Separated DB usage for messages in CSRF and Stored XSS

Many cosmetic english changes Fixed IE rendering for Challenge git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@350 4033779f-a91e-0410-96ef-6bf7bf53c507
2008-07-09 00:17:20 +00:00 · 2008-07-09 00:17:20 +00:00 · 71460125b6
commit 71460125b6
parent 29f0222258
14 changed files with 99 additions and 70 deletions
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java
@ -59,7 +59,7 @@ import org.owasp.webgoat.session.WebgoatProperties;
 * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
 * @created October 28, 2003
 */
-public abstract class AbstractLesson extends Screen implements Comparable
+public abstract class AbstractLesson extends Screen implements Comparable<Object>
 {
 	/**
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
@ -87,7 +87,7 @@ public class CSRF extends LessonAdapter
 			Connection connection = DatabaseUtilities.getConnection(s);
-			String query = "INSERT INTO messages VALUES (?, ?, ?, ? )";
+			String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )";
 			PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
 																		ResultSet.CONCUR_READ_ONLY);
@ -95,6 +95,7 @@ public class CSRF extends LessonAdapter
 			statement.setString(2, title);
 			statement.setString(3, message);
 			statement.setString(4, s.getUserName());
 			statement.setString(5, this.getClass().getName());
 			statement.execute();
 		} catch (Exception e)
@ -170,11 +171,17 @@ public class CSRF extends LessonAdapter
 		{
 			Connection connection = DatabaseUtilities.getConnection(s);
-			Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+			// edit by Chuck Willis - Added logic to associate similar usernames
-																ResultSet.CONCUR_READ_ONLY);
+			// The idea is that users chuck-1, chuck-2, etc will see each other's messages
 			// but not anyone elses. This allows users to try out XSS to grab another user's
 			// cookies, but not get confused by other users scripts
-			ResultSet results = statement.executeQuery(STANDARD_QUERY + " WHERE user_name LIKE '"
+			String query = "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?";
-					+ getNameroot(s.getUserName()) + "%'");
+			PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
 																		ResultSet.CONCUR_READ_ONLY);
 			statement.setString(1, getNameroot(s.getUserName()) + "%");
 			statement.setString(2, getClass().getName());
 			ResultSet results = statement.executeQuery();
 			if ((results != null) && (results.first() == true))
 			{
@ -223,11 +230,12 @@ public class CSRF extends LessonAdapter
 			Connection connection = DatabaseUtilities.getConnection(s);
-			String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ?";
+			String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
 			PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
 																		ResultSet.CONCUR_READ_ONLY);
 			statement.setString(1, getNameroot(s.getUserName()) + "%");
 			statement.setInt(2, messageNum);
 			statement.setString(3, this.getClass().getName());
 			ResultSet results = statement.executeQuery();
 			if ((results != null) && results.first())
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java
@ -252,6 +252,7 @@ public class Challenge2Screen extends SequentialLessonAdapter
 			if (v.size() == 13)
 			{
 				s.setMessage("Congratulations! You stole all the credit cards, proceed to stage 3!");
 				s.setMessage("  - Look in the credit card pull down to see the numbers.");
 				ec.addElement(new BR());
 				// TR inf = new TR();
 				Center center = new Center();
@ -340,7 +341,7 @@ public class Challenge2Screen extends SequentialLessonAdapter
 				ec.addElement(t);
 			} catch (Exception e)
 			{
-				ec.addElement(new P().addElement("Select a message to read from the Message List below"));
+				ec.addElement(new P().addElement("Error in obtaining network status"));
 			}
 			ec.addElement(new HR());
@ -557,7 +558,7 @@ public class Challenge2Screen extends SequentialLessonAdapter
 		String instructions = "Your mission is to break the authentication scheme, "
 				+ "steal all the credit cards from the database, and then deface the website. "
 				+ "You will have to use many of the techniques you have learned in the other lessons. "
-				+ "The main webpage for this site is 'webgoat_challenge_&lt;username&gt;.jsp'";
