dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- This patch fixes Forced Browsing lesson by removing any custom coding for WebSession and HammerHead.java

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@34 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
sherif.fathy 2006-12-04 04:35:04 +00:00
parent 51d40b7b22
commit 80a2add2d7
4 changed files with 53 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
webgoat/main/project/JavaSource/org/owasp/webgoat/HammerHead.java
View File

@ -307,9 +307,6 @@ public class HammerHead extends HttpServlet
s.setHasHackableAdmin( screen.getRole() ); s.setHasHackableAdmin( screen.getRole() );
//More bookkeeping here to see if the user was able to force browse to the
//config URL.
s.setHasHackableConfig( s.getRequest().getRequestURI());
lesson.handleRequest( s ); lesson.handleRequest( s );
s.setCurrentMenu( lesson.getCategory().getRanking() ); s.setCurrentMenu( lesson.getCategory().getRanking() );
} }

37
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java
View File

@ -6,7 +6,16 @@ import java.util.List;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement; import org.apache.ecs.StringElement;
import org.apache.ecs.html.B;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
/** /**
@ -20,7 +29,7 @@ import org.owasp.webgoat.session.WebSession;
*/ */
public class ForcedBrowsing extends LessonAdapter public class ForcedBrowsing extends LessonAdapter
{ {
private final static String SUCCEEDED = "succeeded";
/** /**
* Description of the Method * Description of the Method
* *
@ -30,9 +39,31 @@ public class ForcedBrowsing extends LessonAdapter
protected Element createContent( WebSession s ) protected Element createContent( WebSession s )
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
String success = new String( s.getParser().getStringParameter( SUCCEEDED, "" ) );
if ( s.completedHackableConfig() ) if ( success.length()!= 0 && success.equals("yes") )
{ {
ec.addElement( new BR().addElement (new H1().addElement( "Welcome to WebGoat Configuration Page")));
ec.addElement( new BR());
Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center");
TR tr = new TR();
tr.addElement( new TD( new StringElement( "Set Admin Privileges for: " ) ));
Input input1 = new Input( Input.TEXT, "", "" );
tr.addElement( new TD( input1 ) );
t1.addElement( tr );
tr = new TR();
tr.addElement( new TD( new StringElement ( "Set Admin Password:" )));
input1 = new Input( Input.PASSWORD, "", "");
tr.addElement( new TD(input1));
t1.addElement( tr );
Element b = ECSFactory.makeButton( "Submit" );
t1.addElement( new TR( new TD( b ).setColSpan(2).setAlign("right") ) );
ec.addElement(t1);
makeSuccess( s ); makeSuccess( s );
} }
else else

20
webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java
View File

@ -226,8 +226,6 @@ public class WebSession
private boolean completedHackableAdmin = false; private boolean completedHackableAdmin = false;
private boolean completedHackableConfig = false;
private int currentMenu; private int currentMenu;
/** /**
@ -726,16 +724,6 @@ public class WebSession
return ( completedHackableAdmin ); return ( completedHackableAdmin );
} }
/**
* Has the user ever hacked the hackable config URL
*
* @return The hackable config value
*/
public boolean completedHackableConfig()
{
return ( completedHackableConfig );
}
/** /**
* Gets the authenticated attribute of the WebSession object * Gets the authenticated attribute of the WebSession object
* *
@ -1115,14 +1103,6 @@ public class WebSession
} }
} }
public void setHasHackableConfig ( String url)
{
if ( url.indexOf("config") >= 0)
{
completedHackableConfig = true;
}
}
/** /**
* @return Returns the isDebug. * @return Returns the isDebug.
*/ */

23
webgoat/main/project/WebContent/WEB-INF/web.xml
View File

@ -124,7 +124,7 @@
<init-param> <init-param>
<param-name>DefuseOSCommands</param-name> <param-name>DefuseOSCommands</param-name>
<param-value>true</param-value> <param-value>false</param-value>
</init-param> </init-param>
<init-param> <init-param>
@ -174,6 +174,14 @@
</description> </description>
<servlet-class>org.owasp.webgoat.LessonSource</servlet-class> <servlet-class>org.owasp.webgoat.LessonSource</servlet-class>
</servlet> </servlet>
<servlet>
<servlet-name>validate</servlet-name>
<servlet-class>org.owasp.webgoat.servlets.ValidateServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>config</servlet-name>
<jsp-file>/lessons/ConfManagement/config.jsp</jsp-file>
</servlet>
<!-- Define mappings that are used by the servlet container to <!-- Define mappings that are used by the servlet container to
translate a particular request URI (context-relative) to a translate a particular request URI (context-relative) to a
@ -227,10 +235,15 @@
<url-pattern>/attack</url-pattern> <url-pattern>/attack</url-pattern>
</servlet-mapping> </servlet-mapping>
<servlet-mapping> <servlet-mapping>
<servlet-name>WebGoat</servlet-name> <servlet-name>config</servlet-name>
<url-pattern>/config</url-pattern> <url-pattern>/config</url-pattern>
</servlet-mapping> </servlet-mapping>
<servlet-mapping>
<servlet-name>validate</servlet-name>
<url-pattern>/validate</url-pattern>
</servlet-mapping>
<servlet-mapping> <servlet-mapping>
<servlet-name>LessonSource</servlet-name> <servlet-name>LessonSource</servlet-name>