Migrate other lessons to extending GoatHillsFinancial
git-svn-id: http://webgoat.googlecode.com/svn/trunk@155 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
rogan.dawes
@ -1,25 +1,17 @@
|
|||||||
package org.owasp.webgoat.lessons.CrossSiteScripting;
|
package org.owasp.webgoat.lessons.CrossSiteScripting;
|
||||||
|
|
||||||
import java.sql.Connection;
|
|
||||||
import java.sql.SQLException;
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Hashtable;
|
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
|
||||||
|
|
||||||
import org.apache.ecs.Element;
|
|
||||||
import org.apache.ecs.ElementContainer;
|
import org.apache.ecs.ElementContainer;
|
||||||
import org.apache.ecs.html.IMG;
|
|
||||||
import org.apache.ecs.html.A;
|
|
||||||
import org.owasp.webgoat.lessons.Category;
|
import org.owasp.webgoat.lessons.Category;
|
||||||
import org.owasp.webgoat.lessons.LessonAdapter;
|
|
||||||
import org.owasp.webgoat.lessons.LessonAction;
|
import org.owasp.webgoat.lessons.LessonAction;
|
||||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.DeleteProfile;
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
|
||||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.ListStaff;
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.Login;
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff;
|
||||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.Logout;
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.Login;
|
||||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.SearchStaff;
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
|
||||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
|
||||||
import org.owasp.webgoat.session.ParameterNotFoundException;
|
import org.owasp.webgoat.session.ParameterNotFoundException;
|
||||||
import org.owasp.webgoat.session.UnauthenticatedException;
|
import org.owasp.webgoat.session.UnauthenticatedException;
|
||||||
import org.owasp.webgoat.session.UnauthorizedException;
|
import org.owasp.webgoat.session.UnauthorizedException;
|
||||||
@ -57,140 +49,31 @@ import org.owasp.webgoat.session.WebSession;
|
|||||||
* For details, please see http://code.google.com/p/webgoat/
|
* For details, please see http://code.google.com/p/webgoat/
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
public class CrossSiteScripting extends LessonAdapter
|
public class CrossSiteScripting extends GoatHillsFinancial
|
||||||
{
|
{
|
||||||
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
|
|
||||||
|
|
||||||
public final static String DESCRIPTION = "description";
|
|
||||||
|
|
||||||
public final static String DISCIPLINARY_DATE = "disciplinaryDate";
|
|
||||||
|
|
||||||
public final static String DISCIPLINARY_NOTES = "disciplinaryNotes";
|
|
||||||
|
|
||||||
public final static String CCN_LIMIT = "ccnLimit";
|
|
||||||
|
|
||||||
public final static String CCN = "ccn";
|
|
||||||
|
|
||||||
public final static String SALARY = "salary";
|
|
||||||
|
|
||||||
public final static String START_DATE = "startDate";
|
|
||||||
|
|
||||||
public final static String MANAGER = "manager";
|
|
||||||
|
|
||||||
public final static String ADDRESS1 = "address1";
|
|
||||||
|
|
||||||
public final static String ADDRESS2 = "address2";
|
|
||||||
|
|
||||||
public final static String PHONE_NUMBER = "phoneNumber";
|
|
||||||
|
|
||||||
public final static String TITLE = "title";
|
|
||||||
|
|
||||||
public final static String SSN = "ssn";
|
|
||||||
|
|
||||||
