dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

git-svn-id: http://webgoat.googlecode.com/svn/trunk@6 4033779f-a91e-0410-96ef-6bf7bf53c507

Browse Source
This commit is contained in:
mayhew64
2006-09-30 13:12:13 +00:00
parent 8455a33200
commit 7414ec751d
103 changed files with 24646 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

355
webgoat/main/project/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java Normal file
View File

@ -0,0 +1,355 @@
package org.owasp.webgoat.lessons.CrossSiteScripting;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.lessons.LessonAction;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.DeleteProfile;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.ListStaff;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.Login;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.Logout;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.SearchStaff;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;
/**
* Copyright (c) 2006 Free Software Foundation developed under the custody of the Open Web
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
*/
public class CrossSiteScripting extends LessonAdapter
{
public final static String DESCRIPTION = "description";
public final static String DISCIPLINARY_DATE = "disciplinaryDate";
public final static String DISCIPLINARY_NOTES = "disciplinaryNotes";
public final static String CCN_LIMIT = "ccnLimit";
public final static String CCN = "ccn";
public final static String SALARY = "salary";
public final static String START_DATE = "startDate";
public final static String MANAGER = "manager";
public final static String ADDRESS1 = "address1";
public final static String ADDRESS2 = "address2";
public final static String PHONE_NUMBER = "phoneNumber";
public final static String TITLE = "title";
public final static String SSN = "ssn";
public final static String LAST_NAME = "lastName";
public final static String FIRST_NAME = "firstName";
public final static String PASSWORD = "password";
public final static String EMPLOYEE_ID = "employee_id";
public final static String USER_ID = "user_id";
public final static String SEARCHNAME = "search_name";
public final static String SEARCHRESULT_ATTRIBUTE_KEY = "SearchResult";
public final static String EMPLOYEE_ATTRIBUTE_KEY = "Employee";
public final static String STAFF_ATTRIBUTE_KEY = "Staff";
public final static String LOGIN_ACTION = "Login";
public final static String LOGOUT_ACTION = "Logout";
public final static String LISTSTAFF_ACTION = "ListStaff";
public final static String SEARCHSTAFF_ACTION = "SearchStaff";
public final static String FINDPROFILE_ACTION = "FindProfile";
public final static String VIEWPROFILE_ACTION = "ViewProfile";
public final static String EDITPROFILE_ACTION = "EditProfile";
public final static String UPDATEPROFILE_ACTION = "UpdateProfile";
public final static String CREATEPROFILE_ACTION = "CreateProfile";
public final static String DELETEPROFILE_ACTION = "DeleteProfile";
public final static String ERROR_ACTION = "error";
private final static String LESSON_NAME = "CrossSiteScripting";
private final static String JSP_PATH = "/lessons/" + LESSON_NAME + "/";
private final static Integer DEFAULT_RANKING = new Integer(100);
private static Connection connection = null;
private Map lessonFunctions = new Hashtable();
public static synchronized Connection getConnection(WebSession s)
throws SQLException, ClassNotFoundException
{
if ( connection == null )
{
connection = DatabaseUtilities.makeConnection( s );
}
return connection;
}
public CrossSiteScripting()
{
String myClassName = parseClassName(this.getClass().getName());
registerAction(new ListStaff(this, myClassName, LISTSTAFF_ACTION));
registerAction(new SearchStaff(this, myClassName, SEARCHSTAFF_ACTION));
registerAction(new ViewProfile(this, myClassName, VIEWPROFILE_ACTION));
registerAction(new EditProfile(this, myClassName, EDITPROFILE_ACTION));
registerAction(new EditProfile(this, myClassName, CREATEPROFILE_ACTION));
// These actions are special in that they chain to other actions.
