git-svn-id: http://webgoat.googlecode.com/svn/trunk@6 4033779f-a91e-0410-96ef-6bf7bf53c507

This commit is contained in:
mayhew64
2006-09-30 13:12:13 +00:00
parent 8455a33200
commit 7414ec751d
103 changed files with 24646 additions and 0 deletions


@ -0,0 +1,76 @@
package org.owasp.webgoat.lessons.admin;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.WebSession;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created October 28, 2003
*/
public abstract class AdminScreen extends Screen
{
/**
* Description of the Field
*/
protected String query = null;
/**
* Constructor for the AdminScreen object
*
* @param s Description of the Parameter
* @param q Description of the Parameter
*/
public AdminScreen( WebSession s, String q )
{
setQuery( q );
// setupAdmin(s); FIXME: what was this supposed to do?
}
/**
* Constructor for the AdminScreen object
*
* @param s Description of the Parameter
*/
public AdminScreen( WebSession s ) { }
/**
* Constructor for the AdminScreen object
*/
public AdminScreen() { }
/**
* Gets the title attribute of the AdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ( "Admin Information" );
}
public String getRole() {
return AbstractLesson.ADMIN_ROLE;
}
/**
* Sets the query attribute of the AdminScreen object
*
* @param q The new query value
*/
public void setQuery( String q )
{
query = q;
}
}
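Review bot: The single-argument constructor `AdminScreen( WebSession s )` discards `s` and neither delegates to the two-argument form nor passes the session to its parent the way `WelcomeAdminScreen` does for its own parent, while `AdminScreen( WebSession s, String q )` calls `setQuery( q )` and carries a `FIXME` for a dropped `setupAdmin(s)` call, so the three constructors leave instances in different states; if the one-argument form is meant to be equivalent, `this( s, null );` makes that explicit. The `query` field has a setter but nothing in this class reads it, so a `getQuery()` or a comment stating that subclasses are expected to read the field directly would pin down the contract. The Javadoc is generator placeholder text throughout (`Description of the Field`, `Description of the Parameter`); one real sentence each, e.g. `/** Base screen for administrative views; holds the query string a subclass may set via setQuery. */`, would make the class readable.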


@ -0,0 +1,105 @@
package org.owasp.webgoat.lessons.admin;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.Statement;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.WebSession;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created October 28, 2003
*/
public class ProductsAdminScreen extends LessonAdapter
{
private final static String QUERY = "SELECT * FROM product_system_data";
private static Connection connection = null;
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent( WebSession s )
{
ElementContainer ec = new ElementContainer();
try
{
if ( connection == null )
{
connection = DatabaseUtilities.makeConnection( s );
}
Statement statement = connection.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
ResultSet results = statement.executeQuery( QUERY );
if ( results != null )
{
makeSuccess( s );
ResultSetMetaData resultsMetaData = results.getMetaData();
ec.addElement( DatabaseUtilities.writeTable( results, resultsMetaData ) );
}
}
catch ( Exception e )
{
s.setMessage( "Error generating " + this.getClass().getName() );
e.printStackTrace();
}
return ( ec );
}
/**
* Gets the category attribute of the ProductsAdminScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return ADMIN_FUNCTIONS;
}
/**
* Gets the role attribute of the ProductsAdminScreen object
*
* @return The role value
*/
public String getRole()
{
return HACKED_ADMIN_ROLE;
}
/**
* Gets the title attribute of the ProductsAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ( "Product Information" );
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
}
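Review bot: The `Statement` opened by `connection.createStatement(...)` in `createContent` is never closed, so every render of this screen leaks a statement (and its result set) on the shared static connection; the same pattern appears in the `createContent` methods of UserAdminScreen and ViewDatabase in this commit. The `results != null` guard is also redundant, because `executeQuery` does not return null under the JDBC contract. Since the code targets a Java version without try-with-resources, close the statement in a `finally` block as below. The static `connection` shared by all sessions is not safe under concurrent use and its `null` check can race; that is presumably acceptable for a single-user training instance, but deserves a comment on the field.
```java
protected Element createContent( WebSession s )
{
ElementContainer ec = new ElementContainer();
Statement statement = null;
try
{
// … unchanged: lazy creation of the shared static connection …
statement = connection.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
ResultSet results = statement.executeQuery( QUERY );
makeSuccess( s );
ec.addElement( DatabaseUtilities.writeTable( results, results.getMetaData() ) );
}
catch ( Exception e )
{
// … unchanged: session error message and stack trace …
}
finally
{
if ( statement != null )
{
// Closing the statement also releases its ResultSet; close is best-effort.
try { statement.close(); } catch ( Exception ignored ) { }
}
}
return ( ec );
}
```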


@ -0,0 +1,143 @@
package org.owasp.webgoat.lessons.admin;
import java.sql.Connection;
import org.owasp.webgoat.lessons.*;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.*;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created October 28, 2003
*/
public class RefreshDBScreen extends LessonAdapter
{
private final static String REFRESH = "Refresh";
private static Connection connection = null;
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent( WebSession s )
{
ElementContainer ec = new ElementContainer();
try
{
boolean refresh = s.getParser().getBooleanParameter( REFRESH, false );
if ( refresh )
{
refreshDB( s );
ec.addElement( new StringElement( "Successfully refreshed the database." ) );
}
else
{
Element label = new StringElement( "Refresh the database? " );
A link1 = ECSFactory.makeLink( "Yes", REFRESH, true );
A link2 = ECSFactory.makeLink( "No", REFRESH, false );
TD td1 = new TD().addElement( label );
TD td2 = new TD().addElement( link1 );
TD td3 = new TD().addElement( link2 );
TR row = new TR().addElement( td1 ).addElement( td2 ).addElement( td3 );
Table t = new Table().setCellSpacing( 40 ).setWidth( "50%" );
if ( s.isColor() )
{
t.setBorder( 1 );
}
t.addElement( row );
ec.addElement( t );
}
}
catch ( Exception e )
{
s.setMessage( "Error generating " + this.getClass().getName() );
e.printStackTrace();
}
return ( ec );
}
/**
* Gets the category attribute of the RefreshDBScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the role attribute of the RefreshDBScreen object
*
* @return The role value
*/
public String getRole()
{
return ADMIN_ROLE;
}
/**
* Gets the title attribute of the RefreshDBScreen object
*
* @return The title value
*/
public String getTitle()
{
return ( "Refresh Database" );
}
/**
* Description of the Method
*
* @param s Description of the Parameter
*/
public void refreshDB( WebSession s )
{
try
{
if ( connection == null )
{
connection = DatabaseUtilities.makeConnection( s );
}
CreateDB db = new CreateDB();
db.makeDB( connection );
System.out.println( "Successfully refreshed the database." );
}
catch ( Exception e )
{
s.setMessage( "Error refreshing database " + this.getClass().getName() );
e.printStackTrace();
}
}
}
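Review bot: `createContent` adds `"Successfully refreshed the database."` unconditionally on the `refresh` branch, but `refreshDB` catches every exception internally and only sets a session message, so a failed rebuild still renders as a success. Have `refreshDB` report its outcome, e.g. `public boolean refreshDB( WebSession s )` returning `true` after `db.makeDB( connection )` and `false` from the catch, and guard the success element with `if ( refreshDB( s ) )`. The `System.out.println` on the success path duplicates the message the page already shows and can be dropped. Note also that the rebuild is triggered by a plain link carrying `Refresh=true`, i.e. a state-changing action on a GET; that may be acceptable for an admin utility in a training application, but a comment saying so would keep the pattern from being copied into real lessons.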


@ -0,0 +1,278 @@
package org.owasp.webgoat.lessons.admin;
import java.util.Iterator;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.H2;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created October 28, 2003
*/
public class ReportCardScreen extends LessonAdapter
{
/**
* Description of the Field
*/
protected final static String USERNAME = "Username";
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent( WebSession s )
{
ElementContainer ec = new ElementContainer();
String user = null;
try
{
if ( s.getRequest().isUserInRole( WebSession.WEBGOAT_ADMIN ) )
{
user = s.getParser().getRawParameter( USERNAME );
}
else
{
user = s.getUserName();
}
}
catch ( Exception e )
{
}
if ( user == null )
{
user = s.getUserName();
}
ec.addElement( makeFeedback( s ));
ec.addElement( makeReportCard( s, user ) );
return ec;
}
private Element makeFeedback( WebSession s )
{
ElementContainer ec = new ElementContainer();
ec.addElement( new Center( new StringElement( "Comments and suggestions are welcome. " + s.getFeedbackAddress() )) );
return ec;
}
/**
* Gets the category attribute of the UserAdminScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the role attribute of the UserAdminScreen object
*
* @return The role value
*/
public String getRole()
{
return USER_ROLE;
}
/**
* Gets the title attribute of the UserAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ( "Report Card" );
}
/**
* Description of the Method
*
* @param screen Description of the Parameter
* @param s Description of the Parameter
* @param user Description of the Parameter
* @return Description of the Return Value
*/
private TR makeLessonRow( WebSession s, String user, Screen screen )
{
LessonTracker lessonTracker = UserTracker.instance().getLessonTracker( s, user, screen );
TR tr = new TR();
if ( lessonTracker.getCompleted() )
{
tr.setBgColor( HtmlColor.LIGHTGREEN );
}
else if ( lessonTracker.getNumVisits() == 0 )
{
tr.setBgColor( HtmlColor.LIGHTBLUE );
}
else if ( !lessonTracker.getCompleted() && lessonTracker.getNumVisits() > 10 )
{
tr.setBgColor( HtmlColor.RED );
}
else
{
tr.setBgColor( HtmlColor.YELLOW );
}
tr.addElement( new TD().addElement( screen.getTitle() ) );
tr.addElement( new TD().setAlign( "CENTER" ).addElement( lessonTracker.getCompleted() ? "Y" : "N" ) );
tr.addElement( new TD().setAlign( "CENTER" ).addElement( Integer.toString( lessonTracker.getNumVisits() ) ) );
tr.addElement( new TD().setAlign( "CENTER" ).addElement( Integer.toString( lessonTracker.getMaxHintLevel() ) ) );
tr.addElement( new TD().setAlign( "CENTER" ).addElement( lessonTracker.getViewedCookies() ? "Y" : "N" ) );
tr.addElement( new TD().setAlign( "CENTER" ).addElement( lessonTracker.getViewedHtml() ? "Y" : "N" ) );
tr.addElement( new TD().setAlign( "CENTER" ).addElement( lessonTracker.getViewedLessonPlan() ? "Y" : "N" ) );
tr.addElement( new TD().setAlign( "CENTER" ).addElement( lessonTracker.getViewedParameters() ? "Y" : "N" ) );
tr.addElement( new TD().setAlign( "CENTER" ).addElement( lessonTracker.getViewedSource() ? "Y" : "N" ) );
return tr;
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeMessages( WebSession s )
{
ElementContainer ec = new ElementContainer();
return ( ec );
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @param user Description of the Parameter
* @return Description of the Return Value
*/
public Element makeReportCard( WebSession s, String user )
{
ElementContainer ec = new ElementContainer();
ec.addElement( makeUser( s, user ) );
Table t = new Table().setCellSpacing( 0 ).setCellPadding( 2 ).setBorder( 1 );
if ( s.isColor() )
{
t.setBorder( 1 );
}
TR tr = new TR();
t.addElement( makeUserHeaderRow() );
// These are all the user lesson
tr = new TR();
tr.addElement( new TD().setAlign( "CENTER" ).setColSpan( 9 ).addElement( "Normal user lessons" ) );
t.addElement( tr );
for ( Iterator lessonIter = s.getCourse().getLessons( s, AbstractLesson.USER_ROLE ).iterator(); lessonIter.hasNext(); )
{
Screen screen = (Screen) lessonIter.next();
t.addElement( makeLessonRow( s, user, screen ) );
}
// The user figured out there was a hackable admin acocunt
tr = new TR();
tr.addElement( new TD().setAlign( "CENTER" ).setColSpan( 9 ).addElement( "Hackable Admin Screens" ) );
t.addElement( tr );
for ( Iterator lessonIter = s.getCourse().getLessons( s, AbstractLesson.HACKED_ADMIN_ROLE ).iterator(); lessonIter.hasNext(); )
{
Screen screen = (Screen) lessonIter.next();
t.addElement( makeLessonRow( s, user, screen ) );
}
// The user figured out how to actually hack the admin acocunt
tr = new TR();
tr.addElement( new TD().setAlign( "CENTER" ).setColSpan( 9 ).addElement( "Actual Admin Screens" ) );
t.addElement( tr );
for ( Iterator lessonIter = s.getCourse().getLessons( s, AbstractLesson.ADMIN_ROLE ).iterator(); lessonIter.hasNext(); )
{
Screen screen = (Screen) lessonIter.next();
t.addElement( makeLessonRow( s, user, screen ) );
}
ec.addElement( t );
return ( ec );
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @param user Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeUser( WebSession s, String user )
{
H2 h2 = new H2();
// FIXME: The session is the current session, not the session of the user we are reporting.
//String type = s.isAdmin() ? " [Administrative User]" : s.isHackedAdmin() ? " [Normal User - Hacked Admin Access]" : " [Normal User]";
String type = "";
h2.addElement( new StringElement( "Results for: " + user + type ) );
return h2;
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
private TR makeUserHeaderRow()
{
TR tr = new TR();
tr.addElement( new TH( "Lesson" ) );
tr.addElement( new TH( "Complete" ) );
tr.addElement( new TH( "Visits" ) );
tr.addElement( new TH( "Hints" ) );
tr.addElement( new TH( "Cookies" ) );
tr.addElement( new TH( "HTML" ) );
tr.addElement( new TH( "LessonPlan" ) );
tr.addElement( new TH( "Parameters" ) );
tr.addElement( new TH( "Source" ) );
return tr;
}
}
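Review bot: The `catch ( Exception e ) { }` in `createContent` is empty, so a failure in `isUserInRole` or `getRawParameter` is silently folded into the `user == null` fallback with no trace; at minimum name the variable `ignored` and add a comment that falling back to the session's own user is intended. In `makeLessonRow` the `!lessonTracker.getCompleted() &&` in the third branch is redundant, since the first branch of the same chain already handles completed lessons, and it reduces to `else if ( lessonTracker.getNumVisits() > 10 )`. The admin-supplied `USERNAME` parameter is also concatenated straight into the `H2` in `makeUser` via `"Results for: " + user`; ECS's `StringElement` presumably emits it verbatim, so encoding it before insertion is worth considering even though only administrators reach that path.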


@ -0,0 +1,292 @@
package org.owasp.webgoat.lessons.admin;
import java.util.Enumeration;
import java.util.Iterator;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created October 28, 2003
*/
public class SummaryReportCardScreen extends LessonAdapter
{
private int totalUsersNormalComplete = 0;
private int totalUsersAdminComplete = 0;
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent( WebSession s )
{
ElementContainer ec = new ElementContainer();
String selectedUser = null;
try
{
if ( s.getRequest().isUserInRole( WebSession.WEBGOAT_ADMIN ) )
{
Enumeration e = s.getParser().getParameterNames();
while ( e.hasMoreElements() )
{
String key = (String) e.nextElement();
if ( key.startsWith( "View_" ) )
{
selectedUser = key.substring( "View_".length() );
ReportCardScreen reportCard = new ReportCardScreen();
return reportCard.makeReportCard( s, selectedUser );
}
if ( key.startsWith( "Delete_" ) )
{
selectedUser = key.substring( "Delete_".length() );
deleteUser( selectedUser );
}
}
}
}
catch ( Exception e )
{
e.printStackTrace();
}
ec.addElement( new Center().addElement(makeSummary(s)) );
ec.addElement( new P() );
Table t = new Table().setCellSpacing( 0 ).setCellPadding( 4 ).setBorder( 1 ).setWidth("100%");
if ( s.isColor() )
{
t.setBorder( 1 );
}
t.addElement( makeUserSummaryHeader() );
for ( Iterator userIter = UserTracker.instance().getAllUsers(WebSession.WEBGOAT_USER).iterator(); userIter.hasNext(); )
{
String user = (String) userIter.next();
t.addElement( makeUserSummaryRow( s, user ) );
}
ec.addElement( new Center().addElement( t ) );
return ec;
}
protected Element makeSummary( WebSession s)
{
Table t = new Table().setCellSpacing( 0 ).setCellPadding( 2 ).setBorder( 0 ).setWidth("100%");
if ( s.isColor() )
{
t.setBorder( 1 );
}
TR tr = new TR();
//tr.addElement( new TH().addElement( "Summary").setColSpan(1));
//t.addElement( tr );
tr = new TR();
tr.addElement( new TD().setWidth("60%").addElement( "Total number of users"));
tr.addElement( new TD().setAlign("LEFT").addElement(Integer.toString( UserTracker.instance().getAllUsers(WebSession.WEBGOAT_USER).size() )));
t.addElement( tr );
tr = new TR();
tr.addElement( new TD().setWidth("60%").addElement( "Total number of users that completed all normal lessons"));
tr.addElement( new TD().setAlign("LEFT").addElement(Integer.toString( totalUsersNormalComplete )));
t.addElement( tr );
tr = new TR();
tr.addElement( new TD().setWidth("60%").addElement( "Total number of users that completed all admin lessons"));
tr.addElement( new TD().setAlign("LEFT").addElement(Integer.toString( totalUsersAdminComplete )));
t.addElement( tr );
return t;
}
private void deleteUser( String user )
{
UserTracker.instance().deleteUser( user );
}
/**
* Gets the category attribute of the UserAdminScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the role attribute of the UserAdminScreen object
*
* @return The role value
*/
public String getRole()
{
return ADMIN_ROLE;
}
/**
* Gets the title attribute of the UserAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ( "Summary Report Card" );
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeMessages( WebSession s )
{
ElementContainer ec = new ElementContainer();
return ( ec );
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
protected Element makeUserSummaryHeader()
{
TR tr = new TR();
tr.addElement( new TH( "User Name" ) );
tr.addElement( new TH( "Normal Complete" ) );
tr.addElement( new TH( "Admin Complete" ) );
tr.addElement( new TH( "View" ) );
tr.addElement( new TH( "Delete" ) );
return tr;
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @param user Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeUserSummaryRow( WebSession s, String user )
{
TR tr = new TR();
tr.addElement( new TD().setAlign( "LEFT" ).addElement( user ) );
int lessonCount = 0;
int passedCount = 0;
boolean normalComplete = false;
boolean adminComplete = false;
for ( Iterator lessonIter = s.getCourse().getLessons( s, AbstractLesson.USER_ROLE ).iterator(); lessonIter.hasNext(); )
{
lessonCount++;
Screen screen = (Screen) lessonIter.next();
LessonTracker lessonTracker = UserTracker.instance().getLessonTracker( s, user, screen );
if ( lessonTracker.getCompleted() )
{
passedCount++;
}
}
if ( lessonCount == passedCount )
{
normalComplete = true;
totalUsersNormalComplete++;
}
String text = Integer.toString( passedCount ) + " of " + Integer.toString( lessonCount );
tr.addElement( new TD().setAlign( "CENTER" ).addElement( text ) );
lessonCount = 0;
passedCount = 0;
for ( Iterator lessonIter = s.getCourse().getLessons( s, AbstractLesson.HACKED_ADMIN_ROLE ).iterator(); lessonIter.hasNext(); )
{
lessonCount++;
Screen screen = (Screen) lessonIter.next();
LessonTracker lessonTracker = UserTracker.instance().getLessonTracker( s, user, screen );
if ( lessonTracker.getCompleted() )
{
passedCount++;
}
}
if ( lessonCount == passedCount )
{
adminComplete = true;
totalUsersAdminComplete++;
}
text = Integer.toString( passedCount ) + " of " + Integer.toString( lessonCount );
tr.addElement( new TD().setAlign( "CENTER" ).addElement( text ) );
tr.addElement( new TD().setAlign( "CENTER" ).addElement( new Input( Input.SUBMIT, "View_" + user, "View" ) ) );
tr.addElement( new TD().setAlign( "CENTER" ).addElement( new Input( Input.SUBMIT, "Delete_" + user, "Delete" ) ) );
if ( normalComplete && adminComplete )
{
tr.setBgColor( HtmlColor.GREEN );
}
else if ( normalComplete )
{
tr.setBgColor( HtmlColor.LIGHTGREEN );
}
else
{
tr.setBgColor( HtmlColor.LIGHTBLUE );
}
return ( tr );
}
public boolean isEnterprise()
{
return true;
}
}
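Review bot: `makeSummary( s )` is added to the page before the user table is built, yet the counters it displays, `totalUsersNormalComplete` and `totalUsersAdminComplete`, are only incremented later inside `makeUserSummaryRow` and are never reset, so the summary shows the previous request's totals and they keep growing across renders. Reset both fields to 0 at the top of `createContent` and move the pair `ec.addElement( new Center().addElement(makeSummary(s)) ); ec.addElement( new P() );` to after the user loop, just before `ec.addElement( new Center().addElement( t ) );`. Because these are instance fields on a lesson object that is presumably shared between sessions, concurrent admin views can also interleave the counts; passing locals through the row builder (or returning a small result holder) would avoid that. Separately, any request parameter named `Delete_<user>` removes that user in the same request without confirmation, which deserves a comment at the `deleteUser( selectedUser )` call.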


@ -0,0 +1,106 @@
package org.owasp.webgoat.lessons.admin;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.Statement;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.WebSession;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created October 28, 2003
*/
public class UserAdminScreen extends LessonAdapter
{
private final static String QUERY = "SELECT * FROM user_system_data";
private static Connection connection = null;
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent( WebSession s )
{
ElementContainer ec = new ElementContainer();
try
{
if ( connection == null )
{
connection = DatabaseUtilities.makeConnection( s );
}
Statement statement = connection.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
ResultSet results = statement.executeQuery( QUERY );
if ( results != null )
{
makeSuccess( s );
ResultSetMetaData resultsMetaData = results.getMetaData();
ec.addElement( DatabaseUtilities.writeTable( results, resultsMetaData ) );
}
}
catch ( Exception e )
{
s.setMessage( "Error generating " + this.getClass().getName() );
e.printStackTrace();
}
return ( ec );
}
/**
* Gets the category attribute of the UserAdminScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the role attribute of the UserAdminScreen object
*
* @return The role value
*/
public String getRole()
{
return HACKED_ADMIN_ROLE;
}
/**
* Gets the title attribute of the UserAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ( "User Information" );
}
}


@ -0,0 +1,147 @@
package org.owasp.webgoat.lessons.admin;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import org.owasp.webgoat.lessons.*;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Input;
import org.owasp.webgoat.session.*;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created October 28, 2003
*/
public class ViewDatabase extends LessonAdapter
{
private final static String SQL = "sql";
private static Connection connection = null;
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent( WebSession s )
{
ElementContainer ec = new ElementContainer();
try
{
ec.addElement( new StringElement( "Enter a SQL statement: " ) );
StringBuffer sqlStatement = new StringBuffer( s.getParser().getRawParameter( SQL, "" ) );
Input input = new Input( Input.TEXT, SQL, sqlStatement.toString() );
ec.addElement( input );
Element b = ECSFactory.makeButton( "Go!" );
ec.addElement( b );
if ( connection == null )
{
connection = DatabaseUtilities.makeConnection( s );
}
if(sqlStatement.length() > 0)
{
Statement statement = connection.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
ResultSet results = statement.executeQuery( sqlStatement.toString() );
if ( ( results != null ) && ( results.first() == true ) )
{
makeSuccess( s );
ResultSetMetaData resultsMetaData = results.getMetaData();
ec.addElement( DatabaseUtilities.writeTable( results, resultsMetaData ) );
}
}
}
catch ( Exception e )
{
s.setMessage( "Error generating " + this.getClass().getName() );
e.printStackTrace();
}
return ( ec );
}
/**
* Gets the category attribute of the DatabaseScreen object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return ADMIN_FUNCTIONS;
}
private final static Integer DEFAULT_RANKING = new Integer(1000);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the hints attribute of the DatabaseScreen object
*
* @return The hints value
*/
protected List getHints()
{
List hints = new ArrayList();
hints.add( "There are no hints defined" );
return hints;
}
/**
* Gets the instructions attribute of the ViewDatabase object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "Please post a message to to the WebGoat forum. Your messages will be available for everyone to read.";
return ( instructions );
}
/**
* Gets the role attribute of the ViewDatabase object
*
* @return The role value
*/
public String getRole()
{
return HACKED_ADMIN_ROLE;
}
/**
* Gets the title attribute of the DatabaseScreen object
*
* @return The title value
*/
public String getTitle()
{
return ( "Database Dump" );
}
}
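Review bot: `getInstructions` returns `"Please post a message to to the WebGoat forum. Your messages will be available for everyone to read."`, which describes a forum lesson rather than this screen and contains a doubled "to"; replace it with text matching the prompt on the page, e.g. `"Enter a SQL statement and press Go! to run it against the WebGoat database and view the results."`. The `StringBuffer` wrapping the parameter is never appended to, so a plain `String sql = s.getParser().getRawParameter( SQL, "" );` reads more clearly, and `results.first() == true` can simply be `results.first()`. Executing the entered statement verbatim is the stated purpose of this hackable-admin screen, so that stays, but `getHints` returning `"There are no hints defined"` suggests the hint list was never filled in and should either get real hints or return an empty list.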


@ -0,0 +1,67 @@
package org.owasp.webgoat.lessons.admin;
import org.owasp.webgoat.lessons.WelcomeScreen;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.H1;
import org.owasp.webgoat.session.WebSession;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created October 28, 2003
*/
public class WelcomeAdminScreen extends WelcomeScreen
{
/**
* Constructor for the WelcomeAdminScreen object
*
* @param s Description of the Parameter
*/
public WelcomeAdminScreen( WebSession s )
{
super( s );
}
/**
* Constructor for the WelcomeAdminScreen object
*/
public WelcomeAdminScreen() { }
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent( WebSession s )
{
ElementContainer ec = new ElementContainer();
ec.addElement( new Center( new H1( "You are logged on as an administrator" ) ) );
ec.addElement( super.createContent( s ) );
return ( ec );
}
/**
* Gets the title attribute of the WelcomeAdminScreen object
*
* @return The title value
*/
public String getTitle()
{
return ( "Admin Welcome" );
}
}