From 7e7936e43c764380aedbc2aaef1fcd253fd91a42 Mon Sep 17 00:00:00 2001 From: "wirth.marcel" Date: Wed, 9 Apr 2008 14:09:31 +0000 Subject: [PATCH] Session Fixation git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@311 4033779f-a91e-0410-96ef-6bf7bf53c507 --- .../webgoat/lessons/SessionFixation.java | 104 ++++++++++++++---- 1 file changed, 82 insertions(+), 22 deletions(-) diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java index 77510a4e8..60a7088e5 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java @@ -110,24 +110,28 @@ public class SessionFixation extends SequentialLessonAdapter if(correctLogin(name, password, s)) { getLessonTracker(s).setStage(4); + sid=""; + s.add(LOGGEDIN, "true"); + s.add(LOGGEDINUSER, name); s.setMessage("You completed stage 3!"); } } if(getLessonTracker(s).getStage() == 4) { - if (sid.equals("")) + + if (sid.equals("NOVALIDSESSION")) { - String randomSid = randomSIDGenerator(); - this.sid = randomSid; + System.out.println("STAGE 5"); + getLessonTracker(s).setStage(5); } + } if (getLessonTracker(s).getStage() == 2) { if (!sid.equals("")) { - System.out.println("MySid: " + sid); s.add("SID", sid); getLessonTracker(s).setStage(3); s.setMessage("You completed stage 2!"); @@ -165,13 +169,6 @@ public class SessionFixation extends SequentialLessonAdapter return ec; } - - @Override - public String getHint(WebSession s, int hintNumber) - { - // TODO Auto-generated method stub - return super.getHint(s, hintNumber); - } @Override protected Element doStage2(WebSession s) throws Exception @@ -184,10 +181,10 @@ public class SessionFixation extends SequentialLessonAdapter private Element createStage2Content(WebSession s) { ElementContainer ec = new ElementContainer(); - + String mailHeader = "MailFrom:   admin@webgoatfinancial.com
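Review bot: `sid="";` on the successful-login path writes to what looks like an instance field (the removed line assigned `this.sid`), so if one lesson object serves several concurrent users, a login at stage 3 by one user wipes the SID another user has just fixated; where `sid` is declared is outside this hunk, so please confirm it is per-user state rather than shared lesson state. The stage-5 transition compares against the bare literal `"NOVALIDSESSION"`, which the hints hunk repeats in prose; a constant such as `private static final String NO_VALID_SESSION = "NOVALIDSESSION";` ties the two together. `System.out.println("STAGE 5");` is leftover debug output on stdout. The enclosing method begins and ends outside the hunk.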

"; String mailContent = (String) s.get(MAILCONTENTNAME); - ec.addElement(mailContent); + ec.addElement(mailHeader + mailContent); return ec; @@ -204,6 +201,19 @@ public class SessionFixation extends SequentialLessonAdapter { return createStage4Content(s); } + + @Override + protected Element doStage5(WebSession s) throws Exception + { + System.out.println("Doing stage 5"); + return createStage5Content(s); + } + + private Element createStage5Content(WebSession s) + { + + return createMainLoginContent(s); + } private Element createStage3Content(WebSession s) { @@ -214,7 +224,9 @@ public class SessionFixation extends SequentialLessonAdapter private Element createStage4Content(WebSession s) { ElementContainer ec = new ElementContainer(); - ec.addElement("Hello Hacker"); + ec.addElement("

Jane has logged into her account. Go and grab her session!" + + " Use Following link to reach the login screen of the bank:



" + + "
WebGoat Financial




"); return ec; //return createMainLoginContent(s); } @@ -227,7 +239,7 @@ public class SessionFixation extends SequentialLessonAdapter + "During the last week we had a few problems with our database. " + "A lot of people complained that there account details are wrong. " + "That is why we kindly ask you to use following link to verify your " - + "data:


Goat Hills Financial


" + "We are sorry for the caused inconvenience and thank you for your colaboration.

" @@ -395,11 +407,21 @@ public class SessionFixation extends SequentialLessonAdapter } else if (sid.equals(s.get("SID")) && s.get(LOGGEDIN).equals("true")) { + makeSuccess(s); createSuccessfulLoginContent(s, ec); } else { - createLogInContent(ec, ""); + if((name+password).equals("")) + { + createLogInContent(ec, ""); + + } + else + { + createLogInContent(ec, "Login Failed! Make sure user name and password is correct!"); + + } } } catch (Exception e) { @@ -436,9 +458,10 @@ public class SessionFixation extends SequentialLessonAdapter */ private boolean correctLogin(String userName, String password, WebSession s) { + Connection connection = null; try { - Connection connection = DatabaseUtilities.getConnection(s); + connection = DatabaseUtilities.getConnection(s); String query = "SELECT * FROM user_data_tan WHERE first_name = ? AND password = ?"; PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); @@ -457,6 +480,21 @@ public class SessionFixation extends SequentialLessonAdapter { e.printStackTrace(); } + finally + { + try + { + if (connection != null) + { + connection.close(); + } + } + catch (Exception e) + { + e.printStackTrace(); + } + } + return false; @@ -520,7 +558,6 @@ public class SessionFixation extends SequentialLessonAdapter */ private void createSuccessfulLoginContent(WebSession s, ElementContainer ec) { - String userDataStyle = "margin-top:50px;"; Div userDataDiv = new Div(); @@ -598,9 +635,10 @@ public class SessionFixation extends SequentialLessonAdapter */ private ResultSet getUser(String user, WebSession s) { + Connection connection = null; try { - Connection connection = DatabaseUtilities.getConnection(s); + connection = DatabaseUtilities.getConnection(s); String query = "SELECT * FROM user_data_tan WHERE first_name = ? "; PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); 
@@ -614,6 +652,20 @@ public class SessionFixation extends SequentialLessonAdapter { e.printStackTrace(); } + finally + { + try + { + if (connection != null) + { + connection.close(); + } + } + catch (Exception e) + { + e.printStackTrace(); + } + } return null; } @@ -661,9 +713,11 @@ public class SessionFixation extends SequentialLessonAdapter hints.add("Stage 1: Alter the link in the mail to: href=" + getLink() + "&SID=Whatever"); hints.add("Stage 2: Click on the link!"); hints.add("Stage 3: Log in as Jane with user name jane and password tarzan."); + hints.add("Stage 4: Click on the link provided"); + hints.add("Stage 4: What is your actual SID?"); + hints.add("Stage 4: Change the SID (NOVALIDSESSION) to the choosen one in the mail"); - hints.add("Stage 2: Watch out for hidden fields"); - hints.add("Stage 2: Manipulate the hidden field 'hidden_tan'"); + return hints; @@ -675,6 +729,10 @@ public class SessionFixation extends SequentialLessonAdapter public String getInstructions(WebSession s) { int stage = getLessonTracker(s).getStage(); + if (stage > 4) + { + stage = 4; + } String instructions = "STAGE " +stage+": "; if(stage == 1) { @@ -698,9 +756,11 @@ public class SessionFixation extends SequentialLessonAdapter } else if (stage == 4) { - instructions += "It is time to steal the session.
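Review bot: all three new hints are labelled "Stage 4" even though the commit adds a stage 5 (`doStage5`), and `getInstructions` now clamps any stage above 4 back to 4; if stage 5 is meant to be invisible to the player, a short comment above these `hints.add` calls saying so would spare the next reader the search. The third hint has a typo, "choosen" → "chosen". The enclosing method begins and ends outside the hunk.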
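Review bot: the clamp `if (stage > 4) { stage = 4; }` carries no explanation and hard-codes the stage count, which the `stage == 4` branch in the next hunk repeats; a comment such as `// stage 5 (see doStage5) reuses the stage-4 instructions` names the reason, and a constant shared with the hints would keep the number in one place. The enclosing method continues past the hunk.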

You are: Hacker Joe "; + instructions += "It is time to steal the session now. Just use the link you sent to " + + "Jane.

You are: Hacker Joe "; } + return (instructions); }