registerAction(new Login(this, myClassName, LOGIN_ACTION, getAction(LISTSTAFF_ACTION)));
registerAction(new Logout(this, myClassName, LOGOUT_ACTION, getAction(LOGIN_ACTION)));
registerAction(new FindProfile(this, myClassName, FINDPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
registerAction(new UpdateProfile(this, myClassName, UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
registerAction(new DeleteProfile(this, myClassName, DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
}
protected static String parseClassName(String fqcn)
{
String className = fqcn;
int lastDotIndex = fqcn.lastIndexOf('.');
if (lastDotIndex > -1)
className = fqcn.substring(lastDotIndex + 1);
return className;
}
protected void registerAction(LessonAction action)
{
lessonFunctions.put(action.getActionName(), action);
}
/**
* Gets the category attribute of the CrossSiteScripting object
*
* @return The category value
*/
public Category getDefaultCategory()
{
return AbstractLesson.A4;
}
/**
* Gets the hints attribute of the DirectoryScreen object
*
* @return The hints value
*/
protected List getHints()
{
List hints = new ArrayList();
// Stage 1
hints.add( "You can put HTML tags in form input fields." );
hints.add( "Bury a SCRIPT tag in the field to attack anyone who reads it." );
hints.add( "Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in message fields." );
hints.add( "Enter this: <script&gtalert(\"document.cookie\");</script> in message fields." );
// Stage 2
hints.add( "Many scripts rely on the use of special characters such as: <" );
hints.add( "Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering)." );
hints.add( "The java.util.regex package is useful for filtering string values." );
// Stage 3
hints.add( "Browsers recognize and decode HTML entity encoded content after parsing and interpretting HTML tags." );
hints.add( "An HTML entity encoder is provided in the ParameterParser class." );
// Stage 4
hints.add( "Examine content served in response to form submissions looking for data taken from the form." );
// Stage 5
hints.add( "Validate early. Consider: out.println(\"Order for \" + request.getParameter(\"product\") + \" being processed...\");" );
return hints;
}
/**
* Gets the instructions attribute of the ParameterInjection object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "";
if (!getLessonTracker(s).getCompleted())
{
switch (getStage(s))
{
case 1:
instructions = "Stage " + getStage(s) + ": Execute a Stored Cross Site Scripting (XSS) attack.<br>" +
"For this exercise, your mission is to cause the application to serve a script of your making " +
" to some other user.";
break;
case 2:
instructions = "Stage " + getStage(s) + ": Block Stored XSS using Input Validation.<br>" +
"You will modify the application to perform input validation on the vulnerable input field " +
"you just exploited.";
break;
case 3:
instructions = "Stage " + getStage(s) + ": Execute a previously Stored Cross Site Scripting (XSS) attack.<br>" +
"The application is still vulnerable to scripts in the database. Trigger a pre-stored " +
"script by logging in as employee 'David' and viewing Bruce's profile.";
break;
case 4:
instructions = "Stage " + getStage(s) + ": Block Stored XSS using Output Encoding.<br>" +
"Encode data served from the database to the client so that any scripts are rendered harmless.";
break;
case 5:
instructions = "Stage " + getStage(s) + ": Execute a Reflected XSS attack.<br>" +
"Your goal here is to craft a link containing a script which the application will " +
"serve right back to any client that activates the link.";
break;
case 6:
instructions = "Stage " + getStage(s) + ": Block Reflected XSS using Input Validation.<br>" +
"Use the input validation techniques learned ealier in this lesson to close the vulnerability " +
"you just exploited.";
break;
default:
// Illegal stage value
break;
}
}
return instructions;
}
protected LessonAction getAction(String actionName)
{
return (LessonAction) lessonFunctions.get(actionName);
}
public void handleRequest(WebSession s)
{
if (s.getLessonSession(this) == null)
s.openLessonSession(this);
String requestedActionName = null;
try
{
requestedActionName = s.getParser().getStringParameter("action");
}
catch (ParameterNotFoundException pnfe)
{
// Let them eat login page.
requestedActionName = LOGIN_ACTION;
}
if (requestedActionName != null)
{
try
{
LessonAction action = getAction(requestedActionName);
if (action != null)
{
if (!action.requiresAuthentication() || action.isAuthenticated(s))
{
action.handleRequest(s);
//setCurrentAction(s, action.getNextPage(s));
}
}
else
{
setCurrentAction(s, ERROR_ACTION);
}
}
catch (ParameterNotFoundException pnfe)
{
System.out.println("Missing parameter");
pnfe.printStackTrace();
setCurrentAction(s, ERROR_ACTION);
}
catch (ValidationException ve)
{
System.out.println("Validation failed");
ve.printStackTrace();
setCurrentAction(s, ERROR_ACTION);
}
catch (UnauthenticatedException ue)
{
s.setMessage("Login failed");
System.out.println("Authentication failure");
ue.printStackTrace();
}
catch (UnauthorizedException ue2)
{
s.setMessage("You are not authorized to perform this function");
System.out.println("Authorization failure");
ue2.printStackTrace();
}
catch (Exception e)
{
// All other errors send the user to the generic error page
System.out.println("handleRequest() error");
e.printStackTrace();
setCurrentAction(s, ERROR_ACTION);
}
}
// All this does for this lesson is ensure that a non-null content exists.
