dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

corrected spelling and some formatting

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@360 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
brandon.devries
2008-08-11 14:39:09 +00:00
parent 17af39e428
commit 9c84df3d6c
22 changed files with 423 additions and 261 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
main/project/JavaSource/org/owasp/webgoat/lessons/DangerousEval.java
View File

@ -107,10 +107,7 @@ public class DangerousEval extends LessonAdapter
tr = new TR();
tr.addElement(new TD().addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry "));
tr.addElement(new TD().addElement("69.99").setAlign("right"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1",
"1")))
.setAlign("right"));
tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1", "1"))).setAlign("right"));
quantity = s.getParser().getFloatParameter("QTY1", 0.0f);
total = quantity * 69.99f;
runningTotal += total;
@ -119,10 +116,7 @@ public class DangerousEval extends LessonAdapter
tr = new TR();
tr.addElement(new TD().addElement("Dynex - Traditional Notebook Case"));
tr.addElement(new TD().addElement("27.99").setAlign("right"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2",
"1")))
.setAlign("right"));
tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2", "1"))).setAlign("right"));
quantity = s.getParser().getFloatParameter("QTY2", 0.0f);
total = quantity * 27.99f;
runningTotal += total;
@ -131,10 +125,7 @@ public class DangerousEval extends LessonAdapter
tr = new TR();
tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel<65> Centrino<6E>"));
tr.addElement(new TD().addElement("1599.99").setAlign("right"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3",
"1")))
.setAlign("right"));
tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3", "1"))).setAlign("right"));
quantity = s.getParser().getFloatParameter("QTY3", 0.0f);
total = quantity * 1599.99f;
runningTotal += total;
@ -144,10 +135,7 @@ public class DangerousEval extends LessonAdapter
tr.addElement(new TD().addElement("3 - Year Performance Service Plan $1000 and Over "));
tr.addElement(new TD().addElement("299.99").setAlign("right"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4",
"1")))
.setAlign("right"));
tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4", "1"))).setAlign("right"));
quantity = s.getParser().getFloatParameter("QTY4", 0.0f);
total = quantity * 299.99f;
runningTotal += total;
@ -232,16 +220,15 @@ public class DangerousEval extends LessonAdapter
hints.add("The lesson is similar to the standard reflected cross-site scripting lesson.");
hints.add("The access code parameter is vulnerable to a reflected cross-site scripting problem.");
hints.add("The usual &lt;SCRIPT&gt;alert(document.cookie);&lt;/SCRIPT&gt; will not work in this lesson. Why?");
hints
.add("User-supplied data is landing in the Javascript eval() function. Your attack will not require the &lt; and &gt; characters.");
hints.add("User-supplied data is landing in the Javascript eval() function. Your attack will not require the &lt; and &gt; characters.");
hints.add("In order to pass this lesson, you must 'alert' the document.cookie.");
hints.add("Try 123');alert(document.cookie);('");
return hints;
}
// <script type="text/javascript">if ( navigator.appName.indexOf("Microsoft") !=-1) {var xmlHttp
// = new
// ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false);
// <script type="text/javascript">if ( navigator.appName.indexOf("Microsoft") !=-1)
// {var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false);
// xmlHttp.send();str1=xmlHttp.responseText;document.write(str1);}</script>
/**
* Gets the instructions attribute of the WeakAccessControl object

1
main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java
View File

@ -31,6 +31,7 @@ import org.owasp.webgoat.session.WebSession;
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if

3
main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
View File

@ -345,8 +345,7 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
if (action != null)
{
// System.out.println("RoleBasedAccessControl.handleRequest() dispatching to: "
// +
// action.getActionName());
// + action.getActionName());
if (!action.requiresAuthentication())
{
// Access to Login does not require authentication.

