Updating README and moving webapp dir to old

This commit is contained in:
Nanne Baars 2016-04-10 21:22:20 +02:00
parent 289da771c9
commit 9066e45725
46 changed files with 1349 additions and 1640 deletions

View File

@ -44,15 +44,15 @@ first thing that all hackers claim.*
# Easy Run ( For non-developers ) # Easy Run ( For non-developers )
Every successful build of the WebGoat Lessons Container and the WebGoat Lessons in our Continuous Integration Server Every successful build of the WebGoat Lessons Container and the WebGoat Lessons in our Continuous Integration Server
creates an "Easy Run" Executable JAR file, which contains the WebGoat Lessons Server, the lessons and a embedded Tomcat server. creates an "Easy Run" Executable WAR file, which contains the WebGoat Lessons Server, the lessons and a embedded Tomcat server.
You can check for the "Last Modified" date of our "Easy Run" jar file [HERE](http://webgoat-war.s3-website-us-east-1.amazonaws.com/) You can check for the "Last Modified" date of our "Easy Run" war file [HERE](http://webgoat-war.s3-website-us-east-1.amazonaws.com/)
The "Easy Run" JAR file offers a no hassle approach to testing and running WebGoat. Follow these instructions if you The "Easy Run" JAR file offers a no hassle approach to testing and running WebGoat. Follow these instructions if you
wish to simply try/test/run the current development version of WebGoat wish to simply try/test/run the current development version of WebGoat
### Prerequisites: ### Prerequisites:
* Java VM >= 1.6 installed ( JDK 1.7 recommended) * Java VM 1.8 installed
## Easy Run Instructions: ## Easy Run Instructions:
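Review bot: the terminology in this hunk ends up inconsistent: the build description and link text switch from JAR to WAR, but the next sentence still reads 'The "Easy Run" JAR file offers a no hassle approach', and the Java requirement line drops the parenthetical without saying whether JDKs newer than 1.8 are supported. Suggest changing the remaining 'JAR' to 'WAR' in the same hunk and, while on that line, 'a embedded Tomcat server' to 'an embedded Tomcat server'.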
@ -65,7 +65,7 @@ https://s3.amazonaws.com/webgoat-war/webgoat-container-7.0.1-war-exec.jar
Open a command shell/window, browse to where you downloaded the easy run jar and type: Open a command shell/window, browse to where you downloaded the easy run jar and type:
```Shell ```Shell
java -jar webgoat-container-7.0.1-war-exec.jar java -jar webgoat-container-7.0.1.war
``` ```
#### 3. Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and happy hacking ! #### 3. Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and happy hacking !
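Review bot: the download URL in this hunk's context line still points at `webgoat-container-7.0.1-war-exec.jar`, while the command below it now runs `java -jar webgoat-container-7.0.1.war`; a reader following the steps downloads one file name and is told to execute another. Update the URL, and the sentence 'browse to where you downloaded the easy run jar', to the artifact name the new build actually publishes.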
@ -82,8 +82,8 @@ Follow these instructions if you wish to run Webgoat and modify the source code
### Prerequisites: ### Prerequisites:
* Java >= 1.6 ( JDK 1.7 recommended ) * Java 8
* Maven > 2.0.9 * Maven > 3.2.1
* Your favorite IDE, with Maven awareness: Netbeans/IntelliJ/Eclipse with m2e installed. * Your favorite IDE, with Maven awareness: Netbeans/IntelliJ/Eclipse with m2e installed.
* Git, or Git support in your IDE * Git, or Git support in your IDE
@ -136,19 +136,19 @@ The __maven tomcat7:run-war__ goal runs the project in an embedded tomcat:
```Shell ```Shell
cd WebGoat cd WebGoat
mvn -pl webgoat-container tomcat7:run-war mvn -pl webgoat-container spring-boot:run
``` ```
Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and happy hacking ! Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and happy hacking !
#### Option #2: Java executable JAR #### Option #2: Java executable JAR
The __maven package__ goal generates an executable .jar file: The __maven install__ goal generates an executable .war file:
```Shell ```Shell
cd WebGoat cd WebGoat
mvn package mvn package
cd webgoat-container/target cd webgoat-container/target
java -jar webgoat-container-7.1-SNAPSHOT-war-exec.jar http://localhost:8080/WebGoat java -jar webgoat-container-7.1-SNAPSHOT.war
``` ```
Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and happy hacking ! Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and happy hacking !
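Review bot: three statements in this hunk no longer match the commands they introduce: the context line 'The __maven tomcat7:run-war__ goal runs the project in an embedded tomcat' is kept although the command becomes `spring-boot:run`; Option #2 now says 'The __maven install__ goal generates an executable .war file' while the command that follows is still `mvn package`; and the Option #2 heading still reads 'Java executable JAR'. Name the `spring-boot:run` goal in the intro, use either `install` or `package` consistently, and rename the heading to match the `.war` artifact.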
@ -168,18 +168,10 @@ Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and hap
## Reloading plugins and lessons ## Reloading plugins and lessons
If you want to __reload all the plugin and lessons__, open a new browser tab and visit the following url: If you want to __reload all the plugin and lessons__, open up the developer tools available from the info menu. This will
show an extra set of links below the cookie overview.
[http://localhost:8080/WebGoat/service/reloadplugins.mvc](http://localhost:8080/WebGoat/service/reloadplugins.mvc)
After the plugin reload is complete, _reloading a message_ will appear and you can refresh the __main WebGoat browser tab__.
## Debugging label properties ## Debugging label properties
To be able to see which labels are loaded through a property file, open a new browser tab and visit the following url: To be able to see which labels are loaded through a property file, open up the developer tools avalailable from the info menu
After the reload is complete, all labels which are loaded from a property file will be __marked green__.
[http://localhost:8080/WebGoat/service/debug/labels.mvc](http://localhost:8080/WebGoat/service/debug/labels.mvc)
Switch back to the main WebGoat broswer tab and __reload the main WebGoat browser tab__.
After the reload is complete, all labels which where loaded from a property file will be __marked green__.
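Review bot: the new README text carries spelling and grammar slips that will ship as-is: 'avalailable' (available), 'reload all the plugin and lessons' (plugins), and the label-debugging sentence ends without a full stop and no longer tells the reader what to do once the developer tools are open. Suggest mirroring the structure of the reload paragraph above it, e.g. 'open up the developer tools available from the info menu. After the reload is complete, all labels which are loaded from a property file will be __marked green__.'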

View File

@ -152,7 +152,6 @@
<maven-release-plugin.version>2.5.2</maven-release-plugin.version> <maven-release-plugin.version>2.5.2</maven-release-plugin.version>
<maven-source-plugin.version>2.4</maven-source-plugin.version> <maven-source-plugin.version>2.4</maven-source-plugin.version>
<maven-surefire-plugin.version>2.19</maven-surefire-plugin.version> <maven-surefire-plugin.version>2.19</maven-surefire-plugin.version>
<maven-war-plugin.version>2.6</maven-war-plugin.version>
<nexus-staging-maven-plugin.version>1.6.6</nexus-staging-maven-plugin.version> <nexus-staging-maven-plugin.version>1.6.6</nexus-staging-maven-plugin.version>
<sauce_junit.version>2.1.20</sauce_junit.version> <sauce_junit.version>2.1.20</sauce_junit.version>
<selenium-java.version>2.48.2</selenium-java.version> <selenium-java.version>2.48.2</selenium-java.version>
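Review bot: dropping the `maven-war-plugin.version` property is consistent with the plugin block removed in the container module, but any other module that still references `${maven-war-plugin.version}` will now fail with an unresolved property; a `grep -r 'maven-war-plugin' --include=pom.xml .` before merge would confirm there are no remaining users.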

View File

@ -39,7 +39,7 @@
<attachArtifactClassifier>exec</attachArtifactClassifier> <attachArtifactClassifier>exec</attachArtifactClassifier>
<contextReloadable>true</contextReloadable> <contextReloadable>true</contextReloadable>
<useSeparateTomcatClassLoader>true</useSeparateTomcatClassLoader> <useSeparateTomcatClassLoader>true</useSeparateTomcatClassLoader>
<contextFile>${project.basedir}/src/main/webapp/WEB-INF/context.xml</contextFile> <contextFile>${project.basedir}/src/main/old/WEB-INF/context.xml</contextFile>
</configuration> </configuration>
<dependencies> <dependencies>
<dependency> <dependency>
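Review bot: this tomcat7-maven-plugin configuration is only re-pointed from `src/main/webapp/WEB-INF/context.xml` to `src/main/old/WEB-INF/context.xml`, yet the README in the same commit replaces `tomcat7:run-war` with `spring-boot:run` and the second tomcat7 plugin block is deleted further down in this file. If the Tomcat 7 run path is being retired, this block should go with it rather than keep a build-time dependency on a directory named `old`; if it is kept on purpose, a short XML comment explaining why would help the next reader.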
@ -147,77 +147,6 @@
</execution> </execution>
</executions> </executions>
</plugin> </plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<version>${maven-war-plugin.version}</version>
<configuration>
<!-- archiving the classes breaks the admin screen loads in course.java
the legacy lesson loader does not look in jar files for lessons -->
<archiveClasses>false</archiveClasses>
<archive>
<manifest>
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
</manifest>
<manifestEntries>
<Specification-Title>${project.name}</Specification-Title>
<Specification-Version>${project.version}</Specification-Version>
<Implementation-Version>${build.number}</Implementation-Version>
</manifestEntries>
</archive>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId>
<version>${build-helper-maven-plugin.version}</version>
<executions>
<execution>
<id>attach-artifacts</id>
<phase>package</phase>
<goals>
<goal>attach-artifact</goal>
</goals>
<configuration>
<artifacts>
<artifact>
<file>${project.build.directory}/webgoat-container-${project.version}.jar</file>
</artifact>
</artifacts>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId>
<version>2.3-SNAPSHOT</version>
<configuration>
<server>local_tomcat</server>
<url>http://localhost:8080/manager/text</url>
<path>/WebGoat</path>
<attachArtifactClassifier>exec</attachArtifactClassifier>
<contextReloadable>true</contextReloadable>
<useSeparateTomcatClassLoader>true</useSeparateTomcatClassLoader>
<contextFile>${project.basedir}/src/main/webapp/WEB-INF/context.xml</contextFile>
</configuration>
<dependencies>
<dependency>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-container</artifactId>
<version>${project.version}</version>
</dependency>
</dependencies>
<executions>
<execution>
<id>tomcat-run</id>
<goals>
<goal>exec-war-only</goal>
</goals>
<phase>package</phase>
</execution>
</executions>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId> <artifactId>maven-surefire-plugin</artifactId>
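Review bot: with the maven-war-plugin, the build-helper `attach-artifact` execution and the tomcat7 `exec-war-only` execution all removed, the `.war` the README now tells users to run with `java -jar` has to come from a Spring Boot `repackage` that is not visible in this diff; please confirm the spring-boot-maven-plugin is bound in this module, otherwise `mvn package` produces a plain archive that is not executable. Dropping the `2.3-SNAPSHOT` tomcat7 plugin is a welcome side effect, since a SNAPSHOT build plugin makes builds non-reproducible. The deleted comment about `archiveClasses` ('the legacy lesson loader does not look in jar files for lessons') records a constraint that is worth re-checking against `LegacyLoader` if lessons now end up inside the executable war.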
@ -276,11 +205,6 @@
<artifactId>thymeleaf-extras-springsecurity4</artifactId> <artifactId>thymeleaf-extras-springsecurity4</artifactId>
<version>2.1.2.RELEASE</version> <version>2.1.2.RELEASE</version>
</dependency> </dependency>
<dependency>
<groupId>org.xeustechnologies</groupId>
<artifactId>jcl-core</artifactId>
<version>2.7</version>
</dependency>
<dependency> <dependency>
<groupId>javax.activation</groupId> <groupId>javax.activation</groupId>
<artifactId>activation</artifactId> <artifactId>activation</artifactId>
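Review bot: `jcl-core` (the org.xeustechnologies JarClassLoader library) is removed here, while `PluginReloadService` in this same commit still carries the commented-out `PluginsLoader(...).copyJars()` call; if `PluginsLoader` or any other class in the plugin package still imports `org.xeustechnologies`, the module will no longer compile. A `mvn -pl webgoat-container compile` on the branch would settle it, and the commented line should be deleted rather than left behind.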
@ -311,52 +235,6 @@
<artifactId>axis-ant</artifactId> <artifactId>axis-ant</artifactId>
<version>${axis-ant.version}</version> <version>${axis-ant.version}</version>
</dependency> </dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>${commons-lang3.version}</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>${commons-io.version}</version>
</dependency>
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>${commons-collections.version}</version>
</dependency>
<dependency>
<groupId>commons-digester</groupId>
<artifactId>commons-digester</artifactId>
<version>${commons-digester.version}</version>
<exclusions>
<exclusion>
<groupId>xml-apis</groupId>
<artifactId>xml-apis</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--<dependency>-->
<!--<groupId>commons-logging</groupId>-->
<!--<artifactId>commons-logging</artifactId>-->
<!--<version>${commons-logging.version}</version>-->
<!--</dependency>-->
<!--<dependency>-->
<!--<groupId>org.slf4j</groupId>-->
<!--<artifactId>jcl-over-slf4j</artifactId>-->
<!--<version>${jcl-over-slf4j.version}</version>-->
<!--</dependency>-->
<dependency>
<groupId>commons-discovery</groupId>
<artifactId>commons-discovery</artifactId>
<version>${commons-discovery.version}</version>
</dependency>
<dependency>
<groupId>javax.mail</groupId>
<artifactId>javax.mail-api</artifactId>
<version>${mail-api.version}</version>
</dependency>
<dependency> <dependency>
<groupId>hsqldb</groupId> <groupId>hsqldb</groupId>
<artifactId>hsqldb</artifactId> <artifactId>hsqldb</artifactId>
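Review bot: six direct dependencies (commons-lang3, commons-io, commons-collections, commons-digester, commons-discovery, javax.mail-api) disappear in this hunk without a visible replacement; if any remaining source still imports them, the module will either fail to compile or, worse, keep working only because another dependency happens to pull the same artifact in transitively, which breaks silently on the next upgrade. `mvn dependency:analyze` on the module lists both 'used undeclared' and 'unused declared' artifacts and is the quickest way to validate this cleanup. Deleting the commented-out commons-logging and jcl-over-slf4j blocks is fine; version control keeps them.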
@ -367,11 +245,6 @@
<artifactId>wsdl4j</artifactId> <artifactId>wsdl4j</artifactId>
<version>${wsdl4j.version}</version> <version>${wsdl4j.version}</version>
</dependency> </dependency>
<dependency>
<groupId>java2html</groupId>
<artifactId>j2h</artifactId>
<version>${j2h.version}</version>
</dependency>
<dependency> <dependency>
<groupId>ecs</groupId> <groupId>ecs</groupId>
<artifactId>ecs</artifactId> <artifactId>ecs</artifactId>
@ -382,39 +255,6 @@
<artifactId>javax.transaction-api</artifactId> <artifactId>javax.transaction-api</artifactId>
<version>${javax.transaction-api.version}</version> <version>${javax.transaction-api.version}</version>
</dependency> </dependency>
<dependency>
<groupId>net.sourceforge.jtds</groupId>
<artifactId>jtds</artifactId>
<version>${jtds.version}</version>
</dependency>
<!--<dependency>-->
<!--<groupId>org.apache.tomcat</groupId>-->
<!--<artifactId>tomcat-catalina</artifactId>-->
<!--<version>${tomcat-catalina.version}</version>-->
<!--<scope>provided</scope>-->
<!--</dependency>-->
<!-- ************* spring MVC and related dependencies ************** -->
<!-- servlet API -->
<!--<dependency>-->
<!--<groupId>javax</groupId>-->
<!--<artifactId>javaee-api</artifactId>-->
<!--<version>${javaee-api.version}</version>-->
<!--<scope>provided</scope>-->
<!--</dependency>-->
<!-- Jackson -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</dependency>
<!-- Apache Commons Upload --> <!-- Apache Commons Upload -->
<dependency> <dependency>
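Review bot: removing the explicit `jackson-core` and `jackson-databind` declarations means the JSON rendering that `PluginReloadService` and the other `BaseService` endpoints rely on now arrives only through whichever Spring Boot starter is declared elsewhere in this pom; that is acceptable but should be a deliberate choice, ideally with a one-line comment. Dropping the `jtds` driver also removes SQL Server connectivity for the lesson database unless it is supplied another way; if that is intended, the database setup documentation should say so in the same change.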
@ -429,56 +269,7 @@
<version>${guava.version}</version> <version>${guava.version}</version>
</dependency> </dependency>
<!-- JSTL -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>${jstl.version}</version>
</dependency>
<dependency>
<groupId>taglibs</groupId>
<artifactId>standard</artifactId>
<version>${standard.version}</version>
</dependency>
<!--<dependency>-->
<!--<groupId>log4j</groupId>-->
<!--<artifactId>log4j</artifactId>-->
<!--<version>${log4j.version}</version>-->
<!--<exclusions>-->
<!--<exclusion>-->
<!--<groupId>javax.jms</groupId>-->
<!--<artifactId>jms</artifactId>-->
<!--</exclusion>-->
<!--<exclusion>-->
<!--<groupId>com.sun.jdmk</groupId>-->
<!--<artifactId>jmxtools</artifactId>-->
<!--</exclusion>-->
<!--<exclusion>-->
<!--<groupId>com.sun.jmx</groupId>-->
<!--<artifactId>jmxri</artifactId>-->
<!--</exclusion>-->
<!--</exclusions>-->
<!--</dependency>-->
<dependency>
<groupId>org.apache.tiles</groupId>
<artifactId>tiles-core</artifactId>
<version>${tiles.version}</version>
<type>jar</type>
</dependency>
<!--<dependency>-->
<!--<groupId>org.slf4j</groupId>-->
<!--<artifactId>slf4j-api</artifactId>-->
<!--<version>${slf4j-api.version}</version>-->
<!--<type>jar</type>-->
<!--</dependency>-->
<!--<dependency>-->
<!--<groupId>org.slf4j</groupId>-->
<!--<artifactId>slf4j-log4j12</artifactId>-->
<!--<version>${slf4j-log4j12.version}</version>-->
<!--<type>jar</type>-->
<!--</dependency>-->
<!-- ************* END spring MVC and related dependencies ************** --> <!-- ************* END spring MVC and related dependencies ************** -->
<!-- ************* START: Dependencies for Unit and Integration Testing ************** --> <!-- ************* START: Dependencies for Unit and Integration Testing ************** -->
<dependency> <dependency>
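Review bot: JSTL, the taglibs `standard` artifact and `tiles-core` are the view-layer dependencies of the JSP webapp this commit moves to `old`, so removing them is consistent with that move; however, the deleted `Controller` servlet in this commit forwarded to `/view.jsp`, so please double-check that no `web.xml`, Spring MVC view resolver or template still references JSP or Tiles views (the `thymeleaf-extras-springsecurity4` dependency kept in the hunk above shows the intended replacement).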

View File

@ -69,7 +69,7 @@ public class PluginReloadService extends BaseService {
String pluginPath = session.getServletContext().getRealPath("plugin_lessons"); String pluginPath = session.getServletContext().getRealPath("plugin_lessons");
String targetPath = session.getServletContext().getRealPath("plugin_extracted"); String targetPath = session.getServletContext().getRealPath("plugin_extracted");
//new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).copyJars(); //new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).copyJars();
webSession.getCourse().loadLessonFromPlugin(session.getServletContext()); webSession.getCourse().loadLessonFromPlugin();
Map<String, Object> result = new HashMap<String, Object>(); Map<String, Object> result = new HashMap<String, Object>();
result.put("success", true); result.put("success", true);
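Review bot: after the call becomes `loadLessonFromPlugin()`, the two locals `pluginPath` and `targetPath` computed from `session.getServletContext().getRealPath(...)` have no remaining consumer in the visible method (their only user was the already commented-out `PluginsLoader` line), so they are dead code and should be removed together with that comment. `getRealPath` also returns null when the war is not unpacked, which is exactly the `java -jar` deployment the README now recommends, so anyone who later uncomments that line would get a `NullPointerException` from `Paths.get(null)`.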

View File

@ -1,71 +0,0 @@
package org.owasp.webgoat.servlets;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* @version $Id: $Id
* @author dm
*/
public class Controller extends HttpServlet {
private static final long serialVersionUID = 1L;
/** {@inheritDoc} */
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
doPost(request, response);
}
/** {@inheritDoc} */
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException,
IOException {
String userAgent = request.getHeader("user-agent");
String clientBrowser = "Not known!";
if (userAgent != null) {
clientBrowser = userAgent;
}
request.setAttribute("client.browser", clientBrowser);
request.getRequestDispatcher("/view.jsp").forward(request, response);
}
}
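Review bot: deleting `Controller` removes a servlet that copied the raw `User-Agent` header into a request attribute and forwarded to `/view.jsp`; nothing in the diff shows the matching `<servlet>`/`<servlet-mapping>` entries or `view.jsp` going away, so confirm the old `web.xml` moved to `old/` with it. The header's copyright line read '2002 - 20014', a typo that is probably repeated in the other source headers and worth a follow-up.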

View File

@ -321,10 +321,8 @@ public class Course {
/** /**
* <p>loadLessonFromPlugin.</p> * <p>loadLessonFromPlugin.</p>
*
* @param context a {@link javax.servlet.ServletContext} object.
*/ */
public void loadLessonFromPlugin(ServletContext context) { public void loadLessonFromPlugin() {
Resource resource = new ClassPathResource("/plugin_lessons/plugin_lessons_marker.txt"); Resource resource = new ClassPathResource("/plugin_lessons/plugin_lessons_marker.txt");
String pluginPath = null; String pluginPath = null;
String targetPath = null; String targetPath = null;
@ -380,7 +378,7 @@ public class Course {
public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path) { public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path) {
logger.info("Loading courses: " + path); logger.info("Loading courses: " + path);
this.webgoatContext = webgoatContext; this.webgoatContext = webgoatContext;
loadLessonFromPlugin(context); loadLessonFromPlugin();
LegacyLoader loader = new LegacyLoader(); LegacyLoader loader = new LegacyLoader();
lessons.addAll(loader.loadLessons(webgoatContext, context, path, properties)); lessons.addAll(loader.loadLessons(webgoatContext, context, path, properties));
} }
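Review bot: `loadLessonFromPlugin()` no longer receives a `ServletContext` and must now locate the plugin directory solely from the `ClassPathResource("/plugin_lessons/plugin_lessons_marker.txt")` marker; a `ClassPathResource` only resolves to a real filesystem path when the application runs exploded, not from inside the executable war the README now advertises, so please confirm the remainder of the method handles the non-file case. Removing the stale `@param context` Javadoc is correct; `loadCourses` keeps its `ServletContext context` parameter only for `LegacyLoader`, which is worth a comment so the next cleanup does not drop it by mistake.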

View File

@ -1,69 +1,69 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"> <deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<globalConfiguration> <globalConfiguration>
<parameter name="sendMultiRefs" value="true"/> <parameter name="sendMultiRefs" value="true"/>
<parameter name="disablePrettyXML" value="true"/> <parameter name="disablePrettyXML" value="true"/>
<parameter name="adminPassword" value="admin"/> <parameter name="adminPassword" value="admin"/>
<!-- <!--
<parameter name="attachments.Directory" value="C:\webgoat\tomcat\webapps\WebGoat\WEB-INF\attachments"/> <parameter name="attachments.Directory" value="C:\webgoat\tomcat\webapps\WebGoat\WEB-INF\attachments"/>
--> -->
<parameter name="dotNetSoapEncFix" value="true"/> <parameter name="dotNetSoapEncFix" value="true"/>
<parameter name="enableNamespacePrefixOptimization" value="true"/> <parameter name="enableNamespacePrefixOptimization" value="true"/>
<parameter name="sendXMLDeclaration" value="true"/> <parameter name="sendXMLDeclaration" value="true"/>
<!-- <!--
<parameter name="attachments.implementation" value="org.apache.axis.attachments.AttachmentsImpl"/> <parameter name="attachments.implementation" value="org.apache.axis.attachments.AttachmentsImpl"/>
--> -->
<parameter name="sendXsiTypes" value="true"/> <parameter name="sendXsiTypes" value="true"/>
<requestFlow> <requestFlow>
<handler type="java:org.apache.axis.handlers.JWSHandler"> <handler type="java:org.apache.axis.handlers.JWSHandler">
<parameter name="scope" value="session"/> <parameter name="scope" value="session"/>
</handler> </handler>
<handler type="java:org.apache.axis.handlers.JWSHandler"> <handler type="java:org.apache.axis.handlers.JWSHandler">
<parameter name="scope" value="request"/> <parameter name="scope" value="request"/>
<parameter name="extension" value=".jwr"/> <parameter name="extension" value=".jwr"/>
</handler> </handler>
</requestFlow> </requestFlow>
</globalConfiguration> </globalConfiguration>
<handler name="LocalResponder" type="java:org.apache.axis.transport.local.LocalResponder"/> <handler name="LocalResponder" type="java:org.apache.axis.transport.local.LocalResponder"/>
<handler name="URLMapper" type="java:org.apache.axis.handlers.http.URLMapper"/> <handler name="URLMapper" type="java:org.apache.axis.handlers.http.URLMapper"/>
<handler name="Authenticate" type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/> <handler name="Authenticate" type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
<service name="WSDLScanning" provider="java:RPC"> <service name="WSDLScanning" provider="java:RPC">
<parameter name="allowedMethods" value="getFirstName, getLastName, getCreditCard, getLoginCount"/> <parameter name="allowedMethods" value="getFirstName, getLastName, getCreditCard, getLoginCount"/>
<parameter name="className" value="org.owasp.webgoat.plugin.WSDLScanning"/> <parameter name="className" value="org.owasp.webgoat.plugin.WSDLScanning"/>
</service> </service>
<service name="SoapRequest" provider="java:RPC"> <service name="SoapRequest" provider="java:RPC">
<parameter name="allowedMethods" value="getFirstName, getLastName, getCreditCard, getLoginCount"/> <parameter name="allowedMethods" value="getFirstName, getLastName, getCreditCard, getLoginCount"/>
<parameter name="className" value="org.owasp.webgoat.plugin.SoapRequest"/> <parameter name="className" value="org.owasp.webgoat.plugin.SoapRequest"/>
</service> </service>
<service name="AdminService" provider="java:MSG"> <service name="AdminService" provider="java:MSG">
<parameter name="allowedMethods" value="AdminService"/> <parameter name="allowedMethods" value="AdminService"/>
<parameter name="enableRemoteAdmin" value="false"/> <parameter name="enableRemoteAdmin" value="false"/>
<parameter name="className" value="org.apache.axis.utils.Admin"/> <parameter name="className" value="org.apache.axis.utils.Admin"/>
<namespace>http://xml.apache.org/axis/wsdd/</namespace> <namespace>http://xml.apache.org/axis/wsdd/</namespace>
</service> </service>
<service name="Version" provider="java:RPC"> <service name="Version" provider="java:RPC">
<parameter name="allowedMethods" value="getVersion"/> <parameter name="allowedMethods" value="getVersion"/>
<parameter name="className" value="org.apache.axis.Version"/> <parameter name="className" value="org.apache.axis.Version"/>
</service> </service>
<service name="WsSqlInjection" provider="java:RPC"> <service name="WsSqlInjection" provider="java:RPC">
<parameter name="allowedMethods" value="getCreditCard"/> <parameter name="allowedMethods" value="getCreditCard"/>
<parameter name="className" value="org.owasp.webgoat.plugin.WsSqlInjection"/> <parameter name="className" value="org.owasp.webgoat.plugin.WsSqlInjection"/>
</service> </service>
<transport name="http"> <transport name="http">
<requestFlow> <requestFlow>
<handler type="URLMapper"/> <handler type="URLMapper"/>
<handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/> <handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
</requestFlow> </requestFlow>
<parameter name="qs:list" value="org.apache.axis.transport.http.QSListHandler"/> <parameter name="qs:list" value="org.apache.axis.transport.http.QSListHandler"/>
<parameter name="qs:wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/> <parameter name="qs:wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
<parameter name="qs.list" value="org.apache.axis.transport.http.QSListHandler"/> <parameter name="qs.list" value="org.apache.axis.transport.http.QSListHandler"/>
<parameter name="qs.method" value="org.apache.axis.transport.http.QSMethodHandler"/> <parameter name="qs.method" value="org.apache.axis.transport.http.QSMethodHandler"/>
<parameter name="qs:method" value="org.apache.axis.transport.http.QSMethodHandler"/> <parameter name="qs:method" value="org.apache.axis.transport.http.QSMethodHandler"/>
<parameter name="qs.wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/> <parameter name="qs.wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
</transport> </transport>
<transport name="local"> <transport name="local">
<responseFlow> <responseFlow>
<handler type="LocalResponder"/> <handler type="LocalResponder"/>
</responseFlow> </responseFlow>
</transport> </transport>
</deployment> </deployment>
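Review bot: this Axis `server-config.wsdd` is moved unchanged, which keeps `<parameter name="adminPassword" value="admin"/>` in the tree; it is harmless only as long as `enableRemoteAdmin` stays `false` in the `AdminService` block, so that pairing is the thing to re-check if this file is ever copied into a live Tomcat deployment. The `allowedMethods` lists exposing `getCreditCard` on `WSDLScanning`, `SoapRequest` and `WsSqlInjection` are the intentionally vulnerable lesson services and should stay as they are.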

View File

@ -1,60 +1,60 @@
category.General.ranking=11 category.General.ranking=11
lesson.HttpBasics.ranking=10 lesson.HttpBasics.ranking=10
lesson.HttpSplitting.ranking=20 lesson.HttpSplitting.ranking=20
lesson.ThreadSafetyProblem.ranking=30 lesson.ThreadSafetyProblem.ranking=30
category.Broken\ Authentication\ and\ Session\ Management.ranking=21 category.Broken\ Authentication\ and\ Session\ Management.ranking=21
lesson.BasicAuthentication.ranking=10 lesson.BasicAuthentication.ranking=10
lesson.WeakAuthenticationCookie.ranking=20 lesson.WeakAuthenticationCookie.ranking=20
category.Broken\ Access\ Control.ranking=31 category.Broken\ Access\ Control.ranking=31
lesson.AccessControlMatrix.ranking=10 lesson.AccessControlMatrix.ranking=10
lesson.PathBasedAccessControl.ranking=20 lesson.PathBasedAccessControl.ranking=20
lesson.RoleBasedAccessControl.hidden=true lesson.RoleBasedAccessControl.hidden=true
category.Cross-Site\ Scripting\ (XSS).ranking=41 category.Cross-Site\ Scripting\ (XSS).ranking=41
lesson.StoredXss.ranking=10 lesson.StoredXss.ranking=10
lesson.ReflectedXSS.ranking=20 lesson.ReflectedXSS.ranking=20
lesson.CSRF.ranking=30 lesson.CSRF.ranking=30
lesson.CsrfPromptByPass.ranking=40 lesson.CsrfPromptByPass.ranking=40
lesson.CsrfTokenByPass.ranking=50 lesson.CsrfTokenByPass.ranking=50
lesson.CrossSiteScripting.hidden=true lesson.CrossSiteScripting.hidden=true
category.Unvalidated\ Parameters.ranking=51 category.Unvalidated\ Parameters.ranking=51
lesson.HiddenFieldTampering.ranking=10 lesson.HiddenFieldTampering.ranking=10
lesson.JavaScriptValidation.ranking=20 lesson.JavaScriptValidation.ranking=20
lesson.UncheckedEmail.ranking=30 lesson.UncheckedEmail.ranking=30
category.Insecure\ Storage.ranking=61 category.Insecure\ Storage.ranking=61
lesson.Encoding.ranking=10 lesson.Encoding.ranking=10
category.Injection\ Flaws.ranking=71 category.Injection\ Flaws.ranking=71
lesson.SqlNumericInjection.ranking=10 lesson.SqlNumericInjection.ranking=10
lesson.SqlStringInjection.ranking=20 lesson.SqlStringInjection.ranking=20
lesson.CommandInjection.ranking=30 lesson.CommandInjection.ranking=30
lesson.LogSpoofing.ranking=40 lesson.LogSpoofing.ranking=40
lesson.SQLInjection.hidden=true lesson.SQLInjection.hidden=true
category.Improper\ Error\ Handling.ranking=81 category.Improper\ Error\ Handling.ranking=81
lesson.FailOpenAuthentication.ranking=10 lesson.FailOpenAuthentication.ranking=10
category.Code\ Quality.ranking=91 category.Code\ Quality.ranking=91
lesson.HtmlClues.ranking=10 lesson.HtmlClues.ranking=10
category.Web\ Services.category.ranking=101 category.Web\ Services.category.ranking=101
lesson.SoapRequest.ranking=10 lesson.SoapRequest.ranking=10
lesson.WSDLScanning.ranking=20 lesson.WSDLScanning.ranking=20
lesson.WsSqlInjection.ranking=30 lesson.WsSqlInjection.ranking=30
category.New\ Lesson.category.ranking=111 category.New\ Lesson.category.ranking=111
lesson.HowToAddNewLesson.ranking=10 lesson.HowToAddNewLesson.ranking=10
lesson.WeakSessionID.hidden=true lesson.WeakSessionID.hidden=true
lesson.BufferOverflow.hidden=true lesson.BufferOverflow.hidden=true
lesson.BlindSqlInjection.hidden=true lesson.BlindSqlInjection.hidden=true
lesson.DOS_Login.hidden=true lesson.DOS_Login.hidden=true
lesson.ForcedBrowsing.hidden=true lesson.ForcedBrowsing.hidden=true
lesson.ForgotPassword.hidden=true lesson.ForgotPassword.hidden=true
lesson.ParameterInjection.hidden=true lesson.ParameterInjection.hidden=true
lesson.RemoteAdminFlaw.hidden=true lesson.RemoteAdminFlaw.hidden=true
lesson.ChallengeScreen.hidden=true lesson.ChallengeScreen.hidden=true

View File

@ -1,57 +1,57 @@
category.General.ranking=11 category.General.ranking=11
lesson.HttpBasics.ranking=10 lesson.HttpBasics.ranking=10
lesson.HttpSplitting.ranking=20 lesson.HttpSplitting.ranking=20
lesson.ThreadSafetyProblem.ranking=30 lesson.ThreadSafetyProblem.ranking=30
category.Broken\ Authentication\ and\ Session\ Management.ranking=21 category.Broken\ Authentication\ and\ Session\ Management.ranking=21
lesson.BasicAuthentication.ranking=10 lesson.BasicAuthentication.ranking=10
lesson.WeakAuthenticationCookie.ranking=20 lesson.WeakAuthenticationCookie.ranking=20
category.Broken\ Access\ Control.ranking=31 category.Broken\ Access\ Control.ranking=31
lesson.AccessControlMatrix.ranking=10 lesson.AccessControlMatrix.ranking=10
lesson.PathBasedAccessControl.ranking=20 lesson.PathBasedAccessControl.ranking=20
category.Cross-Site\ Scripting\ (XSS).ranking=41 category.Cross-Site\ Scripting\ (XSS).ranking=41
lesson.StoredXss.ranking=10 lesson.StoredXss.ranking=10
lesson.ReflectedXSS.ranking=20 lesson.ReflectedXSS.ranking=20
lesson.CSRF.ranking=30 lesson.CSRF.ranking=30
lesson.CsrfPromptByPass.ranking=40 lesson.CsrfPromptByPass.ranking=40
lesson.CsrfTokenByPass.ranking=50 lesson.CsrfTokenByPass.ranking=50
category.Unvalidated\ Parameters.ranking=51 category.Unvalidated\ Parameters.ranking=51
lesson.HiddenFieldTampering.ranking=10 lesson.HiddenFieldTampering.ranking=10
lesson.JavaScriptValidation.ranking=20 lesson.JavaScriptValidation.ranking=20
lesson.UncheckedEmail.ranking=30 lesson.UncheckedEmail.ranking=30
category.Insecure\ Storage.ranking=61 category.Insecure\ Storage.ranking=61
lesson.Encoding.ranking=10 lesson.Encoding.ranking=10
category.Injection\ Flaws.ranking=71 category.Injection\ Flaws.ranking=71
lesson.SqlNumericInjection.ranking=10 lesson.SqlNumericInjection.ranking=10
lesson.SqlStringInjection.ranking=20 lesson.SqlStringInjection.ranking=20
lesson.CommandInjection.ranking=30 lesson.CommandInjection.ranking=30
lesson.LogSpoofing.ranking=40 lesson.LogSpoofing.ranking=40
category.Improper\ Error\ Handling.ranking=81 category.Improper\ Error\ Handling.ranking=81
lesson.FailOpenAuthentication.ranking=10 lesson.FailOpenAuthentication.ranking=10
category.Code\ Quality.ranking=91 category.Code\ Quality.ranking=91
lesson.HtmlClues.ranking=10 lesson.HtmlClues.ranking=10
category.Web\ Services.category.ranking=101 category.Web\ Services.category.ranking=101
lesson.SoapRequest.ranking=10 lesson.SoapRequest.ranking=10
lesson.WSDLScanning.ranking=20 lesson.WSDLScanning.ranking=20
lesson.WsSqlInjection.ranking=30 lesson.WsSqlInjection.ranking=30
category.New\ Lesson.category.ranking=111 category.New\ Lesson.category.ranking=111
lesson.HowToAddNewLesson.ranking=10 lesson.HowToAddNewLesson.ranking=10
lesson.WeakSessionID.hidden=true lesson.WeakSessionID.hidden=true
lesson.BufferOverflow.hidden=true lesson.BufferOverflow.hidden=true
lesson.BlindSqlInjection.hidden=true lesson.BlindSqlInjection.hidden=true
lesson.DOS_Login.hidden=true lesson.DOS_Login.hidden=true
lesson.ForcedBrowsing.hidden=true lesson.ForcedBrowsing.hidden=true
lesson.ForgotPassword.hidden=true lesson.ForgotPassword.hidden=true
lesson.ParameterInjection.hidden=true lesson.ParameterInjection.hidden=true
lesson.RemoteAdminFlaw.hidden=true lesson.RemoteAdminFlaw.hidden=true
lesson.ChallengeScreen.hidden=true lesson.ChallengeScreen.hidden=true
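Review bot: the two keys `category.Web\ Services.category.ranking=101` and `category.New\ Lesson.category.ranking=111` carry an extra `.category` segment that none of the other category keys in this file have (compare `category.Code\ Quality.ranking=91`). Unless the loader deliberately accepts both forms, those two categories fall back to whatever default ranking applies and sort unpredictably; drop the extra segment so every category key follows `category.<Name>.ranking=`. The block of `lesson.*.hidden=true` lines at the end would also benefit from a short comment per lesson saying why it is hidden (broken, platform-specific, superseded), since this properties file is the only place that decision is recorded.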

View File

@ -1,2 +1,2 @@
#lesson.BufferOverflow.hidden=true #lesson.BufferOverflow.hidden=true
lesson.BlindScript.hidden=true lesson.BlindScript.hidden=true
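Review bot: `#lesson.BufferOverflow.hidden=true` is a commented-out override with no explanation, while the properties hunk above sets `lesson.BufferOverflow.hidden=true` outright, so a reader cannot tell whether this file is meant to re-enable the lesson or is simply stale. Either delete the dead line or add a comment stating the intent, so nobody uncomments it by accident later.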

View File

@ -1,132 +1,132 @@
DROP USER webgoat_guest CASCADE; DROP USER webgoat_guest CASCADE;
CREATE USER webgoat_guest IDENTIFIED BY webgoat DEFAULT TABLESPACE users; CREATE USER webgoat_guest IDENTIFIED BY webgoat DEFAULT TABLESPACE users;
GRANT CONNECT, RESOURCE TO webgoat_guest; GRANT CONNECT, RESOURCE TO webgoat_guest;
GRANT CREATE PROCEDURE TO webgoat_guest; GRANT CREATE PROCEDURE TO webgoat_guest;
CREATE TABLE WEBGOAT_guest.EMPLOYEE ( CREATE TABLE WEBGOAT_guest.EMPLOYEE (
userid INT NOT NULL PRIMARY KEY, userid INT NOT NULL PRIMARY KEY,
first_name VARCHAR(20), first_name VARCHAR(20),
last_name VARCHAR(20), last_name VARCHAR(20),
ssn VARCHAR(12), ssn VARCHAR(12),
password VARCHAR(10), password VARCHAR(10),
title VARCHAR(20), title VARCHAR(20),
phone VARCHAR(13), phone VARCHAR(13),
address1 VARCHAR(80), address1 VARCHAR(80),
address2 VARCHAR(80), address2 VARCHAR(80),
manager INT, manager INT,
start_date CHAR(8), start_date CHAR(8),
salary INT, salary INT,
ccn VARCHAR(30), ccn VARCHAR(30),
ccn_limit INT, ccn_limit INT,
disciplined_date CHAR(8), disciplined_date CHAR(8),
disciplined_notes VARCHAR(60), disciplined_notes VARCHAR(60),
personal_description VARCHAR(60) personal_description VARCHAR(60)
); );
CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
stmt VARCHAR(32767);cnt NUMBER; stmt VARCHAR(32767);cnt NUMBER;
BEGIN BEGIN
stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || ''''; stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';
EXECUTE IMMEDIATE stmt INTO cnt; EXECUTE IMMEDIATE stmt INTO cnt;
RETURN cnt; RETURN cnt;
END; END;
/ /
CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN_BACKUP(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN_BACKUP(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
stmt VARCHAR(32767);cnt NUMBER; stmt VARCHAR(32767);cnt NUMBER;
BEGIN BEGIN
stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || ''''; stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';
EXECUTE IMMEDIATE stmt INTO cnt; EXECUTE IMMEDIATE stmt INTO cnt;
RETURN cnt; RETURN cnt;
END; END;
/ /
CREATE OR REPLACE PROCEDURE WEBGOAT_guest.UPDATE_EMPLOYEE( CREATE OR REPLACE PROCEDURE WEBGOAT_guest.UPDATE_EMPLOYEE(
v_userid IN employee.userid%type, v_userid IN employee.userid%type,
v_first_name IN employee.first_name%type, v_first_name IN employee.first_name%type,
v_last_name IN employee.last_name%type, v_last_name IN employee.last_name%type,
v_ssn IN employee.ssn%type, v_ssn IN employee.ssn%type,
v_title IN employee.title%type, v_title IN employee.title%type,
v_phone IN employee.phone%type, v_phone IN employee.phone%type,
v_address1 IN employee.address1%type, v_address1 IN employee.address1%type,
v_address2 IN employee.address2%type, v_address2 IN employee.address2%type,
v_manager IN employee.manager%type, v_manager IN employee.manager%type,
v_start_date IN employee.start_date%type, v_start_date IN employee.start_date%type,
v_salary IN employee.salary%type, v_salary IN employee.salary%type,
v_ccn IN employee.ccn%type, v_ccn IN employee.ccn%type,
v_ccn_limit IN employee.ccn_limit%type, v_ccn_limit IN employee.ccn_limit%type,
v_disciplined_date IN employee.disciplined_date%type, v_disciplined_date IN employee.disciplined_date%type,
v_disciplined_notes IN employee.disciplined_notes%type, v_disciplined_notes IN employee.disciplined_notes%type,
v_personal_description IN employee.personal_description%type v_personal_description IN employee.personal_description%type
) )
AS AS
BEGIN BEGIN
UPDATE EMPLOYEE UPDATE EMPLOYEE
SET SET
first_name = v_first_name, first_name = v_first_name,
last_name = v_last_name, last_name = v_last_name,
ssn = v_ssn, ssn = v_ssn,
title = v_title, title = v_title,
phone = v_phone, phone = v_phone,
address1 = v_address1, address1 = v_address1,
address2 = v_address2, address2 = v_address2,
manager = v_manager, manager = v_manager,
start_date = v_Start_date, start_date = v_Start_date,
salary = v_salary, salary = v_salary,
ccn = v_ccn, ccn = v_ccn,
ccn_limit = v_ccn_limit, ccn_limit = v_ccn_limit,
disciplined_date = v_disciplined_date, disciplined_date = v_disciplined_date,
disciplined_notes = v_disciplined_notes, disciplined_notes = v_disciplined_notes,
personal_description = v_personal_description personal_description = v_personal_description
WHERE WHERE
userid = v_userid; userid = v_userid;
END; END;
/ /
CREATE OR REPLACE PROCEDURE WEBGOAT_guest.UPDATE_EMPLOYEE_BACKUP( CREATE OR REPLACE PROCEDURE WEBGOAT_guest.UPDATE_EMPLOYEE_BACKUP(
v_userid IN employee.userid%type, v_userid IN employee.userid%type,
v_first_name IN employee.first_name%type, v_first_name IN employee.first_name%type,
v_last_name IN employee.last_name%type, v_last_name IN employee.last_name%type,
v_ssn IN employee.ssn%type, v_ssn IN employee.ssn%type,
v_title IN employee.title%type, v_title IN employee.title%type,
v_phone IN employee.phone%type, v_phone IN employee.phone%type,
v_address1 IN employee.address1%type, v_address1 IN employee.address1%type,
v_address2 IN employee.address2%type, v_address2 IN employee.address2%type,
v_manager IN employee.manager%type, v_manager IN employee.manager%type,
v_start_date IN employee.start_date%type, v_start_date IN employee.start_date%type,
v_salary IN employee.salary%type, v_salary IN employee.salary%type,
v_ccn IN employee.ccn%type, v_ccn IN employee.ccn%type,
v_ccn_limit IN employee.ccn_limit%type, v_ccn_limit IN employee.ccn_limit%type,
v_disciplined_date IN employee.disciplined_date%type, v_disciplined_date IN employee.disciplined_date%type,
v_disciplined_notes IN employee.disciplined_notes%type, v_disciplined_notes IN employee.disciplined_notes%type,
v_personal_description IN employee.personal_description%type v_personal_description IN employee.personal_description%type
) )
AS AS
BEGIN BEGIN
UPDATE EMPLOYEE UPDATE EMPLOYEE
SET SET
first_name = v_first_name, first_name = v_first_name,
last_name = v_last_name, last_name = v_last_name,
ssn = v_ssn, ssn = v_ssn,
title = v_title, title = v_title,
phone = v_phone, phone = v_phone,
address1 = v_address1, address1 = v_address1,
address2 = v_address2, address2 = v_address2,
manager = v_manager, manager = v_manager,
start_date = v_Start_date, start_date = v_Start_date,
salary = v_salary, salary = v_salary,
ccn = v_ccn, ccn = v_ccn,
ccn_limit = v_ccn_limit, ccn_limit = v_ccn_limit,
disciplined_date = v_disciplined_date, disciplined_date = v_disciplined_date,
disciplined_notes = v_disciplined_notes, disciplined_notes = v_disciplined_notes,
personal_description = v_personal_description personal_description = v_personal_description
WHERE WHERE
userid = v_userid; userid = v_userid;
END; END;
/ /
exit; exit;
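Review bot: `EMPLOYEE_LOGIN` builds its query by string concatenation (`stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';`) and runs it with `EXECUTE IMMEDIATE`, so `v_password` is injectable. For a WebGoat lesson schema that is presumably the point, and `EMPLOYEE_LOGIN_BACKUP` (an identical copy) looks like the pristine version a lesson restores from, but nothing in the script says so: add a header comment marking these routines as deliberately vulnerable and, for contrast, show the safe form, which binds the inputs (`EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM EMPLOYEE WHERE USERID = :1 AND PASSWORD = :2' INTO cnt USING v_id, v_password;`). Two smaller points: `DROP USER webgoat_guest CASCADE;` is unguarded and raises an error on a fresh instance where the user does not exist yet, and `CREATE USER webgoat_guest IDENTIFIED BY webgoat` hardcodes the database password in the repository, which is tolerable only because this is a throwaway lab schema and should be labelled as such.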

View File

@ -1,226 +1,226 @@
EXEC sp_configure 'clr enabled', 1 EXEC sp_configure 'clr enabled', 1
GO GO
RECONFIGURE RECONFIGURE
GO GO
USE master; USE master;
go go
DROP LOGIN webgoat_guest; DROP LOGIN webgoat_guest;
go go
DROP database webgoat; DROP database webgoat;
go go
CREATE database webgoat; CREATE database webgoat;
go go
USE webgoat; USE webgoat;
go go
CREATE SCHEMA webgoat_guest; CREATE SCHEMA webgoat_guest;
go go
CREATE LOGIN webgoat_guest with password = '_webgoat'; CREATE LOGIN webgoat_guest with password = '_webgoat';
go go
CREATE USER webgoat_guest with default_schema = webgoat_guest; CREATE USER webgoat_guest with default_schema = webgoat_guest;
go go
GRANT CONTROL TO webgoat_guest; GRANT CONTROL TO webgoat_guest;
go go
CREATE TABLE WEBGOAT_guest.EMPLOYEE ( CREATE TABLE WEBGOAT_guest.EMPLOYEE (
userid INT NOT NULL PRIMARY KEY, userid INT NOT NULL PRIMARY KEY,
first_name VARCHAR(20), first_name VARCHAR(20),
last_name VARCHAR(20), last_name VARCHAR(20),
ssn VARCHAR(12), ssn VARCHAR(12),
password VARCHAR(10), password VARCHAR(10),
title VARCHAR(20), title VARCHAR(20),
phone VARCHAR(13), phone VARCHAR(13),
address1 VARCHAR(80), address1 VARCHAR(80),
address2 VARCHAR(80), address2 VARCHAR(80),
manager INT, manager INT,
start_date CHAR(8), start_date CHAR(8),
salary INT, salary INT,
ccn VARCHAR(30), ccn VARCHAR(30),
ccn_limit INT, ccn_limit INT,
disciplined_date CHAR(8), disciplined_date CHAR(8),
disciplined_notes VARCHAR(60), disciplined_notes VARCHAR(60),
personal_description VARCHAR(60) personal_description VARCHAR(60)
); );
go go
IF EXISTS IF EXISTS
( (
SELECT 1 SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'UPDATE_EMPLOYEE' WHERE ROUTINE_NAME = 'UPDATE_EMPLOYEE'
AND ROUTINE_SCHEMA = 'webgoat_guest' AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'PROCEDURE' AND ROUTINE_TYPE = 'PROCEDURE'
) )
BEGIN BEGIN
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
END END
GO GO
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
@v_userid INT, @v_userid INT,
@v_first_name VARCHAR(20), @v_first_name VARCHAR(20),
@v_last_name VARCHAR(20), @v_last_name VARCHAR(20),
@v_ssn VARCHAR(12), @v_ssn VARCHAR(12),
@v_title VARCHAR(20), @v_title VARCHAR(20),
@v_phone VARCHAR(13), @v_phone VARCHAR(13),
@v_address1 VARCHAR(80), @v_address1 VARCHAR(80),
@v_address2 VARCHAR(80), @v_address2 VARCHAR(80),
@v_manager INT, @v_manager INT,
@v_start_date CHAR(8), @v_start_date CHAR(8),
@v_salary INT, @v_salary INT,
@v_ccn VARCHAR(30), @v_ccn VARCHAR(30),
@v_ccn_limit INT, @v_ccn_limit INT,
@v_disciplined_date CHAR(8), @v_disciplined_date CHAR(8),
@v_disciplined_notes VARCHAR(60), @v_disciplined_notes VARCHAR(60),
@v_personal_description VARCHAR(60) @v_personal_description VARCHAR(60)
AS AS
UPDATE EMPLOYEE UPDATE EMPLOYEE
SET SET
first_name = @v_first_name, first_name = @v_first_name,
last_name = @v_last_name, last_name = @v_last_name,
ssn = @v_ssn, ssn = @v_ssn,
title = @v_title, title = @v_title,
phone = @v_phone, phone = @v_phone,
address1 = @v_address1, address1 = @v_address1,
address2 = @v_address2, address2 = @v_address2,
manager = @v_manager, manager = @v_manager,
start_date = @v_Start_date, start_date = @v_Start_date,
salary = @v_salary, salary = @v_salary,
ccn = @v_ccn, ccn = @v_ccn,
ccn_limit = @v_ccn_limit, ccn_limit = @v_ccn_limit,
disciplined_date = @v_disciplined_date, disciplined_date = @v_disciplined_date,
disciplined_notes = @v_disciplined_notes, disciplined_notes = @v_disciplined_notes,
personal_description = @v_personal_description personal_description = @v_personal_description
WHERE WHERE
userid = @v_userid; userid = @v_userid;
go go
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
@v_userid INT, @v_userid INT,
@v_first_name VARCHAR(20), @v_first_name VARCHAR(20),
@v_last_name VARCHAR(20), @v_last_name VARCHAR(20),
@v_ssn VARCHAR(12), @v_ssn VARCHAR(12),
@v_title VARCHAR(20), @v_title VARCHAR(20),
@v_phone VARCHAR(13), @v_phone VARCHAR(13),
@v_address1 VARCHAR(80), @v_address1 VARCHAR(80),
@v_address2 VARCHAR(80), @v_address2 VARCHAR(80),
@v_manager INT, @v_manager INT,
@v_start_date CHAR(8), @v_start_date CHAR(8),
@v_salary INT, @v_salary INT,
@v_ccn VARCHAR(30), @v_ccn VARCHAR(30),
@v_ccn_limit INT, @v_ccn_limit INT,
@v_disciplined_date CHAR(8), @v_disciplined_date CHAR(8),
@v_disciplined_notes VARCHAR(60), @v_disciplined_notes VARCHAR(60),
@v_personal_description VARCHAR(60) @v_personal_description VARCHAR(60)
AS AS
UPDATE EMPLOYEE UPDATE EMPLOYEE
SET SET
first_name = @v_first_name, first_name = @v_first_name,
last_name = @v_last_name, last_name = @v_last_name,
ssn = @v_ssn, ssn = @v_ssn,
title = @v_title, title = @v_title,
phone = @v_phone, phone = @v_phone,
address1 = @v_address1, address1 = @v_address1,
address2 = @v_address2, address2 = @v_address2,
manager = @v_manager, manager = @v_manager,
start_date = @v_Start_date, start_date = @v_Start_date,
salary = @v_salary, salary = @v_salary,
ccn = @v_ccn, ccn = @v_ccn,
ccn_limit = @v_ccn_limit, ccn_limit = @v_ccn_limit,
disciplined_date = @v_disciplined_date, disciplined_date = @v_disciplined_date,
disciplined_notes = @v_disciplined_notes, disciplined_notes = @v_disciplined_notes,
personal_description = @v_personal_description personal_description = @v_personal_description
WHERE WHERE
userid = @v_userid; userid = @v_userid;
go go
IF EXISTS IF EXISTS
( (
SELECT 1 SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'EMPLOYEE_LOGIN' WHERE ROUTINE_NAME = 'EMPLOYEE_LOGIN'
AND ROUTINE_SCHEMA = 'webgoat_guest' AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'FUNCTION' AND ROUTINE_TYPE = 'FUNCTION'
) )
BEGIN BEGIN
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP
END END
GO GO
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN ( CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN (
@v_id INT, @v_id INT,
@v_password VARCHAR(100) @v_password VARCHAR(100)
) RETURNS INTEGER ) RETURNS INTEGER
AS AS
BEGIN BEGIN
DECLARE @sql nvarchar(4000), @count int DECLARE @sql nvarchar(4000), @count int
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N''''; SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
return @count return @count
END END
GO GO
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP ( CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP (
@v_id INT, @v_id INT,
@v_password VARCHAR(100) @v_password VARCHAR(100)
) RETURNS INTEGER ) RETURNS INTEGER
AS AS
BEGIN BEGIN
DECLARE @sql nvarchar(4000), @count int DECLARE @sql nvarchar(4000), @count int
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N''''; SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
return @count return @count
END END
GO GO
IF EXISTS IF EXISTS
( (
SELECT 1 SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'RegexMatch' WHERE ROUTINE_NAME = 'RegexMatch'
AND ROUTINE_SCHEMA = 'webgoat_guest' AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'FUNCTION' AND ROUTINE_TYPE = 'FUNCTION'
) )
BEGIN BEGIN
DROP FUNCTION webgoat_guest.RegexMatch DROP FUNCTION webgoat_guest.RegexMatch
END END
GO GO
IF EXISTS (SELECT name FROM sys.assemblies WHERE name = N'RegexMatch') IF EXISTS (SELECT name FROM sys.assemblies WHERE name = N'RegexMatch')
DROP ASSEMBLY RegexMatch; DROP ASSEMBLY RegexMatch;
GO GO
CREATE ASSEMBLY RegexMatch FROM 'C:\AspectClass\Database\Labs\tomcat\webapps\WebGoat\WEB-INF\RegexMatch.dll' WITH PERMISSION_SET = SAFE; CREATE ASSEMBLY RegexMatch FROM 'C:\AspectClass\Database\Labs\tomcat\webapps\WebGoat\WEB-INF\RegexMatch.dll' WITH PERMISSION_SET = SAFE;
GO GO
CREATE FUNCTION webgoat_guest.RegexMatch ( CREATE FUNCTION webgoat_guest.RegexMatch (
@input NVARCHAR(MAX), @input NVARCHAR(MAX),
@pattern NVARCHAR(MAX) @pattern NVARCHAR(MAX)
) RETURNS BIT ) RETURNS BIT
AS EXTERNAL NAME RegexMatch.[UserDefinedFunctions].RegexMatch; AS EXTERNAL NAME RegexMatch.[UserDefinedFunctions].RegexMatch;
GO GO
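Review bot: `CREATE ASSEMBLY RegexMatch FROM 'C:\AspectClass\Database\Labs\tomcat\webapps\WebGoat\WEB-INF\RegexMatch.dll'` hardcodes a path from one developer's machine, so the script fails on every other host; take the DLL location from a sqlcmd variable (`:setvar RegexDll ...` and `$(RegexDll)`) or at least document that the line must be edited before running. Also worth raising: `GRANT CONTROL TO webgoat_guest` hands the lab login full control of the database, far more than the application needs (SELECT/UPDATE on the schema plus EXECUTE on the routines would do), and `EMPLOYEE_LOGIN` / `EMPLOYEE_LOGIN_BACKUP` concatenate `@v_password` into the string handed to `sp_executesql` instead of binding it, so the login is injectable; that matches the Oracle script and is presumably the lesson, but a comment saying so would stop someone "fixing" it. The parameterized form passes the value through sp_executesql's parameter list: `EXEC sp_executesql N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = @id AND PASSWORD = @pw', N'@id int, @pw varchar(100), @cnt int OUTPUT', @id = @v_id, @pw = @v_password, @cnt = @count OUTPUT`. Finally, `DROP LOGIN webgoat_guest;` and `DROP database webgoat;` at the top have no `IF EXISTS` guard, unlike the routine drops further down, so a first run on a clean server produces errors before it gets to the useful part.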

View File

@ -1,365 +1,365 @@
!--------------------------------------------------------------------- !---------------------------------------------------------------------
! !
! BASIC PROPERTIES ! BASIC PROPERTIES
! !
!--------------------------------------------------------------------- !---------------------------------------------------------------------
! !
! Path where index tables are held. Can be absolute or relative ! Path where index tables are held. Can be absolute or relative
! to the properties file. Defaults to tablePath. ! to the properties file. Defaults to tablePath.
! !
indexPath=./indexes indexPath=./indexes
! !
! Path where system tables are held. Can be absolute or relative to ! Path where system tables are held. Can be absolute or relative to
! the properties file. Defaults to tablePath. ! the properties file. Defaults to tablePath.
! !
systemPath=./system systemPath=./system
! !
! Path where database tables are held. Can be absolute or relative ! Path where database tables are held. Can be absolute or relative
! to the properties file. Defaults to "current" directory. ! to the properties file. Defaults to "current" directory.
! !
tablePath=./tables tablePath=./tables
! !
! Path where results set tables are held. Can be absolute or relative ! Path where results set tables are held. Can be absolute or relative
! to the properties file. Defaults to tablePath. ! to the properties file. Defaults to tablePath.
! !
tmpPath=./tmp tmpPath=./tmp
! !
! Non-zero means paths are relative to the properties file. ! Non-zero means paths are relative to the properties file.
! Default is absolute paths for files. ! Default is absolute paths for files.
! !
relativeToProperties=1 relativeToProperties=1
! !
! Alternative partitions can be defined so that tables can be placed ! Alternative partitions can be defined so that tables can be placed
! in multiple locations. Each partition is numbered: 1, 2, 3,... Tables ! in multiple locations. Each partition is numbered: 1, 2, 3,... Tables
! can be created on partitions using the syntax ! can be created on partitions using the syntax
! !
! CREATE TABLE <name> ON PARTITION <number>... ! CREATE TABLE <name> ON PARTITION <number>...
! !
! The partition count has to be supplied. ! The partition count has to be supplied.
! !
!partitionCount=2 !partitionCount=2
! !
! The locations of each partition must be supplied. These are always ! The locations of each partition must be supplied. These are always
! absolute path names. ! absolute path names.
! !
!partition1=d:/petes !partition1=d:/petes
!partition2=c:/temp !partition2=c:/temp
!--------------------------------------------------------------------- !---------------------------------------------------------------------
! !
! TUNING PROPERTIES ! TUNING PROPERTIES
! !
!--------------------------------------------------------------------- !---------------------------------------------------------------------
! !
! The amount of each column to cache, expressed either as an absolute ! The amount of each column to cache, expressed either as an absolute
! number of rows or as a percentage figure. Defaults to 256 or 10 respectively. ! number of rows or as a percentage figure. Defaults to 256 or 10 respectively.
! !
! This value applies only when tables are first created. It has no effect ! This value applies only when tables are first created. It has no effect
! when a table is being re-opened. ! when a table is being re-opened.
! !
cacheAmount=512 cacheAmount=512
! !
! CACHE_ROWS Must be one of CACHE_ROWS or CACHE_PERCENT. Determines whether ! CACHE_ROWS Must be one of CACHE_ROWS or CACHE_PERCENT. Determines whether
! to cache columns in tables based on an absolute number of rows, or the ! to cache columns in tables based on an absolute number of rows, or the
! percentage number of rows in the table. ! percentage number of rows in the table.
! !
! This value applies only when tables are first created. It has no effect ! This value applies only when tables are first created. It has no effect
! when a table is being re-opened. ! when a table is being re-opened.
! !
cacheCondition=CACHE_ROWS cacheCondition=CACHE_ROWS
! !
! The amount of the system tables to be cached. Defaults to 100. ! The amount of the system tables to be cached. Defaults to 100.
! !
! This value applies only when tables are first created. It has no effect ! This value applies only when tables are first created. It has no effect
! when a table is being re-opened. ! when a table is being re-opened.
! !
!systemCacheSize=10 !systemCacheSize=10
! !
! Similar to cacheCondition, but applies only to the system tables. ! Similar to cacheCondition, but applies only to the system tables.
! !
! This value applies only when tables are first created. It has no effect ! This value applies only when tables are first created. It has no effect
! when a table is being re-opened. ! when a table is being re-opened.
! !
!systemCacheCondition=CACHE_ROWS !systemCacheCondition=CACHE_ROWS
! !
! The percentage cache hit improvement required in order to move the ! The percentage cache hit improvement required in order to move the
! cache to a new location in a column. ! cache to a new location in a column.
! !
! (Currently not implemented). ! (Currently not implemented).
! !
cacheResetPercent=10 cacheResetPercent=10
! !
! Non-zero means that database changes do not get written to the ! Non-zero means that database changes do not get written to the
! database immediately. See tuning.html. ! database immediately. See tuning.html.
! !
fastUpdate=0 fastUpdate=0
! !
! Percentage of free space in an index that must be present before ! Percentage of free space in an index that must be present before
! the index reorganises itself. High values means frequent index ! the index reorganises itself. High values means frequent index
! reorganisation. Low values means slow index inserts. ! reorganisation. Low values means slow index inserts.
! !
indexLoad=5 indexLoad=5
! !
! The number of cache misses to include in calculations of the next ! The number of cache misses to include in calculations of the next
! base for the cache. ! base for the cache.
! !
! (Currently not implemented). ! (Currently not implemented).
! !
missesInCacheStats=100 missesInCacheStats=100
! !
! Non-zero means that results sets get instantiated on disk. By default ! Non-zero means that results sets get instantiated on disk. By default
! InstantDB holds results sets emtirely in memory (apart from Binary ! InstantDB holds results sets emtirely in memory (apart from Binary
! columns). For large results sets this can be a problem. This property ! columns). For large results sets this can be a problem. This property
! forces all results sets to be held on disk. ! forces all results sets to be held on disk.
! !
resultsOnDisk=0 resultsOnDisk=0
! !
! Similar to cacheCondition but applies only to disk based ! Similar to cacheCondition but applies only to disk based
! results sets. Default is CACHE_ROWS. ! results sets. Default is CACHE_ROWS.
! !
resultsSetCache=CACHE_ROWS resultsSetCache=CACHE_ROWS
! !
! Similar to cacheAmount but applies only to disk based ! Similar to cacheAmount but applies only to disk based
! results sets. Default is 100. ! results sets. Default is 100.
! !
resultsSetCacheAmount=100 resultsSetCacheAmount=100
! !
! Number of rows to read into the disk read ahead buffer. ! Number of rows to read into the disk read ahead buffer.
! Recommended to be set somewhere around 128 to 256. ! Recommended to be set somewhere around 128 to 256.
! Default is 20. ! Default is 20.
! !
rowCacheSize=128 rowCacheSize=128
! !
! The read ahead buffer is effective at speeding up full ! The read ahead buffer is effective at speeding up full
! table scans. However for indexed lookups or multiple ! table scans. However for indexed lookups or multiple
! simultaneous scans it is better to read a single row at ! simultaneous scans it is better to read a single row at
! a time. Each table holds a small number of single row ! a time. Each table holds a small number of single row
! buffers to improve such operations. Default is 8. ! buffers to improve such operations. Default is 8.
! !
!singleRowCount=4 !singleRowCount=4
! !
! Sometimes the look ahead buffer can be held by a single ! Sometimes the look ahead buffer can be held by a single
! thread even though it is not retrieveing many values from it. ! thread even though it is not retrieveing many values from it.
! If too many lookups retrieve data from the single row ! If too many lookups retrieve data from the single row
! buffers then it is better to flush the look ahead buffer and ! buffers then it is better to flush the look ahead buffer and
! make it available for re-use. Default is 128. ! make it available for re-use. Default is 128.
! !
!flushAfterCacheMisses=64 !flushAfterCacheMisses=64
! !
! Number of rows to read ahead for system tables. By default ! Number of rows to read ahead for system tables. By default
! system tables cache everything, so it is wasteful to have large ! system tables cache everything, so it is wasteful to have large
! read ahead buffers since they will very rarely be used. This ! read ahead buffers since they will very rarely be used. This
! allows the size of the system read ahead buffers to be reduced ! allows the size of the system read ahead buffers to be reduced
! if necessary. Defaults to rowCacheSize. ! if necessary. Defaults to rowCacheSize.
! !
!systemRows=20 !systemRows=20
! !
! The control column in all tables normally has a large cache ! The control column in all tables normally has a large cache
! since this speeds up all operation on that table. This can be ! since this speeds up all operation on that table. This can be
! varied to either improve performance or to reduce space. ! varied to either improve performance or to reduce space.
! default is 8192. ! default is 8192.
! !
! This value applies only when tables are first created. It has no effect ! This value applies only when tables are first created. It has no effect
! when a table is being re-opened. ! when a table is being re-opened.
! !
!controlColCacheSize=512 !controlColCacheSize=512
! !
! By default, InstantDB only does a cursory search for deleted rows during ! By default, InstantDB only does a cursory search for deleted rows during
! UPDATE statements. Setting searchDeletes=1 causes more detailed searches ! UPDATE statements. Setting searchDeletes=1 causes more detailed searches
! for deleted rows. This slows down UPDATE executions, but reults in more ! for deleted rows. This slows down UPDATE executions, but reults in more
! compact tables. Default is 0. ! compact tables. Default is 0.
! !
searchDeletes=0 searchDeletes=0
! !
! The interval, in milliseconds, between checks for statement execution ! The interval, in milliseconds, between checks for statement execution
! timeouts. Default is 5000. ! timeouts. Default is 5000.
! !
!timerCheck=5000 !timerCheck=5000
! !
! The number of statements between checks on available memory. If set ! The number of statements between checks on available memory. If set
! to 100 (say), then every 100 statements, InstantDB will check to ! to 100 (say), then every 100 statements, InstantDB will check to
! see how much memory is still free. If too little is avilable (see ! see how much memory is still free. If too little is avilable (see
! below) then java.lang.System.gc() is called. ! below) then java.lang.System.gc() is called.
! !
! If set to zero (the default) then no memory checking takes place. ! If set to zero (the default) then no memory checking takes place.
! !
!garbageCollectStatements=100 !garbageCollectStatements=100
! !
! If InstantDB is performing period memory checks (see above) then ! If InstantDB is performing period memory checks (see above) then
! this is the value in percent of available memory that must be ! this is the value in percent of available memory that must be
! used before System.gc() gets called. ! used before System.gc() gets called.
! !
!garbageCollectPercent=70 !garbageCollectPercent=70
!--------------------------------------------------------------------- !---------------------------------------------------------------------
! !
! LOGGING AND DEBUGGING PROPERTIES ! LOGGING AND DEBUGGING PROPERTIES
! !
!--------------------------------------------------------------------- !---------------------------------------------------------------------
! !
! Non-zero means include SQL statements in the export file. ! Non-zero means include SQL statements in the export file.
! !
exportSQL=0 exportSQL=0
! !
! Non-zero means trace output also directed to console. ! Non-zero means trace output also directed to console.
! Defaults to 0. ! Defaults to 0.
! !
traceConsole=1 traceConsole=1
! !
! Relative or absolute path where exporting and tracing goes. ! Relative or absolute path where exporting and tracing goes.
! !
! NOTE - A relative path is relative to the current Java ! NOTE - A relative path is relative to the current Java
! runtime directory. It is *not* relative to this properties ! runtime directory. It is *not* relative to this properties
! file. This is regardless of the relativeToProperties ! file. This is regardless of the relativeToProperties
! setting above. ! setting above.
! !
traceFile=./trace.log traceFile=./trace.log
! !
! Bitmap of various items that can be traced. See debug.html. ! Bitmap of various items that can be traced. See debug.html.
! Defaults to 0. ! Defaults to 0.
! !
traceLevel=2 traceLevel=2
!--------------------------------------------------------------------- !---------------------------------------------------------------------
! !
! TRANSACTION AND RECOVERY PROPERTIES ! TRANSACTION AND RECOVERY PROPERTIES
! !
!--------------------------------------------------------------------- !---------------------------------------------------------------------
! !
! 0 means do not perform recovery on startup. ! 0 means do not perform recovery on startup.
! 1 means perform automatic recovery ! 1 means perform automatic recovery
! 2 (default) means prompt the user using standard in ! 2 (default) means prompt the user using standard in
! !
recoveryPolicy=1 recoveryPolicy=1
! !
! Sets the level of transaction journalling. See trans.html. ! Sets the level of transaction journalling. See trans.html.
! Defaults to 1. ! Defaults to 1.
! !
! 0 - No journalling takes place. ! 0 - No journalling takes place.
! 1 - Normal journalling (default). ! 1 - Normal journalling (default).
! 2 - Full journalling. ! 2 - Full journalling.
! !
transLevel=1 transLevel=1
! !
! When doing an import, defines the number of rows imported ! When doing an import, defines the number of rows imported
! before the transaction is committed. Recommended value 8192. ! before the transaction is committed. Recommended value 8192.
! defaults to 100. ! defaults to 100.
! !
transImports=100 transImports=100
! !
! Sets the default transaction isolation level. This is a complex ! Sets the default transaction isolation level. This is a complex
! topic, but basically, the higher the level, the more locking ! topic, but basically, the higher the level, the more locking
! goes on. The allowed values are: ! goes on. The allowed values are:
! !
! TRANSACTION_READ_UNCOMMITTED = 1 ! TRANSACTION_READ_UNCOMMITTED = 1
! TRANSACTION_READ_COMMITTED = 2 ! TRANSACTION_READ_COMMITTED = 2
! TRANSACTION_REPEATABLE_READ = 4 ! TRANSACTION_REPEATABLE_READ = 4
! TRANSACTION_SERIALIZABLE = 8 (default) ! TRANSACTION_SERIALIZABLE = 8 (default)
! !
! SERIALIZABLE means that InstantDB takes exclusive access to all ! SERIALIZABLE means that InstantDB takes exclusive access to all
! tables in a transaction until the transaction completes. Even if ! tables in a transaction until the transaction completes. Even if
! the transaction only performs reads. ! the transaction only performs reads.
! !
! REPEATABLE_READ transactions takes read locks for SELECTs and ! REPEATABLE_READ transactions takes read locks for SELECTs and
! write locks for everything else. All locks released on transaction ! write locks for everything else. All locks released on transaction
! completion. ! completion.
! !
! READ_COMMITTED transactions are the same as REPEATABLE_READ ! READ_COMMITTED transactions are the same as REPEATABLE_READ
! except that read locks get freed on statement completion. ! except that read locks get freed on statement completion.
! !
! READ_UNCOMMITTED transactions do not take read locks. A result ! READ_UNCOMMITTED transactions do not take read locks. A result
! set can include data being modified by another transaction. ! set can include data being modified by another transaction.
! !
!defaultIsolationLevel=2 !defaultIsolationLevel=2
!--------------------------------------------------------------------- !---------------------------------------------------------------------
! !
! DATE, TIME AND CURRENCY PROPERTIES ! DATE, TIME AND CURRENCY PROPERTIES
! !
!--------------------------------------------------------------------- !---------------------------------------------------------------------
! !
! Number of digits after decimal point in currency outputs. Defaults to 2. ! Number of digits after decimal point in currency outputs. Defaults to 2.
! !
currencyDecimal=2 currencyDecimal=2
! !
! Currency symbol used in currency outputs. Defaults to $. ! Currency symbol used in currency outputs. Defaults to $.
! !
currencySymbol=$ currencySymbol=$
! !
! Default format for date columns. Defaults to "yyyy-mm-dd". ! Default format for date columns. Defaults to "yyyy-mm-dd".
! !
!dateFormat=yyyy-mm-dd !dateFormat=yyyy-mm-dd
! !
! Default format for timestamp columns. Defaults to "yyyy-mm-dd hh:nn:ss.lll". ! Default format for timestamp columns. Defaults to "yyyy-mm-dd hh:nn:ss.lll".
! !
!dateTimeFormat=yyyy-mm-dd hh:nn:ss.lll !dateTimeFormat=yyyy-mm-dd hh:nn:ss.lll
! !
! Default format for time columns. Defaults to "hh:nn:ss.lll". ! Default format for time columns. Defaults to "hh:nn:ss.lll".
! !
!timeFormat=hh:nn:ss.lll !timeFormat=hh:nn:ss.lll
! !
! If set, then all two digit dates less than its value are interpreted ! If set, then all two digit dates less than its value are interpreted
! as 21st century dates. ! as 21st century dates.
! !
!milleniumBoundary=50 !milleniumBoundary=50
! !
! Set to 1 causes the date string "now" to store a full timestamp. ! Set to 1 causes the date string "now" to store a full timestamp.
! Default is to store only the date for fields with now hour in the ! Default is to store only the date for fields with now hour in the
! format string. ! format string.
! !
nowMeansTime=0 nowMeansTime=0
!--------------------------------------------------------------------- !---------------------------------------------------------------------
! !
! STRING HANDLING PROPERTIES ! STRING HANDLING PROPERTIES
! !
!--------------------------------------------------------------------- !---------------------------------------------------------------------
! !
! If set to 1 then String hashes use the JDK Object.hashCode() function. ! If set to 1 then String hashes use the JDK Object.hashCode() function.
! By default, uses InstantDB's String hashing. ! By default, uses InstantDB's String hashing.
! !
altStringHashing=0 altStringHashing=0
! !
! Set to 1 to cause LIKE clauses to always perform case insensitive ! Set to 1 to cause LIKE clauses to always perform case insensitive
! comparisons. ! comparisons.
! !
likeIgnoreCase=0 likeIgnoreCase=0
! !
! Same as SET LITERAL STRICT_ON. Prevents string literals being interpreted ! Same as SET LITERAL STRICT_ON. Prevents string literals being interpreted
! as column names or numbers. Default is 0. ! as column names or numbers. Default is 0.
! !
strictLiterals=0 strictLiterals=0
! !
! Set this value to 1 (one) if you would like PreparedStatement.setString() ! Set this value to 1 (one) if you would like PreparedStatement.setString()
! to ignore "\" (backslash) characters when proceesing string constants. ! to ignore "\" (backslash) characters when proceesing string constants.
! When set, InstantDB will not attempt to interpret \ as the start of an ! When set, InstantDB will not attempt to interpret \ as the start of an
! escape sequence. Default is 0. ! escape sequence. Default is 0.
! !
!prepareIgnoresEscapes=1 !prepareIgnoresEscapes=1
!--------------------------------------------------------------------- !---------------------------------------------------------------------
! !
! MISCELLANEOUS PROPERTIES ! MISCELLANEOUS PROPERTIES
! !
!--------------------------------------------------------------------- !---------------------------------------------------------------------
! !
! Allows selected InstantDB keywords to be un-reserved. ! Allows selected InstantDB keywords to be un-reserved.
! e.g. ignoreKeywords=url,quote would allow the keywords ! e.g. ignoreKeywords=url,quote would allow the keywords
! url and quote to be used as table or column names. ! url and quote to be used as table or column names.
! !
! This faciliy is provided for compatatbility reasons only. ! This faciliy is provided for compatatbility reasons only.
! It's use is not recommended AND IS NOT SUPPORTED. ! It's use is not recommended AND IS NOT SUPPORTED.
! !
!ignoreKeywords !ignoreKeywords
! !
! Non-zero means database is opened in read only mode. ! Non-zero means database is opened in read only mode.
! !
readOnly=0 readOnly=0
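Review bot: the comment above `transImports=100` recommends 8192 yet the value is left at the default 100; either adopt the recommended value or drop the recommendation from the comment so the two do not contradict each other. Since the file is only being moved, the comment typos are worth fixing in passing: "faciliy", "compatatbility" and "It's use" at `ignoreKeywords`, "proceesing" at `prepareIgnoresEscapes`, and "now hour" (for "no hour") at `nowMeansTime`.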


@ -1,292 +1,292 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java" <%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.Category, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*, java.util.*" import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.Category, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*, java.util.*"
errorPage="" %> errorPage="" %>
<% <%
WebSession webSession = ((WebSession) session.getAttribute(WebSession.SESSION)); WebSession webSession = ((WebSession) session.getAttribute(WebSession.SESSION));
Course course = webSession.getCourse(); Course course = webSession.getCourse();
AbstractLesson currentLesson = webSession.getCurrentLesson(); AbstractLesson currentLesson = webSession.getCurrentLesson();
LabelManager labelManager = BeanProvider.getBean("labelManager", LabelManager.class); LabelManager labelManager = BeanProvider.getBean("labelManager", LabelManager.class);
%> %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@page import="org.owasp.webgoat.lessons.RandomLessonAdapter"%> <%@page import="org.owasp.webgoat.lessons.RandomLessonAdapter"%>
<html xmlns="http://www.w3.org/1999/xhtml"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title><%=currentLesson.getTitle()%></title> <title><%=currentLesson.getTitle()%></title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" /> <link rel="stylesheet" href="css/webgoat.css" type="text/css" />
<link rel="stylesheet" href="css/lesson.css" type="text/css" /> <link rel="stylesheet" href="css/lesson.css" type="text/css" />
<link rel="stylesheet" href="css/menu.css" type="text/css" /> <link rel="stylesheet" href="css/menu.css" type="text/css" />
<link rel="stylesheet" href="css/layers.css" type="text/css" /> <link rel="stylesheet" href="css/layers.css" type="text/css" />
<script language="JavaScript1.2" src="javascript/javascript.js" type="text/javascript"></script> <script language="JavaScript1.2" src="javascript/javascript.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/menu_system.js" type="text/javascript"></script> <script language="JavaScript1.2" src="javascript/menu_system.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/lessonNav.js" type="text/javascript"></script> <script language="JavaScript1.2" src="javascript/lessonNav.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/makeWindow.js" type="text/javascript"></script> <script language="JavaScript1.2" src="javascript/makeWindow.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/toggle.js" type="text/javascript"></script> <script language="JavaScript1.2" src="javascript/toggle.js" type="text/javascript"></script>
</head> </head>
<% <%
final String menuPrefix = WebSession.MENU; final String menuPrefix = WebSession.MENU;
final String submenuPrefix = "submenu"; final String submenuPrefix = "submenu";
final String mbutPrefix = "mbut"; final String mbutPrefix = "mbut";
String printHint = ""; String printHint = "";
String printParameters = ""; String printParameters = "";
String printCookies = ""; String printCookies = "";
String lessonComplete = "<img src=\"images/buttons/lessonComplete.jpg\">"; String lessonComplete = "<img src=\"images/buttons/lessonComplete.jpg\">";
List categories = course.getCategories(); List categories = course.getCategories();
StringBuffer buildList = new StringBuffer(); StringBuffer buildList = new StringBuffer();
Iterator iter1 = categories.iterator(); Iterator iter1 = categories.iterator();
while (iter1.hasNext()) { while (iter1.hasNext()) {
Category category = (Category) iter1.next(); Category category = (Category) iter1.next();
buildList.append("'"); buildList.append("'");
buildList.append(menuPrefix); buildList.append(menuPrefix);
buildList.append(category.getRanking()); buildList.append(category.getRanking());
buildList.append("','"); buildList.append("','");
buildList.append(submenuPrefix); buildList.append(submenuPrefix);
buildList.append(category.getRanking()); buildList.append(category.getRanking());
buildList.append("','"); buildList.append("','");
buildList.append(mbutPrefix); buildList.append(mbutPrefix);
buildList.append(category.getRanking()); buildList.append(category.getRanking());
buildList.append("'"); buildList.append("'");
if (iter1.hasNext()) { if (iter1.hasNext()) {
buildList.append(","); buildList.append(",");
} }
}%> }%>
<body class="page" onload="setMenuMagic1(10, 40, 10, 'menubottom',<%=buildList%>); <body class="page" onload="setMenuMagic1(10, 40, 10, 'menubottom',<%=buildList%>);
trigMM1url('<%= menuPrefix%>', 1); trigMM1url('<%= menuPrefix%>', 1);
MM_preloadImages('images/buttons/hintLeftOver.jpg', 'images/buttons/hintOver.jpg', 'images/buttons/hintRightOver.jpg', 'images/buttons/paramsOver.jpg', 'images/buttons/htmlOver.jpg', 'images/buttons/cookiesOver.jpg', 'images/buttons/javaOver.jpg', 'images/buttons/plansOver.jpg', 'images/buttons/logout.jpg', 'images/buttons/helpOver.jpg'); MM_preloadImages('images/buttons/hintLeftOver.jpg', 'images/buttons/hintOver.jpg', 'images/buttons/hintRightOver.jpg', 'images/buttons/paramsOver.jpg', 'images/buttons/htmlOver.jpg', 'images/buttons/cookiesOver.jpg', 'images/buttons/javaOver.jpg', 'images/buttons/plansOver.jpg', 'images/buttons/logout.jpg', 'images/buttons/helpOver.jpg');
initIframe();"> initIframe();">
<div id="wrap"> <div id="wrap">
<% <%
int topCord = 140; int topCord = 140;
int zIndex = 105; int zIndex = 105;
Iterator iter2 = categories.iterator(); Iterator iter2 = categories.iterator();
while (iter2.hasNext()) { while (iter2.hasNext()) {
Category category = (Category) iter2.next(); Category category = (Category) iter2.next();
%> %>
<div id="<%=menuPrefix + category.getRanking()%>" style="position:absolute; left:30px; top:<%=topCord%>px; width:160px; z-index:<%=zIndex%>"><a href="javascript:;" onclick="trigMenuMagic1('<%=menuPrefix + category.getRanking()%>', 1); <div id="<%=menuPrefix + category.getRanking()%>" style="position:absolute; left:30px; top:<%=topCord%>px; width:160px; z-index:<%=zIndex%>"><a href="javascript:;" onclick="trigMenuMagic1('<%=menuPrefix + category.getRanking()%>', 1);
return false" onfocus="if (this.blur) return false" onfocus="if (this.blur)
this.blur()"><img src="images/menu_images/1x1.gif" width="1" height=1"20" name="mbut<%=category.getRanking()%>" border="0" alt=""/><%=category.getName()%></a></div> this.blur()"><img src="images/menu_images/1x1.gif" width="1" height=1"20" name="mbut<%=category.getRanking()%>" border="0" alt=""/><%=category.getName()%></a></div>
<% <%
topCord = topCord + 30; topCord = topCord + 30;
zIndex = zIndex + 1; zIndex = zIndex + 1;
} }
int topSubMenu = 72; int topSubMenu = 72;
Iterator iter3 = categories.iterator(); Iterator iter3 = categories.iterator();
while (iter3.hasNext()) { while (iter3.hasNext()) {
Category category = (Category) iter3.next(); Category category = (Category) iter3.next();
List lessons = webSession.getLessons(category); List lessons = webSession.getLessons(category);
Iterator iter4 = lessons.iterator(); Iterator iter4 = lessons.iterator();
%> %>
<div id="submenu<%=category.getRanking()%>" class="pviimenudiv" style="position:absolute; left:200px; top:<%=topSubMenu%>px; width:150px; visibility: hidden; z-index:<%=zIndex%>"> <div id="submenu<%=category.getRanking()%>" class="pviimenudiv" style="position:absolute; left:200px; top:<%=topSubMenu%>px; width:150px; visibility: hidden; z-index:<%=zIndex%>">
<table width="150" border="0" cellspacing="6" cellpadding="0"><% <table width="150" border="0" cellspacing="6" cellpadding="0"><%
topSubMenu = topSubMenu + 30; topSubMenu = topSubMenu + 30;
zIndex = zIndex + 1; zIndex = zIndex + 1;
while (iter4.hasNext()) { while (iter4.hasNext()) {
AbstractLesson lesson = (AbstractLesson) iter4.next(); AbstractLesson lesson = (AbstractLesson) iter4.next();
%><tr> %><tr>
<td><%=(lesson.isCompleted(webSession) ? lessonComplete : "")%><a href="<%=lesson.getLink()%>"><%=lesson.getTitle()%></a></td> <td><%=(lesson.isCompleted(webSession) ? lessonComplete : "")%><a href="<%=lesson.getLink()%>"><%=lesson.getTitle()%></a></td>
</tr> </tr>
<% if (lesson instanceof RandomLessonAdapter) { <% if (lesson instanceof RandomLessonAdapter) {
RandomLessonAdapter rla = (RandomLessonAdapter) lesson; RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
String[] stages = rla.getStages(); String[] stages = rla.getStages();
if (stages != null) if (stages != null)
for (int i = 0; i < stages.length; i++) { for (int i = 0; i < stages.length; i++) {
%> %>
<tr><td class="pviimenudivstage"><%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%><a href="<%=lesson.getLink() + "/" + (i + 1)%>">Stage <%=i + 1%>: <%=stages[i]%></a> <tr><td class="pviimenudivstage"><%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%><a href="<%=lesson.getLink() + "/" + (i + 1)%>">Stage <%=i + 1%>: <%=stages[i]%></a>
</td></tr> </td></tr>
<% <%
} }
} }
%> %>
<% <%
} }
%> %>
</table> </table>
</div><% </div><%
}%> }%>
<div id="top"></div> <div id="top"></div>
<div id="topLeft"> <div id="topLeft">
<div align="left"> <div align="left">
<% if (currentLesson.getAvailableLanguages().size() != 0) { <% if (currentLesson.getAvailableLanguages().size() != 0) {
%> %>
<form method="get" action="attack" style="display: inline;"> <form method="get" action="attack" style="display: inline;">
Choose another language: <select name="language" size="1" Choose another language: <select name="language" size="1"
onChange="changeLanguage();"> onChange="changeLanguage();">
<% <%
for (String lang : currentLesson.getAvailableLanguages()) { for (String lang : currentLesson.getAvailableLanguages()) {
%> %>
<option value="<%=lang%>" <option value="<%=lang%>"
<% if (webSession.getCurrrentLanguage().equals(lang)) { <% if (webSession.getCurrrentLanguage().equals(lang)) {
out.println("selected"); out.println("selected");
}%>><%=lang%> }%>><%=lang%>
</option> </option>
<% <%
} }
%> %>
</select></form> </select></form>
<% <%
} else { } else {
%> %>
Internationalization is not available for this lesson Internationalization is not available for this lesson
<% <%
} }
%> %>
</div></div> </div></div>
<div align="right" id="topRight"> <div align="right" id="topRight">
<a href="j_spring_security_logout" onmouseout="MM_swapImgRestore()" <a href="j_spring_security_logout" onmouseout="MM_swapImgRestore()"
onmouseover="MM_swapImage('logout', '', 'images/buttons/logoutOver.jpg', 1)"><img onmouseover="MM_swapImage('logout', '', 'images/buttons/logoutOver.jpg', 1)"><img
src="images/buttons/logout.jpg" alt="LogOut" name="logout" width="45" src="images/buttons/logout.jpg" alt="LogOut" name="logout" width="45"
height="22" border="0" id="logout" /></a> <a href="#getFAQ()" height="22" border="0" id="logout" /></a> <a href="#getFAQ()"
onmouseout="MM_swapImgRestore()" onmouseout="MM_swapImgRestore()"
onmouseover="MM_swapImage('help', '', 'images/buttons/helpOver.jpg', 1)"><img onmouseover="MM_swapImage('help', '', 'images/buttons/helpOver.jpg', 1)"><img
src="images/buttons/help.jpg" alt="Help" name="help" width="22" src="images/buttons/help.jpg" alt="Help" name="help" width="22"
height="22" border="0" id="help" /></a> height="22" border="0" id="help" /></a>
</div> </div>
<div id="lessonTitle" align="right"><%=currentLesson.getTitle()%></div> <div id="lessonTitle" align="right"><%=currentLesson.getTitle()%></div>
<div id="hMenuBar"> <div id="hMenuBar">
<% <%
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWHINTS)) { if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWHINTS)) {
%> %>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=PreviousHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintLeft', '', 1)" <a href="<%= webSession.getCurrentLesson().getLink()%>&show=PreviousHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintLeft', '', 1)"
onmouseover="MM_nbGroup('over', 'hintLeft', 'images/buttons/hintLeftOver.jpg', '', 1)" onmouseover="MM_nbGroup('over', 'hintLeft', 'images/buttons/hintLeftOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hintLeft.jpg" alt="Previous Hint" name="hintLeft" width="20" height="20" border="0" id="hintLeft"/> <img src="images/buttons/hintLeft.jpg" alt="Previous Hint" name="hintLeft" width="20" height="20" border="0" id="hintLeft"/>
</a> </a>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=NextHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hint', '', 1)" <a href="<%= webSession.getCurrentLesson().getLink()%>&show=NextHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hint', '', 1)"
onmouseover="MM_nbGroup('over', 'hint', 'images/buttons/hintOver.jpg', '', 1)" onmouseover="MM_nbGroup('over', 'hint', 'images/buttons/hintOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hint.jpg" alt="Hints" name="hint" width="35" height="20" border="0" id="hint"/> <img src="images/buttons/hint.jpg" alt="Hints" name="hint" width="35" height="20" border="0" id="hint"/>
</a> </a>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=NextHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintRight', '', 1)" <a href="<%= webSession.getCurrentLesson().getLink()%>&show=NextHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintRight', '', 1)"
onmouseover="MM_nbGroup('over', 'hintRight', 'images/buttons/hintRightOver.jpg', '', 1)" onmouseover="MM_nbGroup('over', 'hintRight', 'images/buttons/hintRightOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hintRight.jpg" alt="Next Hint" name="hintRight" width="20" height="20" border="0" id="hintRight"/> <img src="images/buttons/hintRight.jpg" alt="Next Hint" name="hintRight" width="20" height="20" border="0" id="hintRight"/>
</a> </a>
<%}%> <%}%>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=Params" target="_top" onclick="MM_nbGroup('down', 'group1', 'params', '', 1)" <a href="<%= webSession.getCurrentLesson().getLink()%>&show=Params" target="_top" onclick="MM_nbGroup('down', 'group1', 'params', '', 1)"
onmouseover="MM_nbGroup('over', 'params', 'images/buttons/paramsOver.jpg', '', 1)" onmouseover="MM_nbGroup('over', 'params', 'images/buttons/paramsOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseout="MM_nbGroup('out')">
<img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink()%>&show=Params" width="87" height="20" border="0" id="params"/> <img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink()%>&show=Params" width="87" height="20" border="0" id="params"/>
</a> </a>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=Cookies" target="_top" onclick="MM_nbGroup('down', 'group1', 'cookies', '', 1)" <a href="<%= webSession.getCurrentLesson().getLink()%>&show=Cookies" target="_top" onclick="MM_nbGroup('down', 'group1', 'cookies', '', 1)"
onmouseover="MM_nbGroup('over', 'cookies', 'images/buttons/cookiesOver.jpg', '', 1)" onmouseover="MM_nbGroup('over', 'cookies', 'images/buttons/cookiesOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseout="MM_nbGroup('out')">
<img src="images/buttons/cookies.jpg" alt="Show Cookies" name="cookies" width="99" height="20" border="0" id="cookies"/> <img src="images/buttons/cookies.jpg" alt="Show Cookies" name="cookies" width="99" height="20" border="0" id="cookies"/>
</a> </a>
<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down', 'group1', 'plans', '', 1)" <a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down', 'group1', 'plans', '', 1)"
onmouseover="MM_nbGroup('over', 'plans', 'images/buttons/plansOver.jpg', '', 1)" onmouseover="MM_nbGroup('over', 'plans', 'images/buttons/plansOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseout="MM_nbGroup('out')">
<img src="images/buttons/plans.jpg" alt="Lesson Plans" width="89" height="20" border="0" id="plans"/> <img src="images/buttons/plans.jpg" alt="Lesson Plans" width="89" height="20" border="0" id="plans"/>
</a> </a>
<% <%
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWSOURCE)) { if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWSOURCE)) {
%> %>
<a href="source" onclick="makeWindow(this.href + '?source=true', 'Java Source'); <a href="source" onclick="makeWindow(this.href + '?source=true', 'Java Source');
return false;" target="javaWin" return false;" target="javaWin"
onmouseover="MM_nbGroup('over', 'java', 'images/buttons/javaOver.jpg', '', 1)" onmouseover="MM_nbGroup('over', 'java', 'images/buttons/javaOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseout="MM_nbGroup('out')">
<img src="images/buttons/java.jpg" alt="Show Java" name="java" width="75" height="20" border="0" id="java"/> <img src="images/buttons/java.jpg" alt="Show Java" name="java" width="75" height="20" border="0" id="java"/>
</a> </a>
<a href="source" onclick="makeWindow(this.href + '?solution=true', 'Java Solution'); <a href="source" onclick="makeWindow(this.href + '?solution=true', 'Java Solution');
return false;" target="javaWin" return false;" target="javaWin"
onmouseover="MM_nbGroup('over', 'solutions', 'images/buttons/solutionsOver.jpg', '', 1)" onmouseover="MM_nbGroup('over', 'solutions', 'images/buttons/solutionsOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseout="MM_nbGroup('out')">
<img src="images/buttons/solutions.jpg" alt="Show Solution" name="solutions" width="73" height="20" border="0" id="solutions"/> <img src="images/buttons/solutions.jpg" alt="Show Solution" name="solutions" width="73" height="20" border="0" id="solutions"/>
</a> </a>
<%}%> <%}%>
</div> </div>
<div id="twoCol"> <div id="twoCol">
<div id="menuSpacer"></div> <div id="menuSpacer"></div>
<div id="lessonAreaTop"> <div id="lessonAreaTop">
<% <%
if (currentLesson != null) { if (currentLesson != null) {
%> %>
<div id="training_wrap"> <div id="training_wrap">
<div id="training" class="info"><a href="http://yehg.net/lab/pr0js/training/webgoat.php" target="_blank"><%=labelManager.get("SolutionVideos")%></a></div> <div id="training" class="info"><a href="http://yehg.net/lab/pr0js/training/webgoat.php" target="_blank"><%=labelManager.get("SolutionVideos")%></a></div>
<div id="reset" class="info"><a href="<%=webSession.getRestartLink()%>"><%=labelManager.get("RestartLesson")%></a></div> <div id="reset" class="info"><a href="<%=webSession.getRestartLink()%>"><%=labelManager.get("RestartLesson")%></a></div>
</div> </div>
<% <%
} }
%> %>
</div> </div>
<div id="lessonArea"> <div id="lessonArea">
<% <%
if (webSession.getHint() != null) { if (webSession.getHint() != null) {
printHint = "<div id=\"hint\" class=\"info\">" + webSession.getHint() + "</div><br>"; printHint = "<div id=\"hint\" class=\"info\">" + webSession.getHint() + "</div><br>";
out.println(printHint); out.println(printHint);
} }
if (webSession.getParams() != null) { if (webSession.getParams() != null) {
Iterator i = webSession.getParams().iterator(); Iterator i = webSession.getParams().iterator();
while (i.hasNext()) { while (i.hasNext()) {
Parameter p = (Parameter) i.next(); Parameter p = (Parameter) i.next();
printParameters = "<div id=\"parameter\" class=\"info\">" + p.getName() + "=" + p.getValue() + "</div><br>"; printParameters = "<div id=\"parameter\" class=\"info\">" + p.getName() + "=" + p.getValue() + "</div><br>";
out.println(printParameters); out.println(printParameters);
} }
} }
if (webSession.getCookies() != null) { if (webSession.getCookies() != null) {
Iterator i = webSession.getCookies().iterator(); Iterator i = webSession.getCookies().iterator();
while (i.hasNext()) { while (i.hasNext()) {
Cookie c = (Cookie) i.next(); Cookie c = (Cookie) i.next();
printCookies = "<div id=\"cookie\" class=\"info\">" + c.getName() + " <img src=\"images/icons/rightArrow.jpg\" alt=\"\"> " + c.getValue() + "</div><br>"; printCookies = "<div id=\"cookie\" class=\"info\">" + c.getName() + " <img src=\"images/icons/rightArrow.jpg\" alt=\"\"> " + c.getValue() + "</div><br>";
out.println(printCookies); out.println(printCookies);
} }
}%> }%>
<div id="lessonPlans" style="visibility:hidden; height:1px; position:absolute; left:260px; top:130px; width:425px; z-index:105;"><%=currentLesson.getLessonPlan(webSession)%> <div id="lessonPlans" style="visibility:hidden; height:1px; position:absolute; left:260px; top:130px; width:425px; z-index:105;"><%=currentLesson.getLessonPlan(webSession)%>
<br/> <br/>
<br/> <br/>
<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down', 'group1', 'plans', '', 1)">Close this Window</a> <a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down', 'group1', 'plans', '', 1)">Close this Window</a>
</div> </div>
<div id="lessonContent"> <div id="lessonContent">
<% <%
AbstractLesson lesson = webSession.getCurrentLesson(); AbstractLesson lesson = webSession.getCurrentLesson();
if (lesson instanceof RandomLessonAdapter) { if (lesson instanceof RandomLessonAdapter) {
RandomLessonAdapter rla = (RandomLessonAdapter) lesson; RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
%> %>
<div class="info">Stage <%= rla.getLessonTracker(webSession).getStageNumber(rla.getStage(webSession)) + 1%></div> <div class="info">Stage <%= rla.getLessonTracker(webSession).getStageNumber(rla.getStage(webSession)) + 1%></div>
<% <%
} }
%> %>
<%=webSession.getInstructions()%></div> <%=webSession.getInstructions()%></div>
<div id="message" class="info"><%=webSession.getMessage()%></div> <div id="message" class="info"><%=webSession.getMessage()%></div>
<% <%
if (currentLesson.getTemplatePage(webSession) != null) { if (currentLesson.getTemplatePage(webSession) != null) {
//System.out.println("Main.jsp - current lesson: " + currentLesson.getName() ); //System.out.println("Main.jsp - current lesson: " + currentLesson.getName() );
//System.out.println(" - template Page: " + currentLesson.getTemplatePage(webSession)); //System.out.println(" - template Page: " + currentLesson.getTemplatePage(webSession));
%> %>
<jsp:include page="<%=currentLesson.getTemplatePage(webSession)%>" /> <jsp:include page="<%=currentLesson.getTemplatePage(webSession)%>" />
<% <%
} else { } else {
%> %>
<div id="lessonContent"><%=currentLesson.getContent()%></div> <div id="lessonContent"><%=currentLesson.getContent()%></div>
<% <%
} }
%> %>
</div> </div>
</div> </div>
<div id="bottom"> <div id="bottom">
<div align="center"><a href="http://www.owasp.org">OWASP Foundation</a> | <div align="center"><a href="http://www.owasp.org">OWASP Foundation</a> |
<a href="http://www.owasp.org/index.php/OWASP_WebGoat_Project">Project WebGoat</a> | <a href="http://www.owasp.org/index.php/OWASP_WebGoat_Project">Project WebGoat</a> |
<a href="reportBug.jsp">Report Bug</a> <a href="reportBug.jsp">Report Bug</a>
</div> </div>
</div> </div>
</div> </div>
</body> </body>
</html> </html>
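Review bot: in the `lessonArea` block the hint, parameter and cookie values are concatenated straight into HTML (`p.getName() + "=" + p.getValue()` and `c.getName() + ... + c.getValue()`) with no HTML encoding, so whatever the client sends in a parameter or cookie is rendered verbatim; unless this reflection is part of a lesson, pass the values through an HTML encoder before `out.println`. Three markup defects in the same file: the category menu `<img>` carries the malformed attribute `height=1"20"` (should be `height="20"`), the "Show Params" `<img>` has `name="<%= ...getLink()%>&show=Params"` instead of `name="params"`, which breaks the `MM_nbGroup` image lookup by name, and `id="lessonContent"` appears twice (the outer div and the fallback div in the `else` branch), so `getElementById` only reaches the first.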


@ -1,28 +1,28 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java" <%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="org.owasp.webgoat.session.WebSession" import="org.owasp.webgoat.session.WebSession"
errorPage="" %> errorPage="" %>
<% <%
WebSession webSession = ((WebSession)session.getAttribute("websession")); WebSession webSession = ((WebSession)session.getAttribute("websession"));
%> %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Untitled Document</title> <title>Untitled Document</title>
<link href="css/webgoat.css" rel="stylesheet" type="text/css" /> <link href="css/webgoat.css" rel="stylesheet" type="text/css" />
</head> </head>
<body> <body>
<div id=#wrap> <div id=#wrap>
<% <%
String source = webSession.getSource(); String source = webSession.getSource();
if (source != null) if (source != null)
{ {
String printSource = "<div id=\"source\">" + source + "</div><br>"; String printSource = "<div id=\"source\">" + source + "</div><br>";
out.println(printSource); out.println(printSource);
} }
%> %>
</div> </div>
</body> </body>
</html> </html>
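Review bot: `webSession` is looked up with the string literal `"websession"` while main.jsp uses the `WebSession.SESSION` constant; if the constant's value ever differs from the literal, `webSession` is null here and `webSession.getSource()` throws a NullPointerException, so use the constant and null-check before dereferencing. Also `<div id=#wrap>` is not a valid attribute (the `#` is CSS selector syntax); it should read `<div id="wrap">`.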


@ -1,100 +1,100 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java" <%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage=""%> errorPage=""%>
<!-- This modal content is included into the main_new.jsp --> <!-- This modal content is included into the main_new.jsp -->
<div class="modal-content"> <div class="modal-content">
<div class="modal-header"> <div class="modal-header">
<h3 class="modal-title" id="myModalLabel">About WebGoat - Provided by the OWASP Foundation</h3> <h3 class="modal-title" id="myModalLabel">About WebGoat - Provided by the OWASP Foundation</h3>
</div> </div>
<div class="modal-body modal-scroll"> <div class="modal-body modal-scroll">
<p>Thanks for hacking The Goat!</p> <p>Thanks for hacking The Goat!</p>
<p>WebGoat is a demonstration of common web application flaws. The <p>WebGoat is a demonstration of common web application flaws. The
associated exercises are intended to provide hands-on experience with associated exercises are intended to provide hands-on experience with
techniques aimed at demonstrating and testing application penetration. techniques aimed at demonstrating and testing application penetration.
</p> </p>
<p>From the entire WebGoat team, we appreciate your interest and efforts <p>From the entire WebGoat team, we appreciate your interest and efforts
in making applications not just better, but safer and more secure for in making applications not just better, but safer and more secure for
everyone. We, as well as our sacrificial goat, thank you.</p> everyone. We, as well as our sacrificial goat, thank you.</p>
<p> <p>
Version: ${version},&nbsp;Build: ${build} Version: ${version},&nbsp;Build: ${build}
</p> </p>
<div class="row"> <div class="row">
<div class="col-md-6"> <div class="col-md-6">
<p>Contact us: <p>Contact us:
<ul> <ul>
<li>WebGoat mailing list: ${emailList}</li> <li>WebGoat mailing list: ${emailList}</li>
<li>Bruce Mayhew: ${contactEmail}</li> <li>Bruce Mayhew: ${contactEmail}</li>
</ul> </ul>
</p> </p>
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="col-md-6"> <div class="col-md-6">
<p>WebGoat Authors <p>WebGoat Authors
<ul> <ul>
<li>Bruce Mayhew (Project Lead)</li> <li>Bruce Mayhew (Project Lead)</li>
<li>Jeff Williams (Original Idea)</li> <li>Jeff Williams (Original Idea)</li>
<li>Richard Lawson (Architect)</li> <li>Richard Lawson (Architect)</li>
<li>Jason White (Architect)</li> <li>Jason White (Architect)</li>
</ul> </ul>
</p> </p>
</div> </div>
<div class="col-md-6"> <div class="col-md-6">
<p>WebGoat Design Team <p>WebGoat Design Team
<ul> <ul>
<li>Richard Lawson</li> <li>Richard Lawson</li>
<li>Bruce Mayhew</li> <li>Bruce Mayhew</li>
<li>Jason White</li> <li>Jason White</li>
<li>Ali Looney (User Interface)</li> <li>Ali Looney (User Interface)</li>
<li>Jeff Wayman (Website and Docs)</li> <li>Jeff Wayman (Website and Docs)</li>
</ul> </ul>
</p> </p>
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="col-md-6"> <div class="col-md-6">
<p>Active Contributors <p>Active Contributors
<ul> <ul>
<li>Nanne Baars (Developer)</li> <li>Nanne Baars (Developer)</li>
<li>Dave Cowden (Everything)</li> <li>Dave Cowden (Everything)</li>
<li>Keith Gasser (Survey/Security)</li> <li>Keith Gasser (Survey/Security)</li>
<li>Devin Mayhew (Setup/Admin)</li> <li>Devin Mayhew (Setup/Admin)</li>
<li>Li Simon (Developer)</li> <li>Li Simon (Developer)</li>
</ul> </ul>
</p> </p>
</div> </div>
<div class="col-md-6"> <div class="col-md-6">
<p>Past Contributors <p>Past Contributors
<ul> <ul>
<li>David Anderson (Developer/Design)</li> <li>David Anderson (Developer/Design)</li>
<li>Christopher Blum (Lessons)</li> <li>Christopher Blum (Lessons)</li>
<li>Laurence Casey (Graphics)</li> <li>Laurence Casey (Graphics)</li>
<li>Brian Ciomei (Bug fixes)</li> <li>Brian Ciomei (Bug fixes)</li>
<li>Rogan Dawes (Lessons)</li> <li>Rogan Dawes (Lessons)</li>
<li>Erwin Geirnaert (Solutions)</li> <li>Erwin Geirnaert (Solutions)</li>
<li>Aung Knant (Documentation)</li> <li>Aung Knant (Documentation)</li>
<li>Ryan Knell (Lessons)</li> <li>Ryan Knell (Lessons)</li>
<li>Christine Koppeit (Build)</li> <li>Christine Koppeit (Build)</li>
<li>Sherif Kousa (Lessons/Documentation)</li> <li>Sherif Kousa (Lessons/Documentation)</li>
<li>Reto Lippuner (Lessons)</li> <li>Reto Lippuner (Lessons)</li>
<li>PartNet (Lessons)</li> <li>PartNet (Lessons)</li>
<li>Yiannis Pavlosoglou (Lessons)</li> <li>Yiannis Pavlosoglou (Lessons)</li>
<li>Eric Sheridan (Lessons)</li> <li>Eric Sheridan (Lessons)</li>
<li>Alex Smolen (Lessons)</li> <li>Alex Smolen (Lessons)</li>
<li>Chuck Willis (Lessons)</li> <li>Chuck Willis (Lessons)</li>
<li>Marcel Wirth (Lessons)</li> <li>Marcel Wirth (Lessons)</li>
</ul> </ul>
</p> </p>
<p>Did we miss you? Our sincere apologies, as we know there have <p>Did we miss you? Our sincere apologies, as we know there have
been many contributors over the years. If your name does not been many contributors over the years. If your name does not
appear in any of the lists above, please send us a note. We'll appear in any of the lists above, please send us a note. We'll
get you added with no further sacrifices required.</p> get you added with no further sacrifices required.</p>
</div> </div>
</div> </div>
</div> </div>
<div class="modal-footer"> <div class="modal-footer">
<button type="button" class="btn btn-default" data-dismiss="modal">Close</button> <button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
</div> </div>
</div> </div>
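Review bot: the hunk covers the whole 100-line file yet the old and new lines are identical, so this reads as a whitespace or line-ending change only; if so, an `.editorconfig` or `.gitattributes` rule would stop the file being re-churned on every commit. Independently, each `<p>` that wraps a `<ul>` (Contact us, WebGoat Authors, WebGoat Design Team, Active Contributors, Past Contributors) is invalid HTML: a `<p>` cannot contain a list, browsers implicitly close the `<p>` when they meet the `<ul>`, and the later `</p>` becomes a stray end tag. Close the `<p>` before the `<ul>`, or use a heading or `<div>` for the label.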

View File

@ -164,7 +164,7 @@ developer_bootstrap() {
horizontal_rule horizontal_rule
echo "$COL_MAGENTA" echo "$COL_MAGENTA"
echo "$COL_CYAN ***** Starting WebGoat using the embedded Tomcat ***** $COL_RESET" echo "$COL_CYAN ***** Starting WebGoat using the embedded Tomcat ***** $COL_RESET"
echo " Please be patient.... The startup of the server can take from 30s to 3 minutes." echo " Please be patient.... The startup of the server takes about 5 seconds..."
echo " WebGoat will be ready for you when you see the following message on the command prompt:" echo " WebGoat will be ready for you when you see the following message on the command prompt:"
echo "$COL_YELLOW INFO: Starting ProtocolHandler ["http-bio-8080"] $COL_RESET" echo "$COL_YELLOW INFO: Starting ProtocolHandler ["http-bio-8080"] $COL_RESET"
echo "$COL_CYAN When you see the message above, open a web browser and navigate to http://localhost:8080/WebGoat/ $COL_RESET" echo "$COL_CYAN When you see the message above, open a web browser and navigate to http://localhost:8080/WebGoat/ $COL_RESET"
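Review bot: the message still tells users to wait for `INFO: Starting ProtocolHandler ["http-bio-8080"]`, which is the Tomcat BIO connector's log line; with the launch command switching from `tomcat7:run-war` to `spring-boot:run` in the hunk below, confirm the embedded server still prints exactly this line, otherwise users will wait for a message that never appears. The inner double quotes in `echo "$COL_YELLOW INFO: Starting ProtocolHandler ["http-bio-8080"] $COL_RESET"` are not escaped and only produce one argument because the shell concatenates the adjacent quoted and unquoted words; `\"http-bio-8080\"` says what is meant. The new "about 5 seconds" promise also replaced a range; check it against a cold Maven cache, where dependency download dominates the first start.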
@ -179,7 +179,7 @@ developer_bootstrap() {
sleep 5 sleep 5
# Starting WebGoat # Starting WebGoat
mvn -q -DskipTests -file WebGoat/pom.xml -pl webgoat-container tomcat7:run-war mvn -q -pl webgoat-container spring-boot:run
} }
# Start main script # Start main script
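Review bot: dropping `-file WebGoat/pom.xml` means `mvn -q -pl webgoat-container spring-boot:run` now only works when `developer_bootstrap` runs from the directory containing the root pom; either `cd` there first in the function or keep the `-f` option. `-pl webgoat-container` without `-am` also expects the sibling modules it depends on to already be installed in the local repository, so on a fresh checkout the run fails unless a prior full build is documented or `-am` is added. Removing `-DskipTests` is harmless here, since `spring-boot:run` does not execute the test phase by itself.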