public final static String LAST_NAME = "lastName";
|
|
||||||
|
|
||||||
public final static String FIRST_NAME = "firstName";
|
|
||||||
|
|
||||||
public final static String PASSWORD = "password";
|
|
||||||
|
|
||||||
public final static String EMPLOYEE_ID = "employee_id";
|
|
||||||
|
|
||||||
public final static String USER_ID = "user_id";
|
|
||||||
|
|
||||||
public final static String SEARCHNAME = "search_name";
|
|
||||||
|
|
||||||
public final static String SEARCHRESULT_ATTRIBUTE_KEY = "SearchResult";
|
|
||||||
|
|
||||||
public final static String EMPLOYEE_ATTRIBUTE_KEY = "Employee";
|
|
||||||
|
|
||||||
public final static String STAFF_ATTRIBUTE_KEY = "Staff";
|
|
||||||
|
|
||||||
public final static String LOGIN_ACTION = "Login";
|
|
||||||
|
|
||||||
public final static String LOGOUT_ACTION = "Logout";
|
|
||||||
|
|
||||||
public final static String LISTSTAFF_ACTION = "ListStaff";
|
|
||||||
|
|
||||||
public final static String SEARCHSTAFF_ACTION = "SearchStaff";
|
|
||||||
|
|
||||||
public final static String FINDPROFILE_ACTION = "FindProfile";
|
|
||||||
|
|
||||||
public final static String VIEWPROFILE_ACTION = "ViewProfile";
|
|
||||||
|
|
||||||
public final static String EDITPROFILE_ACTION = "EditProfile";
|
|
||||||
|
|
||||||
public final static String UPDATEPROFILE_ACTION = "UpdateProfile";
|
|
||||||
|
|
||||||
public final static String CREATEPROFILE_ACTION = "CreateProfile";
|
|
||||||
|
|
||||||
public final static String DELETEPROFILE_ACTION = "DeleteProfile";
|
|
||||||
|
|
||||||
public final static String ERROR_ACTION = "error";
|
|
||||||
|
|
||||||
private final static String LESSON_NAME = "CrossSiteScripting";
|
|
||||||
|
|
||||||
private final static String JSP_PATH = "/lessons/" + LESSON_NAME + "/";
|
|
||||||
|
|
||||||
private final static Integer DEFAULT_RANKING = new Integer(100);
|
private final static Integer DEFAULT_RANKING = new Integer(100);
|
||||||
|
|
||||||
private static Connection connection = null;
|
protected void registerActions(String className)
|
||||||
|
|
||||||
private Map lessonFunctions = new Hashtable();
|
|
||||||
|
|
||||||
|
|
||||||
public static synchronized Connection getConnection(WebSession s)
|
|
||||||
throws SQLException, ClassNotFoundException
|
|
||||||
{
|
{
|
||||||
if (connection == null)
|
registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
|
||||||
{
|
registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
|
||||||
connection = DatabaseUtilities.makeConnection(s);
|
registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
|
||||||
}
|
registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
|
||||||
|
registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
|
||||||
return connection;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
public CrossSiteScripting()
|
|
||||||
{
|
|
||||||
String myClassName = parseClassName(this.getClass().getName());
|
|
||||||
registerAction(new ListStaff(this, myClassName, LISTSTAFF_ACTION));
|
|
||||||
registerAction(new SearchStaff(this, myClassName, SEARCHSTAFF_ACTION));
|
|
||||||
registerAction(new ViewProfile(this, myClassName, VIEWPROFILE_ACTION));
|
|
||||||
registerAction(new EditProfile(this, myClassName, EDITPROFILE_ACTION));
|
|
||||||
registerAction(new EditProfile(this, myClassName, CREATEPROFILE_ACTION));
|
|
||||||
|
|
||||||
// These actions are special in that they chain to other actions.
|
// These actions are special in that they chain to other actions.