2
main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java
View File

@ -114,7 +114,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
StringBuffer msg = new StringBuffer();
msg.append("Bet you can't do it again! ");
msg.append("This lesson has detected your successfull attack ");
msg.append("This lesson has detected your successful attack ");
msg.append("and has now switched to a defensive mode. ");
msg.append("Try again to attack a parameterized query.");

3
main/project/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java
View File

@ -234,8 +234,7 @@ public class TraceXSS extends LessonAdapter
}
// <script type="text/javascript">if ( navigator.appName.indexOf("Microsoft") !=-1) {var xmlHttp
// = new
// ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false);
// = new ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false);
// xmlHttp.send();str1=xmlHttp.responseText;document.write(str1);}</script>
private final static Integer DEFAULT_RANKING = new Integer(130);

5
main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java
View File

@ -268,9 +268,8 @@ public class ReportCardScreen extends LessonAdapter
{
H2 h2 = new H2();
// FIXME: The session is the current session, not the session of the user we are reporting.
// String type = s.isAdmin() ? " [Administrative User]" : s.isHackedAdmin() ? " [Normal User
// - Hacked Admin
// Access]" : " [Normal User]";
// String type = s.isAdmin() ? " [Administrative User]" : s.isHackedAdmin() ?
// " [Normal User - Hacked Admin Access]" : " [Normal User]";
String type = "";
h2.addElement(new StringElement("Results for: " + user + type));
return h2;

29
main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/FindProfile_i.java
View File

@ -1,4 +1,3 @@
package org.owasp.webgoat.lessons.instructor.CrossSiteScripting;
import java.util.regex.Pattern;
@ -10,15 +9,25 @@ import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;
/*
* STAGE 5 FIXES Solution Summary: Edit FindProfile.java and change getRequestParameter(). Modify
* getRequestParameter() with lines denoted by // STAGE 5 - FIX. Solution Steps: 1. Talk about the
* different parser methods. We could have used the parser method that takes a regular expression.
* 2. Call validate on the request parameter. return validate(s.getParser().getRawParameter(name),
* (Pattern) patterns.get(name)); Note: patterns.get(name) is used to fetch the XSS validation
* pattern that is defined in FindProfile.Java protected static Map patterns = new HashMap(); static
* { patterns.put(CrossSiteScripting.SEARCHNAME, Pattern.compile("[a-zA-Z ]{0,20}")); }
*/
// STAGE 5 FIXES
// Solution Summary: Edit FindProfile.java and change getRequestParameter().
// Modify getRequestParameter() with lines denoted by // STAGE 5 - FIX.
// Solution Steps:
// 1. Talk about the different parser methods. We could have used the parser method that takes a
// regular expression.
// 2. Call validate on the request parameter.
// return validate(s.getParser().getRawParameter(name), (Pattern) patterns.get(name));
//
// Note: patterns.get(name) is used to fetch the XSS validation pattern that is defined
// in FindProfile.Java
//
// protected static Map patterns = new HashMap();
// static
// {
// patterns.put(CrossSiteScripting.SEARCHNAME, Pattern.compile("[a-zA-Z ]{0,20}"));
// }
public class FindProfile_i extends FindProfile
{

49
main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/UpdateProfile_i.java
View File

