dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Updated cookie retrieval to decode. helps with people using firebug to solve since firecookie will encode

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@448 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
mayhew64@gmail.com 2012-04-23 19:56:10 +00:00
parent 8e227c41ab
commit 881c54ef2c
1 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
webgoat/src/main/java/org/owasp/webgoat/lessons/Challenge2Screen.java
View File

@ -10,6 +10,7 @@ import java.net.DatagramPacket;
import java.net.DatagramSocket; import java.net.DatagramSocket;
import java.net.InetAddress; import java.net.InetAddress;
import java.net.Socket; import java.net.Socket;
import java.net.URLDecoder;
import java.sql.Connection; import java.sql.Connection;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.Statement; import java.sql.Statement;
@ -209,7 +210,9 @@ public class Challenge2Screen extends SequentialLessonAdapter
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
// pull the USER_COOKIE from the cookies // pull the USER_COOKIE from the cookies
String user = Encoding.base64Decode(getCookie(s)); String cookie = URLDecoder.decode(getCookie(s),"utf-8");
String user = Encoding.base64Decode(cookie);
String query = "SELECT * FROM user_data WHERE last_name = '" + user + "'"; String query = "SELECT * FROM user_data WHERE last_name = '" + user + "'";
Vector<String> v = new Vector<String>(); Vector<String> v = new Vector<String>();
@ -626,12 +629,13 @@ public class Challenge2Screen extends SequentialLessonAdapter
t.setBorder(1); t.setBorder(1);
} }
String[] colWidths = new String[] { "55", "110", "260", "70" }; String[] colWidths = new String[] { "55", "110", "260", "70", "50" };
TR tr = new TR(); TR tr = new TR();
tr.addElement(new TH().addElement("Protocol").setWidth(colWidths[0])); tr.addElement(new TH().addElement("Protocol").setWidth(colWidths[0]));
tr.addElement(new TH().addElement("Local Address").setWidth(colWidths[1])); tr.addElement(new TH().addElement("Local Address").setWidth(colWidths[1]));
tr.addElement(new TH().addElement("Foreign Address").setWidth(colWidths[2])); tr.addElement(new TH().addElement("Foreign Address").setWidth(colWidths[2]));
tr.addElement(new TH().addElement("State").setWidth(colWidths[3])); tr.addElement(new TH().addElement("State").setWidth(colWidths[3]));
tr.addElement(new TH().addElement("Offload State").setWidth(colWidths[4]));
t.addElement(tr); t.addElement(tr);
String protocol = s.getParser().getRawParameter(PROTOCOL, "tcp"); String protocol = s.getParser().getRawParameter(PROTOCOL, "tcp");
@ -640,12 +644,12 @@ public class Challenge2Screen extends SequentialLessonAdapter
ExecResults er = null; ExecResults er = null;
if (osName.indexOf("Windows") != -1) if (osName.indexOf("Windows") != -1)
{ {
String cmd = "cmd.exe /c netstat -a -p " + protocol; String cmd = "cmd.exe /c netstat -ant -p " + protocol;
er = Exec.execSimple(cmd); er = Exec.execSimple(cmd);
} }
else else
{ {
String[] cmd = { "/bin/sh", "-c", "netstat -a -p " + protocol }; String[] cmd = { "/bin/sh", "-c", "netstat -ant -p " + protocol };
er = Exec.execSimple(cmd); er = Exec.execSimple(cmd);
} }
@ -673,7 +677,7 @@ public class Challenge2Screen extends SequentialLessonAdapter
tr = new TR(); tr = new TR();
TD td; TD td;
StringTokenizer tokens = new StringTokenizer(lines.nextToken(), "\t "); StringTokenizer tokens = new StringTokenizer(lines.nextToken(), "\t ");
while (tokens.hasMoreTokens() && columnCount < 4) while (tokens.hasMoreTokens() && columnCount < 5)
{ {
td = new TD().setWidth(colWidths[columnCount++]); td = new TD().setWidth(colWidths[columnCount++]);
tr.addElement(td.addElement(tokens.nextToken())); tr.addElement(td.addElement(tokens.nextToken()));