|
||||||
registerAction(new Login(this, myClassName, LOGIN_ACTION,
|
registerAction(new Login(this, className, LOGIN_ACTION,
|
||||||
getAction(LISTSTAFF_ACTION)));
|
getAction(LISTSTAFF_ACTION)));
|
||||||
registerAction(new Logout(this, myClassName, LOGOUT_ACTION,
|
registerAction(new Logout(this, className, LOGOUT_ACTION,
|
||||||
getAction(LOGIN_ACTION)));
|
getAction(LOGIN_ACTION)));
|
||||||
registerAction(new FindProfile(this, myClassName, FINDPROFILE_ACTION,
|
registerAction(new FindProfile(this, className, FINDPROFILE_ACTION,
|
||||||
getAction(VIEWPROFILE_ACTION)));
|
getAction(VIEWPROFILE_ACTION)));
|
||||||
registerAction(new UpdateProfile(this, myClassName,
|
registerAction(new UpdateProfile(this, className,
|
||||||
UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
|
UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
|
||||||
registerAction(new DeleteProfile(this, myClassName,
|
registerAction(new DeleteProfile(this, className,
|
||||||
DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
|
DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
protected static String parseClassName(String fqcn)
|
|
||||||
{
|
|
||||||
String className = fqcn;
|
|
||||||
|
|
||||||
int lastDotIndex = fqcn.lastIndexOf('.');
|
|
||||||
if (lastDotIndex > -1)
|
|
||||||
className = fqcn.substring(lastDotIndex + 1);
|
|
||||||
|
|
||||||
return className;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
protected void registerAction(LessonAction action)
|
|
||||||
{
|
|
||||||
lessonFunctions.put(action.getActionName(), action);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets the category attribute of the CrossSiteScripting object
|
* Gets the category attribute of the CrossSiteScripting object
|
||||||
*
|
*
|
||||||
@ -201,7 +84,6 @@ public class CrossSiteScripting extends LessonAdapter
|
|||||||
return Category.A4;
|
return Category.A4;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets the hints attribute of the DirectoryScreen object
|
* Gets the hints attribute of the DirectoryScreen object
|
||||||
*
|
*
|
||||||
@ -315,12 +197,6 @@ public class CrossSiteScripting extends LessonAdapter
|
|||||||
return 6;
|
return 6;
|
||||||
}
|
}
|
||||||
|
|
||||||
protected LessonAction getAction(String actionName)
|
|
||||||
{
|
|
||||||
return (LessonAction) lessonFunctions.get(actionName);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
public void handleRequest(WebSession s)
|
public void handleRequest(WebSession s)
|
||||||
{
|
{
|
||||||
if (s.getLessonSession(this) == null)
|
if (s.getLessonSession(this) == null)
|
||||||
@ -394,47 +270,6 @@ public class CrossSiteScripting extends LessonAdapter
|
|||||||
setContent(new ElementContainer());
|
setContent(new ElementContainer());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public boolean isAuthorized(WebSession s, int userId, String functionId)
|
|
||||||
{
|
|
||||||
//System.out.println("Checking authorization from " + getCurrentAction(s));
|
|
||||||
LessonAction action = (LessonAction) lessonFunctions
|
|
||||||
.get(getCurrentAction(s));
|
|
||||||
return action.isAuthorized(s, userId, functionId);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
public int getUserId(WebSession s) throws ParameterNotFoundException
|
|
||||||
{
|
|
||||||
LessonAction action = (LessonAction) lessonFunctions
|
|
||||||
.get(getCurrentAction(s));
|
|
||||||
return action.getUserId(s);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
public String getUserName(WebSession s) throws ParameterNotFoundException
|
|
||||||
{
|
|
||||||
LessonAction action = (LessonAction) lessonFunctions
|
|
||||||
.get(getCurrentAction(s));
|
|
||||||
return action.getUserName(s);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
public String getTemplatePage(WebSession s)
|
|
||||||
{
|
|
||||||
return JSP_PATH + LESSON_NAME + ".jsp";
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
public String getPage(WebSession s)
|
|
||||||
{
|
|
||||||
String page = JSP_PATH + getCurrentAction(s) + ".jsp";
|
|
||||||
//System.out.println("Retrieved sub-view page for " + this.getClass().getName() + " of " + page);
|
|
||||||
|
|
||||||
return page;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
protected Integer getDefaultRanking()
|
protected Integer getDefaultRanking()
|
||||||
{
|
{
|
||||||
return DEFAULT_RANKING;
|
return DEFAULT_RANKING;
|
||||||
@ -451,17 +286,4 @@ public class CrossSiteScripting extends LessonAdapter
|
|||||||
return "LAB: Cross Site Scripting (XSS)";
|
return "LAB: Cross Site Scripting (XSS)";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public String getSourceFileName()
|
|
||||||
{
|
|
||||||
// FIXME: Need to generalize findSourceResource() and use it on the currently active
|
|
||||||
// LessonAction delegate to get its source file.