@ -14,19 +14,31 @@ import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;
/*
* STAGE 2 FIXES Solution Summary: Edit UpdateProfile.java and change parseEmployeeProfile(). Modify
* parseEmployeeProfile() with lines denoted by // STAGE 2 - FIX. Solution Steps: 1. Talk about the
* different parser methods. a. parseEmployeeProfile(subjectId, s.getRequest()) - uses the request
* object directly. - calling validate() on the appropriate parameter b.
* parseEmployeeProfile(subjectId, s.getParser()) - uses the parser object to pull request data
* (centralized mechanism) 2. Fix the request object version of the call // STAGE 2 - FIX Replace
* the call to: String address1 = request.getParameter(CrossSiteScripting.ADDRESS1); With: final
* Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}"); // STAGE 2 - FIX String
* address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1); //
* STAGE 2 - FIX 3. Fix the parser version of the call. // STAGE 2 - ALTERNATE FIX Change all calls
* in parseEmployeeProfile(subjectId, s.getParser()) to use the appropriate parser.method() call
*/
// STAGE 2 FIXES
// Solution Summary: Edit UpdateProfile.java and change parseEmployeeProfile().
// Modify parseEmployeeProfile() with lines denoted by // STAGE 2 - FIX.
// Solution Steps:
// 1. Talk about the different parser methods.
// a. parseEmployeeProfile(subjectId, s.getRequest())
// - uses the request object directly.
// - calling validate() on the appropriate parameter
// b. parseEmployeeProfile(subjectId, s.getParser())
// - uses the parser object to pull request data (centralized mechanism)
//
// 2. Fix the request object version of the call // STAGE 2 - FIX
// Replace the call to:
// String address1 = request.getParameter(CrossSiteScripting.ADDRESS1);
//
// With:
// final Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}"); // STAGE 2 - FIX
// String address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1);
// // STAGE 2 - FIX
//
//
// 3. Fix the parser version of the call. // STAGE 2 - ALTERNATE FIX
// Change all calls in parseEmployeeProfile(subjectId, s.getParser()) to use
// the appropriate parser.method() call
//
public class UpdateProfile_i extends UpdateProfile
{
@ -47,13 +59,12 @@ public class UpdateProfile_i extends UpdateProfile
// Validate this parameter against a regular expression pattern designed for street
// addresses.
final Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}"); // STAGE 2 -
// FIX
String address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1); // STAGE
// 2
// -
// FIX
// STAGE 2 - FIX
final Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}");
String address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1);
String address2 = request.getParameter(CrossSiteScripting.ADDRESS2);
int manager = Integer.parseInt(request.getParameter(CrossSiteScripting.MANAGER));
String startDate = request.getParameter(CrossSiteScripting.START_DATE);

11
main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/ViewProfile_i.java
View File

@ -5,10 +5,13 @@ import org.owasp.webgoat.lessons.CrossSiteScripting.ViewProfile;
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
/*
* STAGE 4 FIXES Solution Summary: Look in the WebContent/lesson/CrossSiteScripting/ViewProfile.jsp
* Look for the <-- STAGE 4 - FIX in the ViewProfile.jsp
*/
// STAGE 4 FIXES
//
//Solution Summary: Look in the WebContent/lesson/CrossSiteScripting/ViewProfile.jsp
//
//Look for the <-- STAGE 4 - FIX in the ViewProfile.jsp
//
//
public class ViewProfile_i extends ViewProfile
{

169
main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBCrossSiteScripting/UpdateProfile_i.java
View File