+				+ "The main webpage to deface for this site is 'webgoat_challenge_" + s.getUserName() + ".jsp'";
 		return (instructions);
 	}
@ -623,18 +624,19 @@ public class Challenge2Screen extends SequentialLessonAdapter
 		ElementContainer ec = new ElementContainer();
-		Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
+		Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("80%").setAlign("center");
 		if (s.isColor())
 		{
 			t.setBorder(1);
 		}
 		String[] colWidths = new String[]{"55", "110", "260", "70"};
 		TR tr = new TR();
-		tr.addElement(new TH().addElement("Protocol").setWidth("7%"));
+		tr.addElement(new TH().addElement("Protocol").setWidth(colWidths[0]));
-		tr.addElement(new TH().addElement("Local Address").setWidth("80%"));
+		tr.addElement(new TH().addElement("Local Address").setWidth(colWidths[1]));
-		tr.addElement(new TH().addElement("Foreign Address").setWidth("10%"));
+		tr.addElement(new TH().addElement("Foreign Address").setWidth(colWidths[2]));
-		tr.addElement(new TH().addElement("State").setWidth("3%"));
+		tr.addElement(new TH().addElement("State").setWidth(colWidths[3]));
 		t.addElement(tr);
 		String protocol = s.getParser().getRawParameter(PROTOCOL, "tcp");
@ -672,12 +674,14 @@ public class Challenge2Screen extends SequentialLessonAdapter
 		{
 			// in order to avoid a ill-rendered screen when the user performs
 			// command injection, we will wrap the screen at 4 columns
-			int columnCount = 4;
+			int columnCount = 0;
 			tr = new TR();
 			TD td;
 			StringTokenizer tokens = new StringTokenizer(lines.nextToken(), "\t ");
-			while (tokens.hasMoreTokens() && columnCount-- > 0)
+			while (tokens.hasMoreTokens() && columnCount <4)
 			{
-				tr.addElement(new TD().addElement(tokens.nextToken()));
+				td = new TD().setWidth(colWidths[columnCount++]);
 				tr.addElement(td.addElement(tokens.nextToken()));
 			}
 			t.addElement(tr);
 		}
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java
@ -134,7 +134,7 @@ public class LogSpoofing extends LessonAdapter
 	protected List<String> getHints(WebSession s)
 	{
 		List<String> hints = new ArrayList<String>();
-		hints.add("Try to fool the humane eye by using new lines.");
+		hints.add("Try to fool the human eye by using new lines.");
 		hints.add("Use CR (%0d) and LF (%0a) for a new line.");
 		hints.add("Try: Smith%0d%0aLogin Succeeded for username: admin");
 		hints
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java
@ -107,7 +107,6 @@ public class SessionFixation extends SequentialLessonAdapter
 				String randomSid = randomSIDGenerator();
 				s.add("SID", randomSid);
 				this.sid = randomSid;
 				System.out.println("RANDOMSID " + randomSid);
 			}
 			String name = s.getParser().getStringParameter(USER, "");
@ -245,12 +244,12 @@ public class SessionFixation extends SequentialLessonAdapter
 		String link = getLink();
 		String mailText = "<b>Dear MS. Plane</b> <br><br>"
 				+ "During the last week we had a few problems with our database. "
-				+ "A lot of people complained that there account details are wrong. "
+				+ "We have received many complaints regarding incorrect account details. "
-				+ "That is why we kindly ask you to use following link to verify your "
+				+ "Please use the following link to verify your account "
 				+ "data:<br><br><center><a href=http://localhost/WebGoat/"
 				+ link
 				+ "> Goat Hills Financial</a></center><br><br>"
-				+ "We are sorry for the caused inconvenience and thank you for your cooparation.<br><br>"
+				+ "We are sorry for the any inconvenience and thank you for your cooparation.<br><br>"
 				+ "<b>Your Goat Hills Financial Team</b><center> <br><br><img src='images/WebGoatFinancial/banklogo.jpg'></center>";
 		ElementContainer ec = new ElementContainer();
@ -738,22 +737,22 @@ public class SessionFixation extends SequentialLessonAdapter
 		{
 			instructions += "You are Hacker Joe and " +
 					"you want to steal the session from Jane. " +
-					"That is why you have to send a prepared mail " +
+					"Send a prepared email to the victim " +
-					"which looks like an official mail from the bank" +
+					"which looks like an official email from the bank.  " +
-					"to her. The mail is already prepared. Only " +
+					"A template message is prepared below, you will need to add " +
-					"thing missing is a Session ID (SID) in the Link. Alter " +
+					"a Session ID (SID) in the link inside the email. Alter " +
