Separated DB usage for messages in CSRF and Stored XSS

Many cosmetic English changes
Fixed IE rendering for Challenge
 

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@350 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
mayhew64
2008-07-09 00:17:20 +00:00
parent 29f0222258
commit 71460125b6
14 changed files with 99 additions and 70 deletions


@ -59,7 +59,7 @@ import org.owasp.webgoat.session.WebgoatProperties;
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public abstract class AbstractLesson extends Screen implements Comparable
public abstract class AbstractLesson extends Screen implements Comparable<Object>
{
/**
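Review bot: `Comparable<Object>` on the new class declaration keeps the raw-type shape rather than giving lessons a typed ordering; `Comparable<AbstractLesson>` would let `compareTo` accept an `AbstractLesson` directly and drop the cast inside it, though that also changes the `compareTo` signature, which lies outside this hunk. If comparing against arbitrary objects is deliberate, a one-line comment on the class stating why would stop the next reader from "fixing" it. The class body continues outside the hunk.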


@ -87,7 +87,7 @@ public class CSRF extends LessonAdapter
Connection connection = DatabaseUtilities.getConnection(s);
String query = "INSERT INTO messages VALUES (?, ?, ?, ? )";
String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
@ -95,6 +95,7 @@ public class CSRF extends LessonAdapter
statement.setString(2, title);
statement.setString(3, message);
statement.setString(4, s.getUserName());
statement.setString(5, this.getClass().getName());
statement.execute();
} catch (Exception e)
@ -170,11 +171,17 @@ public class CSRF extends LessonAdapter
{
Connection connection = DatabaseUtilities.getConnection(s);
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
// edit by Chuck Willis - Added logic to associate similar usernames
// The idea is that users chuck-1, chuck-2, etc will see each other's messages
// but not anyone elses. This allows users to try out XSS to grab another user's
// cookies, but not get confused by other users scripts
ResultSet results = statement.executeQuery(STANDARD_QUERY + " WHERE user_name LIKE '"
+ getNameroot(s.getUserName()) + "%'");
String query = "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
statement.setString(1, getNameroot(s.getUserName()) + "%");
statement.setString(2, getClass().getName());
ResultSet results = statement.executeQuery();
if ((results != null) && (results.first() == true))
{
@ -223,11 +230,12 @@ public class CSRF extends LessonAdapter
Connection connection = DatabaseUtilities.getConnection(s);
String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ?";
String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
statement.setString(1, getNameroot(s.getUserName()) + "%");
statement.setInt(2, messageNum);
statement.setString(3, this.getClass().getName());
ResultSet results = statement.executeQuery();
if ((results != null) && results.first())
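Review bot: The INSERT in the first hunk (`INSERT INTO messages VALUES (?, ?, ?, ?, ? )`) names no columns, so the new fifth parameter silently depends on the column order of the CREATE TABLE in CreateDB; naming them, `INSERT INTO messages (num, title, message, user_name, lesson_type) VALUES (?, ?, ?, ?, ?)`, makes the binding self-describing and survives a reordered schema. The SELECT hunks now bind the user-name root as a parameter, which is the right fix, but `getNameroot(s.getUserName()) + "%"` is still a LIKE pattern, so a `%` or `_` inside the root would widen the match; if user names are not otherwise restricted, an `ESCAPE` clause or a note on `getNameroot` (defined outside the hunk) is worth adding. `(results.first() == true)` can simply be `results.first()`. The same three changes appear in the StoredXss hunks and the same comments apply there.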


@ -252,6 +252,7 @@ public class Challenge2Screen extends SequentialLessonAdapter
if (v.size() == 13)
{
s.setMessage("Congratulations! You stole all the credit cards, proceed to stage 3!");
s.setMessage(" - Look in the credit card pull down to see the numbers.");
ec.addElement(new BR());
// TR inf = new TR();
Center center = new Center();
@ -340,7 +341,7 @@ public class Challenge2Screen extends SequentialLessonAdapter
ec.addElement(t);
} catch (Exception e)
{
ec.addElement(new P().addElement("Select a message to read from the Message List below"));
ec.addElement(new P().addElement("Error in obtaining network status"));
}
ec.addElement(new HR());
@ -557,7 +558,7 @@ public class Challenge2Screen extends SequentialLessonAdapter
String instructions = "Your mission is to break the authentication scheme, "
+ "steal all the credit cards from the database, and then deface the website. "
+ "You will have to use many of the techniques you have learned in the other lessons. "
+ "The main webpage for this site is 'webgoat_challenge_&lt;username&gt;.jsp'";
+ "The main webpage to deface for this site is 'webgoat_challenge_" + s.getUserName() + ".jsp'";
return (instructions);
}
@ -623,18 +624,19 @@ public class Challenge2Screen extends SequentialLessonAdapter
ElementContainer ec = new ElementContainer();
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("80%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
String[] colWidths = new String[]{"55", "110", "260", "70"};
TR tr = new TR();
tr.addElement(new TH().addElement("Protocol").setWidth("7%"));
tr.addElement(new TH().addElement("Local Address").setWidth("80%"));
tr.addElement(new TH().addElement("Foreign Address").setWidth("10%"));
tr.addElement(new TH().addElement("State").setWidth("3%"));
tr.addElement(new TH().addElement("Protocol").setWidth(colWidths[0]));
tr.addElement(new TH().addElement("Local Address").setWidth(colWidths[1]));
tr.addElement(new TH().addElement("Foreign Address").setWidth(colWidths[2]));
tr.addElement(new TH().addElement("State").setWidth(colWidths[3]));
t.addElement(tr);
String protocol = s.getParser().getRawParameter(PROTOCOL, "tcp");
@ -672,12 +674,14 @@ public class Challenge2Screen extends SequentialLessonAdapter
{
// in order to avoid a ill-rendered screen when the user performs
// command injection, we will wrap the screen at 4 columns
int columnCount = 4;
int columnCount = 0;
tr = new TR();
TD td;
StringTokenizer tokens = new StringTokenizer(lines.nextToken(), "\t ");
while (tokens.hasMoreTokens() && columnCount-- > 0)
while (tokens.hasMoreTokens() && columnCount <4)
{
tr.addElement(new TD().addElement(tokens.nextToken()));
td = new TD().setWidth(colWidths[columnCount++]);
tr.addElement(td.addElement(tokens.nextToken()));
}
t.addElement(tr);
}
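Review bot: The rewritten instructions in the `@ -557` hunk concatenate `s.getUserName()` straight into HTML that is rendered to the page, where the old text used an escaped `&lt;username&gt;` placeholder; in this lesson it is the viewer's own name, so the impact is presumably limited, but an HTML-escape call or a comment such as `// user name is rendered unescaped; it is the viewer's own name` would make that explicit. In the `@ -672` hunk the loop bound duplicates the array length: `while (tokens.hasMoreTokens() && columnCount < colWidths.length)` keeps the bound and `colWidths` in step if the widths change, and `TD td;` could be declared inside the loop where it is used. The enclosing methods start and end outside these hunks.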


@ -134,7 +134,7 @@ public class LogSpoofing extends LessonAdapter
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Try to fool the humane eye by using new lines.");
hints.add("Try to fool the human eye by using new lines.");
hints.add("Use CR (%0d) and LF (%0a) for a new line.");
hints.add("Try: Smith%0d%0aLogin Succeeded for username: admin");
hints


@ -107,7 +107,6 @@ public class SessionFixation extends SequentialLessonAdapter
String randomSid = randomSIDGenerator();
s.add("SID", randomSid);
this.sid = randomSid;
System.out.println("RANDOMSID " + randomSid);
}
String name = s.getParser().getStringParameter(USER, "");
@ -245,12 +244,12 @@ public class SessionFixation extends SequentialLessonAdapter
String link = getLink();
String mailText = "<b>Dear MS. Plane</b> <br><br>"
+ "During the last week we had a few problems with our database. "
+ "A lot of people complained that there account details are wrong. "
+ "That is why we kindly ask you to use following link to verify your "
+ "We have received many complaints regarding incorrect account details. "
+ "Please use the following link to verify your account "
+ "data:<br><br><center><a href=http://localhost/WebGoat/"
+ link
+ "> Goat Hills Financial</a></center><br><br>"
+ "We are sorry for the caused inconvenience and thank you for your cooparation.<br><br>"
+ "We are sorry for the any inconvenience and thank you for your cooparation.<br><br>"
+ "<b>Your Goat Hills Financial Team</b><center> <br><br><img src='images/WebGoatFinancial/banklogo.jpg'></center>";
ElementContainer ec = new ElementContainer();
@ -738,22 +737,22 @@ public class SessionFixation extends SequentialLessonAdapter
{
instructions += "You are Hacker Joe and " +
"you want to steal the session from Jane. " +
"That is why you have to send a prepared mail " +
"which looks like an official mail from the bank" +
"to her. The mail is already prepared. Only " +
"thing missing is a Session ID (SID) in the Link. Alter " +
"Send a prepared email to the victim " +
"which looks like an official email from the bank. " +
"A template message is prepared below, you will need to add " +
"a Session ID (SID) in the link inside the email. Alter " +
"the link to include a SID.<br><br><b>You are: Hacker Joe</b>";
}
else if (stage == 2)
{
instructions += "Now you are the victim Jane who received the mail you see. " +
"If you point on the link with your mouse you will see that there is a SID included." +
instructions += "Now you are the victim Jane who received the email below. " +
"If you point on the link with your mouse you will see that there is a SID included. " +
"Click on it to see what happens.<br><br><b>You are: Victim Jane</b> ";
}
else if (stage == 3)
{
instructions += "As the bank kindly asked to verfy your data you have to log in to see if your details are " +
"correct ;). Your user name is <b>Jane</b> and your password is <b>tarzan</b>. <br><br><b>You are: Victim Jane</b> ";
instructions += "The bank has asked you to verfy your data. Log in to see if your details are " +
"correct. Your user name is <b>Jane</b> and your password is <b>tarzan</b>. <br><br><b>You are: Victim Jane</b> ";
}
else if (stage == 4)
{
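Review bot: The rewritten mail text in the `@ -245` hunk introduces a grammar slip, `We are sorry for the any inconvenience`, and keeps the `cooparation` misspelling; suggest `+ "We are sorry for any inconvenience and thank you for your cooperation.<br><br>"`. The new stage-3 instruction in the `@ -738` hunk likewise keeps `verfy`: `instructions += "The bank has asked you to verify your data. Log in to see if your details are " +`. Both are user-facing strings, so the fix is visible to learners but otherwise harmless. The enclosing methods lie outside these hunks.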


@ -128,7 +128,14 @@ public class SqlNumericInjection extends SequentialLessonAdapter
{
makeSuccess(s);
getLessonTracker(s).setStage(2);
s.setMessage("Start this lesson over to attack a parameterized query.");
StringBuffer msg = new StringBuffer();
msg.append("Bet you can't do it again! ");
msg.append("This lesson has detected your successfull attack ");
msg.append("and has now switched to a defensive mode. ");
msg.append("Try again to attack a parameterized query.");
s.setMessage(msg.toString());
}
}
else
@ -222,9 +229,9 @@ public class SqlNumericInjection extends SequentialLessonAdapter
ec.addElement(new P().addElement("Select your local weather station: "));
Map stations = getStations(s);
Map<String, String> stations = getStations(s);
Select select = new Select(STATION_ID);
Iterator it = stations.keySet().iterator();
Iterator<String> it = stations.keySet().iterator();
while (it.hasNext())
{
String key = (String) it.next();
@ -244,7 +251,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
*
* @return A map containing each station, indexed by station number
*/
protected Map getStations(WebSession s) throws SQLException, ClassNotFoundException
protected Map<String, String> getStations(WebSession s) throws SQLException, ClassNotFoundException
{
Connection connection = DatabaseUtilities.getConnection(s);
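Review bot: The new success message in the first hunk misspells `successfull`; suggest `msg.append("This lesson has detected your successful attack ");`. Since `msg` never leaves the method, a `StringBuilder` (or a single concatenated literal) is the idiomatic choice over the synchronized `StringBuffer`. In the second hunk the iterator is now `Iterator<String>`, so the cast on the following context line, `String key = (String) it.next();`, is redundant and can become `String key = it.next();`. The enclosing methods start outside these hunks.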


@ -96,7 +96,7 @@ public class StoredXss extends LessonAdapter
Connection connection = DatabaseUtilities.getConnection(s);
String query = "INSERT INTO messages VALUES (?, ?, ?, ? )";
String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
@ -104,6 +104,7 @@ public class StoredXss extends LessonAdapter
statement.setString(2, title);
statement.setString(3, message);
statement.setString(4, s.getUserName());
statement.setString(5, this.getClass().getName());
statement.execute();
} catch (Exception e)
{
@ -204,11 +205,12 @@ public class StoredXss extends LessonAdapter
// but not anyone elses. This allows users to try out XSS to grab another user's
// cookies, but not get confused by other users scripts
String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ?";
String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
statement.setString(1, getNameroot(s.getUserName()) + "%");
statement.setInt(2, messageNum);
statement.setString(3, this.getClass().getName());
ResultSet results = statement.executeQuery();
if ((results != null) && results.first())
@ -305,7 +307,7 @@ public class StoredXss extends LessonAdapter
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeList(WebSession s)
public Element makeList(WebSession s)
{
Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
@ -313,16 +315,18 @@ public class StoredXss extends LessonAdapter
{
Connection connection = DatabaseUtilities.getConnection(s);
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
// edit by Chuck Willis - Added logic to associate similar usernames
// The idea is that users chuck-1, chuck-2, etc will see each other's messages
// but not anyone elses. This allows users to try out XSS to grab another user's
// cookies, but not get confused by other users scripts
ResultSet results = statement.executeQuery(STANDARD_QUERY + " WHERE user_name LIKE '"
+ getNameroot(s.getUserName()) + "%'");
String query = "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?";
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
statement.setString(1, getNameroot(s.getUserName()) + "%");
statement.setString(2, getClass().getName());
ResultSet results = statement.executeQuery();
if ((results != null) && (results.first() == true))
{
results.beforeFirst();


@ -66,7 +66,7 @@ public class CreateDB
try
{
String createTableStatement = "CREATE TABLE messages (" + "num int not null," + "title varchar(50),"
+ "message varchar(200)," + "user_name varchar(50) not null " + ")";
+ "message varchar(200)," + "user_name varchar(50) not null, " + "lesson_type varchar(50) not null" + ")";
statement.executeUpdate(createTableStatement);
} catch (SQLException e)
{
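Review bot: The new `lesson_type varchar(50) not null` column is populated with `this.getClass().getName()` in the CSRF and StoredXss INSERT hunks, i.e. a fully-qualified class name; the current names fit, but a 50-character limit leaves little headroom if the lesson package is ever renamed, so a wider column or a short lesson key would be safer. The positional INSERTs elsewhere also depend on this exact column order, which deserves a note here, e.g. `// column order is relied on by the positional INSERTs in CSRF and StoredXss`. The surrounding method continues outside the hunk.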


@ -168,6 +168,7 @@ public class WebSession
private boolean isColor = false;
private boolean isDebug = false;
private boolean hasHackedHackableAdmin = false;
private StringBuffer message = new StringBuffer("");
@ -363,11 +364,11 @@ public class WebSession
public String getCurrentLink()
{
String thisLink = "attack";
Enumeration e = request.getParameterNames();
Enumeration<String> e = request.getParameterNames();
boolean isFirstParameter = true;
while (e.hasMoreElements())
{
String name = (String) e.nextElement();
String name = e.nextElement();
if (isFirstParameter)
{
isFirstParameter = false;
@ -428,7 +429,7 @@ public class WebSession
{
params = new Vector<Parameter>();
Enumeration e = getParser().getParameterNames();
Enumeration<String> e = getParser().getParameterNames();
while ((e != null) && e.hasMoreElements())
{
@ -448,9 +449,9 @@ public class WebSession
return params;
}
public List getCookies()
public List<Cookie> getCookies()
{
List cookies = null;
List<Cookie> cookies = null;
if (showCookies()) cookies = Arrays.asList(request.getCookies());
@ -669,7 +670,7 @@ public class WebSession
public LessonSession getLessonSession(AbstractLesson lesson)
{
return (LessonSession) lessonSessions.get(lesson);
return lessonSessions.get(lesson);
}
/**