added parameters service

java/org/owasp/webgoat/HammerHead.java

@@ -399,10 +399,10 @@ public class HammerHead extends HttpServlet {
 
         }
 
-        session.update(request, response, this.getServletName());
         // update last attack request info (cookies, parms)
         // this is so the REST services can have access to them via the session 
         session.updateLastAttackRequestInfo(request);
+        session.update(request, response, this.getServletName());
 
         // to authenticate
         // System.out.println( "HH Leaving Session_id: " + hs.getId() );

java/org/owasp/webgoat/lessons/model/RequestParameter.java

@@ -0,0 +1,66 @@
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository
+ * for free software projects.
+ *
+ * For details, please see http://code.google.com/p/webgoat/
+ */
+package org.owasp.webgoat.lessons.model;
+
+/**
+ *
+ * @author rlawson
+ */
+public class RequestParameter implements Comparable<RequestParameter> {
+
+    private final String name;
+    private final String value;
+
+    public RequestParameter(String name, String value) {
+        this.name = name;
+        this.value = value;
+    }
+
+    /**
+     * @return the name
+     */
+    public String getName() {
+        return name;
+    }
+
+    /**
+     * @return the values
+     */
+    public String getValue() {
+        return value;
+    }
+
+    @Override
+    public int compareTo(RequestParameter o) {
+        return this.name.compareTo(o.getName());
+    }
+
+}

java/org/owasp/webgoat/service/CookieService.java

@@ -49,7 +49,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
 public class CookieService extends BaseService {
 
     /**
-     * Returns hints for current lesson
+     * Returns cookies for last attack
      *
      * @param session
      * @return
@@ -57,7 +57,6 @@ public class CookieService extends BaseService {
     @RequestMapping(value = "/cookie.mvc", produces = "application/json")
     public @ResponseBody
     List<Cookie> showCookies(HttpSession session) {
-        List<Hint> listHints = new ArrayList<Hint>();
         WebSession ws = getWebSesion(session);
         List<Cookie> cookies = ws.getCookiesOnLastRequest();
         return cookies;

java/org/owasp/webgoat/service/ParameterService.java

@@ -0,0 +1,70 @@
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository
+ * for free software projects.
+ *
+ * For details, please see http://code.google.com/p/webgoat/
+ */
+package org.owasp.webgoat.service;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import javax.servlet.http.HttpSession;
+import org.owasp.webgoat.lessons.model.RequestParameter;
+import org.owasp.webgoat.session.WebSession;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+/**
+ *
+ * @author rlawson
+ */
+@Controller
+public class ParameterService extends BaseService {
+
+    final Logger logger = LoggerFactory.getLogger(ParameterService.class);
+
+    /**
+     * Returns request parameters for last attack
+     *
+     * @param session
+     * @return
+     */
+    @RequestMapping(value = "/parameter.mvc", produces = "application/json")
+    public @ResponseBody
+    List<RequestParameter> showParameters(HttpSession session) {
+        List<RequestParameter> listParms = new ArrayList<RequestParameter>();
+        WebSession ws = getWebSesion(session);
+        listParms = ws.getParmsOnLastRequest();
+        Collections.sort(listParms);
+        return listParms;
+    }
+}

java/org/owasp/webgoat/servlets/Controller.java

@@ -1 +1 @@
-
package org.owasp.webgoat.servlets;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;


/***************************************************************************************************
 * 
 * 
 * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
 * please see http://www.owasp.org/
 * 
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 * 
 * This program is free software; you can redistribute it and/or modify it under the terms of the
 * GNU General Public License as published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 * 
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
 * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 * 
 * You should have received a copy of the GNU General Public License along with this program; if
 * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
 * 02111-1307, USA.
 * 
 * Getting Source ==============
 * 
 * Source for this application is maintained at code.google.com, a repository for free software
 * projects.
 * 
 * For details, please see http://code.google.com/p/webgoat/
 */

public class Controller extends HttpServlet

{

	private static final long serialVersionUID = 1L;

	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException

	{

		doPost(request, response);

	}

	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException,
			IOException

	{

		String userAgent = request.getHeader("user-agent");

		String clientBrowser = "Not known!";

		if (userAgent != null)

		{

			clientBrowser = userAgent;

		}

		request.setAttribute("client.browser", clientBrowser);

		request.getRequestDispatcher("/view.jsp").forward(request, response);

	}

}
+package org.owasp.webgoat.servlets;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * *************************************************************************************************
 *
 *
 * This file is part of WebGoat, an Open Web Application Security Project
 * utility. For details, please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free Software
 * Foundation; either version 2 of the License, or (at your option) any later
 * version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
 * details.
 *
 * You should have received a copy of the GNU General Public License along with
 * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
 * Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * Getting Source ==============
 *
 * Source for this application is maintained at code.google.com, a repository
 * for free software projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
 */
public class Controller extends HttpServlet {

    private static final long serialVersionUID = 1L;

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

        doPost(request, response);

    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException,
            IOException {

        String userAgent = request.getHeader("user-agent");

        String clientBrowser = "Not known!";

        if (userAgent != null) {

            clientBrowser = userAgent;

        }

        request.setAttribute("client.browser", clientBrowser);

        request.getRequestDispatcher("/view.jsp").forward(request, response);

    }

}

java/org/owasp/webgoat/session/WebSession.java

@@ -22,7 +22,10 @@ import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.RandomLessonAdapter;
 import org.owasp.webgoat.lessons.SequentialLessonAdapter;
+import org.owasp.webgoat.lessons.model.RequestParameter;
 import org.owasp.webgoat.util.WebGoatI18N;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * *************************************************************************************************
@@ -62,6 +65,8 @@ import org.owasp.webgoat.util.WebGoatI18N;
  */
 public class WebSession {
 
+    final Logger logger = LoggerFactory.getLogger(WebSession.class);
+
     /**
      * Description of the Field
      */
@@ -207,6 +212,8 @@ public class WebSession {
 
     private List<Cookie> cookiesOnLastRequest;
 
+    private List<RequestParameter> parmsOnLastRequest;
+
     /**
      * Constructor for the WebSession object
      *
@@ -904,7 +911,27 @@ public class WebSession {
         } else {
             this.cookiesOnLastRequest = Arrays.asList(cookies);
         }
-
+        // store parameters
+        Map<String, String[]> parmMap = request.getParameterMap();
+        logger.info("PARM MAP: " + parmMap);
+        if (parmMap == null) {
+            this.parmsOnLastRequest = new ArrayList<RequestParameter>();
+        } else {
+            this.parmsOnLastRequest = new ArrayList<RequestParameter>();
+            for (String name : parmMap.keySet()) {
+                String[] values = parmMap.get(name);
+                String value = "";
+                if (values != null && values.length > 0) {
+                    if (values.length > 1) {
+                        value = String.join(",", values);
+                    } else {
+                        value = values[0];
+                    }
+                }
+                RequestParameter parm = new RequestParameter(name, value);
+                this.parmsOnLastRequest.add(parm);
+            }
+        }
     }
 
     private void restartLesson(int lessonId) {
@@ -1003,10 +1030,10 @@ public class WebSession {
     }
 
     /**
-     * @param cookiesOnLastRequest the cookiesOnLastRequest to set
+     * @return the parmsOnLastRequest
      */
-    public void setCookiesOnLastRequest(List<Cookie> cookiesOnLastRequest) {
+    public List<RequestParameter> getParmsOnLastRequest() {
-        this.cookiesOnLastRequest = cookiesOnLastRequest;
+        return parmsOnLastRequest;
     }
 
 }