 					"the link to include a SID.<br><br><b>You are: Hacker Joe</b>";
 		}
 		else if (stage == 2)
 		{
-			instructions += "Now you are the victim Jane who received the mail you see. " +
+			instructions += "Now you are the victim Jane who received the email below. " +
-					"If you point on the link with your mouse you will see that there is a SID included." +
+					"If you point on the link with your mouse you will see that there is a SID included. " +
 					"Click on it to see what happens.<br><br><b>You are: Victim Jane</b> ";
 		}
 		else if (stage == 3)
 		{
-			instructions += "As the bank kindly asked to verfy your data you have to log in to see if your details are "  +
+			instructions += "The bank has asked you to verfy your data. Log in to see if your details are "  +
-					"correct ;). Your user name is <b>Jane</b> and your password is <b>tarzan</b>. <br><br><b>You are: Victim Jane</b> ";
+					"correct. Your user name is <b>Jane</b> and your password is <b>tarzan</b>. <br><br><b>You are: Victim Jane</b> ";
 		}
 		else if (stage == 4)
 		{
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java
@ -128,7 +128,14 @@ public class SqlNumericInjection extends SequentialLessonAdapter
 					{
 						makeSuccess(s);
 						getLessonTracker(s).setStage(2);
-						s.setMessage("Start this lesson over to attack a parameterized query.");
+						StringBuffer msg = new StringBuffer();
 						msg.append("Bet you can't do it again! ");
 						msg.append("This lesson has detected your successfull attack ");
 						msg.append("and has now switched to a defensive mode. ");
 						msg.append("Try again to attack a parameterized query.");
 						s.setMessage(msg.toString());
 					}
 				}
 				else
@ -222,9 +229,9 @@ public class SqlNumericInjection extends SequentialLessonAdapter
 		ec.addElement(new P().addElement("Select your local weather station: "));
-		Map stations = getStations(s);
+		Map<String, String> stations = getStations(s);
 		Select select = new Select(STATION_ID);
-		Iterator it = stations.keySet().iterator();
+		Iterator<String> it = stations.keySet().iterator();
 		while (it.hasNext())
 		{
 			String key = (String) it.next();
@ -244,7 +251,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
 	 * 
 	 * @return A map containing each station, indexed by station number
 	 */
-	protected Map getStations(WebSession s) throws SQLException, ClassNotFoundException
+	protected Map<String, String> getStations(WebSession s) throws SQLException, ClassNotFoundException
 	{
 		Connection connection = DatabaseUtilities.getConnection(s);
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java
@ -96,7 +96,7 @@ public class StoredXss extends LessonAdapter
 			Connection connection = DatabaseUtilities.getConnection(s);
-			String query = "INSERT INTO messages VALUES (?, ?, ?, ? )";
+			String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )";
 			PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
 																		ResultSet.CONCUR_READ_ONLY);
@ -104,6 +104,7 @@ public class StoredXss extends LessonAdapter
 			statement.setString(2, title);
 			statement.setString(3, message);
 			statement.setString(4, s.getUserName());
 			statement.setString(5, this.getClass().getName());
 			statement.execute();
 		} catch (Exception e)
 		{
@ -204,11 +205,12 @@ public class StoredXss extends LessonAdapter
 			// but not anyone elses. This allows users to try out XSS to grab another user's
 			// cookies, but not get confused by other users scripts
-			String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ?";
+			String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
 			PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
 																		ResultSet.CONCUR_READ_ONLY);
 			statement.setString(1, getNameroot(s.getUserName()) + "%");
 			statement.setInt(2, messageNum);
 			statement.setString(3, this.getClass().getName());
 			ResultSet results = statement.executeQuery();
 			if ((results != null) && results.first())
@ -305,7 +307,7 @@ public class StoredXss extends LessonAdapter
 	 *            Description of the Parameter
 	 * @return Description of the Return Value
 	 */
-	public static Element makeList(WebSession s)
+	public  Element makeList(WebSession s)
 	{
 		Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
@ -313,16 +315,18 @@ public class StoredXss extends LessonAdapter