|
|
||||||
//return findSourceResource(getCurrentLessonScreen()....);
|
|
||||||
return super.getSourceFileName();
|
|
||||||
}
|
|
||||||
|
|
||||||
public Element getCredits()
|
|
||||||
{
|
|
||||||
return super.getCustomCredits("", ASPECT_LOGO);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|||||||
@ -249,7 +249,7 @@ public class FindProfile extends DefaultLessonAction
|
|||||||
return parameter;
|
return parameter;
|
||||||
}
|
}
|
||||||
|
|
||||||
protected static Map patterns = new HashMap();
|
protected static Map<String, Pattern> patterns = new HashMap<String, Pattern>();
|
||||||
static
|
static
|
||||||
{
|
{
|
||||||
patterns.put(CrossSiteScripting.SEARCHNAME, Pattern
|
patterns.put(CrossSiteScripting.SEARCHNAME, Pattern
|
||||||
|
|||||||
@ -1,26 +1,17 @@
|
|||||||
package org.owasp.webgoat.lessons.SQLInjection;
|
package org.owasp.webgoat.lessons.SQLInjection;
|
||||||
|
|
||||||
import java.sql.Connection;
|
|
||||||
import java.sql.SQLException;
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Hashtable;
|
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
|
||||||
|
|
||||||
import org.apache.ecs.Element;
|
|
||||||
import org.apache.ecs.ElementContainer;
|
import org.apache.ecs.ElementContainer;
|
||||||
import org.apache.ecs.html.A;
|
|
||||||
import org.apache.ecs.html.IMG;
|
|
||||||
import org.owasp.webgoat.lessons.Category;
|
import org.owasp.webgoat.lessons.Category;
|
||||||
import org.owasp.webgoat.lessons.LessonAction;
|
import org.owasp.webgoat.lessons.LessonAction;
|
||||||
import org.owasp.webgoat.lessons.LessonAdapter;
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
|
||||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.DeleteProfile;
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.EditProfile;
|
||||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.EditProfile;
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
|
||||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.FindProfile;
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.Logout;
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
|
||||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.SearchStaff;
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
|
||||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.UpdateProfile;
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.UpdateProfile;
|
||||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
|
||||||
import org.owasp.webgoat.session.ParameterNotFoundException;
|
import org.owasp.webgoat.session.ParameterNotFoundException;
|
||||||
import org.owasp.webgoat.session.UnauthenticatedException;
|
import org.owasp.webgoat.session.UnauthenticatedException;
|
||||||
import org.owasp.webgoat.session.UnauthorizedException;
|
import org.owasp.webgoat.session.UnauthorizedException;
|
||||||
@ -56,144 +47,35 @@ import org.owasp.webgoat.session.WebSession;
|
|||||||
*
|
*
|
||||||
* For details, please see http://code.google.com/p/webgoat/
|
* For details, please see http://code.google.com/p/webgoat/
|
||||||
*/
|
*/
|
||||||
public class SQLInjection extends LessonAdapter
|
public class SQLInjection extends GoatHillsFinancial
|
||||||
{
|
{
|
||||||
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
|
|
||||||
|
|
||||||
public final static String DESCRIPTION = "description";
|
|
||||||
|
|
||||||
public final static String DISCIPLINARY_DATE = "disciplinaryDate";
|
|
||||||
|
|
||||||
public final static String DISCIPLINARY_NOTES = "disciplinaryNotes";
|
|
||||||
|
|
||||||
public final static String CCN_LIMIT = "ccnLimit";
|
|
||||||
|
|
||||||
public final static String CCN = "ccn";
|
|
||||||
|
|
||||||
public final static String SALARY = "salary";
|
|
||||||
|
|
||||||
public final static String START_DATE = "startDate";
|
|
||||||
|
|
||||||
public final static String MANAGER = "manager";
|
|
||||||
|
|
||||||
public final static String ADDRESS1 = "address1";
|
|
||||||
|
|
||||||
public final static String ADDRESS2 = "address2";