@ -5,55 +5,128 @@ import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
import org.owasp.webgoat.lessons.CrossSiteScripting.UpdateProfile;
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
/* STAGE 2 FIXES
Solution Summary (1. or 2.)
1. Modify the UPDATE_EMPLOYEE stored procedure in the database and add
a validation step. Oracle 10G now supports regular expressions.
2. Apply a column constraint can also work IFF the existing data is clean
/*
* STAGE 2 FIXES Solution Summary (1. or 2.) 1. Modify the UPDATE_EMPLOYEE stored procedure in the
* database and add a validation step. Oracle 10G now supports regular expressions. 2. Apply a
* column constraint can also work IFF the existing data is clean Solution Steps: 1. Talk about the
* different database approaches. a. Apply validation in the UPDATE stored proc - Possible to bypass
* by not using that stored proc b. Apply a table column constraint - Cannot be bypassed. The DB
* enforces the constraint under all conditions 2. Fix the stored proc Define the pattern. Validate
* the field against the pattern. Raise an exception if invalid. CREATE OR REPLACE PROCEDURE
* UPDATE_EMPLOYEE( v_userid IN employee.userid%type, v_first_name IN employee.first_name%type,
* v_last_name IN employee.last_name%type, v_ssn IN employee.ssn%type, v_title IN
* employee.title%type, v_phone IN employee.phone%type, v_address1 IN employee.address1%type,
* v_address2 IN employee.address2%type, v_manager IN employee.manager%type, v_start_date IN
* employee.start_date%type, v_salary IN employee.salary%type, v_ccn IN employee.ccn%type,
* v_ccn_limit IN employee.ccn_limit%type, v_disciplined_date IN employee.disciplined_date%type,
* v_disciplined_notes IN employee.disciplined_notes%type, v_personal_description IN
* employee.personal_description%type ) AS P_ADDRESS1 VARCHAR2(100) := '^[a-zA-Z0-9,\. ]{0,80}$';
* BEGIN IF NOT REGEXP_LIKE(v_address1, P_ADDRESS1) THEN RAISE VALUE_ERROR; END IF; UPDATE EMPLOYEE
* SET first_name = v_first_name, last_name = v_last_name, ssn = v_ssn, title = v_title, phone =
* v_phone, address1 = v_address1, address2 = v_address2, manager = v_manager, start_date =
* v_Start_date, salary = v_salary, ccn = v_ccn, ccn_limit = v_ccn_limit, disciplined_date =
* v_disciplined_date, disciplined_notes = v_disciplined_notes, personal_description =
* v_personal_description WHERE userid = v_userid; END; / 3. Apply a table column constraint ALTER
* TABLE EMPLOYEE ADD CONSTRAINT address1_ck CHECK (REGEXP_LIKE(address1, '^[a-zA-Z0-9,\.
* ]{0,80}$')); FOR SQL SERVER, the following is required: DROP PROCEDURE
* webgoat_guest.UPDATE_EMPLOYEE GO CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
* @v_userid INT,
* @v_first_name VARCHAR(20),
* @v_last_name VARCHAR(20),
* @v_ssn VARCHAR(12),
* @v_title VARCHAR(20),
* @v_phone VARCHAR(13),
* @v_address1 VARCHAR(80),
* @v_address2 VARCHAR(80),
* @v_manager INT,
* @v_start_date CHAR(8),
* @v_salary INT,
* @v_ccn VARCHAR(30),
* @v_ccn_limit INT,
* @v_disciplined_date CHAR(8),
* @v_disciplined_notes VARCHAR(60),
* @v_personal_description VARCHAR(60) AS IF [webgoat_guest].RegexMatch(@v_address1,
* N'^[a-zA-Z0-9,\. ]{0,80}$') = 0 BEGIN RAISERROR('Illegal characters in address1', 11, 1) RETURN
* END UPDATE EMPLOYEE SET first_name = @v_first_name, last_name = @v_last_name, ssn = @v_ssn, title