 		{
 			Connection connection = DatabaseUtilities.getConnection(s);
 			Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
 																ResultSet.CONCUR_READ_ONLY);
 			// edit by Chuck Willis - Added logic to associate similar usernames
 			// The idea is that users chuck-1, chuck-2, etc will see each other's messages
 			// but not anyone elses. This allows users to try out XSS to grab another user's
 			// cookies, but not get confused by other users scripts
-			ResultSet results = statement.executeQuery(STANDARD_QUERY + " WHERE user_name LIKE '"
+			String query = "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?";
-					+ getNameroot(s.getUserName()) + "%'");
+			PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-
+																		ResultSet.CONCUR_READ_ONLY);
 			statement.setString(1, getNameroot(s.getUserName()) + "%");
 			statement.setString(2, getClass().getName());
 			ResultSet results = statement.executeQuery();
 			if ((results != null) && (results.first() == true))
 			{
 				results.beforeFirst();
--- a/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java
+++ b/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java
@ -66,7 +66,7 @@ public class CreateDB
 		try
 		{
 			String createTableStatement = "CREATE TABLE messages (" + "num int not null," + "title varchar(50),"
-					+ "message varchar(200)," + "user_name varchar(50) not null " + ")";
+					+ "message varchar(200)," + "user_name varchar(50) not null, " + "lesson_type varchar(50) not null" + ")";
 			statement.executeUpdate(createTableStatement);
 		} catch (SQLException e)
 		{
--- a/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java
+++ b/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java
@ -168,6 +168,7 @@ public class WebSession
 	private boolean isColor = false;
 	private boolean isDebug = false;
 	private boolean hasHackedHackableAdmin = false;
 	private StringBuffer message = new StringBuffer("");
@ -363,11 +364,11 @@ public class WebSession
 	public String getCurrentLink()
 	{
 		String thisLink = "attack";
-		Enumeration e = request.getParameterNames();
+		Enumeration<String> e = request.getParameterNames();
 		boolean isFirstParameter = true;
 		while (e.hasMoreElements())
 		{
-			String name = (String) e.nextElement();
+			String name = e.nextElement();
 			if (isFirstParameter)
 			{
 				isFirstParameter = false;
@ -428,7 +429,7 @@ public class WebSession
 		{
 			params = new Vector<Parameter>();
-			Enumeration e = getParser().getParameterNames();
+			Enumeration<String> e = getParser().getParameterNames();
 			while ((e != null) && e.hasMoreElements())
 			{
@ -448,9 +449,9 @@ public class WebSession
 		return params;
 	}
-	public List getCookies()
+	public List<Cookie> getCookies()
 	{
-		List cookies = null;
+		List<Cookie> cookies = null;
 		if (showCookies()) cookies = Arrays.asList(request.getCookies());
@ -669,7 +670,7 @@ public class WebSession
 	public LessonSession getLessonSession(AbstractLesson lesson)
 	{
-		return (LessonSession) lessonSessions.get(lesson);
+		return lessonSessions.get(lesson);
 	}
 	/**
--- a/main/project/WebContent/css/webgoat_challenge.css
+++ b/main/project/WebContent/css/webgoat_challenge.css
@ -6,8 +6,9 @@
 }
 #top_ch{
 	height:86px;
 	width: 500px;
 	height:136px;
 	background-image: url(../images/header/header.jpg);
 }
 #wrap_ch {
@ -19,22 +20,24 @@
 }
 #start_ch {
-	height: 300px;
+	height: 350px;
-	padding: 10px 50px 10px 50px;
+	width: 500px;
-	font-size: 12px;
+	padding: 10px 10px 10px 10px;
 	font-size: 15px;
 }
 #warning_ch {
 	border: 1px solid #666666;
 	padding: 10px;
 	font-size: 10px;
 	color: #FF3300;
-	width: 400px;
+	width: 450px;
-	margin-left: 50px;
+	margin-left: 5px;
 	margin-right: 5px;
 }
 #team_ch {
 }
 .style1_ch {
-	font-size: 10px;
+	font-size: 11px;
 	font-weight: bold;
 }
 .style2_ch {
--- a/main/project/WebContent/images/introduction/Thumbs.db
+++ b/main/project/WebContent/images/introduction/Thumbs.db
--- a/main/project/WebContent/lesson_plans/HttpOnly.html
+++ b/main/project/WebContent/lesson_plans/HttpOnly.html
@ -8,6 +8,7 @@ introduced a new cookie attribute entitled 'HttpOnly.' If this flag is
 set, then the browser should not allow client-side script to access the
 cookie. Since the attribute is relatively new, several browsers neglect
 to handle the new attribute properly.