setContent(new ElementContainer());
}
public boolean isAuthorized(WebSession s, int userId, String functionId)
{
//System.out.println("Checking authorization from " + getCurrentAction(s));
LessonAction action = (LessonAction) lessonFunctions.get(getCurrentAction(s));
return action.isAuthorized(s, userId, functionId);
}
public int getUserId(WebSession s) throws ParameterNotFoundException
{
LessonAction action = (LessonAction) lessonFunctions.get(getCurrentAction(s));
return action.getUserId(s);
}
public String getUserName(WebSession s) throws ParameterNotFoundException
{
LessonAction action = (LessonAction) lessonFunctions.get(getCurrentAction(s));
return action.getUserName(s);
}
public String getTemplatePage(WebSession s)
{
return JSP_PATH + LESSON_NAME + ".jsp";
}
public String getPage(WebSession s)
{
String page = JSP_PATH + getCurrentAction(s) + ".jsp";
//System.out.println("Retrieved sub-view page for " + this.getClass().getName() + " of " + page);
return page;
}
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the CrossSiteScripting object
*
* @return The title value
*/
public String getTitle()
{
return "LAB: Cross Site Scripting (XSS)";
}
public String getSourceFileName()
{
// FIXME: Need to generalize findSourceResource() and use it on the currently active
// LessonAction delegate to get its source file.
//return findSourceResource(getCurrentLessonScreen()....);
return super.getSourceFileName();
}
}

157
webgoat/main/project/org/owasp/webgoat/lessons/CrossSiteScripting/EditProfile.java Normal file
View File

@ -0,0 +1,157 @@
package org.owasp.webgoat.lessons.CrossSiteScripting;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.DefaultLessonAction;
import org.owasp.webgoat.session.Employee;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.WebSession;
public class EditProfile extends DefaultLessonAction
{
public EditProfile(AbstractLesson lesson, String lessonName, String actionName)
{
super(lesson, lessonName, actionName);
}
public void handleRequest( WebSession s )
throws ParameterNotFoundException, UnauthenticatedException, UnauthorizedException
{
getLesson().setCurrentAction(s, getActionName());
if (isAuthenticated(s))
{
int userId = getUserId(s);
int employeeId = s.getParser().getIntParameter(CrossSiteScripting.EMPLOYEE_ID);
Employee employee = getEmployeeProfile(s, userId, employeeId);
setSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ATTRIBUTE_KEY, employee);
}
else
throw new UnauthenticatedException();
}
public String getNextPage(WebSession s)
{
return CrossSiteScripting.EDITPROFILE_ACTION;
}
public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId)
throws UnauthorizedException
{
Employee profile = null;
// Query the database for the profile data of the given employee
try
{
String query = "SELECT * FROM employee WHERE userid = ?";
try
{
PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
answer_statement.setInt(1, subjectUserId);
ResultSet answer_results = answer_statement.executeQuery();
if (answer_results.next())
{
// Note: Do NOT get the password field.
profile = new Employee(
answer_results.getInt("userid"),
answer_results.getString("first_name"),
answer_results.getString("last_name"),
answer_results.getString("ssn"),
answer_results.getString("title"),
answer_results.getString("phone"),
answer_results.getString("address1"),
answer_results.getString("address2"),
answer_results.getInt("manager"),
answer_results.getString("start_date"),
answer_results.getInt("salary"),
answer_results.getString("ccn"),
answer_results.getInt("ccn_limit"),
answer_results.getString("disciplined_date"),
answer_results.getString("disciplined_notes"),
answer_results.getString("personal_description"));
/* System.out.println("Retrieved employee from db: " +
profile.getFirstName() + " " + profile.getLastName() +
" (" + profile.getId() + ")");
*/ }
}
catch ( SQLException sqle )
{
s.setMessage( "Error getting employee profile" );
sqle.printStackTrace();
}
}
catch ( Exception e )
{
s.setMessage( "Error getting employee profile" );
e.printStackTrace();
}
return profile;
}
public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, int subjectUserId)
throws UnauthorizedException
{
Employee profile = null;
// Query the database for the profile data of the given employee
try
{
String query = "SELECT * FROM employee WHERE userid = ?";
try
{
PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
answer_statement.setInt(1, subjectUserId);
ResultSet answer_results = answer_statement.executeQuery();
if (answer_results.next())
{
// Note: Do NOT get the password field.
