Updating README and moving webapp dir to old

This commit is contained in:
Nanne Baars 2016-04-10 21:22:20 +02:00
parent 289da771c9
commit 9066e45725
46 changed files with 1349 additions and 1640 deletions


@ -44,15 +44,15 @@ first thing that all hackers claim.*
# Easy Run ( For non-developers )
Every successful build of the WebGoat Lessons Container and the WebGoat Lessons in our Continuous Integration Server
creates an "Easy Run" Executable JAR file, which contains the WebGoat Lessons Server, the lessons and a embedded Tomcat server.
creates an "Easy Run" Executable WAR file, which contains the WebGoat Lessons Server, the lessons and a embedded Tomcat server.
You can check for the "Last Modified" date of our "Easy Run" jar file [HERE](http://webgoat-war.s3-website-us-east-1.amazonaws.com/)
You can check for the "Last Modified" date of our "Easy Run" war file [HERE](http://webgoat-war.s3-website-us-east-1.amazonaws.com/)
The "Easy Run" JAR file offers a no hassle approach to testing and running WebGoat. Follow these instructions if you
wish to simply try/test/run the current development version of WebGoat
### Prerequisites:
* Java VM >= 1.6 installed ( JDK 1.7 recommended)
* Java VM 1.8 installed
## Easy Run Instructions:
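Review bot: the unchanged context line `The "Easy Run" JAR file offers a no hassle approach` still says JAR although the two lines above it were just changed from JAR to WAR; update it in the same pass, and while touching the new line fix `a embedded Tomcat server` to `an embedded Tomcat server`. The new prerequisite `Java VM 1.8 installed` should use the same wording as the developer prerequisites further down (`Java 8`) so readers do not wonder whether two different things are meant.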
@ -65,7 +65,7 @@ https://s3.amazonaws.com/webgoat-war/webgoat-container-7.0.1-war-exec.jar
Open a command shell/window, browse to where you downloaded the easy run jar and type:
```Shell
java -jar webgoat-container-7.0.1-war-exec.jar
java -jar webgoat-container-7.0.1.war
```
#### 3. Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and happy hacking !
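Review bot: the download URL in this hunk's context, `https://s3.amazonaws.com/webgoat-war/webgoat-container-7.0.1-war-exec.jar`, and the sentence `browse to where you downloaded the easy run jar` still name the old `-war-exec.jar` artifact, while the command now runs `webgoat-container-7.0.1.war`; a reader who follows the link downloads a file that does not match the command. Update the URL and the sentence to the new artifact name in this commit.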
@ -82,8 +82,8 @@ Follow these instructions if you wish to run Webgoat and modify the source code
### Prerequisites:
* Java >= 1.6 ( JDK 1.7 recommended )
* Maven > 2.0.9
* Java 8
* Maven > 3.2.1
* Your favorite IDE, with Maven awareness: Netbeans/IntelliJ/Eclipse with m2e installed.
* Git, or Git support in your IDE
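Review bot: `Maven > 3.2.1` reads as a strict inequality; if 3.2.1 itself is supported, write `>= 3.2.1`. The Java line should match the easy-run section, which says `Java VM 1.8`.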
@ -136,19 +136,19 @@ The __maven tomcat7:run-war__ goal runs the project in an embedded tomcat:
```Shell
cd WebGoat
mvn -pl webgoat-container tomcat7:run-war
mvn -pl webgoat-container spring-boot:run
```
Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and happy hacking !
#### Option #2: Java executable JAR
The __maven package__ goal generates an executable .jar file:
The __maven install__ goal generates an executable .war file:
```Shell
cd WebGoat
mvn package
cd webgoat-container/target
java -jar webgoat-container-7.1-SNAPSHOT-war-exec.jar http://localhost:8080/WebGoat
java -jar webgoat-container-7.1-SNAPSHOT.war
```
Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and happy hacking !
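Review bot: the prose was changed to say the `maven install` goal produces the .war, but the command block right under it still runs `mvn package`; make the text and the command agree. The hunk's context heading still reads `The __maven tomcat7:run-war__ goal runs the project in an embedded tomcat:` while the command below it is now `mvn -pl webgoat-container spring-boot:run`, so the heading needs the same update. Since the new `java -jar` line drops the `http://localhost:8080/WebGoat` argument, confirm that port 8080 and the `/WebGoat` context path are configured elsewhere, otherwise the `Browse to` link on the next line no longer holds.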
@ -168,18 +168,10 @@ Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and hap
## Reloading plugins and lessons
If you want to __reload all the plugin and lessons__, open a new browser tab and visit the following url:
[http://localhost:8080/WebGoat/service/reloadplugins.mvc](http://localhost:8080/WebGoat/service/reloadplugins.mvc)
After the plugin reload is complete, _reloading a message_ will appear and you can refresh the __main WebGoat browser tab__.
If you want to __reload all the plugin and lessons__, open up the developer tools available from the info menu. This will
show an extra set of links below the cookie overview.
## Debugging label properties
To be able to see which labels are loaded through a property file, open a new browser tab and visit the following url:
[http://localhost:8080/WebGoat/service/debug/labels.mvc](http://localhost:8080/WebGoat/service/debug/labels.mvc)
Switch back to the main WebGoat broswer tab and __reload the main WebGoat browser tab__.
After the reload is complete, all labels which where loaded from a property file will be __marked green__.
To be able to see which labels are loaded through a property file, open up the developer tools avalailable from the info menu
After the reload is complete, all labels which are loaded from a property file will be __marked green__.
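Review bot: `avalailable` in the new line should be `available`, and that line has no terminating period. The new instructions no longer give a URL for reloading; since `PluginReloadService` is modified rather than removed in this commit, say whether the old `/service/reloadplugins.mvc` and `/service/debug/labels.mvc` endpoints still work or are intentionally undocumented now that the developer-tools links are the documented entry point.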


@ -152,7 +152,6 @@
<maven-release-plugin.version>2.5.2</maven-release-plugin.version>
<maven-source-plugin.version>2.4</maven-source-plugin.version>
<maven-surefire-plugin.version>2.19</maven-surefire-plugin.version>
<maven-war-plugin.version>2.6</maven-war-plugin.version>
<nexus-staging-maven-plugin.version>1.6.6</nexus-staging-maven-plugin.version>
<sauce_junit.version>2.1.20</sauce_junit.version>
<selenium-java.version>2.48.2</selenium-java.version>
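Review bot: dropping `maven-war-plugin.version` is consistent with the maven-war-plugin block deleted further down in this commit, but grep the other modules' poms for `${maven-war-plugin.version}` before merging; an unresolved property in a child module only fails when that module is built.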


@ -39,7 +39,7 @@
<attachArtifactClassifier>exec</attachArtifactClassifier>
<contextReloadable>true</contextReloadable>
<useSeparateTomcatClassLoader>true</useSeparateTomcatClassLoader>
<contextFile>${project.basedir}/src/main/webapp/WEB-INF/context.xml</contextFile>
<contextFile>${project.basedir}/src/main/old/WEB-INF/context.xml</contextFile>
</configuration>
<dependencies>
<dependency>
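Review bot: the retained tomcat7 plugin configuration is now pointed at `src/main/old/WEB-INF/context.xml`; the directory name `old` marks that tree as legacy, and the README in this same commit switches the run command to `spring-boot:run`. Either this plugin block is dead and should be removed together with the second tomcat7 block deleted below, or the context file still matters and belongs somewhere not named `old`. `contextReloadable` and `useSeparateTomcatClassLoader` only have effect if this plugin is actually run.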
@ -147,77 +147,6 @@
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<version>${maven-war-plugin.version}</version>
<configuration>
<!-- archiving the classes breaks the admin screen loads in course.java
the legacy lesson loader does not look in jar files for lessons -->
<archiveClasses>false</archiveClasses>
<archive>
<manifest>
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
</manifest>
<manifestEntries>
<Specification-Title>${project.name}</Specification-Title>
<Specification-Version>${project.version}</Specification-Version>
<Implementation-Version>${build.number}</Implementation-Version>
</manifestEntries>
</archive>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId>
<version>${build-helper-maven-plugin.version}</version>
<executions>
<execution>
<id>attach-artifacts</id>
<phase>package</phase>
<goals>
<goal>attach-artifact</goal>
</goals>
<configuration>
<artifacts>
<artifact>
<file>${project.build.directory}/webgoat-container-${project.version}.jar</file>
</artifact>
</artifacts>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId>
<version>2.3-SNAPSHOT</version>
<configuration>
<server>local_tomcat</server>
<url>http://localhost:8080/manager/text</url>
<path>/WebGoat</path>
<attachArtifactClassifier>exec</attachArtifactClassifier>
<contextReloadable>true</contextReloadable>
<useSeparateTomcatClassLoader>true</useSeparateTomcatClassLoader>
<contextFile>${project.basedir}/src/main/webapp/WEB-INF/context.xml</contextFile>
</configuration>
<dependencies>
<dependency>
<groupId>org.owasp.webgoat</groupId>
<artifactId>webgoat-container</artifactId>
<version>${project.version}</version>
</dependency>
</dependencies>
<executions>
<execution>
<id>tomcat-run</id>
<goals>
<goal>exec-war-only</goal>
</goals>
<phase>package</phase>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
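Review bot: the removed maven-war-plugin block was the only place stamping `Specification-Version` and `Implementation-Version` (`${build.number}`) into the manifest, and the README in this commit expects `mvn install` to produce `webgoat-container-7.1-SNAPSHOT.war`; no plugin that builds that war is added in this hunk, so confirm the packaging (and the build-number manifest entry, if anything reads it) is provided by a parent pom or another plugin declaration. The deleted comment about `archiveClasses` breaking the legacy lesson loader is still relevant, because `LegacyLoader` is still called from `Course.loadCourses` in this commit; carry the note over to wherever the new packaging is configured.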
@ -276,11 +205,6 @@
<artifactId>thymeleaf-extras-springsecurity4</artifactId>
<version>2.1.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.xeustechnologies</groupId>
<artifactId>jcl-core</artifactId>
<version>2.7</version>
</dependency>
<dependency>
<groupId>javax.activation</groupId>
<artifactId>activation</artifactId>
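Review bot: `jcl-core` (`org.xeustechnologies`) is removed here, but the `PluginReloadService` hunk in this commit only comments out the `new PluginsLoader(...).copyJars()` call rather than removing the class; verify that `PluginsLoader` and the rest of the plugin loading path no longer import anything from `org.xeustechnologies`, or the container module stops compiling.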
@ -311,52 +235,6 @@
<artifactId>axis-ant</artifactId>
<version>${axis-ant.version}</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>${commons-lang3.version}</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>${commons-io.version}</version>
</dependency>
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>${commons-collections.version}</version>
</dependency>
<dependency>
<groupId>commons-digester</groupId>
<artifactId>commons-digester</artifactId>
<version>${commons-digester.version}</version>
<exclusions>
<exclusion>
<groupId>xml-apis</groupId>
<artifactId>xml-apis</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--<dependency>-->
<!--<groupId>commons-logging</groupId>-->
<!--<artifactId>commons-logging</artifactId>-->
<!--<version>${commons-logging.version}</version>-->
<!--</dependency>-->
<!--<dependency>-->
<!--<groupId>org.slf4j</groupId>-->
<!--<artifactId>jcl-over-slf4j</artifactId>-->
<!--<version>${jcl-over-slf4j.version}</version>-->
<!--</dependency>-->
<dependency>
<groupId>commons-discovery</groupId>
<artifactId>commons-discovery</artifactId>
<version>${commons-discovery.version}</version>
</dependency>
<dependency>
<groupId>javax.mail</groupId>
<artifactId>javax.mail-api</artifactId>
<version>${mail-api.version}</version>
</dependency>
<dependency>
<groupId>hsqldb</groupId>
<artifactId>hsqldb</artifactId>
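Review bot: six dependencies (`commons-lang3`, `commons-io`, `commons-collections`, `commons-digester`, `commons-discovery`, `javax.mail-api`) disappear in one hunk with no accompanying source changes for their callers; anything still using them now resolves only through transitive dependencies, and the `xml-apis` exclusion that was attached to `commons-digester` is lost if digester still arrives transitively through another artifact. Listing what replaces each library in the commit message would make this reviewable. Deleting the commented-out `commons-logging` and `jcl-over-slf4j` blocks is fine.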
@ -367,11 +245,6 @@
<artifactId>wsdl4j</artifactId>
<version>${wsdl4j.version}</version>
</dependency>
<dependency>
<groupId>java2html</groupId>
<artifactId>j2h</artifactId>
<version>${j2h.version}</version>
</dependency>
<dependency>
<groupId>ecs</groupId>
<artifactId>ecs</artifactId>
@ -382,39 +255,6 @@
<artifactId>javax.transaction-api</artifactId>
<version>${javax.transaction-api.version}</version>
</dependency>
<dependency>
<groupId>net.sourceforge.jtds</groupId>
<artifactId>jtds</artifactId>
<version>${jtds.version}</version>
</dependency>
<!--<dependency>-->
<!--<groupId>org.apache.tomcat</groupId>-->
<!--<artifactId>tomcat-catalina</artifactId>-->
<!--<version>${tomcat-catalina.version}</version>-->
<!--<scope>provided</scope>-->
<!--</dependency>-->
<!-- ************* spring MVC and related dependencies ************** -->
<!-- servlet API -->
<!--<dependency>-->
<!--<groupId>javax</groupId>-->
<!--<artifactId>javaee-api</artifactId>-->
<!--<version>${javaee-api.version}</version>-->
<!--<scope>provided</scope>-->
<!--</dependency>-->
<!-- Jackson -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</dependency>
<!-- Apache Commons Upload -->
<dependency>
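Review bot: `jtds` is the only JDBC driver dropped in this diff; the `context.xml` that the retained tomcat7 plugin now reads from `src/main/old/WEB-INF/` is the usual place for a JDBC resource definition, so check it does not still name a jtds driver class, and confirm the `hsqldb` dependency that stays covers the default database. Removing the commented-out `tomcat-catalina` and `javaee-api` blocks is fine, but the `<!-- servlet API -->` section comment goes with them while the `<!-- Jackson -->` one stays, so the section markers no longer read consistently.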
@ -429,56 +269,7 @@
<version>${guava.version}</version>
</dependency>
<!-- JSTL -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>${jstl.version}</version>
</dependency>
<dependency>
<groupId>taglibs</groupId>
<artifactId>standard</artifactId>
<version>${standard.version}</version>
</dependency>
<!--<dependency>-->
<!--<groupId>log4j</groupId>-->
<!--<artifactId>log4j</artifactId>-->
<!--<version>${log4j.version}</version>-->
<!--<exclusions>-->
<!--<exclusion>-->
<!--<groupId>javax.jms</groupId>-->
<!--<artifactId>jms</artifactId>-->
<!--</exclusion>-->
<!--<exclusion>-->
<!--<groupId>com.sun.jdmk</groupId>-->
<!--<artifactId>jmxtools</artifactId>-->
<!--</exclusion>-->
<!--<exclusion>-->
<!--<groupId>com.sun.jmx</groupId>-->
<!--<artifactId>jmxri</artifactId>-->
<!--</exclusion>-->
<!--</exclusions>-->
<!--</dependency>-->
<dependency>
<groupId>org.apache.tiles</groupId>
<artifactId>tiles-core</artifactId>
<version>${tiles.version}</version>
<type>jar</type>
</dependency>
<!--<dependency>-->
<!--<groupId>org.slf4j</groupId>-->
<!--<artifactId>slf4j-api</artifactId>-->
<!--<version>${slf4j-api.version}</version>-->
<!--<type>jar</type>-->
<!--</dependency>-->
<!--<dependency>-->
<!--<groupId>org.slf4j</groupId>-->
<!--<artifactId>slf4j-log4j12</artifactId>-->
<!--<version>${slf4j-log4j12.version}</version>-->
<!--<type>jar</type>-->
<!--</dependency>-->
<!-- ************* END spring MVC and related dependencies ************** -->
<!-- ************* START: Dependencies for Unit and Integration Testing ************** -->
<dependency>
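Review bot: removing `jstl`, `taglibs:standard` and `tiles-core` is consistent with deleting the `Controller` servlet that forwarded to `/view.jsp` elsewhere in this commit, but any JSP or Tiles definition left under the moved `src/main/old` tree that is still reachable through a servlet mapping will now fail at request time rather than at build time; check for those. Also the `START: Dependencies for Unit and Integration Testing` marker survives while its counterpart `END spring MVC and related dependencies` is deleted, leaving the section comments unbalanced.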


@ -69,7 +69,7 @@ public class PluginReloadService extends BaseService {
String pluginPath = session.getServletContext().getRealPath("plugin_lessons");
String targetPath = session.getServletContext().getRealPath("plugin_extracted");
//new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).copyJars();
webSession.getCourse().loadLessonFromPlugin(session.getServletContext());
webSession.getCourse().loadLessonFromPlugin();
Map<String, Object> result = new HashMap<String, Object>();
result.put("success", true);
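Review bot: with `copyJars()` commented out and `loadLessonFromPlugin()` no longer taking the context, `pluginPath` and `targetPath` (computed from `getRealPath` on the two lines above) are dead local variables; delete them together with the commented-out call instead of leaving them in. The endpoint also reports `success=true` unconditionally, whatever `loadLessonFromPlugin()` did; returning the number of lessons loaded, or letting a failure propagate, would give the developer-tools reload link in the README real feedback.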


@ -1,71 +0,0 @@
package org.owasp.webgoat.servlets;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* @version $Id: $Id
* @author dm
*/
public class Controller extends HttpServlet {
private static final long serialVersionUID = 1L;
/** {@inheritDoc} */
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
doPost(request, response);
}
/** {@inheritDoc} */
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException,
IOException {
String userAgent = request.getHeader("user-agent");
String clientBrowser = "Not known!";
if (userAgent != null) {
clientBrowser = userAgent;
}
request.setAttribute("client.browser", clientBrowser);
request.getRequestDispatcher("/view.jsp").forward(request, response);
}
}
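Review bot: deleting this servlet is consistent with the JSP and taglib dependencies removed in this commit (it copied the raw `user-agent` header into a request attribute and forwarded to `/view.jsp`); make sure the matching `<servlet>` and `<servlet-mapping>` entries in the moved `WEB-INF/web.xml`, if present, are removed as well, otherwise the container fails to load the class at startup.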


@ -321,10 +321,8 @@ public class Course {
/**
* <p>loadLessonFromPlugin.</p>
*
* @param context a {@link javax.servlet.ServletContext} object.
*/
public void loadLessonFromPlugin(ServletContext context) {
public void loadLessonFromPlugin() {
Resource resource = new ClassPathResource("/plugin_lessons/plugin_lessons_marker.txt");
String pluginPath = null;
String targetPath = null;
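Review bot: dropping the `ServletContext` parameter is fine, but the Javadoc that remains, `<p>loadLessonFromPlugin.</p>`, says nothing; replace it with one sentence stating that the method locates lessons through the `/plugin_lessons/plugin_lessons_marker.txt` classpath resource. Since `pluginPath` and `targetPath` are initialised to `null` and the servlet context is gone, confirm both are now derived from that resource rather than from `getRealPath`.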
@ -380,7 +378,7 @@ public class Course {
public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path) {
logger.info("Loading courses: " + path);
this.webgoatContext = webgoatContext;
loadLessonFromPlugin(context);
loadLessonFromPlugin();
LegacyLoader loader = new LegacyLoader();
lessons.addAll(loader.loadLessons(webgoatContext, context, path, properties));
}


@ -1,69 +1,69 @@
<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<globalConfiguration>
<parameter name="sendMultiRefs" value="true"/>
<parameter name="disablePrettyXML" value="true"/>
<parameter name="adminPassword" value="admin"/>
<!--
<parameter name="attachments.Directory" value="C:\webgoat\tomcat\webapps\WebGoat\WEB-INF\attachments"/>
-->
<parameter name="dotNetSoapEncFix" value="true"/>
<parameter name="enableNamespacePrefixOptimization" value="true"/>
<parameter name="sendXMLDeclaration" value="true"/>
<!--
<parameter name="attachments.implementation" value="org.apache.axis.attachments.AttachmentsImpl"/>
-->
<parameter name="sendXsiTypes" value="true"/>
<requestFlow>
<handler type="java:org.apache.axis.handlers.JWSHandler">
<parameter name="scope" value="session"/>
</handler>
<handler type="java:org.apache.axis.handlers.JWSHandler">
<parameter name="scope" value="request"/>
<parameter name="extension" value=".jwr"/>
</handler>
</requestFlow>
</globalConfiguration>
<handler name="LocalResponder" type="java:org.apache.axis.transport.local.LocalResponder"/>
<handler name="URLMapper" type="java:org.apache.axis.handlers.http.URLMapper"/>
<handler name="Authenticate" type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
<service name="WSDLScanning" provider="java:RPC">
<parameter name="allowedMethods" value="getFirstName, getLastName, getCreditCard, getLoginCount"/>
<parameter name="className" value="org.owasp.webgoat.plugin.WSDLScanning"/>
</service>
<service name="SoapRequest" provider="java:RPC">
<parameter name="allowedMethods" value="getFirstName, getLastName, getCreditCard, getLoginCount"/>
<parameter name="className" value="org.owasp.webgoat.plugin.SoapRequest"/>
</service>
<service name="AdminService" provider="java:MSG">
<parameter name="allowedMethods" value="AdminService"/>
<parameter name="enableRemoteAdmin" value="false"/>
<parameter name="className" value="org.apache.axis.utils.Admin"/>
<namespace>http://xml.apache.org/axis/wsdd/</namespace>
</service>
<service name="Version" provider="java:RPC">
<parameter name="allowedMethods" value="getVersion"/>
<parameter name="className" value="org.apache.axis.Version"/>
</service>
<service name="WsSqlInjection" provider="java:RPC">
<parameter name="allowedMethods" value="getCreditCard"/>
<parameter name="className" value="org.owasp.webgoat.plugin.WsSqlInjection"/>
</service>
<transport name="http">
<requestFlow>
<handler type="URLMapper"/>
<handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
</requestFlow>
<parameter name="qs:list" value="org.apache.axis.transport.http.QSListHandler"/>
<parameter name="qs:wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
<parameter name="qs.list" value="org.apache.axis.transport.http.QSListHandler"/>
<parameter name="qs.method" value="org.apache.axis.transport.http.QSMethodHandler"/>
<parameter name="qs:method" value="org.apache.axis.transport.http.QSMethodHandler"/>
<parameter name="qs.wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
</transport>
<transport name="local">
<responseFlow>
<handler type="LocalResponder"/>
</responseFlow>
</transport>
</deployment>
<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<globalConfiguration>
<parameter name="sendMultiRefs" value="true"/>
<parameter name="disablePrettyXML" value="true"/>
<parameter name="adminPassword" value="admin"/>
<!--
<parameter name="attachments.Directory" value="C:\webgoat\tomcat\webapps\WebGoat\WEB-INF\attachments"/>
-->
<parameter name="dotNetSoapEncFix" value="true"/>
<parameter name="enableNamespacePrefixOptimization" value="true"/>
<parameter name="sendXMLDeclaration" value="true"/>
<!--
<parameter name="attachments.implementation" value="org.apache.axis.attachments.AttachmentsImpl"/>
-->
<parameter name="sendXsiTypes" value="true"/>
<requestFlow>
<handler type="java:org.apache.axis.handlers.JWSHandler">
<parameter name="scope" value="session"/>
</handler>
<handler type="java:org.apache.axis.handlers.JWSHandler">
<parameter name="scope" value="request"/>
<parameter name="extension" value=".jwr"/>
</handler>
</requestFlow>
</globalConfiguration>
<handler name="LocalResponder" type="java:org.apache.axis.transport.local.LocalResponder"/>
<handler name="URLMapper" type="java:org.apache.axis.handlers.http.URLMapper"/>
<handler name="Authenticate" type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
<service name="WSDLScanning" provider="java:RPC">
<parameter name="allowedMethods" value="getFirstName, getLastName, getCreditCard, getLoginCount"/>
<parameter name="className" value="org.owasp.webgoat.plugin.WSDLScanning"/>
</service>
<service name="SoapRequest" provider="java:RPC">
<parameter name="allowedMethods" value="getFirstName, getLastName, getCreditCard, getLoginCount"/>
<parameter name="className" value="org.owasp.webgoat.plugin.SoapRequest"/>
</service>
<service name="AdminService" provider="java:MSG">
<parameter name="allowedMethods" value="AdminService"/>
<parameter name="enableRemoteAdmin" value="false"/>
<parameter name="className" value="org.apache.axis.utils.Admin"/>
<namespace>http://xml.apache.org/axis/wsdd/</namespace>
</service>
<service name="Version" provider="java:RPC">
<parameter name="allowedMethods" value="getVersion"/>
<parameter name="className" value="org.apache.axis.Version"/>
</service>
<service name="WsSqlInjection" provider="java:RPC">
<parameter name="allowedMethods" value="getCreditCard"/>
<parameter name="className" value="org.owasp.webgoat.plugin.WsSqlInjection"/>
</service>
<transport name="http">
<requestFlow>
<handler type="URLMapper"/>
<handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
</requestFlow>
<parameter name="qs:list" value="org.apache.axis.transport.http.QSListHandler"/>
<parameter name="qs:wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
<parameter name="qs.list" value="org.apache.axis.transport.http.QSListHandler"/>
<parameter name="qs.method" value="org.apache.axis.transport.http.QSMethodHandler"/>
<parameter name="qs:method" value="org.apache.axis.transport.http.QSMethodHandler"/>
<parameter name="qs.wsdl" value="org.apache.axis.transport.http.QSWSDLHandler"/>
</transport>
<transport name="local">
<responseFlow>
<handler type="LocalResponder"/>
</responseFlow>
</transport>
</deployment>
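Review bot: the two halves of this hunk are identical line for line, so this whole-file rewrite is a line-ending or trailing-whitespace change; a `.gitattributes` with `text=auto`, or one separate normalisation commit, would keep such noise out of functional diffs. While the file is touched anyway: `qs:list`/`qs.list`, `qs:wsdl`/`qs.wsdl` and `qs:method`/`qs.method` are each declared twice with different separators, and `adminPassword` is hard-coded to `admin`; `enableRemoteAdmin` is `false`, which is the setting that keeps the Axis `AdminService` off the network, so keep it that way.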


@ -1,60 +1,60 @@
category.General.ranking=11
lesson.HttpBasics.ranking=10
lesson.HttpSplitting.ranking=20
lesson.ThreadSafetyProblem.ranking=30
category.Broken\ Authentication\ and\ Session\ Management.ranking=21
lesson.BasicAuthentication.ranking=10
lesson.WeakAuthenticationCookie.ranking=20
category.Broken\ Access\ Control.ranking=31
lesson.AccessControlMatrix.ranking=10
lesson.PathBasedAccessControl.ranking=20
lesson.RoleBasedAccessControl.hidden=true
category.Cross-Site\ Scripting\ (XSS).ranking=41
lesson.StoredXss.ranking=10
lesson.ReflectedXSS.ranking=20
lesson.CSRF.ranking=30
lesson.CsrfPromptByPass.ranking=40
lesson.CsrfTokenByPass.ranking=50
lesson.CrossSiteScripting.hidden=true
category.Unvalidated\ Parameters.ranking=51
lesson.HiddenFieldTampering.ranking=10
lesson.JavaScriptValidation.ranking=20
lesson.UncheckedEmail.ranking=30
category.Insecure\ Storage.ranking=61
lesson.Encoding.ranking=10
category.Injection\ Flaws.ranking=71
lesson.SqlNumericInjection.ranking=10
lesson.SqlStringInjection.ranking=20
lesson.CommandInjection.ranking=30
lesson.LogSpoofing.ranking=40
lesson.SQLInjection.hidden=true
category.Improper\ Error\ Handling.ranking=81
lesson.FailOpenAuthentication.ranking=10
category.Code\ Quality.ranking=91
lesson.HtmlClues.ranking=10
category.Web\ Services.category.ranking=101
lesson.SoapRequest.ranking=10
lesson.WSDLScanning.ranking=20
lesson.WsSqlInjection.ranking=30
category.New\ Lesson.category.ranking=111
lesson.HowToAddNewLesson.ranking=10
lesson.WeakSessionID.hidden=true
lesson.BufferOverflow.hidden=true
lesson.BlindSqlInjection.hidden=true
lesson.DOS_Login.hidden=true
lesson.ForcedBrowsing.hidden=true
lesson.ForgotPassword.hidden=true
lesson.ParameterInjection.hidden=true
lesson.RemoteAdminFlaw.hidden=true
category.General.ranking=11
lesson.HttpBasics.ranking=10
lesson.HttpSplitting.ranking=20
lesson.ThreadSafetyProblem.ranking=30
category.Broken\ Authentication\ and\ Session\ Management.ranking=21
lesson.BasicAuthentication.ranking=10
lesson.WeakAuthenticationCookie.ranking=20
category.Broken\ Access\ Control.ranking=31
lesson.AccessControlMatrix.ranking=10
lesson.PathBasedAccessControl.ranking=20
lesson.RoleBasedAccessControl.hidden=true
category.Cross-Site\ Scripting\ (XSS).ranking=41
lesson.StoredXss.ranking=10
lesson.ReflectedXSS.ranking=20
lesson.CSRF.ranking=30
lesson.CsrfPromptByPass.ranking=40
lesson.CsrfTokenByPass.ranking=50
lesson.CrossSiteScripting.hidden=true
category.Unvalidated\ Parameters.ranking=51
lesson.HiddenFieldTampering.ranking=10
lesson.JavaScriptValidation.ranking=20
lesson.UncheckedEmail.ranking=30
category.Insecure\ Storage.ranking=61
lesson.Encoding.ranking=10
category.Injection\ Flaws.ranking=71
lesson.SqlNumericInjection.ranking=10
lesson.SqlStringInjection.ranking=20
lesson.CommandInjection.ranking=30
lesson.LogSpoofing.ranking=40
lesson.SQLInjection.hidden=true
category.Improper\ Error\ Handling.ranking=81
lesson.FailOpenAuthentication.ranking=10
category.Code\ Quality.ranking=91
lesson.HtmlClues.ranking=10
category.Web\ Services.category.ranking=101
lesson.SoapRequest.ranking=10
lesson.WSDLScanning.ranking=20
lesson.WsSqlInjection.ranking=30
category.New\ Lesson.category.ranking=111
lesson.HowToAddNewLesson.ranking=10
lesson.WeakSessionID.hidden=true
lesson.BufferOverflow.hidden=true
lesson.BlindSqlInjection.hidden=true
lesson.DOS_Login.hidden=true
lesson.ForcedBrowsing.hidden=true
lesson.ForgotPassword.hidden=true
lesson.ParameterInjection.hidden=true
lesson.RemoteAdminFlaw.hidden=true
lesson.ChallengeScreen.hidden=true
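Review bot: the only content change in this 60-line hunk is the appended `lesson.ChallengeScreen.hidden=true`; the rest is whitespace or line-ending noise, as the two halves are otherwise identical. Separately, the keys `category.Web\ Services.category.ranking=101` and `category.New\ Lesson.category.ranking=111` carry a doubled `.category` segment that the other category keys (`category.General.ranking=11` and so on) do not; if the loader matches on `category.<name>.ranking`, those two rankings are never applied.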


@ -1,57 +1,57 @@
category.General.ranking=11
lesson.HttpBasics.ranking=10
lesson.HttpSplitting.ranking=20
lesson.ThreadSafetyProblem.ranking=30
category.Broken\ Authentication\ and\ Session\ Management.ranking=21
lesson.BasicAuthentication.ranking=10
lesson.WeakAuthenticationCookie.ranking=20
category.Broken\ Access\ Control.ranking=31
lesson.AccessControlMatrix.ranking=10
lesson.PathBasedAccessControl.ranking=20
category.Cross-Site\ Scripting\ (XSS).ranking=41
lesson.StoredXss.ranking=10
lesson.ReflectedXSS.ranking=20
lesson.CSRF.ranking=30
lesson.CsrfPromptByPass.ranking=40
lesson.CsrfTokenByPass.ranking=50
category.Unvalidated\ Parameters.ranking=51
lesson.HiddenFieldTampering.ranking=10
lesson.JavaScriptValidation.ranking=20
lesson.UncheckedEmail.ranking=30
category.Insecure\ Storage.ranking=61
lesson.Encoding.ranking=10
category.Injection\ Flaws.ranking=71
lesson.SqlNumericInjection.ranking=10
lesson.SqlStringInjection.ranking=20
lesson.CommandInjection.ranking=30
lesson.LogSpoofing.ranking=40
category.Improper\ Error\ Handling.ranking=81
lesson.FailOpenAuthentication.ranking=10
category.Code\ Quality.ranking=91
lesson.HtmlClues.ranking=10
category.Web\ Services.category.ranking=101
lesson.SoapRequest.ranking=10
lesson.WSDLScanning.ranking=20
lesson.WsSqlInjection.ranking=30
category.New\ Lesson.category.ranking=111
lesson.HowToAddNewLesson.ranking=10
lesson.WeakSessionID.hidden=true
lesson.BufferOverflow.hidden=true
lesson.BlindSqlInjection.hidden=true
lesson.DOS_Login.hidden=true
lesson.ForcedBrowsing.hidden=true
lesson.ForgotPassword.hidden=true
lesson.ParameterInjection.hidden=true
lesson.RemoteAdminFlaw.hidden=true
lesson.ChallengeScreen.hidden=true
category.General.ranking=11
lesson.HttpBasics.ranking=10
lesson.HttpSplitting.ranking=20
lesson.ThreadSafetyProblem.ranking=30
category.Broken\ Authentication\ and\ Session\ Management.ranking=21
lesson.BasicAuthentication.ranking=10
lesson.WeakAuthenticationCookie.ranking=20
category.Broken\ Access\ Control.ranking=31
lesson.AccessControlMatrix.ranking=10
lesson.PathBasedAccessControl.ranking=20
category.Cross-Site\ Scripting\ (XSS).ranking=41
lesson.StoredXss.ranking=10
lesson.ReflectedXSS.ranking=20
lesson.CSRF.ranking=30
lesson.CsrfPromptByPass.ranking=40
lesson.CsrfTokenByPass.ranking=50
category.Unvalidated\ Parameters.ranking=51
lesson.HiddenFieldTampering.ranking=10
lesson.JavaScriptValidation.ranking=20
lesson.UncheckedEmail.ranking=30
category.Insecure\ Storage.ranking=61
lesson.Encoding.ranking=10
category.Injection\ Flaws.ranking=71
lesson.SqlNumericInjection.ranking=10
lesson.SqlStringInjection.ranking=20
lesson.CommandInjection.ranking=30
lesson.LogSpoofing.ranking=40
category.Improper\ Error\ Handling.ranking=81
lesson.FailOpenAuthentication.ranking=10
category.Code\ Quality.ranking=91
lesson.HtmlClues.ranking=10
category.Web\ Services.category.ranking=101
lesson.SoapRequest.ranking=10
lesson.WSDLScanning.ranking=20
lesson.WsSqlInjection.ranking=30
category.New\ Lesson.category.ranking=111
lesson.HowToAddNewLesson.ranking=10
lesson.WeakSessionID.hidden=true
lesson.BufferOverflow.hidden=true
lesson.BlindSqlInjection.hidden=true
lesson.DOS_Login.hidden=true
lesson.ForcedBrowsing.hidden=true
lesson.ForgotPassword.hidden=true
lesson.ParameterInjection.hidden=true
lesson.RemoteAdminFlaw.hidden=true
lesson.ChallengeScreen.hidden=true
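Review bot: no content change in this hunk; both halves are identical, so it is line-ending normalisation that belongs in a separate commit. This second properties file also lacks the `RoleBasedAccessControl`, `CrossSiteScripting` and `SQLInjection` `.hidden=true` entries that the first one has; if the two files are variants of one lesson list, state which is authoritative. The doubled `.category` segment in the `Web Services` and `New Lesson` ranking keys appears here as well.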


@ -1,2 +1,2 @@
#lesson.BufferOverflow.hidden=true
lesson.BlindScript.hidden=true
#lesson.BufferOverflow.hidden=true
lesson.BlindScript.hidden=true
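Review bot: identical before and after; line-ending change only, fold it into the normalisation commit.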


@ -1,132 +1,132 @@
DROP USER webgoat_guest CASCADE;
CREATE USER webgoat_guest IDENTIFIED BY webgoat DEFAULT TABLESPACE users;
GRANT CONNECT, RESOURCE TO webgoat_guest;
GRANT CREATE PROCEDURE TO webgoat_guest;
CREATE TABLE WEBGOAT_guest.EMPLOYEE (
userid INT NOT NULL PRIMARY KEY,
first_name VARCHAR(20),
last_name VARCHAR(20),
ssn VARCHAR(12),
password VARCHAR(10),
title VARCHAR(20),
phone VARCHAR(13),
address1 VARCHAR(80),
address2 VARCHAR(80),
manager INT,
start_date CHAR(8),
salary INT,
ccn VARCHAR(30),
ccn_limit INT,
disciplined_date CHAR(8),
disciplined_notes VARCHAR(60),
personal_description VARCHAR(60)
);
CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
stmt VARCHAR(32767);cnt NUMBER;
BEGIN
stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';
EXECUTE IMMEDIATE stmt INTO cnt;
RETURN cnt;
END;
/
CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN_BACKUP(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
stmt VARCHAR(32767);cnt NUMBER;
BEGIN
stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';
EXECUTE IMMEDIATE stmt INTO cnt;
RETURN cnt;
END;
/
CREATE OR REPLACE PROCEDURE WEBGOAT_guest.UPDATE_EMPLOYEE(
v_userid IN employee.userid%type,
v_first_name IN employee.first_name%type,
v_last_name IN employee.last_name%type,
v_ssn IN employee.ssn%type,
v_title IN employee.title%type,
v_phone IN employee.phone%type,
v_address1 IN employee.address1%type,
v_address2 IN employee.address2%type,
v_manager IN employee.manager%type,
v_start_date IN employee.start_date%type,
v_salary IN employee.salary%type,
v_ccn IN employee.ccn%type,
v_ccn_limit IN employee.ccn_limit%type,
v_disciplined_date IN employee.disciplined_date%type,
v_disciplined_notes IN employee.disciplined_notes%type,
v_personal_description IN employee.personal_description%type
)
AS
BEGIN
UPDATE EMPLOYEE
SET
first_name = v_first_name,
last_name = v_last_name,
ssn = v_ssn,
title = v_title,
phone = v_phone,
address1 = v_address1,
address2 = v_address2,
manager = v_manager,
start_date = v_Start_date,
salary = v_salary,
ccn = v_ccn,
ccn_limit = v_ccn_limit,
disciplined_date = v_disciplined_date,
disciplined_notes = v_disciplined_notes,
personal_description = v_personal_description
WHERE
userid = v_userid;
END;
/
CREATE OR REPLACE PROCEDURE WEBGOAT_guest.UPDATE_EMPLOYEE_BACKUP(
v_userid IN employee.userid%type,
v_first_name IN employee.first_name%type,
v_last_name IN employee.last_name%type,
v_ssn IN employee.ssn%type,
v_title IN employee.title%type,
v_phone IN employee.phone%type,
v_address1 IN employee.address1%type,
v_address2 IN employee.address2%type,
v_manager IN employee.manager%type,
v_start_date IN employee.start_date%type,
v_salary IN employee.salary%type,
v_ccn IN employee.ccn%type,
v_ccn_limit IN employee.ccn_limit%type,
v_disciplined_date IN employee.disciplined_date%type,
v_disciplined_notes IN employee.disciplined_notes%type,
v_personal_description IN employee.personal_description%type
)
AS
BEGIN
UPDATE EMPLOYEE
SET
first_name = v_first_name,
last_name = v_last_name,
ssn = v_ssn,
title = v_title,
phone = v_phone,
address1 = v_address1,
address2 = v_address2,
manager = v_manager,
start_date = v_Start_date,
salary = v_salary,
ccn = v_ccn,
ccn_limit = v_ccn_limit,
disciplined_date = v_disciplined_date,
disciplined_notes = v_disciplined_notes,
personal_description = v_personal_description
WHERE
userid = v_userid;
END;
/
exit;
DROP USER webgoat_guest CASCADE;
CREATE USER webgoat_guest IDENTIFIED BY webgoat DEFAULT TABLESPACE users;
GRANT CONNECT, RESOURCE TO webgoat_guest;
GRANT CREATE PROCEDURE TO webgoat_guest;
CREATE TABLE WEBGOAT_guest.EMPLOYEE (
userid INT NOT NULL PRIMARY KEY,
first_name VARCHAR(20),
last_name VARCHAR(20),
ssn VARCHAR(12),
password VARCHAR(10),
title VARCHAR(20),
phone VARCHAR(13),
address1 VARCHAR(80),
address2 VARCHAR(80),
manager INT,
start_date CHAR(8),
salary INT,
ccn VARCHAR(30),
ccn_limit INT,
disciplined_date CHAR(8),
disciplined_notes VARCHAR(60),
personal_description VARCHAR(60)
);
CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
stmt VARCHAR(32767);cnt NUMBER;
BEGIN
stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';
EXECUTE IMMEDIATE stmt INTO cnt;
RETURN cnt;
END;
/
CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN_BACKUP(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
stmt VARCHAR(32767);cnt NUMBER;
BEGIN
stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';
EXECUTE IMMEDIATE stmt INTO cnt;
RETURN cnt;
END;
/
CREATE OR REPLACE PROCEDURE WEBGOAT_guest.UPDATE_EMPLOYEE(
v_userid IN employee.userid%type,
v_first_name IN employee.first_name%type,
v_last_name IN employee.last_name%type,
v_ssn IN employee.ssn%type,
v_title IN employee.title%type,
v_phone IN employee.phone%type,
v_address1 IN employee.address1%type,
v_address2 IN employee.address2%type,
v_manager IN employee.manager%type,
v_start_date IN employee.start_date%type,
v_salary IN employee.salary%type,
v_ccn IN employee.ccn%type,
v_ccn_limit IN employee.ccn_limit%type,
v_disciplined_date IN employee.disciplined_date%type,
v_disciplined_notes IN employee.disciplined_notes%type,
v_personal_description IN employee.personal_description%type
)
AS
BEGIN
UPDATE EMPLOYEE
SET
first_name = v_first_name,
last_name = v_last_name,
ssn = v_ssn,
title = v_title,
phone = v_phone,
address1 = v_address1,
address2 = v_address2,
manager = v_manager,
start_date = v_Start_date,
salary = v_salary,
ccn = v_ccn,
ccn_limit = v_ccn_limit,
disciplined_date = v_disciplined_date,
disciplined_notes = v_disciplined_notes,
personal_description = v_personal_description
WHERE
userid = v_userid;
END;
/
CREATE OR REPLACE PROCEDURE WEBGOAT_guest.UPDATE_EMPLOYEE_BACKUP(
v_userid IN employee.userid%type,
v_first_name IN employee.first_name%type,
v_last_name IN employee.last_name%type,
v_ssn IN employee.ssn%type,
v_title IN employee.title%type,
v_phone IN employee.phone%type,
v_address1 IN employee.address1%type,
v_address2 IN employee.address2%type,
v_manager IN employee.manager%type,
v_start_date IN employee.start_date%type,
v_salary IN employee.salary%type,
v_ccn IN employee.ccn%type,
v_ccn_limit IN employee.ccn_limit%type,
v_disciplined_date IN employee.disciplined_date%type,
v_disciplined_notes IN employee.disciplined_notes%type,
v_personal_description IN employee.personal_description%type
)
AS
BEGIN
UPDATE EMPLOYEE
SET
first_name = v_first_name,
last_name = v_last_name,
ssn = v_ssn,
title = v_title,
phone = v_phone,
address1 = v_address1,
address2 = v_address2,
manager = v_manager,
start_date = v_Start_date,
salary = v_salary,
ccn = v_ccn,
ccn_limit = v_ccn_limit,
disciplined_date = v_disciplined_date,
disciplined_notes = v_disciplined_notes,
personal_description = v_personal_description
WHERE
userid = v_userid;
END;
/
exit;
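Review bot: Missing documentation in the Oracle script, which this hunk moves over byte-for-byte: `EMPLOYEE_LOGIN` and its `_BACKUP` twin build the query by concatenation, `stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';`, and run it with `EXECUTE IMMEDIATE`, so the function is injectable through `v_password`. That is presumably deliberate for the lesson, but nothing in the file says so; a one-line header comment ("intentionally injectable lab fixture, do not reuse") would stop it being copied as a pattern. The same applies to the hard-coded lab credential in `CREATE USER webgoat_guest IDENTIFIED BY webgoat DEFAULT TABLESPACE users;`, which together with the preceding `DROP USER webgoat_guest CASCADE;` makes the script destructive if ever pointed at a shared Oracle instance; a warning comment at the top is cheap. Minor style point in both `UPDATE_EMPLOYEE` procedures: the assignment reads `start_date = v_Start_date,` while the parameter is declared `v_start_date`; PL/SQL identifiers are case-insensitive so it resolves, but matching the declared spelling avoids a double-take.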

View File

@ -1,226 +1,226 @@
EXEC sp_configure 'clr enabled', 1
GO
RECONFIGURE
GO
USE master;
go
DROP LOGIN webgoat_guest;
go
DROP database webgoat;
go
CREATE database webgoat;
go
USE webgoat;
go
CREATE SCHEMA webgoat_guest;
go
CREATE LOGIN webgoat_guest with password = '_webgoat';
go
CREATE USER webgoat_guest with default_schema = webgoat_guest;
go
GRANT CONTROL TO webgoat_guest;
go
CREATE TABLE WEBGOAT_guest.EMPLOYEE (
userid INT NOT NULL PRIMARY KEY,
first_name VARCHAR(20),
last_name VARCHAR(20),
ssn VARCHAR(12),
password VARCHAR(10),
title VARCHAR(20),
phone VARCHAR(13),
address1 VARCHAR(80),
address2 VARCHAR(80),
manager INT,
start_date CHAR(8),
salary INT,
ccn VARCHAR(30),
ccn_limit INT,
disciplined_date CHAR(8),
disciplined_notes VARCHAR(60),
personal_description VARCHAR(60)
);
go
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'UPDATE_EMPLOYEE'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'PROCEDURE'
)
BEGIN
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
END
GO
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
@v_userid INT,
@v_first_name VARCHAR(20),
@v_last_name VARCHAR(20),
@v_ssn VARCHAR(12),
@v_title VARCHAR(20),
@v_phone VARCHAR(13),
@v_address1 VARCHAR(80),
@v_address2 VARCHAR(80),
@v_manager INT,
@v_start_date CHAR(8),
@v_salary INT,
@v_ccn VARCHAR(30),
@v_ccn_limit INT,
@v_disciplined_date CHAR(8),
@v_disciplined_notes VARCHAR(60),
@v_personal_description VARCHAR(60)
AS
UPDATE EMPLOYEE
SET
first_name = @v_first_name,
last_name = @v_last_name,
ssn = @v_ssn,
title = @v_title,
phone = @v_phone,
address1 = @v_address1,
address2 = @v_address2,
manager = @v_manager,
start_date = @v_Start_date,
salary = @v_salary,
ccn = @v_ccn,
ccn_limit = @v_ccn_limit,
disciplined_date = @v_disciplined_date,
disciplined_notes = @v_disciplined_notes,
personal_description = @v_personal_description
WHERE
userid = @v_userid;
go
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
@v_userid INT,
@v_first_name VARCHAR(20),
@v_last_name VARCHAR(20),
@v_ssn VARCHAR(12),
@v_title VARCHAR(20),
@v_phone VARCHAR(13),
@v_address1 VARCHAR(80),
@v_address2 VARCHAR(80),
@v_manager INT,
@v_start_date CHAR(8),
@v_salary INT,
@v_ccn VARCHAR(30),
@v_ccn_limit INT,
@v_disciplined_date CHAR(8),
@v_disciplined_notes VARCHAR(60),
@v_personal_description VARCHAR(60)
AS
UPDATE EMPLOYEE
SET
first_name = @v_first_name,
last_name = @v_last_name,
ssn = @v_ssn,
title = @v_title,
phone = @v_phone,
address1 = @v_address1,
address2 = @v_address2,
manager = @v_manager,
start_date = @v_Start_date,
salary = @v_salary,
ccn = @v_ccn,
ccn_limit = @v_ccn_limit,
disciplined_date = @v_disciplined_date,
disciplined_notes = @v_disciplined_notes,
personal_description = @v_personal_description
WHERE
userid = @v_userid;
go
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'EMPLOYEE_LOGIN'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'FUNCTION'
)
BEGIN
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP
END
GO
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN (
@v_id INT,
@v_password VARCHAR(100)
) RETURNS INTEGER
AS
BEGIN
DECLARE @sql nvarchar(4000), @count int
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
return @count
END
GO
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP (
@v_id INT,
@v_password VARCHAR(100)
) RETURNS INTEGER
AS
BEGIN
DECLARE @sql nvarchar(4000), @count int
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
return @count
END
GO
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'RegexMatch'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'FUNCTION'
)
BEGIN
DROP FUNCTION webgoat_guest.RegexMatch
END
GO
IF EXISTS (SELECT name FROM sys.assemblies WHERE name = N'RegexMatch')
DROP ASSEMBLY RegexMatch;
GO
CREATE ASSEMBLY RegexMatch FROM 'C:\AspectClass\Database\Labs\tomcat\webapps\WebGoat\WEB-INF\RegexMatch.dll' WITH PERMISSION_SET = SAFE;
GO
CREATE FUNCTION webgoat_guest.RegexMatch (
@input NVARCHAR(MAX),
@pattern NVARCHAR(MAX)
) RETURNS BIT
AS EXTERNAL NAME RegexMatch.[UserDefinedFunctions].RegexMatch;
GO
EXEC sp_configure 'clr enabled', 1
GO
RECONFIGURE
GO
USE master;
go
DROP LOGIN webgoat_guest;
go
DROP database webgoat;
go
CREATE database webgoat;
go
USE webgoat;
go
CREATE SCHEMA webgoat_guest;
go
CREATE LOGIN webgoat_guest with password = '_webgoat';
go
CREATE USER webgoat_guest with default_schema = webgoat_guest;
go
GRANT CONTROL TO webgoat_guest;
go
CREATE TABLE WEBGOAT_guest.EMPLOYEE (
userid INT NOT NULL PRIMARY KEY,
first_name VARCHAR(20),
last_name VARCHAR(20),
ssn VARCHAR(12),
password VARCHAR(10),
title VARCHAR(20),
phone VARCHAR(13),
address1 VARCHAR(80),
address2 VARCHAR(80),
manager INT,
start_date CHAR(8),
salary INT,
ccn VARCHAR(30),
ccn_limit INT,
disciplined_date CHAR(8),
disciplined_notes VARCHAR(60),
personal_description VARCHAR(60)
);
go
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'UPDATE_EMPLOYEE'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'PROCEDURE'
)
BEGIN
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
END
GO
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
@v_userid INT,
@v_first_name VARCHAR(20),
@v_last_name VARCHAR(20),
@v_ssn VARCHAR(12),
@v_title VARCHAR(20),
@v_phone VARCHAR(13),
@v_address1 VARCHAR(80),
@v_address2 VARCHAR(80),
@v_manager INT,
@v_start_date CHAR(8),
@v_salary INT,
@v_ccn VARCHAR(30),
@v_ccn_limit INT,
@v_disciplined_date CHAR(8),
@v_disciplined_notes VARCHAR(60),
@v_personal_description VARCHAR(60)
AS
UPDATE EMPLOYEE
SET
first_name = @v_first_name,
last_name = @v_last_name,
ssn = @v_ssn,
title = @v_title,
phone = @v_phone,
address1 = @v_address1,
address2 = @v_address2,
manager = @v_manager,
start_date = @v_Start_date,
salary = @v_salary,
ccn = @v_ccn,
ccn_limit = @v_ccn_limit,
disciplined_date = @v_disciplined_date,
disciplined_notes = @v_disciplined_notes,
personal_description = @v_personal_description
WHERE
userid = @v_userid;
go
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
@v_userid INT,
@v_first_name VARCHAR(20),
@v_last_name VARCHAR(20),
@v_ssn VARCHAR(12),
@v_title VARCHAR(20),
@v_phone VARCHAR(13),
@v_address1 VARCHAR(80),
@v_address2 VARCHAR(80),
@v_manager INT,
@v_start_date CHAR(8),
@v_salary INT,
@v_ccn VARCHAR(30),
@v_ccn_limit INT,
@v_disciplined_date CHAR(8),
@v_disciplined_notes VARCHAR(60),
@v_personal_description VARCHAR(60)
AS
UPDATE EMPLOYEE
SET
first_name = @v_first_name,
last_name = @v_last_name,
ssn = @v_ssn,
title = @v_title,
phone = @v_phone,
address1 = @v_address1,
address2 = @v_address2,
manager = @v_manager,
start_date = @v_Start_date,
salary = @v_salary,
ccn = @v_ccn,
ccn_limit = @v_ccn_limit,
disciplined_date = @v_disciplined_date,
disciplined_notes = @v_disciplined_notes,
personal_description = @v_personal_description
WHERE
userid = @v_userid;
go
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'EMPLOYEE_LOGIN'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'FUNCTION'
)
BEGIN
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP
END
GO
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN (
@v_id INT,
@v_password VARCHAR(100)
) RETURNS INTEGER
AS
BEGIN
DECLARE @sql nvarchar(4000), @count int
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
return @count
END
GO
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP (
@v_id INT,
@v_password VARCHAR(100)
) RETURNS INTEGER
AS
BEGIN
DECLARE @sql nvarchar(4000), @count int
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
return @count
END
GO
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'RegexMatch'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'FUNCTION'
)
BEGIN
DROP FUNCTION webgoat_guest.RegexMatch
END
GO
IF EXISTS (SELECT name FROM sys.assemblies WHERE name = N'RegexMatch')
DROP ASSEMBLY RegexMatch;
GO
CREATE ASSEMBLY RegexMatch FROM 'C:\AspectClass\Database\Labs\tomcat\webapps\WebGoat\WEB-INF\RegexMatch.dll' WITH PERMISSION_SET = SAFE;
GO
CREATE FUNCTION webgoat_guest.RegexMatch (
@input NVARCHAR(MAX),
@pattern NVARCHAR(MAX)
) RETURNS BIT
AS EXTERNAL NAME RegexMatch.[UserDefinedFunctions].RegexMatch;
GO
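Review bot: The SQL Server script carries a machine-specific absolute path in `CREATE ASSEMBLY RegexMatch FROM 'C:\AspectClass\Database\Labs\tomcat\webapps\WebGoat\WEB-INF\RegexMatch.dll' WITH PERMISSION_SET = SAFE;`, so on any other host the script fails at that statement after the database has already been dropped and recreated; either document the path as a placeholder the operator must edit, or resolve it from the deployed WebGoat WEB-INF directory before the `CREATE ASSEMBLY`. Two settings also deserve a warning comment: `EXEC sp_configure 'clr enabled', 1` turns on CLR for the whole instance, not just this database, and `GRANT CONTROL TO webgoat_guest;` issued after `USE webgoat;` hands the lab login full control of the webgoat database; both, plus the hard-coded login password `'_webgoat'`, are acceptable only on a disposable lab instance, and the file should say so. As in the Oracle version, `EMPLOYEE_LOGIN` concatenates `@v_password` into the dynamic statement handed to `sp_executesql`, which is the intended injection point for the lesson but is undocumented. Minor logic point: the `IF EXISTS ... DROP PROCEDURE` and `DROP FUNCTION` guards run immediately after `CREATE database webgoat;`, so they can never find anything to drop, and if they ever did, dropping the `_BACKUP` object inside the same guard assumes both objects always exist together.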

View File

@ -1,365 +1,365 @@
!---------------------------------------------------------------------
!
! BASIC PROPERTIES
!
!---------------------------------------------------------------------
!
! Path where index tables are held. Can be absolute or relative
! to the properties file. Defaults to tablePath.
!
indexPath=./indexes
!
! Path where system tables are held. Can be absolute or relative to
! the properties file. Defaults to tablePath.
!
systemPath=./system
!
! Path where database tables are held. Can be absolute or relative
! to the properties file. Defaults to "current" directory.
!
tablePath=./tables
!
! Path where results set tables are held. Can be absolute or relative
! to the properties file. Defaults to tablePath.
!
tmpPath=./tmp
!
! Non-zero means paths are relative to the properties file.
! Default is absolute paths for files.
!
relativeToProperties=1
!
! Alternative partitions can be defined so that tables can be placed
! in multiple locations. Each partition is numbered: 1, 2, 3,... Tables
! can be created on partitions using the syntax
!
! CREATE TABLE <name> ON PARTITION <number>...
!
! The partition count has to be supplied.
!
!partitionCount=2
!
! The locations of each partition must be supplied. These are always
! absolute path names.
!
!partition1=d:/petes
!partition2=c:/temp
!---------------------------------------------------------------------
!
! TUNING PROPERTIES
!
!---------------------------------------------------------------------
!
! The amount of each column to cache, expressed either as an absolute
! number of rows or as a percentage figure. Defaults to 256 or 10 respectively.
!
! This value applies only when tables are first created. It has no effect
! when a table is being re-opened.
!
cacheAmount=512
!
! CACHE_ROWS Must be one of CACHE_ROWS or CACHE_PERCENT. Determines whether
! to cache columns in tables based on an absolute number of rows, or the
! percentage number of rows in the table.
!
! This value applies only when tables are first created. It has no effect
! when a table is being re-opened.
!
cacheCondition=CACHE_ROWS
!
! The amount of the system tables to be cached. Defaults to 100.
!
! This value applies only when tables are first created. It has no effect
! when a table is being re-opened.
!
!systemCacheSize=10
!
! Similar to cacheCondition, but applies only to the system tables.
!
! This value applies only when tables are first created. It has no effect
! when a table is being re-opened.
!
!systemCacheCondition=CACHE_ROWS
!
! The percentage cache hit improvement required in order to move the
! cache to a new location in a column.
!
! (Currently not implemented).
!
cacheResetPercent=10
!
! Non-zero means that database changes do not get written to the
! database immediately. See tuning.html.
!
fastUpdate=0
!
! Percentage of free space in an index that must be present before
! the index reorganises itself. High values means frequent index
! reorganisation. Low values means slow index inserts.
!
indexLoad=5
!
! The number of cache misses to include in calculations of the next
! base for the cache.
!
! (Currently not implemented).
!
missesInCacheStats=100
!
! Non-zero means that results sets get instantiated on disk. By default
! InstantDB holds results sets emtirely in memory (apart from Binary
! columns). For large results sets this can be a problem. This property
! forces all results sets to be held on disk.
!
resultsOnDisk=0
!
! Similar to cacheCondition but applies only to disk based
! results sets. Default is CACHE_ROWS.
!
resultsSetCache=CACHE_ROWS
!
! Similar to cacheAmount but applies only to disk based
! results sets. Default is 100.
!
resultsSetCacheAmount=100
!
! Number of rows to read into the disk read ahead buffer.
! Recommended to be set somewhere around 128 to 256.
! Default is 20.
!
rowCacheSize=128
!
! The read ahead buffer is effective at speeding up full
! table scans. However for indexed lookups or multiple
! simultaneous scans it is better to read a single row at
! a time. Each table holds a small number of single row
! buffers to improve such operations. Default is 8.
!
!singleRowCount=4
!
! Sometimes the look ahead buffer can be held by a single
! thread even though it is not retrieveing many values from it.
! If too many lookups retrieve data from the single row
! buffers then it is better to flush the look ahead buffer and
! make it available for re-use. Default is 128.
!
!flushAfterCacheMisses=64
!
! Number of rows to read ahead for system tables. By default
! system tables cache everything, so it is wasteful to have large
! read ahead buffers since they will very rarely be used. This
! allows the size of the system read ahead buffers to be reduced
! if necessary. Defaults to rowCacheSize.
!
!systemRows=20
!
! The control column in all tables normally has a large cache
! since this speeds up all operation on that table. This can be
! varied to either improve performance or to reduce space.
! default is 8192.
!
! This value applies only when tables are first created. It has no effect
! when a table is being re-opened.
!
!controlColCacheSize=512
!
! By default, InstantDB only does a cursory search for deleted rows during
! UPDATE statements. Setting searchDeletes=1 causes more detailed searches
! for deleted rows. This slows down UPDATE executions, but reults in more
! compact tables. Default is 0.
!
searchDeletes=0
!
! The interval, in milliseconds, between checks for statement execution
! timeouts. Default is 5000.
!
!timerCheck=5000
!
! The number of statements between checks on available memory. If set
! to 100 (say), then every 100 statements, InstantDB will check to
! see how much memory is still free. If too little is avilable (see
! below) then java.lang.System.gc() is called.
!
! If set to zero (the default) then no memory checking takes place.
!
!garbageCollectStatements=100
!
! If InstantDB is performing period memory checks (see above) then
! this is the value in percent of available memory that must be
! used before System.gc() gets called.
!
!garbageCollectPercent=70
!---------------------------------------------------------------------
!
! LOGGING AND DEBUGGING PROPERTIES
!
!---------------------------------------------------------------------
!
! Non-zero means include SQL statements in the export file.
!
exportSQL=0
!
! Non-zero means trace output also directed to console.
! Defaults to 0.
!
traceConsole=1
!
! Relative or absolute path where exporting and tracing goes.
!
! NOTE - A relative path is relative to the current Java
! runtime directory. It is *not* relative to this properties
! file. This is regardless of the relativeToProperties
! setting above.
!
traceFile=./trace.log
!
! Bitmap of various items that can be traced. See debug.html.
! Defaults to 0.
!
traceLevel=2
!---------------------------------------------------------------------
!
! TRANSACTION AND RECOVERY PROPERTIES
!
!---------------------------------------------------------------------
!
! 0 means do not perform recovery on startup.
! 1 means perform automatic recovery
! 2 (default) means prompt the user using standard in
!
recoveryPolicy=1
!
! Sets the level of transaction journalling. See trans.html.
! Defaults to 1.
!
! 0 - No journalling takes place.
! 1 - Normal journalling (default).
! 2 - Full journalling.
!
transLevel=1
!
! When doing an import, defines the number of rows imported
! before the transaction is committed. Recommended value 8192.
! defaults to 100.
!
transImports=100
!
! Sets the default transaction isolation level. This is a complex
! topic, but basically, the higher the level, the more locking
! goes on. The allowed values are:
!
! TRANSACTION_READ_UNCOMMITTED = 1
! TRANSACTION_READ_COMMITTED = 2
! TRANSACTION_REPEATABLE_READ = 4
! TRANSACTION_SERIALIZABLE = 8 (default)
!
! SERIALIZABLE means that InstantDB takes exclusive access to all
! tables in a transaction until the transaction completes. Even if
! the transaction only performs reads.
!
! REPEATABLE_READ transactions takes read locks for SELECTs and
! write locks for everything else. All locks released on transaction
! completion.
!
! READ_COMMITTED transactions are the same as REPEATABLE_READ
! except that read locks get freed on statement completion.
!
! READ_UNCOMMITTED transactions do not take read locks. A result
! set can include data being modified by another transaction.
!
!defaultIsolationLevel=2
!---------------------------------------------------------------------
!
! DATE, TIME AND CURRENCY PROPERTIES
!
!---------------------------------------------------------------------
!
! Number of digits after decimal point in currency outputs. Defaults to 2.
!
currencyDecimal=2
!
! Currency symbol used in currency outputs. Defaults to $.
!
currencySymbol=$
!
! Default format for date columns. Defaults to "yyyy-mm-dd".
!
!dateFormat=yyyy-mm-dd
!
! Default format for timestamp columns. Defaults to "yyyy-mm-dd hh:nn:ss.lll".
!
!dateTimeFormat=yyyy-mm-dd hh:nn:ss.lll
!
! Default format for time columns. Defaults to "hh:nn:ss.lll".
!
!timeFormat=hh:nn:ss.lll
!
! If set, then all two digit dates less than its value are interpreted
! as 21st century dates.
!
!milleniumBoundary=50
!
! Set to 1 causes the date string "now" to store a full timestamp.
! Default is to store only the date for fields with now hour in the
! format string.
!
nowMeansTime=0
!---------------------------------------------------------------------
!
! STRING HANDLING PROPERTIES
!
!---------------------------------------------------------------------
!
! If set to 1 then String hashes use the JDK Object.hashCode() function.
! By default, uses InstantDB's String hashing.
!
altStringHashing=0
!
! Set to 1 to cause LIKE clauses to always perform case insensitive
! comparisons.
!
likeIgnoreCase=0
!
! Same as SET LITERAL STRICT_ON. Prevents string literals being interpreted
! as column names or numbers. Default is 0.
!
strictLiterals=0
!
! Set this value to 1 (one) if you would like PreparedStatement.setString()
! to ignore "\" (backslash) characters when proceesing string constants.
! When set, InstantDB will not attempt to interpret \ as the start of an
! escape sequence. Default is 0.
!
!prepareIgnoresEscapes=1
!---------------------------------------------------------------------
!
! MISCELLANEOUS PROPERTIES
!
!---------------------------------------------------------------------
!
! Allows selected InstantDB keywords to be un-reserved.
! e.g. ignoreKeywords=url,quote would allow the keywords
! url and quote to be used as table or column names.
!
! This faciliy is provided for compatatbility reasons only.
! It's use is not recommended AND IS NOT SUPPORTED.
!
!ignoreKeywords
!
! Non-zero means database is opened in read only mode.
!
readOnly=0
!---------------------------------------------------------------------
!
! BASIC PROPERTIES
!
!---------------------------------------------------------------------
!
! Path where index tables are held. Can be absolute or relative
! to the properties file. Defaults to tablePath.
!
indexPath=./indexes
!
! Path where system tables are held. Can be absolute or relative to
! the properties file. Defaults to tablePath.
!
systemPath=./system
!
! Path where database tables are held. Can be absolute or relative
! to the properties file. Defaults to "current" directory.
!
tablePath=./tables
!
! Path where results set tables are held. Can be absolute or relative
! to the properties file. Defaults to tablePath.
!
tmpPath=./tmp
!
! Non-zero means paths are relative to the properties file.
! Default is absolute paths for files.
!
relativeToProperties=1
!
! Alternative partitions can be defined so that tables can be placed
! in multiple locations. Each partition is numbered: 1, 2, 3,... Tables
! can be created on partitions using the syntax
!
! CREATE TABLE <name> ON PARTITION <number>...
!
! The partition count has to be supplied.
!
!partitionCount=2
!
! The locations of each partition must be supplied. These are always
! absolute path names.
!
!partition1=d:/petes
!partition2=c:/temp
!---------------------------------------------------------------------
!
! TUNING PROPERTIES
!
!---------------------------------------------------------------------
!
! The amount of each column to cache, expressed either as an absolute
! number of rows or as a percentage figure. Defaults to 256 or 10 respectively.
!
! This value applies only when tables are first created. It has no effect
! when a table is being re-opened.
!
cacheAmount=512
!
! CACHE_ROWS Must be one of CACHE_ROWS or CACHE_PERCENT. Determines whether
! to cache columns in tables based on an absolute number of rows, or the
! percentage number of rows in the table.
!
! This value applies only when tables are first created. It has no effect
! when a table is being re-opened.
!
cacheCondition=CACHE_ROWS
!
! The amount of the system tables to be cached. Defaults to 100.
!
! This value applies only when tables are first created. It has no effect
! when a table is being re-opened.
!
!systemCacheSize=10
!
! Similar to cacheCondition, but applies only to the system tables.
!
! This value applies only when tables are first created. It has no effect
! when a table is being re-opened.
!
!systemCacheCondition=CACHE_ROWS
!
! The percentage cache hit improvement required in order to move the
! cache to a new location in a column.
!
! (Currently not implemented).
!
cacheResetPercent=10
!
! Non-zero means that database changes do not get written to the
! database immediately. See tuning.html.
!
fastUpdate=0
!
! Percentage of free space in an index that must be present before
! the index reorganises itself. High values means frequent index
! reorganisation. Low values means slow index inserts.
!
indexLoad=5
!
! The number of cache misses to include in calculations of the next
! base for the cache.
!
! (Currently not implemented).
!
missesInCacheStats=100
!
! Non-zero means that results sets get instantiated on disk. By default
! InstantDB holds results sets emtirely in memory (apart from Binary
! columns). For large results sets this can be a problem. This property
! forces all results sets to be held on disk.
!
resultsOnDisk=0
!
! Similar to cacheCondition but applies only to disk based
! results sets. Default is CACHE_ROWS.
!
resultsSetCache=CACHE_ROWS
!
! Similar to cacheAmount but applies only to disk based
! results sets. Default is 100.
!
resultsSetCacheAmount=100
!
! Number of rows to read into the disk read ahead buffer.
! Recommended to be set somewhere around 128 to 256.
! Default is 20.
!
rowCacheSize=128
!
! The read ahead buffer is effective at speeding up full
! table scans. However for indexed lookups or multiple
! simultaneous scans it is better to read a single row at
! a time. Each table holds a small number of single row
! buffers to improve such operations. Default is 8.
!
!singleRowCount=4
!
! Sometimes the look ahead buffer can be held by a single
! thread even though it is not retrieveing many values from it.
! If too many lookups retrieve data from the single row
! buffers then it is better to flush the look ahead buffer and
! make it available for re-use. Default is 128.
!
!flushAfterCacheMisses=64
!
! Number of rows to read ahead for system tables. By default
! system tables cache everything, so it is wasteful to have large
! read ahead buffers since they will very rarely be used. This
! allows the size of the system read ahead buffers to be reduced
! if necessary. Defaults to rowCacheSize.
!
!systemRows=20
!
! The control column in all tables normally has a large cache
! since this speeds up all operation on that table. This can be
! varied to either improve performance or to reduce space.
! default is 8192.
!
! This value applies only when tables are first created. It has no effect
! when a table is being re-opened.
!
!controlColCacheSize=512
!
! By default, InstantDB only does a cursory search for deleted rows during
! UPDATE statements. Setting searchDeletes=1 causes more detailed searches
! for deleted rows. This slows down UPDATE executions, but reults in more
! compact tables. Default is 0.
!
searchDeletes=0
!
! The interval, in milliseconds, between checks for statement execution
! timeouts. Default is 5000.
!
!timerCheck=5000
!
! The number of statements between checks on available memory. If set
! to 100 (say), then every 100 statements, InstantDB will check to
! see how much memory is still free. If too little is avilable (see
! below) then java.lang.System.gc() is called.
!
! If set to zero (the default) then no memory checking takes place.
!
!garbageCollectStatements=100
!
! If InstantDB is performing period memory checks (see above) then
! this is the value in percent of available memory that must be
! used before System.gc() gets called.
!
!garbageCollectPercent=70
!---------------------------------------------------------------------
!
! LOGGING AND DEBUGGING PROPERTIES
!
!---------------------------------------------------------------------
!
! Non-zero means include SQL statements in the export file.
!
exportSQL=0
!
! Non-zero means trace output also directed to console.
! Defaults to 0.
!
traceConsole=1
!
! Relative or absolute path where exporting and tracing goes.
!
! NOTE - A relative path is relative to the current Java
! runtime directory. It is *not* relative to this properties
! file. This is regardless of the relativeToProperties
! setting above.
!
traceFile=./trace.log
!
! Bitmap of various items that can be traced. See debug.html.
! Defaults to 0.
!
traceLevel=2
!---------------------------------------------------------------------
!
! TRANSACTION AND RECOVERY PROPERTIES
!
!---------------------------------------------------------------------
!
! 0 means do not perform recovery on startup.
! 1 means perform automatic recovery
! 2 (default) means prompt the user using standard in
!
recoveryPolicy=1
!
! Sets the level of transaction journalling. See trans.html.
! Defaults to 1.
!
! 0 - No journalling takes place.
! 1 - Normal journalling (default).
! 2 - Full journalling.
!
transLevel=1
!
! When doing an import, defines the number of rows imported
! before the transaction is committed. Recommended value 8192.
! defaults to 100.
!
transImports=100
!
! Sets the default transaction isolation level. This is a complex
! topic, but basically, the higher the level, the more locking
! goes on. The allowed values are:
!
! TRANSACTION_READ_UNCOMMITTED = 1
! TRANSACTION_READ_COMMITTED = 2
! TRANSACTION_REPEATABLE_READ = 4
! TRANSACTION_SERIALIZABLE = 8 (default)
!
! SERIALIZABLE means that InstantDB takes exclusive access to all
! tables in a transaction until the transaction completes. Even if
! the transaction only performs reads.
!
! REPEATABLE_READ transactions takes read locks for SELECTs and
! write locks for everything else. All locks released on transaction
! completion.
!
! READ_COMMITTED transactions are the same as REPEATABLE_READ
! except that read locks get freed on statement completion.
!
! READ_UNCOMMITTED transactions do not take read locks. A result
! set can include data being modified by another transaction.
!
!defaultIsolationLevel=2
!---------------------------------------------------------------------
!
! DATE, TIME AND CURRENCY PROPERTIES
!
!---------------------------------------------------------------------
!
! Number of digits after decimal point in currency outputs. Defaults to 2.
!
currencyDecimal=2
!
! Currency symbol used in currency outputs. Defaults to $.
!
currencySymbol=$
!
! Default format for date columns. Defaults to "yyyy-mm-dd".
!
!dateFormat=yyyy-mm-dd
!
! Default format for timestamp columns. Defaults to "yyyy-mm-dd hh:nn:ss.lll".
!
!dateTimeFormat=yyyy-mm-dd hh:nn:ss.lll
!
! Default format for time columns. Defaults to "hh:nn:ss.lll".
!
!timeFormat=hh:nn:ss.lll
!
! If set, then all two digit dates less than its value are interpreted
! as 21st century dates.
!
!milleniumBoundary=50
!
! Set to 1 causes the date string "now" to store a full timestamp.
! Default is to store only the date for fields with now hour in the
! format string.
!
nowMeansTime=0
!---------------------------------------------------------------------
!
! STRING HANDLING PROPERTIES
!
!---------------------------------------------------------------------
!
! If set to 1 then String hashes use the JDK Object.hashCode() function.
! By default, uses InstantDB's String hashing.
!
altStringHashing=0
!
! Set to 1 to cause LIKE clauses to always perform case insensitive
! comparisons.
!
likeIgnoreCase=0
!
! Same as SET LITERAL STRICT_ON. Prevents string literals being interpreted
! as column names or numbers. Default is 0.
!
strictLiterals=0
!
! Set this value to 1 (one) if you would like PreparedStatement.setString()
! to ignore "\" (backslash) characters when proceesing string constants.
! When set, InstantDB will not attempt to interpret \ as the start of an
! escape sequence. Default is 0.
!
!prepareIgnoresEscapes=1
!---------------------------------------------------------------------
!
! MISCELLANEOUS PROPERTIES
!
!---------------------------------------------------------------------
!
! Allows selected InstantDB keywords to be un-reserved.
! e.g. ignoreKeywords=url,quote would allow the keywords
! url and quote to be used as table or column names.
!
! This faciliy is provided for compatatbility reasons only.
! It's use is not recommended AND IS NOT SUPPORTED.
!
!ignoreKeywords
!
! Non-zero means database is opened in read only mode.
!
readOnly=0
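Review bot: `traceFile=./trace.log` together with `traceLevel=2` leaves tracing switched on, and the comment above it states that a relative path resolves against the JVM's runtime directory rather than this properties file, so whichever launcher starts the container will have a trace.log written next to it. If this file is only being parked under old/ that is harmless, but if anything still loads it, set `traceLevel=0` (the documented default) or give `traceFile` an absolute path. Minor, in the comments: `proceesing`, `faciliy` and `compatatbility` are misspelt, and `It's use is not recommended` should read `Its use`.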

View File

@ -1,292 +1,292 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.Category, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*, java.util.*"
errorPage="" %>
<%
WebSession webSession = ((WebSession) session.getAttribute(WebSession.SESSION));
Course course = webSession.getCourse();
AbstractLesson currentLesson = webSession.getCurrentLesson();
LabelManager labelManager = BeanProvider.getBean("labelManager", LabelManager.class);
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@page import="org.owasp.webgoat.lessons.RandomLessonAdapter"%>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title><%=currentLesson.getTitle()%></title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
<link rel="stylesheet" href="css/lesson.css" type="text/css" />
<link rel="stylesheet" href="css/menu.css" type="text/css" />
<link rel="stylesheet" href="css/layers.css" type="text/css" />
<script language="JavaScript1.2" src="javascript/javascript.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/menu_system.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/lessonNav.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/makeWindow.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/toggle.js" type="text/javascript"></script>
</head>
<%
final String menuPrefix = WebSession.MENU;
final String submenuPrefix = "submenu";
final String mbutPrefix = "mbut";
String printHint = "";
String printParameters = "";
String printCookies = "";
String lessonComplete = "<img src=\"images/buttons/lessonComplete.jpg\">";
List categories = course.getCategories();
StringBuffer buildList = new StringBuffer();
Iterator iter1 = categories.iterator();
while (iter1.hasNext()) {
Category category = (Category) iter1.next();
buildList.append("'");
buildList.append(menuPrefix);
buildList.append(category.getRanking());
buildList.append("','");
buildList.append(submenuPrefix);
buildList.append(category.getRanking());
buildList.append("','");
buildList.append(mbutPrefix);
buildList.append(category.getRanking());
buildList.append("'");
if (iter1.hasNext()) {
buildList.append(",");
}
}%>
<body class="page" onload="setMenuMagic1(10, 40, 10, 'menubottom',<%=buildList%>);
trigMM1url('<%= menuPrefix%>', 1);
MM_preloadImages('images/buttons/hintLeftOver.jpg', 'images/buttons/hintOver.jpg', 'images/buttons/hintRightOver.jpg', 'images/buttons/paramsOver.jpg', 'images/buttons/htmlOver.jpg', 'images/buttons/cookiesOver.jpg', 'images/buttons/javaOver.jpg', 'images/buttons/plansOver.jpg', 'images/buttons/logout.jpg', 'images/buttons/helpOver.jpg');
initIframe();">
<div id="wrap">
<%
int topCord = 140;
int zIndex = 105;
Iterator iter2 = categories.iterator();
while (iter2.hasNext()) {
Category category = (Category) iter2.next();
%>
<div id="<%=menuPrefix + category.getRanking()%>" style="position:absolute; left:30px; top:<%=topCord%>px; width:160px; z-index:<%=zIndex%>"><a href="javascript:;" onclick="trigMenuMagic1('<%=menuPrefix + category.getRanking()%>', 1);
return false" onfocus="if (this.blur)
this.blur()"><img src="images/menu_images/1x1.gif" width="1" height=1"20" name="mbut<%=category.getRanking()%>" border="0" alt=""/><%=category.getName()%></a></div>
<%
topCord = topCord + 30;
zIndex = zIndex + 1;
}
int topSubMenu = 72;
Iterator iter3 = categories.iterator();
while (iter3.hasNext()) {
Category category = (Category) iter3.next();
List lessons = webSession.getLessons(category);
Iterator iter4 = lessons.iterator();
%>
<div id="submenu<%=category.getRanking()%>" class="pviimenudiv" style="position:absolute; left:200px; top:<%=topSubMenu%>px; width:150px; visibility: hidden; z-index:<%=zIndex%>">
<table width="150" border="0" cellspacing="6" cellpadding="0"><%
topSubMenu = topSubMenu + 30;
zIndex = zIndex + 1;
while (iter4.hasNext()) {
AbstractLesson lesson = (AbstractLesson) iter4.next();
%><tr>
<td><%=(lesson.isCompleted(webSession) ? lessonComplete : "")%><a href="<%=lesson.getLink()%>"><%=lesson.getTitle()%></a></td>
</tr>
<% if (lesson instanceof RandomLessonAdapter) {
RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
String[] stages = rla.getStages();
if (stages != null)
for (int i = 0; i < stages.length; i++) {
%>
<tr><td class="pviimenudivstage"><%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%><a href="<%=lesson.getLink() + "/" + (i + 1)%>">Stage <%=i + 1%>: <%=stages[i]%></a>
</td></tr>
<%
}
}
%>
<%
}
%>
</table>
</div><%
}%>
<div id="top"></div>
<div id="topLeft">
<div align="left">
<% if (currentLesson.getAvailableLanguages().size() != 0) {
%>
<form method="get" action="attack" style="display: inline;">
Choose another language: <select name="language" size="1"
onChange="changeLanguage();">
<%
for (String lang : currentLesson.getAvailableLanguages()) {
%>
<option value="<%=lang%>"
<% if (webSession.getCurrrentLanguage().equals(lang)) {
out.println("selected");
}%>><%=lang%>
</option>
<%
}
%>
</select></form>
<%
} else {
%>
Internationalization is not available for this lesson
<%
}
%>
</div></div>
<div align="right" id="topRight">
<a href="j_spring_security_logout" onmouseout="MM_swapImgRestore()"
onmouseover="MM_swapImage('logout', '', 'images/buttons/logoutOver.jpg', 1)"><img
src="images/buttons/logout.jpg" alt="LogOut" name="logout" width="45"
height="22" border="0" id="logout" /></a> <a href="#getFAQ()"
onmouseout="MM_swapImgRestore()"
onmouseover="MM_swapImage('help', '', 'images/buttons/helpOver.jpg', 1)"><img
src="images/buttons/help.jpg" alt="Help" name="help" width="22"
height="22" border="0" id="help" /></a>
</div>
<div id="lessonTitle" align="right"><%=currentLesson.getTitle()%></div>
<div id="hMenuBar">
<%
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWHINTS)) {
%>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=PreviousHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintLeft', '', 1)"
onmouseover="MM_nbGroup('over', 'hintLeft', 'images/buttons/hintLeftOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hintLeft.jpg" alt="Previous Hint" name="hintLeft" width="20" height="20" border="0" id="hintLeft"/>
</a>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=NextHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hint', '', 1)"
onmouseover="MM_nbGroup('over', 'hint', 'images/buttons/hintOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hint.jpg" alt="Hints" name="hint" width="35" height="20" border="0" id="hint"/>
</a>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=NextHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintRight', '', 1)"
onmouseover="MM_nbGroup('over', 'hintRight', 'images/buttons/hintRightOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hintRight.jpg" alt="Next Hint" name="hintRight" width="20" height="20" border="0" id="hintRight"/>
</a>
<%}%>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=Params" target="_top" onclick="MM_nbGroup('down', 'group1', 'params', '', 1)"
onmouseover="MM_nbGroup('over', 'params', 'images/buttons/paramsOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink()%>&show=Params" width="87" height="20" border="0" id="params"/>
</a>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=Cookies" target="_top" onclick="MM_nbGroup('down', 'group1', 'cookies', '', 1)"
onmouseover="MM_nbGroup('over', 'cookies', 'images/buttons/cookiesOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/cookies.jpg" alt="Show Cookies" name="cookies" width="99" height="20" border="0" id="cookies"/>
</a>
<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down', 'group1', 'plans', '', 1)"
onmouseover="MM_nbGroup('over', 'plans', 'images/buttons/plansOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/plans.jpg" alt="Lesson Plans" width="89" height="20" border="0" id="plans"/>
</a>
<%
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWSOURCE)) {
%>
<a href="source" onclick="makeWindow(this.href + '?source=true', 'Java Source');
return false;" target="javaWin"
onmouseover="MM_nbGroup('over', 'java', 'images/buttons/javaOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/java.jpg" alt="Show Java" name="java" width="75" height="20" border="0" id="java"/>
</a>
<a href="source" onclick="makeWindow(this.href + '?solution=true', 'Java Solution');
return false;" target="javaWin"
onmouseover="MM_nbGroup('over', 'solutions', 'images/buttons/solutionsOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/solutions.jpg" alt="Show Solution" name="solutions" width="73" height="20" border="0" id="solutions"/>
</a>
<%}%>
</div>
<div id="twoCol">
<div id="menuSpacer"></div>
<div id="lessonAreaTop">
<%
if (currentLesson != null) {
%>
<div id="training_wrap">
<div id="training" class="info"><a href="http://yehg.net/lab/pr0js/training/webgoat.php" target="_blank"><%=labelManager.get("SolutionVideos")%></a></div>
<div id="reset" class="info"><a href="<%=webSession.getRestartLink()%>"><%=labelManager.get("RestartLesson")%></a></div>
</div>
<%
}
%>
</div>
<div id="lessonArea">
<%
if (webSession.getHint() != null) {
printHint = "<div id=\"hint\" class=\"info\">" + webSession.getHint() + "</div><br>";
out.println(printHint);
}
if (webSession.getParams() != null) {
Iterator i = webSession.getParams().iterator();
while (i.hasNext()) {
Parameter p = (Parameter) i.next();
printParameters = "<div id=\"parameter\" class=\"info\">" + p.getName() + "=" + p.getValue() + "</div><br>";
out.println(printParameters);
}
}
if (webSession.getCookies() != null) {
Iterator i = webSession.getCookies().iterator();
while (i.hasNext()) {
Cookie c = (Cookie) i.next();
printCookies = "<div id=\"cookie\" class=\"info\">" + c.getName() + " <img src=\"images/icons/rightArrow.jpg\" alt=\"\"> " + c.getValue() + "</div><br>";
out.println(printCookies);
}
}%>
<div id="lessonPlans" style="visibility:hidden; height:1px; position:absolute; left:260px; top:130px; width:425px; z-index:105;"><%=currentLesson.getLessonPlan(webSession)%>
<br/>
<br/>
<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down', 'group1', 'plans', '', 1)">Close this Window</a>
</div>
<div id="lessonContent">
<%
AbstractLesson lesson = webSession.getCurrentLesson();
if (lesson instanceof RandomLessonAdapter) {
RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
%>
<div class="info">Stage <%= rla.getLessonTracker(webSession).getStageNumber(rla.getStage(webSession)) + 1%></div>
<%
}
%>
<%=webSession.getInstructions()%></div>
<div id="message" class="info"><%=webSession.getMessage()%></div>
<%
if (currentLesson.getTemplatePage(webSession) != null) {
//System.out.println("Main.jsp - current lesson: " + currentLesson.getName() );
//System.out.println(" - template Page: " + currentLesson.getTemplatePage(webSession));
%>
<jsp:include page="<%=currentLesson.getTemplatePage(webSession)%>" />
<%
} else {
%>
<div id="lessonContent"><%=currentLesson.getContent()%></div>
<%
}
%>
</div>
</div>
<div id="bottom">
<div align="center"><a href="http://www.owasp.org">OWASP Foundation</a> |
<a href="http://www.owasp.org/index.php/OWASP_WebGoat_Project">Project WebGoat</a> |
<a href="reportBug.jsp">Report Bug</a>
</div>
</div>
</div>
</body>
</html>
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.Category, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*, java.util.*"
errorPage="" %>
<%
WebSession webSession = ((WebSession) session.getAttribute(WebSession.SESSION));
Course course = webSession.getCourse();
AbstractLesson currentLesson = webSession.getCurrentLesson();
LabelManager labelManager = BeanProvider.getBean("labelManager", LabelManager.class);
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@page import="org.owasp.webgoat.lessons.RandomLessonAdapter"%>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title><%=currentLesson.getTitle()%></title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
<link rel="stylesheet" href="css/lesson.css" type="text/css" />
<link rel="stylesheet" href="css/menu.css" type="text/css" />
<link rel="stylesheet" href="css/layers.css" type="text/css" />
<script language="JavaScript1.2" src="javascript/javascript.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/menu_system.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/lessonNav.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/makeWindow.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/toggle.js" type="text/javascript"></script>
</head>
<%
final String menuPrefix = WebSession.MENU;
final String submenuPrefix = "submenu";
final String mbutPrefix = "mbut";
String printHint = "";
String printParameters = "";
String printCookies = "";
String lessonComplete = "<img src=\"images/buttons/lessonComplete.jpg\">";
List categories = course.getCategories();
StringBuffer buildList = new StringBuffer();
Iterator iter1 = categories.iterator();
while (iter1.hasNext()) {
Category category = (Category) iter1.next();
buildList.append("'");
buildList.append(menuPrefix);
buildList.append(category.getRanking());
buildList.append("','");
buildList.append(submenuPrefix);
buildList.append(category.getRanking());
buildList.append("','");
buildList.append(mbutPrefix);
buildList.append(category.getRanking());
buildList.append("'");
if (iter1.hasNext()) {
buildList.append(",");
}
}%>
<body class="page" onload="setMenuMagic1(10, 40, 10, 'menubottom',<%=buildList%>);
trigMM1url('<%= menuPrefix%>', 1);
MM_preloadImages('images/buttons/hintLeftOver.jpg', 'images/buttons/hintOver.jpg', 'images/buttons/hintRightOver.jpg', 'images/buttons/paramsOver.jpg', 'images/buttons/htmlOver.jpg', 'images/buttons/cookiesOver.jpg', 'images/buttons/javaOver.jpg', 'images/buttons/plansOver.jpg', 'images/buttons/logout.jpg', 'images/buttons/helpOver.jpg');
initIframe();">
<div id="wrap">
<%
int topCord = 140;
int zIndex = 105;
Iterator iter2 = categories.iterator();
while (iter2.hasNext()) {
Category category = (Category) iter2.next();
%>
<div id="<%=menuPrefix + category.getRanking()%>" style="position:absolute; left:30px; top:<%=topCord%>px; width:160px; z-index:<%=zIndex%>"><a href="javascript:;" onclick="trigMenuMagic1('<%=menuPrefix + category.getRanking()%>', 1);
return false" onfocus="if (this.blur)
this.blur()"><img src="images/menu_images/1x1.gif" width="1" height=1"20" name="mbut<%=category.getRanking()%>" border="0" alt=""/><%=category.getName()%></a></div>
<%
topCord = topCord + 30;
zIndex = zIndex + 1;
}
int topSubMenu = 72;
Iterator iter3 = categories.iterator();
while (iter3.hasNext()) {
Category category = (Category) iter3.next();
List lessons = webSession.getLessons(category);
Iterator iter4 = lessons.iterator();
%>
<div id="submenu<%=category.getRanking()%>" class="pviimenudiv" style="position:absolute; left:200px; top:<%=topSubMenu%>px; width:150px; visibility: hidden; z-index:<%=zIndex%>">
<table width="150" border="0" cellspacing="6" cellpadding="0"><%
topSubMenu = topSubMenu + 30;
zIndex = zIndex + 1;
while (iter4.hasNext()) {
AbstractLesson lesson = (AbstractLesson) iter4.next();
%><tr>
<td><%=(lesson.isCompleted(webSession) ? lessonComplete : "")%><a href="<%=lesson.getLink()%>"><%=lesson.getTitle()%></a></td>
</tr>
<% if (lesson instanceof RandomLessonAdapter) {
RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
String[] stages = rla.getStages();
if (stages != null)
for (int i = 0; i < stages.length; i++) {
%>
<tr><td class="pviimenudivstage"><%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%><a href="<%=lesson.getLink() + "/" + (i + 1)%>">Stage <%=i + 1%>: <%=stages[i]%></a>
</td></tr>
<%
}
}
%>
<%
}
%>
</table>
</div><%
}%>
<div id="top"></div>
<div id="topLeft">
<div align="left">
<% if (currentLesson.getAvailableLanguages().size() != 0) {
%>
<form method="get" action="attack" style="display: inline;">
Choose another language: <select name="language" size="1"
onChange="changeLanguage();">
<%
for (String lang : currentLesson.getAvailableLanguages()) {
%>
<option value="<%=lang%>"
<% if (webSession.getCurrrentLanguage().equals(lang)) {
out.println("selected");
}%>><%=lang%>
</option>
<%
}
%>
</select></form>
<%
} else {
%>
Internationalization is not available for this lesson
<%
}
%>
</div></div>
<div align="right" id="topRight">
<a href="j_spring_security_logout" onmouseout="MM_swapImgRestore()"
onmouseover="MM_swapImage('logout', '', 'images/buttons/logoutOver.jpg', 1)"><img
src="images/buttons/logout.jpg" alt="LogOut" name="logout" width="45"
height="22" border="0" id="logout" /></a> <a href="#getFAQ()"
onmouseout="MM_swapImgRestore()"
onmouseover="MM_swapImage('help', '', 'images/buttons/helpOver.jpg', 1)"><img
src="images/buttons/help.jpg" alt="Help" name="help" width="22"
height="22" border="0" id="help" /></a>
</div>
<div id="lessonTitle" align="right"><%=currentLesson.getTitle()%></div>
<div id="hMenuBar">
<%
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWHINTS)) {
%>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=PreviousHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintLeft', '', 1)"
onmouseover="MM_nbGroup('over', 'hintLeft', 'images/buttons/hintLeftOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hintLeft.jpg" alt="Previous Hint" name="hintLeft" width="20" height="20" border="0" id="hintLeft"/>
</a>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=NextHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hint', '', 1)"
onmouseover="MM_nbGroup('over', 'hint', 'images/buttons/hintOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hint.jpg" alt="Hints" name="hint" width="35" height="20" border="0" id="hint"/>
</a>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=NextHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintRight', '', 1)"
onmouseover="MM_nbGroup('over', 'hintRight', 'images/buttons/hintRightOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hintRight.jpg" alt="Next Hint" name="hintRight" width="20" height="20" border="0" id="hintRight"/>
</a>
<%}%>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=Params" target="_top" onclick="MM_nbGroup('down', 'group1', 'params', '', 1)"
onmouseover="MM_nbGroup('over', 'params', 'images/buttons/paramsOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink()%>&show=Params" width="87" height="20" border="0" id="params"/>
</a>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=Cookies" target="_top" onclick="MM_nbGroup('down', 'group1', 'cookies', '', 1)"
onmouseover="MM_nbGroup('over', 'cookies', 'images/buttons/cookiesOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/cookies.jpg" alt="Show Cookies" name="cookies" width="99" height="20" border="0" id="cookies"/>
</a>
<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down', 'group1', 'plans', '', 1)"
onmouseover="MM_nbGroup('over', 'plans', 'images/buttons/plansOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/plans.jpg" alt="Lesson Plans" width="89" height="20" border="0" id="plans"/>
</a>
<%
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWSOURCE)) {
%>
<a href="source" onclick="makeWindow(this.href + '?source=true', 'Java Source');
return false;" target="javaWin"
onmouseover="MM_nbGroup('over', 'java', 'images/buttons/javaOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/java.jpg" alt="Show Java" name="java" width="75" height="20" border="0" id="java"/>
</a>
<a href="source" onclick="makeWindow(this.href + '?solution=true', 'Java Solution');
return false;" target="javaWin"
onmouseover="MM_nbGroup('over', 'solutions', 'images/buttons/solutionsOver.jpg', '', 1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/solutions.jpg" alt="Show Solution" name="solutions" width="73" height="20" border="0" id="solutions"/>
</a>
<%}%>
</div>
<div id="twoCol">
<div id="menuSpacer"></div>
<div id="lessonAreaTop">
<%
if (currentLesson != null) {
%>
<div id="training_wrap">
<div id="training" class="info"><a href="http://yehg.net/lab/pr0js/training/webgoat.php" target="_blank"><%=labelManager.get("SolutionVideos")%></a></div>
<div id="reset" class="info"><a href="<%=webSession.getRestartLink()%>"><%=labelManager.get("RestartLesson")%></a></div>
</div>
<%
}
%>
</div>
<div id="lessonArea">
<%
if (webSession.getHint() != null) {
printHint = "<div id=\"hint\" class=\"info\">" + webSession.getHint() + "</div><br>";
out.println(printHint);
}
if (webSession.getParams() != null) {
Iterator i = webSession.getParams().iterator();
while (i.hasNext()) {
Parameter p = (Parameter) i.next();
printParameters = "<div id=\"parameter\" class=\"info\">" + p.getName() + "=" + p.getValue() + "</div><br>";
out.println(printParameters);
}
}
if (webSession.getCookies() != null) {
Iterator i = webSession.getCookies().iterator();
while (i.hasNext()) {
Cookie c = (Cookie) i.next();
printCookies = "<div id=\"cookie\" class=\"info\">" + c.getName() + " <img src=\"images/icons/rightArrow.jpg\" alt=\"\"> " + c.getValue() + "</div><br>";
out.println(printCookies);
}
}%>
<div id="lessonPlans" style="visibility:hidden; height:1px; position:absolute; left:260px; top:130px; width:425px; z-index:105;"><%=currentLesson.getLessonPlan(webSession)%>
<br/>
<br/>
<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down', 'group1', 'plans', '', 1)">Close this Window</a>
</div>
<div id="lessonContent">
<%
AbstractLesson lesson = webSession.getCurrentLesson();
if (lesson instanceof RandomLessonAdapter) {
RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
%>
<div class="info">Stage <%= rla.getLessonTracker(webSession).getStageNumber(rla.getStage(webSession)) + 1%></div>
<%
}
%>
<%=webSession.getInstructions()%></div>
<div id="message" class="info"><%=webSession.getMessage()%></div>
<%
if (currentLesson.getTemplatePage(webSession) != null) {
//System.out.println("Main.jsp - current lesson: " + currentLesson.getName() );
//System.out.println(" - template Page: " + currentLesson.getTemplatePage(webSession));
%>
<jsp:include page="<%=currentLesson.getTemplatePage(webSession)%>" />
<%
} else {
%>
<div id="lessonContent"><%=currentLesson.getContent()%></div>
<%
}
%>
</div>
</div>
<div id="bottom">
<div align="center"><a href="http://www.owasp.org">OWASP Foundation</a> |
<a href="http://www.owasp.org/index.php/OWASP_WebGoat_Project">Project WebGoat</a> |
<a href="reportBug.jsp">Report Bug</a>
</div>
</div>
</div>
</body>
</html>
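Review bot: the hint, parameter and cookie blocks (`printHint = ... + webSession.getHint() + ...`, `printParameters = ... + p.getName() + "=" + p.getValue() + ...`, `printCookies = ... + c.getName() ... + c.getValue() + ...`) concatenate request-derived values straight into HTML and write them with `out.println`, and `<%=webSession.getInstructions()%>` and `<%=webSession.getMessage()%>` are written unescaped as well; since the Show Params and Show Cookies views echo whatever the client sent, those values should be HTML-encoded before they reach the page. Worth fixing while the file moves: `width="1" height=1"20"` on the 1x1.gif menu image is a malformed attribute (should be `height="20"`), `id="lessonContent"` is declared twice (the outer div and the fallback `<div id="lessonContent"><%=currentLesson.getContent()%></div>`), and the params button carries `name="<%= webSession.getCurrentLesson().getLink()%>&show=Params"` where the `MM_nbGroup(..., 'params', ...)` handlers expect `name="params"`.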

View File

@ -1,28 +1,28 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="org.owasp.webgoat.session.WebSession"
errorPage="" %>
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Untitled Document</title>
<link href="css/webgoat.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id=#wrap>
<%
String source = webSession.getSource();
if (source != null)
{
String printSource = "<div id=\"source\">" + source + "</div><br>";
out.println(printSource);
}
%>
</div>
</body>
</html>
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="org.owasp.webgoat.session.WebSession"
errorPage="" %>
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Untitled Document</title>
<link href="css/webgoat.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id=#wrap>
<%
String source = webSession.getSource();
if (source != null)
{
String printSource = "<div id=\"source\">" + source + "</div><br>";
out.println(printSource);
}
%>
</div>
</body>
</html>
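Review bot: `out.println("<div id=\"source\">" + source + "</div><br>")` writes the lesson's Java source into the page verbatim; Java source is full of `<`, `>` and `&`, so it will not render correctly and any markup inside it is interpreted by the browser. HTML-encode `source` first and wrap it in `<pre>` if it is meant to be readable. Also `<div id=#wrap>` is not a valid attribute value (should be `<div id="wrap">`), and the session attribute is looked up with the literal `"websession"` while main.jsp uses `WebSession.SESSION`; use the constant in both places so the two cannot drift apart.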

View File

@ -1,100 +1,100 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage=""%>
<!-- This modal content is included into the main_new.jsp -->
<div class="modal-content">
<div class="modal-header">
<h3 class="modal-title" id="myModalLabel">About WebGoat - Provided by the OWASP Foundation</h3>
</div>
<div class="modal-body modal-scroll">
<p>Thanks for hacking The Goat!</p>
<p>WebGoat is a demonstration of common web application flaws. The
associated exercises are intended to provide hands-on experience with
techniques aimed at demonstrating and testing application penetration.
</p>
<p>From the entire WebGoat team, we appreciate your interest and efforts
in making applications not just better, but safer and more secure for
everyone. We, as well as our sacrificial goat, thank you.</p>
<p>
Version: ${version},&nbsp;Build: ${build}
</p>
<div class="row">
<div class="col-md-6">
<p>Contact us:
<ul>
<li>WebGoat mailing list: ${emailList}</li>
<li>Bruce Mayhew: ${contactEmail}</li>
</ul>
</p>
</div>
</div>
<div class="row">
<div class="col-md-6">
<p>WebGoat Authors
<ul>
<li>Bruce Mayhew (Project Lead)</li>
<li>Jeff Williams (Original Idea)</li>
<li>Richard Lawson (Architect)</li>
<li>Jason White (Architect)</li>
</ul>
</p>
</div>
<div class="col-md-6">
<p>WebGoat Design Team
<ul>
<li>Richard Lawson</li>
<li>Bruce Mayhew</li>
<li>Jason White</li>
<li>Ali Looney (User Interface)</li>
<li>Jeff Wayman (Website and Docs)</li>
</ul>
</p>
</div>
</div>
<div class="row">
<div class="col-md-6">
<p>Active Contributors
<ul>
<li>Nanne Baars (Developer)</li>
<li>Dave Cowden (Everything)</li>
<li>Keith Gasser (Survey/Security)</li>
<li>Devin Mayhew (Setup/Admin)</li>
<li>Li Simon (Developer)</li>
</ul>
</p>
</div>
<div class="col-md-6">
<p>Past Contributors
<ul>
<li>David Anderson (Developer/Design)</li>
<li>Christopher Blum (Lessons)</li>
<li>Laurence Casey (Graphics)</li>
<li>Brian Ciomei (Bug fixes)</li>
<li>Rogan Dawes (Lessons)</li>
<li>Erwin Geirnaert (Solutions)</li>
<li>Aung Knant (Documentation)</li>
<li>Ryan Knell (Lessons)</li>
<li>Christine Koppeit (Build)</li>
<li>Sherif Kousa (Lessons/Documentation)</li>
<li>Reto Lippuner (Lessons)</li>
<li>PartNet (Lessons)</li>
<li>Yiannis Pavlosoglou (Lessons)</li>
<li>Eric Sheridan (Lessons)</li>
<li>Alex Smolen (Lessons)</li>
<li>Chuck Willis (Lessons)</li>
<li>Marcel Wirth (Lessons)</li>
</ul>
</p>
<p>Did we miss you? Our sincere apologies, as we know there have
been many contributors over the years. If your name does not
appear in any of the lists above, please send us a note. We'll
get you added with no further sacrifices required.</p>
</div>
</div>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
</div>
</div>
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage=""%>
<!-- This modal content is included into the main_new.jsp -->
<div class="modal-content">
<div class="modal-header">
<h3 class="modal-title" id="myModalLabel">About WebGoat - Provided by the OWASP Foundation</h3>
</div>
<div class="modal-body modal-scroll">
<p>Thanks for hacking The Goat!</p>
<p>WebGoat is a demonstration of common web application flaws. The
associated exercises are intended to provide hands-on experience with
techniques aimed at demonstrating and testing application penetration.
</p>
<p>From the entire WebGoat team, we appreciate your interest and efforts
in making applications not just better, but safer and more secure for
everyone. We, as well as our sacrificial goat, thank you.</p>
<p>
Version: ${version},&nbsp;Build: ${build}
</p>
<div class="row">
<div class="col-md-6">
<p>Contact us:
<ul>
<li>WebGoat mailing list: ${emailList}</li>
<li>Bruce Mayhew: ${contactEmail}</li>
</ul>
</p>
</div>
</div>
<div class="row">
<div class="col-md-6">
<p>WebGoat Authors
<ul>
<li>Bruce Mayhew (Project Lead)</li>
<li>Jeff Williams (Original Idea)</li>
<li>Richard Lawson (Architect)</li>
<li>Jason White (Architect)</li>
</ul>
</p>
</div>
<div class="col-md-6">
<p>WebGoat Design Team
<ul>
<li>Richard Lawson</li>
<li>Bruce Mayhew</li>
<li>Jason White</li>
<li>Ali Looney (User Interface)</li>
<li>Jeff Wayman (Website and Docs)</li>
</ul>
</p>
</div>
</div>
<div class="row">
<div class="col-md-6">
<p>Active Contributors
<ul>
<li>Nanne Baars (Developer)</li>
<li>Dave Cowden (Everything)</li>
<li>Keith Gasser (Survey/Security)</li>
<li>Devin Mayhew (Setup/Admin)</li>
<li>Li Simon (Developer)</li>
</ul>
</p>
</div>
<div class="col-md-6">
<p>Past Contributors
<ul>
<li>David Anderson (Developer/Design)</li>
<li>Christopher Blum (Lessons)</li>
<li>Laurence Casey (Graphics)</li>
<li>Brian Ciomei (Bug fixes)</li>
<li>Rogan Dawes (Lessons)</li>
<li>Erwin Geirnaert (Solutions)</li>
<li>Aung Knant (Documentation)</li>
<li>Ryan Knell (Lessons)</li>
<li>Christine Koppeit (Build)</li>
<li>Sherif Kousa (Lessons/Documentation)</li>
<li>Reto Lippuner (Lessons)</li>
<li>PartNet (Lessons)</li>
<li>Yiannis Pavlosoglou (Lessons)</li>
<li>Eric Sheridan (Lessons)</li>
<li>Alex Smolen (Lessons)</li>
<li>Chuck Willis (Lessons)</li>
<li>Marcel Wirth (Lessons)</li>
</ul>
</p>
<p>Did we miss you? Our sincere apologies, as we know there have
been many contributors over the years. If your name does not
appear in any of the lists above, please send us a note. We'll
get you added with no further sacrifices required.</p>
</div>
</div>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
</div>
</div>
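Review bot: each contributor list is a `<ul>` nested inside a `<p>` (for example `<p>Contact us:` followed by `<ul>` ... `</ul>` and then `</p>`); a paragraph cannot contain block content, so browsers close the `<p>` at the `<ul>` and the trailing `</p>` becomes a stray tag. Make the label its own `<p>` or a heading and place the `<ul>` as a sibling element. The same pattern repeats for WebGoat Authors, WebGoat Design Team, Active Contributors and Past Contributors.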

View File

@ -164,7 +164,7 @@ developer_bootstrap() {
horizontal_rule
echo "$COL_MAGENTA"
echo "$COL_CYAN ***** Starting WebGoat using the embedded Tomcat ***** $COL_RESET"
echo " Please be patient.... The startup of the server can take from 30s to 3 minutes."
echo " Please be patient.... The startup of the server takes about 5 seconds..."
echo " WebGoat will be ready for you when you see the following message on the command prompt:"
echo "$COL_YELLOW INFO: Starting ProtocolHandler ["http-bio-8080"] $COL_RESET"
echo "$COL_CYAN When you see the message above, open a web browser and navigate to http://localhost:8080/WebGoat/ $COL_RESET"
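Review bot: the hint two lines below the changed text, `echo "$COL_YELLOW INFO: Starting ProtocolHandler ["http-bio-8080"] $COL_RESET"`, is still the Tomcat 7 BIO connector log line, while the next hunk switches the launcher to `spring-boot:run`; re-check what the Spring Boot embedded container actually prints and update the string, otherwise users wait for a message that never appears. That line also has a quoting bug: the inner `"` characters terminate the outer double-quoted string, so the brackets print without their quotes; escape them as `\"...\"` inside the echo. The new "takes about 5 seconds" wording is worth verifying on a first run, where Maven may still have dependencies to download.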
@ -179,7 +179,7 @@ developer_bootstrap() {
sleep 5
# Starting WebGoat
mvn -q -DskipTests -file WebGoat/pom.xml -pl webgoat-container tomcat7:run-war
mvn -q -pl webgoat-container spring-boot:run
}
# Start main script
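Review bot: `mvn -q -pl webgoat-container spring-boot:run` drops the `-file WebGoat/pom.xml` of the old command, so `-pl webgoat-container` now only resolves when the script is run from the directory that holds the root pom; if the script stays where it was, either keep `-f` pointing at the pom or `cd` there first. Dropping `-DskipTests` should be harmless, since `spring-boot:run` only runs the lifecycle up to test-compile, but say so in the commit message. Consider adding `-am` so that sibling modules webgoat-container depends on are built in the same invocation rather than resolved from a stale local repository.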