 <p>For a list of supported browsers see: <a href=http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly>OWASP HTTPOnly Support</a>
 <p><b>General Goal(s):</b></p>
 The purpose of this lesson is to test whether your browser supports the
 HTTPOnly cookie flag. Note the value of the
--- a/main/project/WebContent/lesson_plans/TomcatSetup.html
+++ b/main/project/WebContent/lesson_plans/TomcatSetup.html
@ -1,12 +1,12 @@
 <!-- Start Instructions -->
 <h1>How To Configure Tomcat</h1><br><br>
 <h2>Introduction</h2>
-<p>WebGoat comes with sane default configurations for Tomcat. This page will explain the configurations
+<p>WebGoat comes with default configurations for Tomcat. This page will explain these configurations
-and which further possibilities you have to configure Tomcat. This is just 
+and other possible configurations for Tomcat. This is just 
 a short description which should be enough in most cases. For more advanced tasks please 
 refer to the Tomcat documentation. Please note that all solutions
-are written for the standard configurations on port 80. If you use another configurations you have 
+are written for the standard configurations on port 80. If you use another port you have 
-to adjust the solution to your configurations.</p>
+to adjust the solution to your configuration.</p>
 <h2>The Standard Configurations</h2>
 <p>There are two standard Tomcat configurations. In the basic configurations you use the server on your localhost.
@ -52,7 +52,7 @@ In this example to port 8442:
 <h3>Make WebGoat Reachable From Another Client</h3>
 <p>THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS
 	UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN 
-SAVE NETWORKS!</p>
+SAFE NETWORKS!</p>
 <p>By its default configurations WebGoat is only
 reachable within the localhost. In a laboratory or a class
 there is maybe the need of having a server and a few clients. 
--- a/main/project/WebContent/webgoat_challenge.jsp
+++ b/main/project/WebContent/webgoat_challenge.jsp
@ -10,20 +10,22 @@ WebSession webSession = ((WebSession) session.getAttribute("websession"));
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
 <title>WebGoat V5.2</title>
-<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
+<link rel="stylesheet" href="css/webgoat_challenge.css" type="text/css" />
 </head>
 <body>
-<div id="wrap">
+<div id="wrap_ch">
-<div id="top"></div>
+<div id="top_ch"></div>
-<div id="start">
+<div id="start_ch">
-<p>Thank you for using WebGoat!</p>
+<p>Thank you for using WebGoat! This program is a demonstration of common web application flaws.
 <p>This program is a demonstration of common web application flaws.
 The exercises are intended to provide hands on experience with
-application penetration testing techniques. </p><p>The WebGoat project is lead
+application penetration testing techniques. </p>
 <p>The WebGoat project is lead
 by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.</p>
-<div id="team">
+<p>Thanks to <a href="http://www.ouncelabs.com"><img align="top" height="20" width="160" border = "0" src="images/logos/ounce.jpg" alt="Ounce Labs"/></a> for supporting Bruce on the WebGoat Project.</p>
 <div id="team_ch">
 <table border="0" align="center" class="lessonText">
 	<tr>
 		<td width="50%">
@ -107,7 +109,7 @@ by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatCo
 <div align="center" class="style2">&nbsp;</div>
 <div align="center" class="style2">&nbsp;</div>
 <div align="center" class="style2">&nbsp;</div>
-<div id="warning">WARNING<br />
+<div id="warning_ch">WARNING<br />
 While running this program, your machine is extremely vulnerable to
 attack. You should disconnect from the network while using this program.
 <br />