profile = new Employee(
answer_results.getInt("userid"),
answer_results.getString("first_name"),
answer_results.getString("last_name"),
answer_results.getString("ssn"),
answer_results.getString("title"),
answer_results.getString("phone"),
answer_results.getString("address1"),
answer_results.getString("address2"),
answer_results.getInt("manager"),
answer_results.getString("start_date"),
answer_results.getInt("salary"),
answer_results.getString("ccn"),
answer_results.getInt("ccn_limit"),
answer_results.getString("disciplined_date"),
answer_results.getString("disciplined_notes"),
answer_results.getString("personal_description"));
/* System.out.println("Retrieved employee from db: " +
profile.getFirstName() + " " + profile.getLastName() +
" (" + profile.getId() + ")");
*/ }
}
catch ( SQLException sqle )
{
s.setMessage( "Error getting employee profile" );
sqle.printStackTrace();
}
}
catch ( Exception e )
{
s.setMessage( "Error getting employee profile" );
e.printStackTrace();
}
return profile;
}
}

209
webgoat/main/project/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java Normal file
View File

@ -0,0 +1,209 @@
package org.owasp.webgoat.lessons.CrossSiteScripting;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.DefaultLessonAction;
import org.owasp.webgoat.lessons.LessonAction;
import org.owasp.webgoat.session.Employee;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;
public class FindProfile extends DefaultLessonAction
{
private LessonAction chainedAction;
public FindProfile(AbstractLesson lesson, String lessonName, String actionName, LessonAction chainedAction)
{
super(lesson, lessonName, actionName);
this.chainedAction = chainedAction;
}
public void handleRequest( WebSession s )
throws ParameterNotFoundException, UnauthenticatedException, UnauthorizedException, ValidationException
{
if (isAuthenticated(s))
{
int userId = getIntSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.USER_ID);
String searchName = null;
try
{
searchName = getRequestParameter(s, CrossSiteScripting.SEARCHNAME);
Employee employee = null;
employee = findEmployeeProfile(s, userId, searchName);
if (employee == null)
{
setSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.SEARCHRESULT_ATTRIBUTE_KEY,
"Employee " + searchName + " not found.");
}
}
catch (ValidationException e)
{
if (getStage(s) == 6)
{
s.setMessage("Congratulations. You have successfully completed this lesson");
getLesson().getLessonTracker( s ).setCompleted( true );
}
throw e;
}
if (getStage(s) == 5)
{
if (searchName.indexOf("<script>") > -1 && searchName.indexOf("alert") > -1 && searchName.indexOf("</script>") > -1)
{
s.setMessage( "Welcome to stage 6 - more input validation" );
setStage(s, 6);
}
}
// Execute the chained Action if the employee was found.
if (foundEmployee(s))
{
try
{
chainedAction.handleRequest(s);
}
catch (UnauthenticatedException ue1)
{
System.out.println("Internal server error");
ue1.printStackTrace();
}
catch (UnauthorizedException ue2)
{
System.out.println("Internal server error");
ue2.printStackTrace();
}
}
}
else
throw new UnauthenticatedException();
}
public String getNextPage(WebSession s)
{
String page = CrossSiteScripting.SEARCHSTAFF_ACTION;
if (foundEmployee(s))
page = CrossSiteScripting.VIEWPROFILE_ACTION;
return page;
}
protected String getRequestParameter(WebSession s, String name)
throws ParameterNotFoundException, ValidationException
{
return s.getParser().getRawParameter(name);
}
protected String getRequestParameter_BACKUP(WebSession s, String name)
throws ParameterNotFoundException, ValidationException
{
return s.getParser().getRawParameter(name);
}
public Employee findEmployeeProfile(WebSession s, int userId, String pattern)
throws UnauthorizedException
{
Employee profile = null;
// Query the database for the profile data of the given employee
try
{
String query = "SELECT * FROM employee WHERE first_name like ? OR last_name like ?";
try
{
PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
answer_statement.setString(1, "%" + pattern + "%");
answer_statement.setString(2, "%" + pattern + "%");
ResultSet answer_results = answer_statement.executeQuery();
// Just use the first hit.
if (answer_results.next())
{
int id = answer_results.getInt("userid");
// Note: Do NOT get the password field.
