Separated DB usage for messages in CSRF and Stored XSS

Many cosmetic English changes
Fixed IE rendering for Challenge
 

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@350 4033779f-a91e-0410-96ef-6bf7bf53c507
mayhew64 2008-07-09 00:17:20 +00:00
parent 29f0222258
commit 71460125b6
14 changed files with 99 additions and 70 deletions


@ -59,7 +59,7 @@ import org.owasp.webgoat.session.WebgoatProperties;
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public abstract class AbstractLesson extends Screen implements Comparable
public abstract class AbstractLesson extends Screen implements Comparable<Object>
{
/**
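Review bot: Parameterizing as `Comparable<Object>` at L21 silences the raw-type warning but keeps the signature `compareTo(Object)`, so the implementation (outside this hunk) presumably still has to cast its argument. `Comparable<AbstractLesson>` would let the compiler check the argument type and drop that cast, provided nothing in the project compares a lesson against a non-lesson object. The class body continues past the hunk.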


@ -87,7 +87,7 @@ public class CSRF extends LessonAdapter
Connection connection = DatabaseUtilities.getConnection(s);
String query = "INSERT INTO messages VALUES (?, ?, ?, ? )";
String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
@ -95,6 +95,7 @@ public class CSRF extends LessonAdapter
statement.setString(2, title);
statement.setString(3, message);
statement.setString(4, s.getUserName());
statement.setString(5, this.getClass().getName());
statement.execute();
} catch (Exception e)
@ -170,11 +171,17 @@ public class CSRF extends LessonAdapter
{
Connection connection = DatabaseUtilities.getConnection(s);
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
// edit by Chuck Willis - Added logic to associate similar usernames
// The idea is that users chuck-1, chuck-2, etc will see each other's messages
// but not anyone elses. This allows users to try out XSS to grab another user's
// cookies, but not get confused by other users scripts
ResultSet results = statement.executeQuery(STANDARD_QUERY + " WHERE user_name LIKE '"
+ getNameroot(s.getUserName()) + "%'");
String query = "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
statement.setString(1, getNameroot(s.getUserName()) + "%");
statement.setString(2, getClass().getName());
ResultSet results = statement.executeQuery();
if ((results != null) && (results.first() == true))
{
@ -223,11 +230,12 @@ public class CSRF extends LessonAdapter
Connection connection = DatabaseUtilities.getConnection(s);
String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ?";
String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
statement.setString(1, getNameroot(s.getUserName()) + "%");
statement.setInt(2, messageNum);
statement.setString(3, this.getClass().getName());
ResultSet results = statement.executeQuery();
if ((results != null) && results.first())
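Review bot: The LIKE pattern bound at L54 and L65, `getNameroot(s.getUserName()) + "%"`, treats `%` and `_` inside the name root as wildcards, so a user name containing either would match other users' rows rather than only the chuck-1/chuck-2 family the comment describes; unless getNameroot (not visible here) strips those characters, escape them before binding, for example with an `ESCAPE` clause on the query. The same two LIKE queries appear in the StoredXss section and need the same treatment. Also `results.first() == true` at L57 can simply be `results.first()`, as the third hunk already writes it, and `getClass().getName()` (L55) versus `this.getClass().getName()` (L37, L67) should be spelled one way across the three hunks. The enclosing methods begin and end outside the hunks.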


@ -252,6 +252,7 @@ public class Challenge2Screen extends SequentialLessonAdapter
if (v.size() == 13)
{
s.setMessage("Congratulations! You stole all the credit cards, proceed to stage 3!");
s.setMessage(" - Look in the credit card pull down to see the numbers.");
ec.addElement(new BR());
// TR inf = new TR();
Center center = new Center();
@ -340,7 +341,7 @@ public class Challenge2Screen extends SequentialLessonAdapter
ec.addElement(t);
} catch (Exception e)
{
ec.addElement(new P().addElement("Select a message to read from the Message List below"));
ec.addElement(new P().addElement("Error in obtaining network status"));
}
ec.addElement(new HR());
@ -557,7 +558,7 @@ public class Challenge2Screen extends SequentialLessonAdapter
String instructions = "Your mission is to break the authentication scheme, "
+ "steal all the credit cards from the database, and then deface the website. "
+ "You will have to use many of the techniques you have learned in the other lessons. "
+ "The main webpage for this site is 'webgoat_challenge_&lt;username&gt;.jsp'";
+ "The main webpage to deface for this site is 'webgoat_challenge_" + s.getUserName() + ".jsp'";
return (instructions);
}
@ -623,18 +624,19 @@ public class Challenge2Screen extends SequentialLessonAdapter
ElementContainer ec = new ElementContainer();
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("80%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
String[] colWidths = new String[]{"55", "110", "260", "70"};
TR tr = new TR();
tr.addElement(new TH().addElement("Protocol").setWidth("7%"));
tr.addElement(new TH().addElement("Local Address").setWidth("80%"));
tr.addElement(new TH().addElement("Foreign Address").setWidth("10%"));
tr.addElement(new TH().addElement("State").setWidth("3%"));
tr.addElement(new TH().addElement("Protocol").setWidth(colWidths[0]));
tr.addElement(new TH().addElement("Local Address").setWidth(colWidths[1]));
tr.addElement(new TH().addElement("Foreign Address").setWidth(colWidths[2]));
tr.addElement(new TH().addElement("State").setWidth(colWidths[3]));
t.addElement(tr);
String protocol = s.getParser().getRawParameter(PROTOCOL, "tcp");
@ -672,12 +674,14 @@ public class Challenge2Screen extends SequentialLessonAdapter
{
// in order to avoid a ill-rendered screen when the user performs
// command injection, we will wrap the screen at 4 columns
int columnCount = 4;
int columnCount = 0;
tr = new TR();
TD td;
StringTokenizer tokens = new StringTokenizer(lines.nextToken(), "\t ");
while (tokens.hasMoreTokens() && columnCount-- > 0)
while (tokens.hasMoreTokens() && columnCount <4)
{
tr.addElement(new TD().addElement(tokens.nextToken()));
td = new TD().setWidth(colWidths[columnCount++]);
tr.addElement(td.addElement(tokens.nextToken()));
}
t.addElement(tr);
}
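Review bot: The rewritten instructions at L94 concatenate `s.getUserName()` directly into an HTML string, where the replaced line used the escaped placeholder `&lt;username&gt;`; unless user names are restricted to safe characters elsewhere, a name containing markup is rendered into the lesson page, so HTML-escape the name before interpolating it or keep the placeholder text. In the hunk at -672, the loop bound `columnCount <4` at L127 duplicates the length of `colWidths` declared at L105 — `columnCount < colWidths.length` keeps the bound tied to the table definition and avoids an out-of-range index if a column is ever added — and `TD td;` can be declared inside the loop where it is used; whether both hunks sit in the same method is not visible here. The enclosing methods start and end outside the hunks.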


@ -134,7 +134,7 @@ public class LogSpoofing extends LessonAdapter
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Try to fool the humane eye by using new lines.");
hints.add("Try to fool the human eye by using new lines.");
hints.add("Use CR (%0d) and LF (%0a) for a new line.");
hints.add("Try: Smith%0d%0aLogin Succeeded for username: admin");
hints


@ -107,7 +107,6 @@ public class SessionFixation extends SequentialLessonAdapter
String randomSid = randomSIDGenerator();
s.add("SID", randomSid);
this.sid = randomSid;
System.out.println("RANDOMSID " + randomSid);
}
String name = s.getParser().getStringParameter(USER, "");
@ -245,12 +244,12 @@ public class SessionFixation extends SequentialLessonAdapter
String link = getLink();
String mailText = "<b>Dear MS. Plane</b> <br><br>"
+ "During the last week we had a few problems with our database. "
+ "A lot of people complained that there account details are wrong. "
+ "That is why we kindly ask you to use following link to verify your "
+ "We have received many complaints regarding incorrect account details. "
+ "Please use the following link to verify your account "
+ "data:<br><br><center><a href=http://localhost/WebGoat/"
+ link
+ "> Goat Hills Financial</a></center><br><br>"
+ "We are sorry for the caused inconvenience and thank you for your cooparation.<br><br>"
+ "We are sorry for the any inconvenience and thank you for your cooparation.<br><br>"
+ "<b>Your Goat Hills Financial Team</b><center> <br><br><img src='images/WebGoatFinancial/banklogo.jpg'></center>";
ElementContainer ec = new ElementContainer();
@ -738,22 +737,22 @@ public class SessionFixation extends SequentialLessonAdapter
{
instructions += "You are Hacker Joe and " +
"you want to steal the session from Jane. " +
"That is why you have to send a prepared mail " +
"which looks like an official mail from the bank" +
"to her. The mail is already prepared. Only " +
"thing missing is a Session ID (SID) in the Link. Alter " +
"Send a prepared email to the victim " +
"which looks like an official email from the bank. " +
"A template message is prepared below, you will need to add " +
"a Session ID (SID) in the link inside the email. Alter " +
"the link to include a SID.<br><br><b>You are: Hacker Joe</b>";
}
else if (stage == 2)
{
instructions += "Now you are the victim Jane who received the mail you see. " +
"If you point on the link with your mouse you will see that there is a SID included." +
instructions += "Now you are the victim Jane who received the email below. " +
"If you point on the link with your mouse you will see that there is a SID included. " +
"Click on it to see what happens.<br><br><b>You are: Victim Jane</b> ";
}
else if (stage == 3)
{
instructions += "As the bank kindly asked to verfy your data you have to log in to see if your details are " +
"correct ;). Your user name is <b>Jane</b> and your password is <b>tarzan</b>. <br><br><b>You are: Victim Jane</b> ";
instructions += "The bank has asked you to verfy your data. Log in to see if your details are " +
"correct. Your user name is <b>Jane</b> and your password is <b>tarzan</b>. <br><br><b>You are: Victim Jane</b> ";
}
else if (stage == 4)
{
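Review bot: The rewritten mail text at L169 reads "We are sorry for the any inconvenience" and keeps "cooparation", and the rewritten stage-3 instructions at L198 keep "verfy"; since this commit's stated purpose is the English cleanup, change them to `"We are sorry for any inconvenience and thank you for your cooperation.<br><br>"` and `"The bank has asked you to verify your data. Log in to see if your details are "`. The surrounding methods begin and end outside the hunks.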


@ -128,7 +128,14 @@ public class SqlNumericInjection extends SequentialLessonAdapter
{
makeSuccess(s);
getLessonTracker(s).setStage(2);
s.setMessage("Start this lesson over to attack a parameterized query.");
StringBuffer msg = new StringBuffer();
msg.append("Bet you can't do it again! ");
msg.append("This lesson has detected your successfull attack ");
msg.append("and has now switched to a defensive mode. ");
msg.append("Try again to attack a parameterized query.");
s.setMessage(msg.toString());
}
}
else
@ -222,9 +229,9 @@ public class SqlNumericInjection extends SequentialLessonAdapter
ec.addElement(new P().addElement("Select your local weather station: "));
Map stations = getStations(s);
Map<String, String> stations = getStations(s);
Select select = new Select(STATION_ID);
Iterator it = stations.keySet().iterator();
Iterator<String> it = stations.keySet().iterator();
while (it.hasNext())
{
String key = (String) it.next();
@ -244,7 +251,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
*
* @return A map containing each station, indexed by station number
*/
protected Map getStations(WebSession s) throws SQLException, ClassNotFoundException
protected Map<String, String> getStations(WebSession s) throws SQLException, ClassNotFoundException
{
Connection connection = DatabaseUtilities.getConnection(s);
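Review bot: The message assembled at L211–L216 uses `StringBuffer` where no synchronization is needed; the file already uses generics, so `StringBuilder` — or a single concatenated literal — is the idiomatic choice, and the text at L213 misspells "successful". In the second hunk, typing the iterator as `Iterator<String>` at L226 makes the cast on the unchanged line `String key = (String) it.next();` redundant; `for (String key : stations.keySet())` would replace the iterator, the loop header and that line. The enclosing methods start and end outside the hunks.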


@ -96,7 +96,7 @@ public class StoredXss extends LessonAdapter
Connection connection = DatabaseUtilities.getConnection(s);
String query = "INSERT INTO messages VALUES (?, ?, ?, ? )";
String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
@ -104,6 +104,7 @@ public class StoredXss extends LessonAdapter
statement.setString(2, title);
statement.setString(3, message);
statement.setString(4, s.getUserName());
statement.setString(5, this.getClass().getName());
statement.execute();
} catch (Exception e)
{
@ -204,11 +205,12 @@ public class StoredXss extends LessonAdapter
// but not anyone elses. This allows users to try out XSS to grab another user's
// cookies, but not get confused by other users scripts
String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ?";
String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
statement.setString(1, getNameroot(s.getUserName()) + "%");
statement.setInt(2, messageNum);
statement.setString(3, this.getClass().getName());
ResultSet results = statement.executeQuery();
if ((results != null) && results.first())
@ -305,7 +307,7 @@ public class StoredXss extends LessonAdapter
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeList(WebSession s)
public Element makeList(WebSession s)
{
Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
@ -313,16 +315,18 @@ public class StoredXss extends LessonAdapter
{
Connection connection = DatabaseUtilities.getConnection(s);
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
// edit by Chuck Willis - Added logic to associate similar usernames
// The idea is that users chuck-1, chuck-2, etc will see each other's messages
// but not anyone elses. This allows users to try out XSS to grab another user's
// cookies, but not get confused by other users scripts
ResultSet results = statement.executeQuery(STANDARD_QUERY + " WHERE user_name LIKE '"
+ getNameroot(s.getUserName()) + "%'");
String query = "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
statement.setString(1, getNameroot(s.getUserName()) + "%");
statement.setString(2, getClass().getName());
ResultSet results = statement.executeQuery();
if ((results != null) && (results.first() == true))
{
results.beforeFirst();
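Review bot: `makeList` loses its `static` modifier at L272, apparently because the new query at L290 needs `getClass().getName()`, and that breaks any caller that invoked it as `StoredXss.makeList(s)`; confirm no other lesson called it statically, and replace the method's placeholder Javadoc ("Description of the Parameter", L268–L269) with a real description while touching it. With the query string now built inline at L286, `STANDARD_QUERY` no longer appears in the rewritten hunks — if nothing outside them references it, remove the constant rather than leave it dead. The enclosing methods begin and end outside the hunks.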


@ -66,7 +66,7 @@ public class CreateDB
try
{
String createTableStatement = "CREATE TABLE messages (" + "num int not null," + "title varchar(50),"
+ "message varchar(200)," + "user_name varchar(50) not null " + ")";
+ "message varchar(200)," + "user_name varchar(50) not null, " + "lesson_type varchar(50) not null" + ")";
statement.executeUpdate(createTableStatement);
} catch (SQLException e)
{
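Review bot: The new `lesson_type varchar(50) not null` column at L303 receives `this.getClass().getName()` from the CSRF and StoredXss inserts, i.e. a fully qualified class name; a lesson in a deeper package can exceed 50 characters, and depending on the database that either truncates silently — so the lesson's later `lesson_type = ?` filter never matches its own rows — or fails the INSERT inside the lessons' catch-all handler. Widen the column, e.g. `"lesson_type varchar(100) not null"`, or store `getClass().getSimpleName()` consistently on both the write and read sides. The surrounding try block continues outside the hunk.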


@ -168,6 +168,7 @@ public class WebSession
private boolean isColor = false;
private boolean isDebug = false;
private boolean hasHackedHackableAdmin = false;
private StringBuffer message = new StringBuffer("");
@ -363,11 +364,11 @@ public class WebSession
public String getCurrentLink()
{
String thisLink = "attack";
Enumeration e = request.getParameterNames();
Enumeration<String> e = request.getParameterNames();
boolean isFirstParameter = true;
while (e.hasMoreElements())
{
String name = (String) e.nextElement();
String name = e.nextElement();
if (isFirstParameter)
{
isFirstParameter = false;
@ -428,7 +429,7 @@ public class WebSession
{
params = new Vector<Parameter>();
Enumeration e = getParser().getParameterNames();
Enumeration<String> e = getParser().getParameterNames();
while ((e != null) && e.hasMoreElements())
{
@ -448,9 +449,9 @@ public class WebSession
return params;
}
public List getCookies()
public List<Cookie> getCookies()
{
List cookies = null;
List<Cookie> cookies = null;
if (showCookies()) cookies = Arrays.asList(request.getCookies());
@ -669,7 +670,7 @@ public class WebSession
public LessonSession getLessonSession(AbstractLesson lesson)
{
return (LessonSession) lessonSessions.get(lesson);
return lessonSessions.get(lesson);
}
/**
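Review bot: `getCookies` (L340–L344) hands `request.getCookies()` straight to `Arrays.asList`, and `HttpServletRequest.getCookies()` returns null when the request carries no cookies, so a cookie-less request with `showCookies()` enabled throws NullPointerException; this is pre-existing, but the hunk retypes exactly this code, so guard it: `Cookie[] raw = request.getCookies();` then `if (showCookies() && raw != null) cookies = Arrays.asList(raw);`. The rest of that method lies outside the hunk. Separately, the new `message` field at L314 is a `StringBuffer`; if its only writers are the request-handling calls on the session's own thread, `StringBuilder` suffices, but a WebSession is shared across a user's requests, so confirm the access pattern before changing it.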


@ -6,8 +6,9 @@
}
#top_ch{
height:86px;
width: 500px;
height:136px;
background-image: url(../images/header/header.jpg);
}
#wrap_ch {
@ -19,22 +20,24 @@
}
#start_ch {
height: 300px;
padding: 10px 50px 10px 50px;
font-size: 12px;
height: 350px;
width: 500px;
padding: 10px 10px 10px 10px;
font-size: 15px;
}
#warning_ch {
border: 1px solid #666666;
padding: 10px;
font-size: 10px;
color: #FF3300;
width: 400px;
margin-left: 50px;
width: 450px;
margin-left: 5px;
margin-right: 5px;
}
#team_ch {
}
.style1_ch {
font-size: 10px;
font-size: 11px;
font-weight: bold;
}
.style2_ch {


@ -8,6 +8,7 @@ introduced a new cookie attribute entitled 'HttpOnly.' If this flag is
set, then the browser should not allow client-side script to access the
cookie. Since the attribute is relatively new, several browsers neglect
to handle the new attribute properly.
<p>For a list of supported browsers see: <a href=http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly>OWASP HTTPOnly Support</a>
<p><b>General Goal(s):</b></p>
The purpose of this lesson is to test whether your browser supports the
HTTPOnly cookie flag. Note the value of the


@ -1,12 +1,12 @@
<!-- Start Instructions -->
<h1>How To Configure Tomcat</h1><br><br>
<h2>Introduction</h2>
<p>WebGoat comes with sane default configurations for Tomcat. This page will explain the configurations
and which further possibilities you have to configure Tomcat. This is just
<p>WebGoat comes with default configurations for Tomcat. This page will explain these configurations
and other possible configurations for Tomcat. This is just
a short description which should be enough in most cases. For more advanced tasks please
refer to the Tomcat documentation. Please note that all solutions
are written for the standard configurations on port 80. If you use another configurations you have
to adjust the solution to your configurations.</p>
are written for the standard configurations on port 80. If you use another port you have
to adjust the solution to your configuration.</p>
<h2>The Standard Configurations</h2>
<p>There are two standard Tomcat configurations. In the basic configurations you use the server on your localhost.
@ -52,7 +52,7 @@ In this example to port 8442:
<h3>Make WebGoat Reachable From Another Client</h3>
<p>THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS
UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN
SAVE NETWORKS!</p>
SAFE NETWORKS!</p>
<p>By its default configurations WebGoat is only
reachable within the localhost. In a laboratory or a class
there is maybe the need of having a server and a few clients.


@ -10,20 +10,22 @@ WebSession webSession = ((WebSession) session.getAttribute("websession"));
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5.2</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
<link rel="stylesheet" href="css/webgoat_challenge.css" type="text/css" />
</head>
<body>
<div id="wrap">
<div id="top"></div>
<div id="start">
<p>Thank you for using WebGoat!</p>
<p>This program is a demonstration of common web application flaws.
<div id="wrap_ch">
<div id="top_ch"></div>
<div id="start_ch">
<p>Thank you for using WebGoat! This program is a demonstration of common web application flaws.
The exercises are intended to provide hands on experience with
application penetration testing techniques. </p><p>The WebGoat project is lead
application penetration testing techniques. </p>
<p>The WebGoat project is lead
by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.</p>
<div id="team">
<p>Thanks to <a href="http://www.ouncelabs.com"><img align="top" height="20" width="160" border = "0" src="images/logos/ounce.jpg" alt="Ounce Labs"/></a> for supporting Bruce on the WebGoat Project.</p>
<div id="team_ch">
<table border="0" align="center" class="lessonText">
<tr>
<td width="50%">
@ -107,7 +109,7 @@ by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatCo
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div id="warning">WARNING<br />
<div id="warning_ch">WARNING<br />
While running this program, your machine is extremely vulnerable to
attack. You should disconnect from the network while using this program.
<br />
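Review bot: The re-flowed sentence at L456 still reads "The WebGoat project is lead by Bruce Mayhew"; since the hunk rewrites this paragraph, correct it to `<p>The WebGoat project is led`. The remainder of the section only swaps element ids for the `_ch` stylesheet rules and needs no change.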