diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java b/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java index 5f933c25c..7af2d7439 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java @@ -59,7 +59,7 @@ import org.owasp.webgoat.session.WebgoatProperties; * @author Bruce Mayhew WebGoat * @created October 28, 2003 */ -public abstract class AbstractLesson extends Screen implements Comparable +public abstract class AbstractLesson extends Screen implements Comparable { /** diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java b/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java index dbfd7ecfe..e661e06a3 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java @@ -87,7 +87,7 @@ public class CSRF extends LessonAdapter Connection connection = DatabaseUtilities.getConnection(s); - String query = "INSERT INTO messages VALUES (?, ?, ?, ? )"; + String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )"; PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); @@ -95,6 +95,7 @@ public class CSRF extends LessonAdapter statement.setString(2, title); statement.setString(3, message); statement.setString(4, s.getUserName()); + statement.setString(5, this.getClass().getName()); statement.execute(); } catch (Exception e) 
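Review bot: The new `INSERT INTO messages VALUES (?, ?, ?, ?, ? )` still relies on positional column order, which is exactly the coupling that forced this edit when `lesson_type` was appended to the table. Naming the columns keeps the statement valid across further schema changes and documents which value lands where: `String query = "INSERT INTO messages (num, title, message, user_name, lesson_type) VALUES (?, ?, ?, ?, ?)";`. The `ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY` arguments are result-set hints that mean nothing for an INSERT, so plain `connection.prepareStatement(query)` would be clearer. The enclosing try block opens before the hunk and its catch continues after it.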
@@ -170,11 +171,17 @@ public class CSRF extends LessonAdapter { Connection connection = DatabaseUtilities.getConnection(s); - Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); + // edit by Chuck Willis - Added logic to associate similar usernames + // The idea is that users chuck-1, chuck-2, etc will see each other's messages + // but not anyone elses. This allows users to try out XSS to grab another user's + // cookies, but not get confused by other users scripts - ResultSet results = statement.executeQuery(STANDARD_QUERY + " WHERE user_name LIKE '" - + getNameroot(s.getUserName()) + "%'"); + String query = "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?"; + PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + statement.setString(1, getNameroot(s.getUserName()) + "%"); + statement.setString(2, getClass().getName()); + ResultSet results = statement.executeQuery(); if ((results != null) && (results.first() == true)) { @@ -223,11 +230,12 @@ public class CSRF extends LessonAdapter Connection connection = DatabaseUtilities.getConnection(s); - String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ?"; + String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?"; PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); statement.setString(1, getNameroot(s.getUserName()) + "%"); statement.setInt(2, messageNum); + statement.setString(3, this.getClass().getName()); ResultSet results = statement.executeQuery(); if ((results != null) && results.first()) diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java b/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java index 23e650d92..924767fb8 100644 
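Review bot: The rebound `statement.setString(1, getNameroot(s.getUserName()) + "%")` closes the SQL-injection hole of the removed string concatenation, but it still hands the user name to LIKE as a pattern, so a name containing `%` or `_`, or a name root that is a prefix of another user's root, would match other users' rows and defeat the per-user partitioning the comment promises. If user names are not restricted to a safe alphabet upstream, escape `%`, `_` and the escape character in the root and add `ESCAPE '\\'` to the query, or match exactly with the separator included: `"... WHERE (user_name = ? OR user_name LIKE ?) and lesson_type = ?"` bound to `root` and `root + "-%"`. What `getNameroot` strips is not visible here, so the prefix-overlap case is inferred from the `chuck-1, chuck-2` example in the comment. The comment itself was lifted from StoredXss and talks about XSS and cookies; in CSRF.java it should state why the CSRF lesson needs the same isolation. The enclosing method starts before the hunk and its result handling continues after it.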
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java @@ -252,6 +252,7 @@ public class Challenge2Screen extends SequentialLessonAdapter if (v.size() == 13) { s.setMessage("Congratulations! You stole all the credit cards, proceed to stage 3!"); + s.setMessage(" - Look in the credit card pull down to see the numbers."); ec.addElement(new BR()); // TR inf = new TR(); Center center = new Center(); @@ -340,7 +341,7 @@ public class Challenge2Screen extends SequentialLessonAdapter ec.addElement(t); } catch (Exception e) { - ec.addElement(new P().addElement("Select a message to read from the Message List below")); + ec.addElement(new P().addElement("Error in obtaining network status")); } ec.addElement(new HR()); @@ -557,7 +558,7 @@ public class Challenge2Screen extends SequentialLessonAdapter String instructions = "Your mission is to break the authentication scheme, " + "steal all the credit cards from the database, and then deface the website. " + "You will have to use many of the techniques you have learned in the other lessons. " - + "The main webpage for this site is 'webgoat_challenge_<username>.jsp'"; + + "The main webpage to deface for this site is 'webgoat_challenge_" + s.getUserName() + ".jsp'"; return (instructions); } 
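Review bot: The added `s.setMessage(" - Look in the credit card pull down to see the numbers.")` directly follows another `s.setMessage(...)`, and whether the congratulations text survives depends on whether `WebSession.setMessage` appends to its `StringBuffer message` or replaces it, which this diff does not show. If it replaces, the two should be one call: `s.setMessage("Congratulations! You stole all the credit cards, proceed to stage 3! - Look in the credit card pull down to see the numbers.");`; if it appends, a short comment `// appended to the congratulations message above` saves the next reader the same check. The enclosing `if (v.size() == 13)` block continues outside the hunk.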
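Review bot: The rewritten instruction `"The main webpage to deface for this site is 'webgoat_challenge_" + s.getUserName() + ".jsp'"` now places the raw user name into HTML that is rendered to the browser, where the removed line used a literal `<username>` placeholder. User names in WebGoat come from the container's authentication and are likely admin-controlled, but a name containing `<`, `'` or `&` would still break the markup or inject script into the instructions of everyone using that account, and unencoded output is not something the challenge screen should model. HTML-encode the name with the project's encoding helper before concatenating, or reject names outside `[A-Za-z0-9_-]` when building the link. Only the string literal changes here; `getInstructions` itself starts before the hunk.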
@@ -623,18 +624,19 @@ public class Challenge2Screen extends SequentialLessonAdapter ElementContainer ec = new ElementContainer(); - Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("80%").setAlign("center"); if (s.isColor()) { t.setBorder(1); } + String[] colWidths = new String[]{"55", "110", "260", "70"}; TR tr = new TR(); - tr.addElement(new TH().addElement("Protocol").setWidth("7%")); - tr.addElement(new TH().addElement("Local Address").setWidth("80%")); - tr.addElement(new TH().addElement("Foreign Address").setWidth("10%")); - tr.addElement(new TH().addElement("State").setWidth("3%")); + tr.addElement(new TH().addElement("Protocol").setWidth(colWidths[0])); + tr.addElement(new TH().addElement("Local Address").setWidth(colWidths[1])); + tr.addElement(new TH().addElement("Foreign Address").setWidth(colWidths[2])); + tr.addElement(new TH().addElement("State").setWidth(colWidths[3])); t.addElement(tr); String protocol = s.getParser().getRawParameter(PROTOCOL, "tcp"); @@ -672,12 +674,14 @@ public class Challenge2Screen extends SequentialLessonAdapter { // in order to avoid a ill-rendered screen when the user performs // command injection, we will wrap the screen at 4 columns - int columnCount = 4; + int columnCount = 0; tr = new TR(); + TD td; StringTokenizer tokens = new StringTokenizer(lines.nextToken(), "\t "); - while (tokens.hasMoreTokens() && columnCount-- > 0) + while (tokens.hasMoreTokens() && columnCount <4) { - tr.addElement(new TD().addElement(tokens.nextToken())); + td = new TD().setWidth(colWidths[columnCount++]); + tr.addElement(td.addElement(tokens.nextToken())); } t.addElement(tr); } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java b/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java index 2181706f8..98a1bb3ae 100644 
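Review bot: The rewritten loop condition `columnCount <4` hard-codes the same column count that `colWidths` already carries, so the header row and the data rows can silently drift apart if either is edited; `while (tokens.hasMoreTokens() && columnCount < colWidths.length)` ties them together (and fixes the spacing). The comment kept above the loop still says the screen is wrapped at 4 columns, but the loop discards every token after the fourth rather than wrapping; `// keep only the first four whitespace-separated fields so injected command output cannot widen the table` says what the code does. The tokens are still added to the `TD` unencoded, which is intentional for a command-injection lesson but deserves a one-line comment saying so. `colWidths` is declared in the previous hunk of this file, and the row loop continues outside this one.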
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java @@ -134,7 +134,7 @@ public class LogSpoofing extends LessonAdapter protected List getHints(WebSession s) { List hints = new ArrayList(); - hints.add("Try to fool the humane eye by using new lines."); + hints.add("Try to fool the human eye by using new lines."); hints.add("Use CR (%0d) and LF (%0a) for a new line."); hints.add("Try: Smith%0d%0aLogin Succeeded for username: admin"); hints diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java index 74305ed19..31e8caf74 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java @@ -107,7 +107,6 @@ public class SessionFixation extends SequentialLessonAdapter String randomSid = randomSIDGenerator(); s.add("SID", randomSid); this.sid = randomSid; - System.out.println("RANDOMSID " + randomSid); } String name = s.getParser().getStringParameter(USER, ""); @@ -245,12 +244,12 @@ public class SessionFixation extends SequentialLessonAdapter String link = getLink(); String mailText = "Dear MS. Plane

" + "During the last week we had a few problems with our database. " - + "A lot of people complained that there account details are wrong. " - + "That is why we kindly ask you to use following link to verify your " + + "We have received many complaints regarding incorrect account details. " + + "Please use the following link to verify your account " + "data:

Goat Hills Financial


" - + "We are sorry for the caused inconvenience and thank you for your cooparation.

" + + "We are sorry for the any inconvenience and thank you for your cooparation.

" + "Your Goat Hills Financial Team


"; ElementContainer ec = new ElementContainer(); @@ -738,22 +737,22 @@ public class SessionFixation extends SequentialLessonAdapter { instructions += "You are Hacker Joe and " + "you want to steal the session from Jane. " + - "That is why you have to send a prepared mail " + - "which looks like an official mail from the bank" + - "to her. The mail is already prepared. Only " + - "thing missing is a Session ID (SID) in the Link. Alter " + + "Send a prepared email to the victim " + + "which looks like an official email from the bank. " + + "A template message is prepared below, you will need to add " + + "a Session ID (SID) in the link inside the email. Alter " + "the link to include a SID.

You are: Hacker Joe"; } else if (stage == 2) { - instructions += "Now you are the victim Jane who received the mail you see. " + - "If you point on the link with your mouse you will see that there is a SID included." + + instructions += "Now you are the victim Jane who received the email below. " + + "If you point on the link with your mouse you will see that there is a SID included. " + "Click on it to see what happens.

You are: Victim Jane "; } else if (stage == 3) { - instructions += "As the bank kindly asked to verfy your data you have to log in to see if your details are " + - "correct ;). Your user name is Jane and your password is tarzan.

You are: Victim Jane "; + instructions += "The bank has asked you to verfy your data. Log in to see if your details are " + + "correct. Your user name is Jane and your password is tarzan.

You are: Victim Jane "; } else if (stage == 4) { diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java index d29fb0222..9f0172a47 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java @@ -128,7 +128,14 @@ public class SqlNumericInjection extends SequentialLessonAdapter { makeSuccess(s); getLessonTracker(s).setStage(2); - s.setMessage("Start this lesson over to attack a parameterized query."); + StringBuffer msg = new StringBuffer(); + + msg.append("Bet you can't do it again! "); + msg.append("This lesson has detected your successfull attack "); + msg.append("and has now switched to a defensive mode. "); + msg.append("Try again to attack a parameterized query."); + + s.setMessage(msg.toString()); } } else @@ -222,9 +229,9 @@ public class SqlNumericInjection extends SequentialLessonAdapter ec.addElement(new P().addElement("Select your local weather station: ")); - Map stations = getStations(s); + Map stations = getStations(s); Select select = new Select(STATION_ID); - Iterator it = stations.keySet().iterator(); + Iterator it = stations.keySet().iterator(); while (it.hasNext()) { String key = (String) it.next(); @@ -244,7 +251,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter * * @return A map containing each station, indexed by station number */ - protected Map getStations(WebSession s) throws SQLException, ClassNotFoundException + protected Map getStations(WebSession s) throws SQLException, ClassNotFoundException { Connection connection = DatabaseUtilities.getConnection(s); diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java b/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java index 9e395041d..35c7b6606 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java 
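Review bot: The reworded stage-3 instruction `"The bank has asked you to verfy your data. Log in to see if your details are "` keeps the `verfy` typo from the removed line even though the sentence was otherwise rewritten; `"The bank has asked you to verify your data. Log in to see if your details are "` fixes it. The stage chain continues with `else if (stage == 4)` past the end of the hunk.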
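Review bot: The message assembled in the new `StringBuffer msg` block misspells `successfull`; `msg.append("This lesson has detected your successful attack ");`. The buffer is a method local that no other thread sees, so `StringBuilder` (or the single concatenated literal the removed line used) is the idiomatic choice; `StringBuffer` buys only synchronization overhead here. The surrounding `if`/`else` on the attack check starts and ends outside the hunk.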
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java @@ -96,7 +96,7 @@ public class StoredXss extends LessonAdapter Connection connection = DatabaseUtilities.getConnection(s); - String query = "INSERT INTO messages VALUES (?, ?, ?, ? )"; + String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )"; PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); @@ -104,6 +104,7 @@ public class StoredXss extends LessonAdapter statement.setString(2, title); statement.setString(3, message); statement.setString(4, s.getUserName()); + statement.setString(5, this.getClass().getName()); statement.execute(); } catch (Exception e) { @@ -204,11 +205,12 @@ public class StoredXss extends LessonAdapter // but not anyone elses. This allows users to try out XSS to grab another user's // cookies, but not get confused by other users scripts - String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ?"; + String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?"; PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); statement.setString(1, getNameroot(s.getUserName()) + "%"); statement.setInt(2, messageNum); + statement.setString(3, this.getClass().getName()); ResultSet results = statement.executeQuery(); if ((results != null) && results.first()) @@ -305,7 +307,7 @@ public class StoredXss extends LessonAdapter * Description of the Parameter * @return Description of the Return Value */ - public static Element makeList(WebSession s) + public Element makeList(WebSession s) { Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); 
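Review bot: The rewritten insert is now a byte-for-byte twin of the one changed in CSRF.java in this same commit — same positional `INSERT INTO messages VALUES (?, ?, ?, ?, ? )`, same five `setString` calls, same `this.getClass().getName()` tag — and the schema change had to be applied to both by hand. Moving the write into one shared helper, for example `protected void addMessage(WebSession s, int num, String title, String message)` on the common LessonAdapter base, with an explicit column list `INSERT INTO messages (num, title, message, user_name, lesson_type) VALUES (?, ?, ?, ?, ?)`, turns the next schema change into a one-line edit. The enclosing try block and its catch begin and end outside the hunk.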
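Review bot: Dropping `static` from `makeList(WebSession s)` so the method can call `getClass()` changes its signature for any caller that invoked `StoredXss.makeList(s)` on the class; none is visible in this diff, so the other lessons and JSPs that render the message list need checking before merge. If a static entry point should stay, both the insert and the queries could use the literal `StoredXss.class.getName()` instead of `getClass().getName()`, which also keeps `lesson_type` stable if the lesson is ever subclassed. The Javadoc directly above still reads `Description of the Parameter` / `Description of the Return Value`; it should say that the list is limited to rows whose `user_name` shares the caller's name root and whose `lesson_type` is this lesson. The method body continues in the next hunk.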
@@ -313,16 +315,18 @@ public class StoredXss extends LessonAdapter { Connection connection = DatabaseUtilities.getConnection(s); - Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); // edit by Chuck Willis - Added logic to associate similar usernames // The idea is that users chuck-1, chuck-2, etc will see each other's messages // but not anyone elses. This allows users to try out XSS to grab another user's // cookies, but not get confused by other users scripts - ResultSet results = statement.executeQuery(STANDARD_QUERY + " WHERE user_name LIKE '" - + getNameroot(s.getUserName()) + "%'"); - + String query = "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?"; + PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + statement.setString(1, getNameroot(s.getUserName()) + "%"); + statement.setString(2, getClass().getName()); + ResultSet results = statement.executeQuery(); + if ((results != null) && (results.first() == true)) { results.beforeFirst(); diff --git a/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java b/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java index 852f2859c..793607bf6 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java @@ -66,7 +66,7 @@ public class CreateDB try { String createTableStatement = "CREATE TABLE messages (" + "num int not null," + "title varchar(50)," - + "message varchar(200)," + "user_name varchar(50) not null " + ")"; + + "message varchar(200)," + "user_name varchar(50) not null, " + "lesson_type varchar(50) not null" + ")"; statement.executeUpdate(createTableStatement); } catch (SQLException e) { 
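Review bot: The new `lesson_type varchar(50) not null` column is filled with fully-qualified class names (`this.getClass().getName()` in CSRF and StoredXss), and the `org.owasp.webgoat.lessons.` prefix alone is 26 characters, so any lesson class whose simple name exceeds 24 characters will fail or be truncated on insert depending on the driver. Either widen it, `"lesson_type varchar(255) not null"`, or store `getClass().getSimpleName()` consistently on the write and read sides. Databases created by the old statement have no such column at all; the hunk ends inside `catch (SQLException e)`, so whether the table is dropped and recreated on startup, or the error is merely swallowed, has to be confirmed in the rest of CreateDB.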
diff --git a/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java b/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java index a76cc35bf..45392ee8a 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java @@ -168,6 +168,7 @@ public class WebSession private boolean isColor = false; private boolean isDebug = false; + private boolean hasHackedHackableAdmin = false; private StringBuffer message = new StringBuffer(""); @@ -363,11 +364,11 @@ public class WebSession public String getCurrentLink() { String thisLink = "attack"; - Enumeration e = request.getParameterNames(); + Enumeration e = request.getParameterNames(); boolean isFirstParameter = true; while (e.hasMoreElements()) { - String name = (String) e.nextElement(); + String name = e.nextElement(); if (isFirstParameter) { isFirstParameter = false; @@ -428,7 +429,7 @@ public class WebSession { params = new Vector(); - Enumeration e = getParser().getParameterNames(); + Enumeration e = getParser().getParameterNames(); while ((e != null) && e.hasMoreElements()) { @@ -448,9 +449,9 @@ public class WebSession return params; } - public List getCookies() + public List getCookies() { - List cookies = null; + List cookies = null; if (showCookies()) cookies = Arrays.asList(request.getCookies()); @@ -669,7 +670,7 @@ public class WebSession public LessonSession getLessonSession(AbstractLesson lesson) { - return (LessonSession) lessonSessions.get(lesson); + return lessonSessions.get(lesson); } /** diff --git a/main/project/WebContent/css/webgoat_challenge.css b/main/project/WebContent/css/webgoat_challenge.css index b72336e5a..0633cedcc 100644 --- a/main/project/WebContent/css/webgoat_challenge.css +++ b/main/project/WebContent/css/webgoat_challenge.css @@ -6,8 +6,9 @@ } #top_ch{ - height:86px; width: 500px; + height:136px; + background-image: url(../images/header/header.jpg); } #wrap_ch { 
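Review bot: The new field `private boolean hasHackedHackableAdmin = false;` has no reader or writer anywhere in this diff, so as committed it is dead state — and a per-session flag that presumably records a user taking over the lesson's admin account is authorization state that deserves a documented owner. Add the accessors the lesson will use in the same change, or at minimum comment the field: `// set once the user has compromised the hackable admin account; read by the challenge lessons (not yet wired up)`. The name also implies one flag for the whole WebSession rather than per lesson, which may not be what the challenge screens want; worth confirming with the lesson that is going to set it.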
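Review bot: `Arrays.asList(request.getCookies())` in the retyped `getCookies()` throws a `NullPointerException` whenever the request carries no Cookie header, because `HttpServletRequest.getCookies()` returns `null` in that case; the hunk only changes the declared element type and leaves that path unguarded. Guard it: `Cookie[] raw = request.getCookies(); if (showCookies() && raw != null) cookies = Arrays.asList(raw);`, or, if callers tolerate it, return `Collections.emptyList()` instead of `null` so they need no null check either. The rest of the method and the class lie outside the hunk.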
@@ -19,22 +20,24 @@ } #start_ch { - height: 300px; - padding: 10px 50px 10px 50px; - font-size: 12px; + height: 350px; + width: 500px; + padding: 10px 10px 10px 10px; + font-size: 15px; } #warning_ch { border: 1px solid #666666; padding: 10px; font-size: 10px; color: #FF3300; - width: 400px; - margin-left: 50px; + width: 450px; + margin-left: 5px; + margin-right: 5px; } #team_ch { } .style1_ch { - font-size: 10px; + font-size: 11px; font-weight: bold; } .style2_ch { diff --git a/main/project/WebContent/images/introduction/Thumbs.db b/main/project/WebContent/images/introduction/Thumbs.db deleted file mode 100644 index 94a125e02..000000000 Binary files a/main/project/WebContent/images/introduction/Thumbs.db and /dev/null differ diff --git a/main/project/WebContent/lesson_plans/HttpOnly.html b/main/project/WebContent/lesson_plans/HttpOnly.html index 535439d3c..aea12470c 100644 --- a/main/project/WebContent/lesson_plans/HttpOnly.html +++ b/main/project/WebContent/lesson_plans/HttpOnly.html @@ -8,6 +8,7 @@ introduced a new cookie attribute entitled 'HttpOnly.' If this flag is set, then the browser should not allow client-side script to access the cookie. Since the attribute is relatively new, several browsers neglect to handle the new attribute properly. +

For a list of supported browsers see: OWASP HTTPOnly Support

General Goal(s):

The purpose of this lesson is to test whether your browser supports the HTTPOnly cookie flag. Note the value of the diff --git a/main/project/WebContent/lesson_plans/TomcatSetup.html b/main/project/WebContent/lesson_plans/TomcatSetup.html index 1c98d770f..ef5f0dda9 100644 --- a/main/project/WebContent/lesson_plans/TomcatSetup.html +++ b/main/project/WebContent/lesson_plans/TomcatSetup.html @@ -1,12 +1,12 @@

How To Configure Tomcat



Introduction

-

WebGoat comes with sane default configurations for Tomcat. This page will explain the configurations -and which further possibilities you have to configure Tomcat. This is just +

WebGoat comes with default configurations for Tomcat. This page will explain these configurations +and other possible configurations for Tomcat. This is just a short description which should be enough in most cases. For more advanced tasks please refer to the Tomcat documentation. Please note that all solutions -are written for the standard configurations on port 80. If you use another configurations you have -to adjust the solution to your configurations.

+are written for the standard configurations on port 80. If you use another port you have +to adjust the solution to your configuration.

The Standard Configurations

There are two standard Tomcat configurations. In the basic configurations you use the server on your localhost. @@ -52,7 +52,7 @@ In this example to port 8442:

Make WebGoat Reachable From Another Client

THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN -SAVE NETWORKS!

+SAFE NETWORKS!

By its default configurations WebGoat is only reachable within the localhost. In a laboratory or a class there is maybe the need of having a server and a few clients. diff --git a/main/project/WebContent/webgoat_challenge.jsp b/main/project/WebContent/webgoat_challenge.jsp index 18e1192f0..61d6795b9 100644 --- a/main/project/WebContent/webgoat_challenge.jsp +++ b/main/project/WebContent/webgoat_challenge.jsp @@ -10,20 +10,22 @@ WebSession webSession = ((WebSession) session.getAttribute("websession")); WebGoat V5.2 - + -

-
-
-

Thank you for using WebGoat!

-

This program is a demonstration of common web application flaws. +

+
+
+

Thank you for using WebGoat! This program is a demonstration of common web application flaws. The exercises are intended to provide hands on experience with -application penetration testing techniques.

The WebGoat project is lead +application penetration testing techniques.

+

The WebGoat project is lead by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.

-
+

Thanks to Ounce Labs for supporting Bruce on the WebGoat Project.

+ +
@@ -107,7 +109,7 @@ by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatCo
 
 
 
-
WARNING
+
WARNING
While running this program, your machine is extremely vulnerable to attack. You should disconnect from the network while using this program.