profile = new Employee(
id,
answer_results.getString("first_name"),
answer_results.getString("last_name"),
answer_results.getString("ssn"),
answer_results.getString("title"),
answer_results.getString("phone"),
answer_results.getString("address1"),
answer_results.getString("address2"),
answer_results.getInt("manager"),
answer_results.getString("start_date"),
answer_results.getInt("salary"),
answer_results.getString("ccn"),
answer_results.getInt("ccn_limit"),
answer_results.getString("disciplined_date"),
answer_results.getString("disciplined_notes"),
answer_results.getString("personal_description"));
/* System.out.println("Retrieved employee from db: " +
profile.getFirstName() + " " + profile.getLastName() +
" (" + profile.getId() + ")");
*/
setRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID, Integer.toString(id));
}
}
catch ( SQLException sqle )
{
s.setMessage( "Error finding employee profile" );
sqle.printStackTrace();
}
}
catch ( Exception e )
{
s.setMessage( "Error finding employee profile" );
e.printStackTrace();
}
return profile;
}
private boolean foundEmployee(WebSession s)
{
boolean found = false;
try
{
getIntRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID);
found = true;
}
catch (ParameterNotFoundException e)
{
}
return found;
}
protected String validate(final String parameter, final Pattern pattern) throws ValidationException
{
Matcher matcher = pattern.matcher(parameter);
if (!matcher.matches())
throw new ValidationException();
return parameter;
}
protected static Map patterns = new HashMap();
static
{
patterns.put(CrossSiteScripting.SEARCHNAME, Pattern.compile("[a-zA-Z ]{0,20}"));
}
}

356
webgoat/main/project/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java Normal file
View File

@ -0,0 +1,356 @@
package org.owasp.webgoat.lessons.CrossSiteScripting;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.PreparedStatement;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.DefaultLessonAction;
import org.owasp.webgoat.lessons.LessonAction;
import org.owasp.webgoat.session.Employee;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.ParameterParser;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;
public class UpdateProfile extends DefaultLessonAction
{
private LessonAction chainedAction;
public UpdateProfile(AbstractLesson lesson, String lessonName, String actionName, LessonAction chainedAction)
{
super(lesson, lessonName, actionName);
this.chainedAction = chainedAction;
}
public void handleRequest( WebSession s )
throws ParameterNotFoundException, UnauthenticatedException, UnauthorizedException, ValidationException
{
if (isAuthenticated(s))
{
int userId = getIntSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.USER_ID);
int subjectId = s.getParser().getIntParameter(CrossSiteScripting.EMPLOYEE_ID, 0);
Employee employee = null;
try
{
employee = parseEmployeeProfile(subjectId, s);
}
catch (ValidationException e)
{
if (getStage(s) == 2)
{
s.setMessage( "Welcome to stage 3 - demonstrate Stored XSS again" );
setStage(s, 3);
}
throw e;
}
if (subjectId > 0)
{
this.changeEmployeeProfile(s, userId, subjectId, employee);
setRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID, Integer.toString(subjectId));
}
else
this.createEmployeeProfile(s, userId, employee);
try
{
chainedAction.handleRequest(s);
}
catch (UnauthenticatedException ue1)
{
System.out.println("Internal server error");
ue1.printStackTrace();
}
catch (UnauthorizedException ue2)
{
System.out.println("Internal server error");
ue2.printStackTrace();
}
}
else
throw new UnauthenticatedException();
}
protected Employee parseEmployeeProfile(int subjectId, WebSession s)
throws ParameterNotFoundException, ValidationException
{
// The input validation can be added using a parsing component
// or by using an inline regular expression. The parsing component
// is the better solution.
HttpServletRequest request = s.getRequest();
String firstName = request.getParameter(CrossSiteScripting.FIRST_NAME);
String lastName = request.getParameter(CrossSiteScripting.LAST_NAME);
String ssn = request.getParameter(CrossSiteScripting.SSN);
String title = request.getParameter(CrossSiteScripting.TITLE);
String phone = request.getParameter(CrossSiteScripting.PHONE_NUMBER);
String address1 = request.getParameter(CrossSiteScripting.ADDRESS1);
String address2 = request.getParameter(CrossSiteScripting.ADDRESS2);
int manager = Integer.parseInt(request.getParameter(CrossSiteScripting.MANAGER));
String startDate = request.getParameter(CrossSiteScripting.START_DATE);
int salary = Integer.parseInt(request.getParameter(CrossSiteScripting.SALARY));
String ccn = request.getParameter(CrossSiteScripting.CCN);
int ccnLimit = Integer.parseInt(request.getParameter(CrossSiteScripting.CCN_LIMIT));
String disciplinaryActionDate = request.getParameter(CrossSiteScripting.DISCIPLINARY_DATE);
String disciplinaryActionNotes = request.getParameter(CrossSiteScripting.DISCIPLINARY_NOTES);
String personalDescription = request.getParameter(CrossSiteScripting.DESCRIPTION);
Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone,
address1, address2, manager, startDate, salary,
ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
personalDescription);
return employee;
}
protected Employee parseEmployeeProfile_BACKUP(int subjectId, WebSession s)
throws ParameterNotFoundException, ValidationException
{
// The input validation can be added using a parsing component
// or by using an inline regular expression. The parsing component
// is the better solution.