* = @v_title, phone = @v_phone, address1 = @v_address1, address2 = @v_address2, manager =
* @v_manager, start_date = @v_Start_date, salary = @v_salary, ccn = @v_ccn, ccn_limit =
* @v_ccn_limit, disciplined_date = @v_disciplined_date, disciplined_notes = @v_disciplined_notes,
* personal_description = @v_personal_description WHERE userid = @v_userid; GO
*/
Solution Steps:
1. Talk about the different database approaches.
a. Apply validation in the UPDATE stored proc
- Possible to bypass by not using that stored proc
b. Apply a table column constraint
- Cannot be bypassed. The DB enforces the constraint under all conditions
2. Fix the stored proc
Define the pattern.
Validate the field against the pattern.
Raise an exception if invalid.
CREATE OR REPLACE PROCEDURE UPDATE_EMPLOYEE(
v_userid IN employee.userid%type,
v_first_name IN employee.first_name%type,
v_last_name IN employee.last_name%type,
v_ssn IN employee.ssn%type,
v_title IN employee.title%type,
v_phone IN employee.phone%type,
v_address1 IN employee.address1%type,
v_address2 IN employee.address2%type,
v_manager IN employee.manager%type,
v_start_date IN employee.start_date%type,
v_salary IN employee.salary%type,
v_ccn IN employee.ccn%type,
v_ccn_limit IN employee.ccn_limit%type,
v_disciplined_date IN employee.disciplined_date%type,
v_disciplined_notes IN employee.disciplined_notes%type,
v_personal_description IN employee.personal_description%type
)
AS
P_ADDRESS1 VARCHAR2(100) := '^[a-zA-Z0-9,\. ]{0,80}$';
BEGIN
IF NOT REGEXP_LIKE(v_address1, P_ADDRESS1) THEN
RAISE VALUE_ERROR;
END IF;
UPDATE EMPLOYEE
SET
first_name = v_first_name,
last_name = v_last_name,
ssn = v_ssn,
title = v_title,
phone = v_phone,
address1 = v_address1,
address2 = v_address2,
manager = v_manager,
start_date = v_Start_date,
salary = v_salary,
ccn = v_ccn,
ccn_limit = v_ccn_limit,
disciplined_date = v_disciplined_date,
disciplined_notes = v_disciplined_notes,
personal_description = v_personal_description
WHERE
userid = v_userid;
END;
/
3. Apply a table column constraint
ALTER TABLE EMPLOYEE
ADD CONSTRAINT address1_ck CHECK (REGEXP_LIKE(address1, '^[a-zA-Z0-9,\. ]{0,80}$'));
FOR SQL SERVER, the following is required:
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
GO
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
@v_userid INT,
@v_first_name VARCHAR(20),
@v_last_name VARCHAR(20),
@v_ssn VARCHAR(12),
@v_title VARCHAR(20),
@v_phone VARCHAR(13),
@v_address1 VARCHAR(80),
@v_address2 VARCHAR(80),
@v_manager INT,
@v_start_date CHAR(8),
@v_salary INT,
@v_ccn VARCHAR(30),
@v_ccn_limit INT,
@v_disciplined_date CHAR(8),
@v_disciplined_notes VARCHAR(60),
@v_personal_description VARCHAR(60)
AS
IF [webgoat_guest].RegexMatch(@v_address1, N'^[a-zA-Z0-9,\. ]{0,80}$') = 0
BEGIN
RAISERROR('Illegal characters in address1', 11, 1)
RETURN
END
UPDATE EMPLOYEE
SET
first_name = @v_first_name,
last_name = @v_last_name,
ssn = @v_ssn,
title = @v_title,
phone = @v_phone,
address1 = @v_address1,
address2 = @v_address2,
manager = @v_manager,
start_date = @v_Start_date,
salary = @v_salary,
ccn = @v_ccn,
ccn_limit = @v_ccn_limit,
disciplined_date = @v_disciplined_date,
disciplined_notes = @v_disciplined_notes,
personal_description = @v_personal_description
WHERE
userid = @v_userid;
GO
*/
public class UpdateProfile_i extends UpdateProfile
{

