From 9130ab3e22c2d0619347e99756f4dcb45179b493 Mon Sep 17 00:00:00 2001 From: "wirth.marcel" Date: Tue, 8 Apr 2008 07:51:47 +0000 Subject: [PATCH] MultiLevelLogin 2 data stored now in session git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@303 4033779f-a91e-0410-96ef-6bf7bf53c507 --- .../webgoat/lessons/MultiLevelLogin1.java | 31 ++-- .../webgoat/lessons/MultiLevelLogin2.java | 150 ++++++++++++++---- 2 files changed, 135 insertions(+), 46 deletions(-) diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/MultiLevelLogin1.java b/main/project/JavaSource/org/owasp/webgoat/lessons/MultiLevelLogin1.java index f34b2faaa..1644f8e0d 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/MultiLevelLogin1.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/MultiLevelLogin1.java @@ -61,10 +61,11 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter private final static String PASSWORD = "pass"; private final static String HIDDEN_TAN = "hidden_tan"; private final static String TAN = "tan"; - + private final static String LOGGEDIN = "loggedin"; private final static String CORRECTTAN = "correctTan"; private final static String LOGGEDINUSER = "loggedInUser"; + /** * Creates Staged WebContent * @@ -74,9 +75,10 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter { return super.createStagedContent(s); } - + /** - * See if the user is logged in + * See if the user has logged in correctly + * * @param s * @return true if loggedIn */ @@ -85,15 +87,15 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter try { return s.get(LOGGEDIN).equals("true"); - } - catch (Exception e) + } catch (Exception e) { return false; } } - + /** - * See if the user has a used a valid tan + * See if the user had used a valid tan + * * @param s * @return treu if correctTan */ 
@@ -102,15 +104,15 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 try
 {
 return s.get(CORRECTTAN).equals("true");
- }
- catch (Exception e)
+ } catch (Exception e)
 {
 return false;
 }
 }
-
+
 /**
 * Get the logged in user
+ *
 * @param s
 * @return the logged in user
 */
@@ -118,10 +120,9 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 {
 try
 {
- String user = (String)s.get(LOGGEDINUSER);
+ String user = (String) s.get(LOGGEDINUSER);
 return user;
- }
- catch (Exception e)
+ } catch (Exception e)
 {
 return "";
 }
@@ -202,7 +203,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 // verify the password
 if (correctLogin(user, password, s))
 {
- s.add(LOGGEDIN, "true");
+ s.add(LOGGEDIN, "true");
 s.add(LOGGEDINUSER, user);
 }
@@ -222,7 +223,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 }
 if (loggedIn(s) && correctTan(s))
 {
- s.add(LOGGEDIN, "false");
+ s.add(LOGGEDIN, "false");
 s.add(CORRECTTAN, "false");
 createSuccessfulLoginContent(s, ec);
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/MultiLevelLogin2.java b/main/project/JavaSource/org/owasp/webgoat/lessons/MultiLevelLogin2.java
index 664f38e59..0ee3a4ffb 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/MultiLevelLogin2.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/MultiLevelLogin2.java
@@ -57,18 +57,108 @@ import org.owasp.webgoat.session.WebSession; public class MultiLevelLogin2 extends LessonAdapter { - private boolean loggedIn = false; - private boolean correctTan = false; - private String currentTan = ""; - private int currentTanNr = 0; - private final static String USER = "user"; private final static String PASSWORD = "pass"; private final static String TAN = "tan"; private final static String HIDDEN_USER = "hidden_user"; + private final static String LOGGEDIN = "loggedin"; + private final static String CORRECTTAN = "correctTan"; + private final static String CURRENTTAN = "currentTan"; + private final static String CURRENTTANPOS = "currentTanPos"; + // needed to see if lesson was successfull - private String LoggedInUser = ""; + private final static String LOGGEDINUSER = "loggedInUser"; + + //private String LoggedInUser = ""; + + /** + * See if the user is logged in + * + * @param s + * @return true if loggedIn + */ + private boolean loggedIn(WebSession s) + { + try + { + return s.get(LOGGEDIN).equals("true"); + } catch (Exception e) + { + return false; + } + } + + /** + * See if the user had used a valid tan + * + * @param s + * @return true if correctTan + */ + private boolean correctTan(WebSession s) + { + try + { + return s.get(CORRECTTAN).equals("true"); + } catch (Exception e) + { + return false; + } + } + + /** + * Get the currentTan + * + * @param s + * @return the logged in user + */ + private String getCurrentTan(WebSession s) + { + try + { + String currentTan = (String) s.get(CURRENTTAN); + return currentTan; + } catch (Exception e) + { + return ""; + } + } + + /** + * Get the currentTanPossition + * + * @param s + * @return the logged in user + */ + private Integer getCurrentTanPosition(WebSession s) + { + try + { + Integer tanPos = (Integer) s.get(CURRENTTANPOS); + return tanPos; + } catch (Exception e) + { + return 0; + } + } + + /** + * Get the logged in user + * + * @param s + * @return the logged in user + */ + private 
String getLoggedInUser(WebSession s) + { + try + { + String user = (String) s.get(LOGGEDINUSER); + return user; + } catch (Exception e) + { + return ""; + } + } /** * Creates WebContent @@ -133,57 +223,56 @@ public class MultiLevelLogin2 extends LessonAdapter ElementContainer ec = new ElementContainer(); // verify that tan is correct and user is logged in - if (loggedIn && correctTan(tan)) + if (loggedIn(s) && correctTan(tan, s)) { - correctTan = true; + s.add(CORRECTTAN, "true"); } // user is loggedIn but enters wrong tan - else if (loggedIn && !correctTan(tan)) + else if (loggedIn(s) && !correctTan(tan, s)) { - loggedIn = false; + s.add(LOGGEDIN, "false"); } if (correctLogin(user, password, s)) { - loggedIn = true; - LoggedInUser = user; - currentTanNr = getTanPosition(user, s); - currentTan = getTan(user, currentTanNr, s); + s.add(LOGGEDIN, "true"); + s.add(LOGGEDINUSER, user); + s.add(CURRENTTANPOS, getTanPosition(user, s)); + // currentTanNr = getTanPosition(user, s); + // currentTan = getTan(user, currentTanNr, s); + s.add(CURRENTTAN, getTan(user, getCurrentTanPosition(s), s)); } // if restart button is clicked owe have to reset log in if (!s.getParser().getStringParameter("Restart", "").equals("")) { - loggedIn = false; - correctTan = false; - currentTanNr = 0; - resetTans(s); } // Logout Button is pressed if (s.getParser().getRawParameter("logout", "").equals("true")) { - loggedIn = false; - correctTan = false; + + s.add(LOGGEDIN, "false"); + s.add(CORRECTTAN, "false"); } - if (loggedIn && correctTan) + if (loggedIn(s) && correctTan(s)) { - loggedIn = false; - correctTan = false; + s.add(LOGGEDIN, "false"); + s.add(CORRECTTAN, "false"); createSuccessfulLoginContent(s, ec, hiddenUser); } - else if (loggedIn) + else if (loggedIn(s)) { - if (currentTanNr > 5) + if (getCurrentTanPosition(s) > 5) { createNoTanLeftContent(ec); } else { - createAskForTanContent(s, ec, currentTanNr, user); + createAskForTanContent(s, ec, getCurrentTanPosition(s), user); } } else 
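Review bot: The new session accessors `getCurrentTan` and `getCurrentTanPosition` rely on `catch (Exception e)` to supply a default, but a cast of `null` to `String` or `Integer` does not throw, so if `WebSession.get` returns `null` for an absent key (I cannot see its contract from here) these helpers hand `null` back to callers and the later `getCurrentTan(s).equals("")` and `getCurrentTanPosition(s) > 5` fail with a NullPointerException instead of the intended "not set" path; the same applies to `loggedIn`/`correctTan`, where `s.get(LOGGEDIN).equals("true")` is exception-driven control flow. A type check is both null-safe and does not need the catch-all, e.g. for the position helper `Object pos = s.get(CURRENTTANPOS);` / `return pos instanceof Integer ? (Integer) pos : 0;`, and for the flags `return "true".equals(s.get(LOGGEDIN));`, with the String helpers done the same way. The Javadoc on `getCurrentTan` and `getCurrentTanPosition` was copied from `getLoggedInUser` and still says `@return the logged in user`; they should read `@return the TAN stored in the session, or "" if none` and `@return the current TAN position, or 0 if none`. The commented-out field `//private String LoggedInUser = "";` is dead code and can be dropped now that the value lives under LOGGEDINUSER.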
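Review bot: The Restart branch no longer resets the login state: the removed `loggedIn = false; correctTan = false; currentTanNr = 0;` lines have no session-key replacement, only `resetTans(s)` remains, so unless `resetTans` (not visible here) also clears these keys, a session that was LOGGEDIN "true" stays logged in across a restart and is sent straight to the TAN prompt with a stale CURRENTTAN. The Logout branch shows the intended shape; the Restart block should get `s.add(LOGGEDIN, "false");` `s.add(CORRECTTAN, "false");` `s.add(CURRENTTANPOS, 0);` as well, and LOGGEDINUSER should arguably be cleared on logout too. In the successful-login branch the position is stored and immediately read back through `getCurrentTanPosition(s)` (which falls back to 0 on any failure) to compute the TAN; holding it in a local, `int tanPos = getTanPosition(user, s);` then `s.add(CURRENTTANPOS, tanPos);` and `s.add(CURRENTTAN, getTan(user, tanPos, s));`, removes the round trip and the two commented-out assignments above it. The enclosing method starts before this hunk and continues past it.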
@@ -202,8 +291,6 @@ public class MultiLevelLogin2 extends LessonAdapter
 createLogInContent(ec, errorMessage);
 }
- System.out.println("Logged In: " + loggedIn);
-
 return ec;
 }
@@ -350,7 +437,7 @@ public class MultiLevelLogin2 extends LessonAdapter
 tr4.addElement(new TD("Credit Card Number:"));
 tr4.addElement(new TD(results.getString("cc_number")));
- if (!user.equals(LoggedInUser))
+ if (!user.equals(getLoggedInUser(s)))
 {
 makeSuccess(s);
 }
@@ -551,9 +638,10 @@ public class MultiLevelLogin2 extends LessonAdapter
 * @param tan
 * @return true if the tan is correct
 */
- private boolean correctTan(String tan)
+ private boolean correctTan(String tan, WebSession s)
 {
- if (!currentTan.equals("")) { return tan.equals(String.valueOf(currentTan)); }
+ // if (!getCurrentTan(s).equals("")) { return tan.equals(String.valueOf(currentTan)); }
+ if (!getCurrentTan(s).equals("")) { return tan.equals(getCurrentTan(s)); }
 return false;
 }
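Review bot: `correctTan(String tan, WebSession s)` keeps a commented-out copy of the old line (which still refers to the deleted `currentTan` field) and calls `getCurrentTan(s)` twice, once for the emptiness check and once for the comparison; reading the session once is clearer and avoids the two lookups, `String current = getCurrentTan(s);` / `return !current.isEmpty() && tan.equals(current);`. The new `s` parameter should also be documented in the method's Javadoc, which the hunk shows only for `tan`: `@param s the session holding the current TAN`. The Javadoc header of this method starts before the hunk.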