HttpServletRequest request = s.getRequest();
String firstName = request.getParameter(CrossSiteScripting.FIRST_NAME);
String lastName = request.getParameter(CrossSiteScripting.LAST_NAME);
String ssn = request.getParameter(CrossSiteScripting.SSN);
String title = request.getParameter(CrossSiteScripting.TITLE);
String phone = request.getParameter(CrossSiteScripting.PHONE_NUMBER);
String address1 = request.getParameter(CrossSiteScripting.ADDRESS1);
String address2 = request.getParameter(CrossSiteScripting.ADDRESS2);
int manager = Integer.parseInt(request.getParameter(CrossSiteScripting.MANAGER));
String startDate = request.getParameter(CrossSiteScripting.START_DATE);
int salary = Integer.parseInt(request.getParameter(CrossSiteScripting.SALARY));
String ccn = request.getParameter(CrossSiteScripting.CCN);
int ccnLimit = Integer.parseInt(request.getParameter(CrossSiteScripting.CCN_LIMIT));
String disciplinaryActionDate = request.getParameter(CrossSiteScripting.DISCIPLINARY_DATE);
String disciplinaryActionNotes = request.getParameter(CrossSiteScripting.DISCIPLINARY_NOTES);
String personalDescription = request.getParameter(CrossSiteScripting.DESCRIPTION);
Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone,
address1, address2, manager, startDate, salary,
ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
personalDescription);
return employee;
}
protected Employee doParseEmployeeProfile(int subjectId, ParameterParser parser)
throws ParameterNotFoundException, ValidationException
{
// Fix this method using the org.owasp.webgoat.session.ParameterParser class
return null;
}
public String getNextPage(WebSession s)
{
return CrossSiteScripting.VIEWPROFILE_ACTION;
}
public void changeEmployeeProfile(WebSession s, int userId, int subjectId, Employee employee)
throws UnauthorizedException
{
try
{
// Note: The password field is ONLY set by ChangePassword
String query = "UPDATE employee SET first_name = '" + employee.getFirstName() +
"', last_name = '" + employee.getLastName() +
"', ssn = '" + employee.getSsn() +
"', title = '" + employee.getTitle() +
"', phone = '" + employee.getPhoneNumber() +
"', address1 = '" + employee.getAddress1() +
"', address2 = '" + employee.getAddress2() +
"', manager = " + employee.getManager() +
", start_date = '" + employee.getStartDate() +
"', ccn = '" + employee.getCcn() +
"', ccn_limit = " + employee.getCcnLimit() +
// "', disciplined_date = '" + employee.getDisciplinaryActionDate() +
// "', disciplined_notes = '" + employee.getDisciplinaryActionNotes() +
", personal_description = '" + employee.getPersonalDescription() +
"' WHERE userid = " + subjectId;
//System.out.println("Query: " + query);
try
{
Statement answer_statement = WebSession.getConnection(s).createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
answer_statement.executeUpdate( query );
}
catch ( SQLException sqle )
{
s.setMessage( "Error updating employee profile" );
sqle.printStackTrace();
}
}
catch ( Exception e )
{
s.setMessage( "Error updating employee profile" );
e.printStackTrace();
}
}
public void doChangeEmployeeProfile_BACKUP(WebSession s, int userId, int subjectId, Employee employee)
throws UnauthorizedException
{
try
{
// Note: The password field is ONLY set by ChangePassword
String query = "UPDATE employee SET first_name = '" + employee.getFirstName() +
"', last_name = '" + employee.getLastName() +
"', ssn = '" + employee.getSsn() +
"', title = '" + employee.getTitle() +
"', phone = '" + employee.getPhoneNumber() +
"', address1 = '" + employee.getAddress1() +
"', address2 = '" + employee.getAddress2() +
"', manager = " + employee.getManager() +
", start_date = '" + employee.getStartDate() +
"', ccn = '" + employee.getCcn() +
"', ccn_limit = " + employee.getCcnLimit() +
// "', disciplined_date = '" + employee.getDisciplinaryActionDate() +
// "', disciplined_notes = '" + employee.getDisciplinaryActionNotes() +
", personal_description = '" + employee.getPersonalDescription() +
"' WHERE userid = " + subjectId;
//System.out.println("Query: " + query);
try
{
Statement answer_statement = WebSession.getConnection(s).createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
answer_statement.executeUpdate( query );
}
catch ( SQLException sqle )
{
s.setMessage( "Error updating employee profile" );
sqle.printStackTrace();
}
}
catch ( Exception e )
{
s.setMessage( "Error updating employee profile" );
e.printStackTrace();
}
}
public void createEmployeeProfile(WebSession s, int userId, Employee employee)
throws UnauthorizedException
{
try
{
