dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Session Fixation

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@311 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
wirth.marcel 2008-04-09 14:09:31 +00:00
parent 13eb970062
commit 7e7936e43c
1 changed files with 82 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

104
main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java
View File

@ -110,24 +110,28 @@ public class SessionFixation extends SequentialLessonAdapter
if(correctLogin(name, password, s)) if(correctLogin(name, password, s))
{ {
getLessonTracker(s).setStage(4); getLessonTracker(s).setStage(4);
sid="";
s.add(LOGGEDIN, "true");
s.add(LOGGEDINUSER, name);
s.setMessage("You completed stage 3!"); s.setMessage("You completed stage 3!");
} }
} }
if(getLessonTracker(s).getStage() == 4) if(getLessonTracker(s).getStage() == 4)
{ {
if (sid.equals(""))
if (sid.equals("NOVALIDSESSION"))
{ {
String randomSid = randomSIDGenerator(); System.out.println("STAGE 5");
this.sid = randomSid; getLessonTracker(s).setStage(5);
} }
} }
if (getLessonTracker(s).getStage() == 2) if (getLessonTracker(s).getStage() == 2)
{ {
if (!sid.equals("")) if (!sid.equals(""))
{ {
System.out.println("MySid: " + sid);
s.add("SID", sid); s.add("SID", sid);
getLessonTracker(s).setStage(3); getLessonTracker(s).setStage(3);
s.setMessage("You completed stage 2!"); s.setMessage("You completed stage 2!");
@ -165,13 +169,6 @@ public class SessionFixation extends SequentialLessonAdapter
return ec; return ec;
} }
@Override
public String getHint(WebSession s, int hintNumber)
{
// TODO Auto-generated method stub
return super.getHint(s, hintNumber);
}
@Override @Override
protected Element doStage2(WebSession s) throws Exception protected Element doStage2(WebSession s) throws Exception
@ -184,10 +181,10 @@ public class SessionFixation extends SequentialLessonAdapter
private Element createStage2Content(WebSession s) private Element createStage2Content(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
String mailHeader = "<b>MailFrom:</b> &nbsp;&nbsp;admin@webgoatfinancial.com<br><br>";
String mailContent = (String) s.get(MAILCONTENTNAME); String mailContent = (String) s.get(MAILCONTENTNAME);
ec.addElement(mailContent); ec.addElement(mailHeader + mailContent);
return ec; return ec;
@ -204,6 +201,19 @@ public class SessionFixation extends SequentialLessonAdapter
{ {
return createStage4Content(s); return createStage4Content(s);
} }
@Override
protected Element doStage5(WebSession s) throws Exception
{
System.out.println("Doing stage 5");
return createStage5Content(s);
}
private Element createStage5Content(WebSession s)
{
return createMainLoginContent(s);
}
private Element createStage3Content(WebSession s) private Element createStage3Content(WebSession s)
{ {
@ -214,7 +224,9 @@ public class SessionFixation extends SequentialLessonAdapter
private Element createStage4Content(WebSession s) private Element createStage4Content(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement("Hello Hacker"); ec.addElement("<h2>Jane has logged into her account. Go and grab her session!" +
" Use Following link to reach the login screen of the bank:</h2><br><br>" +
"<a href=" + super.getLink() +"&SID=NOVALIDSESSION><center> WebGoat Financial </center></a><br><br><br><br>");
return ec; return ec;
//return createMainLoginContent(s); //return createMainLoginContent(s);
} }
@ -227,7 +239,7 @@ public class SessionFixation extends SequentialLessonAdapter
+ "During the last week we had a few problems with our database. " + "During the last week we had a few problems with our database. "
+ "A lot of people complained that there account details are wrong. " + "A lot of people complained that there account details are wrong. "
+ "That is why we kindly ask you to use following link to verify your " + "That is why we kindly ask you to use following link to verify your "
+ "data:<br><br><center><a href=" + "data:<br><br><center><a href=http://localhost/WebGoat/"
+ link + link
+ "> Goat Hills Financial</a></center><br><br>" + "> Goat Hills Financial</a></center><br><br>"
+ "We are sorry for the caused inconvenience and thank you for your colaboration.<br><br>" + "We are sorry for the caused inconvenience and thank you for your colaboration.<br><br>"
@ -395,11 +407,21 @@ public class SessionFixation extends SequentialLessonAdapter