54
main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBSQLInjection/Login_i.java
View File

@ -2,16 +2,44 @@
package org.owasp.webgoat.lessons.instructor.DBSQLInjection;
/*
* The solution is to choose Neville's userid, and enter a password like: ' OR '1'='1 Modify the
* Stored function LOGIN_EMPLOYEE to use fixed statements or bind variables For ORACLE: CREATE OR
* REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
* cnt NUMBER; BEGIN SELECT COUNT() INTO cnt FROM EMPLOYEE WHERE USERID = v_id AND PASSWORD =
* v_password; RETURN cnt; END; / OR CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id
* NUMBER, v_password VARCHAR) RETURN NUMBER AS stmt VARCHAR(32767); cnt NUMBER; BEGIN stmt :=
* 'SELECT COUNT () FROM EMPLOYEE WHERE USERID = :1 AND PASSWORD = :2'; EXECUTE IMMEDIATE stmt INTO
* cnt USING v_id, v_password; RETURN cnt; END; / For SQL SERVER CREATE FUNCTION
* webgoat_guest.EMPLOYEE_LOGIN (
* @v_id INT,
* @v_password VARCHAR(100) ) RETURNS INTEGER AS BEGIN DECLARE @count int SELECT @count = COUNT()
* FROM EMPLOYEE WHERE USERID = @v_id AND PASSWORD = @v_password; return @count END
*/
* The solution is to choose Neville's userid, and enter a password like:
* ' OR '1'='1
* Modify the Stored function LOGIN_EMPLOYEE to use fixed statements or bind variables
*
*
* For ORACLE:
CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
cnt NUMBER;
BEGIN
SELECT COUNT(*) INTO cnt FROM EMPLOYEE
WHERE USERID = v_id
AND PASSWORD = v_password;
RETURN cnt;
END;
/
* OR
CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
stmt VARCHAR(32767); cnt NUMBER;
BEGIN
stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = :1 AND PASSWORD = :2';
EXECUTE IMMEDIATE stmt INTO cnt USING v_id, v_password;
RETURN cnt;
END;
/
* For SQL SERVER
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN (
@v_id INT,
@v_password VARCHAR(100)
) RETURNS INTEGER
AS
BEGIN
DECLARE @count int
SELECT @count = COUNT(*) FROM EMPLOYEE WHERE USERID = @v_id AND PASSWORD = @v_password;
return @count
END
*/

26
main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/EditProfile_i.java
View File

@ -57,15 +57,23 @@ public class EditProfile_i extends EditProfile
if (answer_results.next())
{
// Note: Do NOT get the password field.
profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
.getString("title"), answer_results.getString("phone"), answer_results
.getString("address1"), answer_results.getString("address2"), answer_results
.getInt("manager"), answer_results.getString("start_date"), answer_results
.getInt("salary"), answer_results.getString("ccn"), answer_results
.getInt("ccn_limit"), answer_results.getString("disciplined_date"),
answer_results.getString("disciplined_notes"), answer_results
.getString("personal_description"));
profile = new Employee(
answer_results.getInt("userid"),
answer_results.getString("first_name"),
answer_results.getString("last_name"),
answer_results.getString("ssn"),
answer_results.getString("title"),
answer_results.getString("phone"),
answer_results.getString("address1"),
answer_results.getString("address2"),
answer_results.getInt("manager"),
answer_results.getString("start_date"),
answer_results.getInt("salary"),
answer_results.getString("ccn"),
answer_results.getInt("ccn_limit"),
answer_results.getString("disciplined_date"),
answer_results.getString("disciplined_notes"),
answer_results.getString("personal_description"));
/*
* System.out.println("Retrieved employee from db: " +
* profile.getFirstName() + " " + profile.getLastName() + " (" +

47
main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/RoleBasedAccessControl_i.java
View File