// FIXME: Cannot choose the id because we cannot guarantee uniqueness
String query = "INSERT INTO employee VALUES ( max(userid)+1, '"
+ employee.getFirstName() + "','"
+ employee.getLastName() + "','"
+ employee.getSsn() + "','"
+ employee.getFirstName().toLowerCase() + "','"
+ employee.getTitle() + "','"
+ employee.getPhoneNumber() + "','"
+ employee.getAddress1() + "','"
+ employee.getAddress2() + "',"
+ employee.getManager() + ",'"
+ employee.getStartDate() + "',"
+ employee.getSalary() + ",'"
+ employee.getCcn() + "',"
+ employee.getCcnLimit() + ",'"
+ employee.getDisciplinaryActionDate() + "','"
+ employee.getDisciplinaryActionNotes() + "','"
+ employee.getPersonalDescription()
+ "')";
//System.out.println("Query: " + query);
try
{
Statement statement = WebSession.getConnection(s).createStatement();
statement.executeUpdate(query);
}
catch ( SQLException sqle )
{
s.setMessage( "Error updating employee profile" );
sqle.printStackTrace();
}
}
catch ( Exception e )
{
s.setMessage( "Error updating employee profile" );
e.printStackTrace();
}
}
public void createEmployeeProfile_BACKUP(WebSession s, int userId, Employee employee)
throws UnauthorizedException
{
try
{
// FIXME: Cannot choose the id because we cannot guarantee uniqueness
String query = "INSERT INTO employee VALUES ( max(userid)+1, '"
+ employee.getFirstName() + "','"
+ employee.getLastName() + "','"
+ employee.getSsn() + "','"
+ employee.getFirstName().toLowerCase() + "','"
+ employee.getTitle() + "','"
+ employee.getPhoneNumber() + "','"
+ employee.getAddress1() + "','"
+ employee.getAddress2() + "',"
+ employee.getManager() + ",'"
+ employee.getStartDate() + "',"
+ employee.getSalary() + ",'"
+ employee.getCcn() + "',"
+ employee.getCcnLimit() + ",'"
+ employee.getDisciplinaryActionDate() + "','"
+ employee.getDisciplinaryActionNotes() + "','"
+ employee.getPersonalDescription()
+ "')";
//System.out.println("Query: " + query);
try
{
Statement statement = WebSession.getConnection(s).createStatement();
statement.executeUpdate(query);
}
catch ( SQLException sqle )
{
s.setMessage( "Error updating employee profile" );
sqle.printStackTrace();
}
}
catch ( Exception e )
{
s.setMessage( "Error updating employee profile" );
e.printStackTrace();
}
}
/**
* Validates that the given parameter value matches the given regular expression pattern.
*
* @param parameter
* @param pattern
* @return
* @throws ValidationException
*/
protected String validate(final String parameter, final Pattern pattern) throws ValidationException
{
Matcher matcher = pattern.matcher(parameter);
if (!matcher.matches())
throw new ValidationException();
return parameter;
}
}

203
webgoat/main/project/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java Normal file
View File

@ -0,0 +1,203 @@
package org.owasp.webgoat.lessons.CrossSiteScripting;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.DefaultLessonAction;
import org.owasp.webgoat.session.Employee;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;
public class ViewProfile extends DefaultLessonAction
{
public ViewProfile(AbstractLesson lesson, String lessonName, String actionName)
{
super(lesson, lessonName, actionName);
}
public void handleRequest( WebSession s )
throws ParameterNotFoundException, UnauthenticatedException, UnauthorizedException, ValidationException
{
getLesson().setCurrentAction(s, getActionName());
if (isAuthenticated(s))
{
int userId = getIntSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.USER_ID);
int employeeId = -1;
try
{
// User selected employee
employeeId = s.getParser().getIntParameter(CrossSiteScripting.EMPLOYEE_ID);
}
catch (ParameterNotFoundException e)
{
// May be an internally selected employee
employeeId = getIntRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID);
}
Employee employee = getEmployeeProfile(s, userId, employeeId);
setSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ATTRIBUTE_KEY, employee);
updateLessonStatus(s, employee);
}
else
throw new UnauthenticatedException();
}
public String getNextPage(WebSession s)
{
return CrossSiteScripting.VIEWPROFILE_ACTION;
}
public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
{
Employee profile = null;
// Query the database for the profile data of the given employee
try
{
String query = "SELECT * FROM employee WHERE userid = " + subjectUserId;
try
{
Statement answer_statement = WebSession.getConnection(s).createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
ResultSet answer_results = answer_statement.executeQuery( query );
if (answer_results.next())
{
// Note: Do NOT get the password field.
