From 775fdad7c442be0b47ca30c102713e921eb4e08f Mon Sep 17 00:00:00 2001 From: "brandon.devries" Date: Tue, 12 Aug 2008 14:33:22 +0000 Subject: [PATCH] some cleanup, and removing unneeded ClassNotFoundExceptions git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@361 4033779f-a91e-0410-96ef-6bf7bf53c507 --- .../CrossSiteScripting.java | 5 +++- .../CrossSiteScripting/FindProfile.java | 1 - .../CrossSiteScripting/UpdateProfile.java | 4 ---- .../CrossSiteScripting/ViewProfile.java | 4 ---- .../DBCrossSiteScripting/UpdateProfile.java | 17 +------------- .../GoatHillsFinancial/UpdateProfile.java | 4 ---- .../RoleBasedAccessControl/UpdateProfile.java | 4 ---- .../lessons/SQLInjection/SQLInjection.java | 2 +- .../webgoat/session/DatabaseUtilities.java | 15 ++++++++---- .../org/owasp/webgoat/session/WebSession.java | 23 +++++++++++++++---- 10 files changed, 34 insertions(+), 45 deletions(-) diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java index 96ae2e6da..4082f5967 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java @@ -149,6 +149,9 @@ public class CrossSiteScripting extends GoatHillsFinancial hints.add("Stage2: The java.util.regex package is useful for filtering string values."); // Stage 3 + hints + .add("Stage3: Browsers recognize and decode HTML entity encoded content after parsing and interpretting HTML tags."); + hints.add("Stage3: An HTML entity encoder is provided in the ParameterParser class."); // Stage 4 hints @@ -177,7 +180,7 @@ public class CrossSiteScripting extends GoatHillsFinancial { instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.
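Review bot: The new Stage 3 hint in the first hunk of CrossSiteScripting.java misspells "interpreting" as "interpretting" in a string that is shown to the user; change it to `.add("Stage3: Browsers recognize and decode HTML entity encoded content after parsing and interpreting HTML tags.");`. The second hunk of this file (the reworded Stage 1 instructions) reads fine as is.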
" + "As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page. " - + "Verify that 'Jerry' is affected by the attack.
The passwords for the accounts are the prenames."; + + "Verify that 'Jerry' is affected by the attack.
(The passwords for the accounts are the first names.)"; } else if (STAGE2.equals(stage)) { diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java index 1ab4068e1..b98f08ae2 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java @@ -17,7 +17,6 @@ import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -import org.owasp.webgoat.util.HtmlEncoder; /*************************************************************************************************** diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java index b2e8d0fa8..0682cc5b0 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java @@ -378,10 +378,6 @@ public class UpdateProfile extends DefaultLessonAction { sqle.printStackTrace(); s.setMessage("Error updating employee profile"); - } catch (ClassNotFoundException e) - { - // TODO Auto-generated catch block - e.printStackTrace(); } return uid + 1; } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java index 430c4cb79..4fdc04ea8 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java 
@@ -4,18 +4,14 @@ package org.owasp.webgoat.lessons.CrossSiteScripting; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; -import org.apache.ecs.xhtml.html; import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.session.Employee; import org.owasp.webgoat.session.ParameterNotFoundException; -import org.owasp.webgoat.session.ParameterParser; import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -import org.owasp.webgoat.util.HtmlEncoder; -import com.sun.corba.se.spi.activation.Server; /*************************************************************************************************** diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java index d9e3a4f07..7a9a328eb 100755 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java @@ -118,10 +118,6 @@ public class UpdateProfile extends DefaultLessonAction setStageComplete(s, DBCrossSiteScripting.STAGE2); } - } catch (ClassNotFoundException e) - { - s.setMessage("Error updating employee profile"); - e.printStackTrace(); } try 
@@ -146,10 +142,7 @@ public class UpdateProfile extends DefaultLessonAction return DBCrossSiteScripting.VIEWPROFILE_ACTION; } - public void changeEmployeeProfile(WebSession s, int userId, int subjectId, Employee employee) throws SQLException, - ClassNotFoundException - { - try + public void changeEmployeeProfile(WebSession s, int userId, int subjectId, Employee employee) throws SQLException { String update = " { CALL UPDATE_EMPLOYEE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) }"; CallableStatement call = WebSession.getConnection(s).prepareCall(update); @@ -171,10 +164,6 @@ public class UpdateProfile extends DefaultLessonAction call.setString(15, employee.getDisciplinaryActionNotes()); call.setString(16, employee.getPersonalDescription()); call.executeUpdate(); - } catch (ClassNotFoundException e) - { - e.printStackTrace(); - } } public void createEmployeeProfile(WebSession s, int userId, Employee employee) throws UnauthorizedException @@ -230,10 +219,6 @@ public class UpdateProfile extends DefaultLessonAction { sqle.printStackTrace(); s.setMessage("Error updating employee profile"); - } catch (ClassNotFoundException e) - { - // TODO Auto-generated catch block - e.printStackTrace(); } return uid + 1; } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java index 3760aa5f1..f0f2715d0 100755 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java @@ -167,10 +167,6 @@ public class UpdateProfile extends DefaultLessonAction { sqle.printStackTrace(); s.setMessage("Error updating employee profile"); - } catch (ClassNotFoundException e) - { - // TODO Auto-generated catch block - e.printStackTrace(); } return uid + 1; } 
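Review bot: With the try/catch removed from changeEmployeeProfile, the CallableStatement created by `WebSession.getConnection(s).prepareCall(update)` is still never closed, so each call leaks a statement on the per-user connection that DatabaseUtilities keeps cached (the connection itself is shared, so only the statement should be closed). Wrap the parameter binding and `executeUpdate()` in a try/finally that closes `call`; the binding lines sit between the -146 and -171 hunks and are unchanged. The method's signature is in the first of those hunks and its closing brace in the second.
```java
public void changeEmployeeProfile(WebSession s, int userId, int subjectId, Employee employee) throws SQLException
{
    String update = " { CALL UPDATE_EMPLOYEE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) }";
    CallableStatement call = WebSession.getConnection(s).prepareCall(update);
    try
    {
        // … unchanged: call.setInt/call.setString binding of parameters 1–16 …
        call.executeUpdate();
    }
    finally
    {
        call.close();
    }
}
```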
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java index 70cba0845..6315d2dc2 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java @@ -213,10 +213,6 @@ public class UpdateProfile extends DefaultLessonAction { sqle.printStackTrace(); s.setMessage("Error updating employee profile"); - } catch (ClassNotFoundException e) - { - // TODO Auto-generated catch block - e.printStackTrace(); } return uid + 1; } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java index ffad7e4d9..a072a5dfe 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java @@ -115,7 +115,7 @@ public class SQLInjection extends GoatHillsFinancial .add("Many of WebGoat's database queries are already parameterized. Search the project for PreparedStatement."); // Stage 3 - hints.add("Try entering an employee_id of [ 101 OR 1=1 ORDER BY salary ]."); + hints.add("Try entering an employee_id of [ 101 or 1=1 order by salary desc ]."); // Stage 4 diff --git a/main/project/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java b/main/project/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java index abb047f8e..0875aa1cc 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java 
@@ -51,13 +51,12 @@ public class DatabaseUtilities private static Map connections = new HashMap(); private static Map dbBuilt = new HashMap(); - public static Connection getConnection(WebSession s) throws ClassNotFoundException, SQLException + public static Connection getConnection(WebSession s) throws SQLException { return getConnection(s.getUserName(), s.getWebgoatContext()); } - public static synchronized Connection getConnection(String user, WebgoatContext context) - throws ClassNotFoundException, SQLException + public static synchronized Connection getConnection(String user, WebgoatContext context) throws SQLException { Connection conn = connections.get(user); if (conn != null && !conn.isClosed()) return conn; @@ -87,8 +86,9 @@ public class DatabaseUtilities } } - private static Connection makeConnection(String user, WebgoatContext context) throws ClassNotFoundException, - SQLException + private static Connection makeConnection(String user, WebgoatContext context) throws SQLException + { + try { Class.forName(context.getDatabaseDriver()); @@ -98,6 +98,11 @@ public class DatabaseUtilities String password = context.getDatabasePassword(); String url = context.getDatabaseConnectionString(); return DriverManager.getConnection(url, userPrefix + "_" + user, password); + } catch (ClassNotFoundException cnfe) + { + cnfe.printStackTrace(); + throw new SQLException("Couldn't load the database driver: " + cnfe.getLocalizedMessage()); + } } private static Connection getHsqldbConnection(String user, WebgoatContext context) throws ClassNotFoundException, diff --git a/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java b/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java index 1560df1a6..6aa22647f 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java 
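Review bot: The new catch block in makeConnection (hunk -98) rethrows a fresh SQLException built only from `cnfe.getLocalizedMessage()` and drops the original exception, so the driver-loading failure survives only as the stderr stack trace; attach it as the cause instead, `SQLException sqle = new SQLException("Couldn't load the database driver: " + cnfe.getLocalizedMessage()); sqle.initCause(cnfe); throw sqle;`, after which the `cnfe.printStackTrace()` is redundant. The trailing context line shows `getHsqldbConnection` still declaring `throws ClassNotFoundException`, which seems at odds with the commit's stated goal of removing the unneeded declarations; its body lies outside the hunk, so I cannot tell whether it still needs it.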
@@ -3,6 +3,7 @@ package org.owasp.webgoat.session; import java.io.IOException; import java.io.PrintWriter; +import java.security.Principal; import java.sql.Connection; import java.sql.SQLException; import java.util.ArrayList; @@ -219,7 +220,7 @@ public class WebSession course.loadCourses(webgoatContext, context, "/"); } - public static synchronized Connection getConnection(WebSession s) throws SQLException, ClassNotFoundException + public static synchronized Connection getConnection(WebSession s) throws SQLException { return DatabaseUtilities.getConnection(s); } @@ -727,6 +728,11 @@ public class WebSession message.append("
" + " * " + text); } + public void setLineBreak(String text) + { + message.append("

" + text); + } + /** * Description of the Method * @@ -779,10 +785,11 @@ public class WebSession */ public String getUserName() { - // System.out.println("Request: " + getRequest() ); - // System.out.println("Principal: " + getRequest().getUserPrincipal() ); - // System.out.println("Name: " + getRequest().getUserPrincipal().getName( ) ); - return getRequest().getUserPrincipal().getName(); + HttpServletRequest request = getRequest(); + if (request == null) throw new RuntimeException("Could not find the ServletRequest in the web session"); + Principal principal = request.getUserPrincipal(); + if (principal == null) throw new RuntimeException("Could not find the Principal in the Servlet Request"); + return principal.getName(); } /** @@ -888,6 +895,7 @@ public class WebSession RandomLessonAdapter rla = (RandomLessonAdapter) al; int stage = myParser.getIntParameter(STAGE) - 1; String[] stages = rla.getStages(); + if (stages == null) stages = new String[0]; if (stage >= 0 && stage < stages.length) rla.setStage(this, stages[stage]); } catch (ParameterNotFoundException pnfe) { @@ -979,6 +987,11 @@ public class WebSession SequentialLessonAdapter sla = (SequentialLessonAdapter) al; sla.getLessonTracker(this).setStage(1); } + else if (al instanceof RandomLessonAdapter) + { + RandomLessonAdapter rla = (RandomLessonAdapter) al; + rla.setStage(this, rla.getStages()[0]); + } } /**
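Review bot: The new `else if (al instanceof RandomLessonAdapter)` branch in the last hunk indexes `rla.getStages()[0]` unguarded, so a null or empty stage array throws NullPointerException or ArrayIndexOutOfBoundsException, while the -888 hunk of this same file just added `if (stages == null) stages = new String[0];` for the same call; the two hunks should agree. Guard it the same way: `String[] stages = rla.getStages();` / `if (stages != null && stages.length > 0) rla.setStage(this, stages[0]);`. The enclosing method begins before this hunk. Separately, the new `setLineBreak` in the -727 hunk appends `text` straight into the HTML message buffer, like the existing append above it; a Javadoc line stating whether callers must pass already-encoded text would make that contract explicit.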