@ -21,25 +21,34 @@ import org.owasp.webgoat.session.WebSession;
*
*/
/*
* STAGE 2 FIXES Solution Summary: Edit RoleBasedAccessControl.java and change handleRequest().
* Modify handleRequest() with lines denoted by // STAGE 2 - FIX. Solution Steps: 1. This solution
* adds an access control check in the controller. Point out that their architecture may require the
* check to occur in the business function. 2. Look at the RoleBasedAccessControl class identify
* where execution happens of an action. a. action.handleRequest(s); is not protected by an access
* control check. b. look at handleRequest(s) to determine where access control check should occur.
* c. add protection by a programmatic authorization check before dispatching to the action: 1. Add
* an isAuthorized() call before dispatching to the action, and throw an unauthorized exception.
* Tell student this exception exists. Use eclipse command completion to find the isAuthorized()
* call on the action. From command completion - determine calling arguments of isAuthorized() int
* userId = action.getUserId(s); if (action.isAuthorized(s, userId, action.getActionName())) {
* action.handleRequest(s); } else throw new UnauthorizedException(); Repeat stage 1 and note that
* the function fails with a "Not authorized" message. Tom will be in the list again, because the DB
* is reset when lesson restarts. Adding the access check in the
* RoleBasedAccessControl:handleRequest() is putting the check in the <20>Controller<65> The access check
* can also be added to DeleteProfile.deleteEmployeeProfile(), which is putting the check in the
* <20>Business Function<6F>
*/
/* STAGE 2 FIXES
Solution Summary: Edit RoleBasedAccessControl.java and change handleRequest().
Modify handleRequest() with lines denoted by // STAGE 2 - FIX.
Solution Steps:
1. This solution adds an access control check in the controller.
Point out that their architecture may require the check to occur in the business function.
2. Look at the RoleBasedAccessControl class identify where execution happens of an action.
a. action.handleRequest(s); is not protected by an access control check.
b. look at handleRequest(s) to determine where access control check should occur.
c. add protection by a programmatic authorization check before dispatching to the action:
1. Add an isAuthorized() call before dispatching to the action,
and throw an unauthorized exception. Tell student this exception exists.
Use eclipse command completion to find the isAuthorized() call on the action.
From command completion - determine calling arguments of isAuthorized()
int userId = action.getUserId(s);
if (action.isAuthorized(s, userId, action.getActionName()))
{
action.handleRequest(s);
}
else
throw new UnauthorizedException();
Repeat stage 1 and note that the function fails with a "Not authorized" message.
Tom will be in the list again, because the DB is reset when lesson restarts.
Adding the access check in the RoleBasedAccessControl:handleRequest() is putting the check in the <20>Controller<65>
The access check can also be added to DeleteProfile.deleteEmployeeProfile(), which is putting the check in the <20>Business Function<6F>
*/
public class RoleBasedAccessControl_i extends RoleBasedAccessControl
{

110
main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/ViewProfile_i.java
View File