profile = new Employee(
answer_results.getInt("userid"),
answer_results.getString("first_name"),
answer_results.getString("last_name"),
answer_results.getString("ssn"),
answer_results.getString("title"),
answer_results.getString("phone"),
answer_results.getString("address1"),
answer_results.getString("address2"),
answer_results.getInt("manager"),
answer_results.getString("start_date"),
answer_results.getInt("salary"),
answer_results.getString("ccn"),
answer_results.getInt("ccn_limit"),
answer_results.getString("disciplined_date"),
answer_results.getString("disciplined_notes"),
answer_results.getString("personal_description"));
/* System.out.println("Retrieved employee from db: " +
profile.getFirstName() + " " + profile.getLastName() +
" (" + profile.getId() + ")");
*/ }
}
catch ( SQLException sqle )
{
s.setMessage( "Error getting employee profile" );
sqle.printStackTrace();
}
}
catch ( Exception e )
{
s.setMessage( "Error getting employee profile" );
e.printStackTrace();
}
return profile;
}
public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, int subjectUserId)
throws UnauthorizedException
{
// Query the database to determine if this employee has access to this function
// Query the database for the profile data of the given employee if "owned" by the given user
Employee profile = null;
// Query the database for the profile data of the given employee
try
{
String query = "SELECT * FROM employee WHERE userid = " + subjectUserId;
try
{
Statement answer_statement = WebSession.getConnection(s).createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
ResultSet answer_results = answer_statement.executeQuery( query );
if (answer_results.next())
{
// Note: Do NOT get the password field.
profile = new Employee(
answer_results.getInt("userid"),
answer_results.getString("first_name"),
answer_results.getString("last_name"),
answer_results.getString("ssn"),
answer_results.getString("title"),
answer_results.getString("phone"),
answer_results.getString("address1"),
answer_results.getString("address2"),
answer_results.getInt("manager"),
answer_results.getString("start_date"),
answer_results.getInt("salary"),
answer_results.getString("ccn"),
answer_results.getInt("ccn_limit"),
answer_results.getString("disciplined_date"),
answer_results.getString("disciplined_notes"),
answer_results.getString("personal_description"));
/* System.out.println("Retrieved employee from db: " +
profile.getFirstName() + " " + profile.getLastName() +
" (" + profile.getId() + ")");
*/ }
}
catch ( SQLException sqle )
{
s.setMessage( "Error getting employee profile" );
sqle.printStackTrace();
}
}
catch ( Exception e )
{
s.setMessage( "Error getting employee profile" );
e.printStackTrace();
}
return profile;
}
private void updateLessonStatus(WebSession s, Employee employee)
{
switch (getStage(s))
{
case 1:
String address1 = employee.getAddress1().toLowerCase();
if (address1.indexOf("<script>") > -1 && address1.indexOf("alert") > -1 && address1.indexOf("</script>") > -1)
{
s.setMessage( "Welcome to stage 2 - implement input validation" );
setStage(s, 2);
}
break;
case 3:
String address2 = employee.getAddress1().toLowerCase();
if (address2.indexOf("<script>") > -1 && address2.indexOf("alert") > -1 && address2.indexOf("</script>") > -1)
{
s.setMessage( "Welcome to stage 4 - implement output encoding" );
setStage(s, 4);
}
break;
case 4:
if (employee.getAddress1().toLowerCase().indexOf("&lt;") > -1)
{
s.setMessage( "Welcome to stage 5 - demonstrate reflected XSS" );
setStage(s, 5);
}
break;
default:
break;
}
}
}