > -1) - className = fqcn.substring(lastDotIndex + 1); - - return className; - } - - - protected void registerAction(LessonAction action) - { - lessonFunctions.put(action.getActionName(), action); - } - - /** * Gets the category attribute of the CrossSiteScripting object * @@ -204,7 +86,6 @@ public class SQLInjection extends LessonAdapter return Category.A6; } - /** * Gets the hints attribute of the DirectoryScreen object * @@ -298,13 +179,6 @@ public class SQLInjection extends LessonAdapter return instructions; } - - protected LessonAction getAction(String actionName) - { - return (LessonAction) lessonFunctions.get(actionName); - } - - public void handleRequest(WebSession s) { if (s.getLessonSession(this) == null) 
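Review bot: `public void registerActions(String className)` widens the registration hook compared with the CrossSiteScripting override earlier in this patch, which is `protected`; there is no caller outside the hierarchy in sight, so `protected void registerActions(String className)` keeps the two lessons consistent and prevents external code from re-registering actions on a live lesson. The wiring deserves a comment, because only ListStaff, Login and ViewProfile resolve to this package (they are not imported) while EditProfile, FindProfile, UpdateProfile, DeleteProfile, SearchStaff and Logout come from GoatHillsFinancial — presumably Login and ViewProfile are the injectable stages, given that the instructor fixes later in this patch bind exactly their parameters with setString/setInt. A line such as `// Login, ListStaff and ViewProfile are this lesson's own implementations; all other actions are the shared GoatHillsFinancial ones.` above the first registerAction call would record that. The chained registrations also depend on order (Login needs ListStaff, FindProfile needs ViewProfile, Logout needs Login already registered), which is unchanged here but worth stating alongside. The class continues beyond this hunk.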
@@ -376,47 +250,6 @@ public class SQLInjection extends LessonAdapter setContent(new ElementContainer()); } - - public boolean isAuthorized(WebSession s, int userId, String functionId) - { - //System.out.println("Checking authorization from " + getCurrentAction(s)); - LessonAction action = (LessonAction) lessonFunctions - .get(getCurrentAction(s)); - return action.isAuthorized(s, userId, functionId); - } - - - public int getUserId(WebSession s) throws ParameterNotFoundException - { - LessonAction action = (LessonAction) lessonFunctions - .get(getCurrentAction(s)); - return action.getUserId(s); - } - - - public String getUserName(WebSession s) throws ParameterNotFoundException - { - LessonAction action = (LessonAction) lessonFunctions - .get(getCurrentAction(s)); - return action.getUserName(s); - } - - - public String getTemplatePage(WebSession s) - { - return JSP_PATH + LESSON_NAME + ".jsp"; - } - - - public String getPage(WebSession s) - { - String page = JSP_PATH + getCurrentAction(s) + ".jsp"; - //System.out.println("Retrieved sub-view page for " + this.getClass().getName() + " of " + page); - - return page; - } - - protected Integer getDefaultRanking() { return DEFAULT_RANKING; @@ -432,18 +265,4 @@ public class SQLInjection extends LessonAdapter { return "LAB: SQL Injection"; } - - - public String getSourceFileName() - { - // FIXME: Need to generalize findSourceResource() and use it on the currently active - // LessonAction delegate to get its source file. - //return findSourceResource(getCurrentLessonScreen()....); - return super.getSourceFileName(); - } - - public Element getCredits() - { - return super.getCustomCredits("", ASPECT_LOGO); - } } diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/EditProfile_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/EditProfile_i.java index 6f15af162..1e7420e8a 100644 
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/EditProfile_i.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/EditProfile_i.java
@@ -7,7 +7,6 @@ import java.sql.SQLException;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.RoleBasedAccessControl.EditProfile;
 import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
-import org.owasp.webgoat.lessons.SQLInjection.SQLInjection;
 import org.owasp.webgoat.session.Employee;
 import org.owasp.webgoat.session.UnauthorizedException;
 import org.owasp.webgoat.session.WebSession;
@@ -50,7 +49,7 @@ public class EditProfile_i extends EditProfile
 try
 {
- PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement( query,
+ PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
 ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
 answer_statement.setInt(1, subjectUserId);
 ResultSet answer_results = answer_statement.executeQuery();
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/Login_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/Login_i.java
index c41c14b10..6ade9322a 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/Login_i.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/Login_i.java
@@ -48,7 +48,7 @@ public class Login_i extends Login
 try
 {
- PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement( query,
+ PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
 ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); // STAGE 2 - FIX
 answer_statement.setString(1, userId); // STAGE 2 - FIX
 answer_statement.setString(2, password); // STAGE 2 - FIX
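Review bot: In the EditProfile_i hunk the connection now comes from `WebSession.getConnection(s)` instead of the per-lesson static `Connection` this patch deletes, yet the visible lines still never close `answer_statement` or `answer_results`, and the try block's catch/finally clauses lie outside the hunk; if the new call hands back a long-lived shared connection, as the old static field did, every request leaks a statement on it. Close the statement in a `finally` (or hold the reference and close it together with the ResultSet once the Employee has been built). It is also worth confirming that `WebSession.getConnection(s)` is safe to use from concurrent requests, since nothing in this diff shows what it returns or whether it is per-session. The enclosing method starts before and ends after this hunk.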
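Review bot: In Login_i the `// STAGE 2 - FIX` markers are the only explanation of the fix, so a reader has to know the lesson to see why binding `userId` and `password` with `setString` matters; a single comment such as `// STAGE 2 - FIX: bind both values as parameters so neither can alter the query structure` on the prepareStatement line would state the intent rather than the stage number. The query text itself is outside the hunk, but the binding presumably compares the password as a literal column value, which is fine for the exercise and should be flagged as deliberately simplified so the instructor solution is not read as production-grade authentication. As in EditProfile_i, `answer_statement` is never closed in the visible lines; the method continues outside the hunk.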
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java
index e2d80701d..68dd215f7 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java
@@ -5,7 +5,6 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
 import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.SQLInjection.SQLInjection;
 import org.owasp.webgoat.lessons.SQLInjection.ViewProfile;
 import org.owasp.webgoat.session.Employee;
 import org.owasp.webgoat.session.UnauthorizedException;
@@ -52,7 +51,7 @@ public class ViewProfile_i extends ViewProfile
 try
 {
- PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement( query,
+ PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
 ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); // STAGE 4 - FIX
 answer_statement.setInt(1, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX
 ResultSet answer_results = answer_statement.executeQuery(); // STAGE 4 - FIX
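Review bot: `Integer.parseInt(subjectUserId)` on the new side throws `NumberFormatException` for any non-numeric `employee_id`, and the catch clauses of this try are outside the hunk, so unless one of them catches `RuntimeException` a malformed id surfaces as an unhandled exception instead of a validation error — and a non-numeric id is the first thing anyone probing the stage-4 fix will send. Parse it before the statement is prepared, e.g. `int id = Integer.parseInt(subjectUserId);` guarded by its own `catch (NumberFormatException e)` that routes to the lesson's error action, and pass `id` to `setInt`. As with the other instructor files in this patch, the statement and result set are not closed in the visible lines. The method continues outside the hunk.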