|
|
||||||
|
|
||||||
public final static String PHONE_NUMBER = "phoneNumber";
|
|
||||||
|
|
||||||
public final static String TITLE = "title";
|
|
||||||
|
|
||||||
public final static String SSN = "ssn";
|
|
||||||
|
|
||||||
public final static String LAST_NAME = "lastName";
|
|
||||||
|
|
||||||
public final static String FIRST_NAME = "firstName";
|
|
||||||
|
|
||||||
public final static String PASSWORD = "password";
|
|
||||||
|
|
||||||
public final static String EMPLOYEE_ID = "employee_id";
|
|
||||||
|
|
||||||
public final static String USER_ID = "user_id";
|
|
||||||
|
|
||||||
public final static String SEARCHNAME = "search_name";
|
|
||||||
|
|
||||||
public final static String SEARCHRESULT_ATTRIBUTE_KEY = "SearchResult";
|
|
||||||
|
|
||||||
public final static String EMPLOYEE_ATTRIBUTE_KEY = "Employee";
|
|
||||||
|
|
||||||
public final static String STAFF_ATTRIBUTE_KEY = "Staff";
|
|
||||||
|
|
||||||
public final static String LOGIN_ACTION = "Login";
|
|
||||||
|
|
||||||
public final static String LOGOUT_ACTION = "Logout";
|
|
||||||
|
|
||||||
public final static String LISTSTAFF_ACTION = "ListStaff";
|
|
||||||
|
|
||||||
public final static String SEARCHSTAFF_ACTION = "SearchStaff";
|
|
||||||
|
|
||||||
public final static String FINDPROFILE_ACTION = "FindProfile";
|
|
||||||
|
|
||||||
public final static String VIEWPROFILE_ACTION = "ViewProfile";
|
|
||||||
|
|
||||||
public final static String EDITPROFILE_ACTION = "EditProfile";
|
|
||||||
|
|
||||||
public final static String UPDATEPROFILE_ACTION = "UpdateProfile";
|
|
||||||
|
|
||||||
public final static String CREATEPROFILE_ACTION = "CreateProfile";
|
|
||||||
|
|
||||||
public final static String DELETEPROFILE_ACTION = "DeleteProfile";
|
|
||||||
|
|
||||||
public final static String ERROR_ACTION = "error";
|
|
||||||
|
|
||||||
private final static String LESSON_NAME = "SQLInjection";
|
|
||||||
|
|
||||||
private final static String JSP_PATH = "/lessons/" + LESSON_NAME + "/";
|
|
||||||
|
|
||||||
private final static Integer DEFAULT_RANKING = new Integer(75);
|
private final static Integer DEFAULT_RANKING = new Integer(75);
|
||||||
|
|
||||||
public final static int PRIZE_EMPLOYEE_ID = 112;
|
public final static int PRIZE_EMPLOYEE_ID = 112;
|
||||||
|
|
||||||
public final static String PRIZE_EMPLOYEE_NAME = "Neville Bartholomew";
|
public final static String PRIZE_EMPLOYEE_NAME = "Neville Bartholomew";
|
||||||
|
|
||||||
private static Connection connection = null;
|
public void registerActions(String className)
|
||||||
|
|
||||||
private Map lessonFunctions = new Hashtable();
|
|
||||||
|
|
||||||
|
|
||||||
public static synchronized Connection getConnection(WebSession s)
|
|
||||||
throws SQLException, ClassNotFoundException
|
|
||||||
{
|
{
|
||||||
if (connection == null)
|
registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
|
||||||
{
|
registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
|
||||||
connection = DatabaseUtilities.makeConnection(s);
|
registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
|
||||||
}
|
registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
|
||||||
|
registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
|
||||||
return connection;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
public SQLInjection()
|
|
||||||
{
|
|
||||||
String myClassName = parseClassName(this.getClass().getName());
|
|
||||||
registerAction(new ListStaff(this, myClassName, LISTSTAFF_ACTION));
|
|
||||||
registerAction(new SearchStaff(this, myClassName, SEARCHSTAFF_ACTION));
|
|
||||||
registerAction(new ViewProfile(this, myClassName, VIEWPROFILE_ACTION));
|
|
||||||
registerAction(new EditProfile(this, myClassName, EDITPROFILE_ACTION));
|
|
||||||
registerAction(new EditProfile(this, myClassName, CREATEPROFILE_ACTION));
|
|
||||||
|
|
||||||
// These actions are special in that they chain to other actions.
|
// These actions are special in that they chain to other actions.