} }
else if (sid.equals(s.get("SID")) && s.get(LOGGEDIN).equals("true")) else if (sid.equals(s.get("SID")) && s.get(LOGGEDIN).equals("true"))
{ {
makeSuccess(s);
createSuccessfulLoginContent(s, ec); createSuccessfulLoginContent(s, ec);
} }
else else
{ {
createLogInContent(ec, ""); if((name+password).equals(""))
{
createLogInContent(ec, "");
}
else
{
createLogInContent(ec, "Login Failed! Make sure user name and password is correct!");
}
} }
} catch (Exception e) } catch (Exception e)
{ {
@ -436,9 +458,10 @@ public class SessionFixation extends SequentialLessonAdapter
*/ */
private boolean correctLogin(String userName, String password, WebSession s) private boolean correctLogin(String userName, String password, WebSession s)
{ {
Connection connection = null;
try try
{ {
Connection connection = DatabaseUtilities.getConnection(s); connection = DatabaseUtilities.getConnection(s);
String query = "SELECT * FROM user_data_tan WHERE first_name = ? AND password = ?"; String query = "SELECT * FROM user_data_tan WHERE first_name = ? AND password = ?";
PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY); ResultSet.CONCUR_READ_ONLY);
@ -457,6 +480,21 @@ public class SessionFixation extends SequentialLessonAdapter
{ {
e.printStackTrace(); e.printStackTrace();
} }
finally
{
try
{
if (connection != null)
{
connection.close();
}
}
catch (Exception e)
{
e.printStackTrace();
}
}
return false; return false;
@ -520,7 +558,6 @@ public class SessionFixation extends SequentialLessonAdapter
*/ */
private void createSuccessfulLoginContent(WebSession s, ElementContainer ec) private void createSuccessfulLoginContent(WebSession s, ElementContainer ec)
{ {
String userDataStyle = "margin-top:50px;"; String userDataStyle = "margin-top:50px;";
Div userDataDiv = new Div(); Div userDataDiv = new Div();
@ -598,9 +635,10 @@ public class SessionFixation extends SequentialLessonAdapter
*/ */
private ResultSet getUser(String user, WebSession s) private ResultSet getUser(String user, WebSession s)
{ {
Connection connection = null;
try try
{ {
Connection connection = DatabaseUtilities.getConnection(s); connection = DatabaseUtilities.getConnection(s);
String query = "SELECT * FROM user_data_tan WHERE first_name = ? "; String query = "SELECT * FROM user_data_tan WHERE first_name = ? ";
PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY); ResultSet.CONCUR_READ_ONLY);
@ -614,6 +652,20 @@ public class SessionFixation extends SequentialLessonAdapter
{ {
e.printStackTrace(); e.printStackTrace();
} }
finally
{
try
{
if (connection != null)
{
connection.close();
}
}
catch (Exception e)
{
e.printStackTrace();
}
}
return null; return null;
} }
@ -661,9 +713,11 @@ public class SessionFixation extends SequentialLessonAdapter
hints.add("Stage 1: Alter the link in the mail to: href=" + getLink() + "&SID=Whatever"); hints.add("Stage 1: Alter the link in the mail to: href=" + getLink() + "&SID=Whatever");
hints.add("Stage 2: Click on the link!"); hints.add("Stage 2: Click on the link!");
hints.add("Stage 3: Log in as Jane with user name jane and password tarzan."); hints.add("Stage 3: Log in as Jane with user name jane and password tarzan.");
hints.add("Stage 4: Click on the link provided");
hints.add("Stage 4: What is your actual SID?");
hints.add("Stage 4: Change the SID (NOVALIDSESSION) to the choosen one in the mail");
hints.add("Stage 2: Watch out for hidden fields");
hints.add("Stage 2: Manipulate the hidden field 'hidden_tan'");
return hints; return hints;
@ -675,6 +729,10 @@ public class SessionFixation extends SequentialLessonAdapter
public String getInstructions(WebSession s) public String getInstructions(WebSession s)
{ {
int stage = getLessonTracker(s).getStage(); int stage = getLessonTracker(s).getStage();
if (stage > 4)
{
stage = 4;
}
String instructions = "STAGE " +stage+": "; String instructions = "STAGE " +stage+": ";
if(stage == 1) if(stage == 1)
{ {
@ -698,9 +756,11 @@ public class SessionFixation extends SequentialLessonAdapter
} }
else if (stage == 4) else if (stage == 4)
{ {
instructions += "It is time to steal the session. <br><br><b>You are: Hacker Joe</b> "; instructions += "It is time to steal the session now. Just use the link you sent to " +
"Jane.<br><br><b>You are: Hacker Joe</b> ";
} }
return (instructions); return (instructions);
} }