|
||||||
registerAction(new Login(this, myClassName, LOGIN_ACTION,
|
registerAction(new Login(this, className, LOGIN_ACTION,
|
||||||
getAction(LISTSTAFF_ACTION)));
|
getAction(LISTSTAFF_ACTION)));
|
||||||
registerAction(new Logout(this, myClassName, LOGOUT_ACTION,
|
registerAction(new Logout(this, className, LOGOUT_ACTION,
|
||||||
getAction(LOGIN_ACTION)));
|
getAction(LOGIN_ACTION)));
|
||||||
registerAction(new FindProfile(this, myClassName, FINDPROFILE_ACTION,
|
registerAction(new FindProfile(this, className, FINDPROFILE_ACTION,
|
||||||
getAction(VIEWPROFILE_ACTION)));
|
getAction(VIEWPROFILE_ACTION)));
|
||||||
registerAction(new UpdateProfile(this, myClassName,
|
registerAction(new UpdateProfile(this, className,
|
||||||
UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
|
UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
|
||||||
registerAction(new DeleteProfile(this, myClassName,
|
registerAction(new DeleteProfile(this, className,
|
||||||
DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
|
DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
protected static String parseClassName(String fqcn)
|
|
||||||
{
|
|
||||||
String className = fqcn;
|
|
||||||
|
|
||||||
int lastDotIndex = fqcn.lastIndexOf('.');
|
|
||||||
if (lastDotIndex > -1)
|
|
||||||
className = fqcn.substring(lastDotIndex + 1);
|
|
||||||
|
|
||||||
return className;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
protected void registerAction(LessonAction action)
|
|
||||||
{
|
|
||||||
lessonFunctions.put(action.getActionName(), action);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets the category attribute of the CrossSiteScripting object
|
* Gets the category attribute of the CrossSiteScripting object
|
||||||
*
|
*
|
||||||
@ -204,7 +86,6 @@ public class SQLInjection extends LessonAdapter
|
|||||||
return Category.A6;
|
return Category.A6;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets the hints attribute of the DirectoryScreen object
|
* Gets the hints attribute of the DirectoryScreen object
|
||||||
*
|
*
|
||||||
@ -298,13 +179,6 @@ public class SQLInjection extends LessonAdapter
|
|||||||
return instructions;
|
return instructions;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
protected LessonAction getAction(String actionName)
|
|
||||||
{
|
|
||||||
return (LessonAction) lessonFunctions.get(actionName);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
public void handleRequest(WebSession s)
|
public void handleRequest(WebSession s)
|
||||||
{
|
{
|
||||||
if (s.getLessonSession(this) == null)
|
if (s.getLessonSession(this) == null)
|
||||||
@ -376,47 +250,6 @@ public class SQLInjection extends LessonAdapter
|
|||||||
setContent(new ElementContainer());
|
setContent(new ElementContainer());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public boolean isAuthorized(WebSession s, int userId, String functionId)
|
|
||||||
{
|
|
||||||
//System.out.println("Checking authorization from " + getCurrentAction(s));
|
|
||||||
LessonAction action = (LessonAction) lessonFunctions
|
|
||||||
.get(getCurrentAction(s));
|
|
||||||
return action.isAuthorized(s, userId, functionId);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
public int getUserId(WebSession s) throws ParameterNotFoundException
|
|
||||||
{
|
|
||||||
LessonAction action = (LessonAction) lessonFunctions
|
|
||||||
.get(getCurrentAction(s));
|
|
||||||
return action.getUserId(s);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
public String getUserName(WebSession s) throws ParameterNotFoundException
|
|
||||||
{
|
|
||||||
LessonAction action = (LessonAction) lessonFunctions
|
|
||||||
.get(getCurrentAction(s));
|
|
||||||
return action.getUserName(s);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
public String getTemplatePage(WebSession s)
|
|
||||||
{
|
|
||||||
return JSP_PATH + LESSON_NAME + ".jsp";
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
public String getPage(WebSession s)
|
|
||||||
{
|
|
||||||
String page = JSP_PATH + getCurrentAction(s) + ".jsp";
|
|
||||||
//System.out.println("Retrieved sub-view page for " + this.getClass().getName() + " of " + page);
|
|
||||||
|
|
||||||
return page;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
protected Integer getDefaultRanking()
|
protected Integer getDefaultRanking()
|
||||||
{
|
{
|
||||||
return DEFAULT_RANKING;
|
return DEFAULT_RANKING;
|
||||||
@ -432,18 +265,4 @@ public class SQLInjection extends LessonAdapter
|
|||||||
{
|
{
|
||||||
return "LAB: SQL Injection";
|
return "LAB: SQL Injection";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public String getSourceFileName()
|
|
||||||
{
|
|
||||||
// FIXME: Need to generalize findSourceResource() and use it on the currently active
|
|
||||||
// LessonAction delegate to get its source file.
|
|
||||||
//return findSourceResource(getCurrentLessonScreen()....);
|
|
||||||
return super.getSourceFileName();
|
|
||||||
}
|
|
||||||
|
|
||||||
public Element getCredits()
|
|
||||||
{
|
|
||||||
return super.getCustomCredits("", ASPECT_LOGO);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|||||||
@ -7,7 +7,6 @@ import java.sql.SQLException;
|
|||||||
import org.owasp.webgoat.lessons.AbstractLesson;
|
import org.owasp.webgoat.lessons.AbstractLesson;
|
||||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.EditProfile;
|
import org.owasp.webgoat.lessons.RoleBasedAccessControl.EditProfile;
|
||||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
|
import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
|
||||||
import org.owasp.webgoat.lessons.SQLInjection.SQLInjection;
|
|
||||||
import org.owasp.webgoat.session.Employee;
|
import org.owasp.webgoat.session.Employee;
|
||||||
import org.owasp.webgoat.session.UnauthorizedException;
|
import org.owasp.webgoat.session.UnauthorizedException;
|
||||||
import org.owasp.webgoat.session.WebSession;
|
import org.owasp.webgoat.session.WebSession;
|
||||||
@ -50,7 +49,7 @@ public class EditProfile_i extends EditProfile
|
|||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement( query,
|
PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
|
||||||
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
|
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
|
||||||
answer_statement.setInt(1, subjectUserId);
|
answer_statement.setInt(1, subjectUserId);
|
||||||
ResultSet answer_results = answer_statement.executeQuery();
|
ResultSet answer_results = answer_statement.executeQuery();
|
||||||
|
|||||||
@ -48,7 +48,7 @@ public class Login_i extends Login
|
|||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement( query,
|
PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
|
||||||
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); // STAGE 2 - FIX
|
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); // STAGE 2 - FIX
|
||||||
answer_statement.setString(1, userId); // STAGE 2 - FIX
|
answer_statement.setString(1, userId); // STAGE 2 - FIX
|
||||||
answer_statement.setString(2, password); // STAGE 2 - FIX
|
answer_statement.setString(2, password); // STAGE 2 - FIX
|
||||||
|
|||||||
@ -5,7 +5,6 @@ import java.sql.ResultSet;
|
|||||||
import java.sql.SQLException;
|
import java.sql.SQLException;
|
||||||
|
|
||||||
import org.owasp.webgoat.lessons.AbstractLesson;
|
import org.owasp.webgoat.lessons.AbstractLesson;
|
||||||
import org.owasp.webgoat.lessons.SQLInjection.SQLInjection;
|
|
||||||
import org.owasp.webgoat.lessons.SQLInjection.ViewProfile;
|
import org.owasp.webgoat.lessons.SQLInjection.ViewProfile;
|
||||||
import org.owasp.webgoat.session.Employee;
|
import org.owasp.webgoat.session.Employee;
|
||||||
import org.owasp.webgoat.session.UnauthorizedException;
|
import org.owasp.webgoat.session.UnauthorizedException;
|
||||||
@ -52,7 +51,7 @@ public class ViewProfile_i extends ViewProfile
|
|||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement( query,
|
PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
|
||||||
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); // STAGE 4 - FIX
|
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); // STAGE 4 - FIX
|
||||||
answer_statement.setInt(1, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX
|
answer_statement.setInt(1, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX
|
||||||
ResultSet answer_results = answer_statement.executeQuery(); // STAGE 4 - FIX
|
ResultSet answer_results = answer_statement.executeQuery(); // STAGE 4 - FIX
|
||||||
|
|||||||
Reference in New Issue
Block a user