@ -10,32 +10,40 @@ import org.owasp.webgoat.session.Employee;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.WebSession;
/*
* STAGE 4 FIXES 1. Find the code location where this flaw of directly retrieving the profile
* without data-level access control checking exists: public void handleRequest( WebSession s ) { <EFBFBD>
* Employee employee = getEmployeeProfile(s, userId, employeeId); <20> } public Employee
* getEmployeeProfile(WebSession s, int employeeId, int subjectUserId) throws UnauthorizedException
* { <20> return getEmployeeProfile(s, employeeId, subjectUserId); <20> } 2. The solution requires a
* data-level access control check to ensure the user has the rights to access the data they are
* requesting. a. There is a common method you can take advantage of: isAuthorizedForEmployee(s,
* userId, subjectUserId) Either tell the student this exists or have them look in
* DefaultLessonAction. Note that this is not required to implement data access control but is for
* detection of violations. b. Uncomment the modified query retrieving the user data to have data
* access control String query =
* "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
* "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; 3. Bundle
* the entire logic with this call and throw an unauthorized exception if
* (isAuthorizedForEmployee(s, userId, subjectUserId)) { ... //String query =
* "SELECT * FROM employee WHERE userid = " + subjectUserId; String query =
* "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
* "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; // STAGE 4
* - FIX ... } else { throw new UnauthorizedException(); } 4. Repeat stage 3 and note that the
* function fails with a "Not authorized" message. Adding the access check in the query is providing
* data-level access control. The access check from isAuthorizedForEmployee is used to detect a
* violation. The same logic could've been applied after the query but isAuthorizedForEmployee
* provides a nice centralized abstraction of that logic.
*/
/* STAGE 4 FIXES
1. Find the code location where this flaw of directly retrieving the profile without data-level access control checking exists:
public void handleRequest( WebSession s )
{ <EFBFBD>
Employee employee = getEmployeeProfile(s, userId, employeeId);
<09> }
public Employee getEmployeeProfile(WebSession s, int employeeId, int subjectUserId) throws UnauthorizedException { <09>
return getEmployeeProfile(s, employeeId, subjectUserId);
<09> }
2. The solution requires a data-level access control check to ensure the user has the rights to access the data they are requesting.
a. There is a common method you can take advantage of:
isAuthorizedForEmployee(s, userId, subjectUserId)
Either tell the student this exists or have them look in DefaultLessonAction.
Note that this is not required to implement data access control but is for detection of violations.
b. Uncomment the modified query retrieving the user data to have data access control
String query = "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
"ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId;
3. Bundle the entire logic with this call and throw an unauthorized exception
if (isAuthorizedForEmployee(s, userId, subjectUserId))
{ ...
//String query = "SELECT * FROM employee WHERE userid = " + subjectUserId;
String query = "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
"ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; // STAGE 4 - FIX
...
}
else
{
throw new UnauthorizedException();
}
4. Repeat stage 3 and note that the function fails with a "Not authorized" message.
Adding the access check in the query is providing data-level access control.
The access check from isAuthorizedForEmployee is used to detect a violation.
The same logic could've been applied after the query but isAuthorizedForEmployee provides a nice centralized abstraction of that logic.
*/
public class ViewProfile_i extends ViewProfile
{
@ -58,8 +66,10 @@ public class ViewProfile_i extends ViewProfile
// Query the database for the profile data of the given employee
try
{
// String query = "SELECT * FROM employee WHERE userid = " + subjectUserId; // STAGE
// 4 - FIX
// STAGE 4 - FIX
// String query = "SELECT * FROM employee WHERE userid = " + subjectUserId;
// Switch to this query to add Data Access Control
//
@ -67,11 +77,9 @@ public class ViewProfile_i extends ViewProfile
// - qualify on ownership.employer_id to see only the current userId records
// - qualify on ownership.employee_id to see the current selected employee profile
// STAGE 4 - FIX
String query = "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and "
+ "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; // STAGE
// 4
// -
// FIX
+ "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId;
try
{
@ -81,21 +89,29 @@ public class ViewProfile_i extends ViewProfile
if (answer_results.next())
{
// Note: Do NOT get the password field.
profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
.getString("title"), answer_results.getString("phone"), answer_results
.getString("address1"), answer_results.getString("address2"), answer_results
.getInt("manager"), answer_results.getString("start_date"), answer_results
.getInt("salary"), answer_results.getString("ccn"), answer_results
.getInt("ccn_limit"), answer_results.getString("disciplined_date"),
answer_results.getString("disciplined_notes"), answer_results
.getString("personal_description"));
/*
* System.out.println("Retrieved employee from db: " +
* profile.getFirstName() + " " + profile.getLastName() + " (" +
* profile.getId() + ")");
*/}
} catch (SQLException sqle)
profile = new Employee(
answer_results.getInt("userid"),
answer_results.getString("first_name"),
answer_results.getString("last_name"),
answer_results.getString("ssn"),
answer_results.getString("title"),
answer_results.getString("phone"),
answer_results.getString("address1"),
answer_results.getString("address2"),
answer_results.getInt("manager"),
answer_results.getString("start_date"),
answer_results.getInt("salary"),
answer_results.getString("ccn"),
answer_results.getInt("ccn_limit"),
answer_results.getString("disciplined_date"),
answer_results.getString("disciplined_notes"),
answer_results.getString("personal_description"));
/* System.out.println("Retrieved employee from db: " +
profile.getFirstName() + " " + profile.getLastName() +
" (" + profile.getId() + ")");
*/ }
}
catch ( SQLException sqle )
{
s.setMessage("Error getting employee profile");
sqle.printStackTrace();

41
main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/Login_i.java
View File

@ -10,19 +10,25 @@ import org.owasp.webgoat.lessons.SQLInjection.Login;
import org.owasp.webgoat.lessons.SQLInjection.SQLInjection;
import org.owasp.webgoat.session.WebSession;
/*
* Solution Summary: Edit Login.java and change login(). Modify login() with lines denoted by //
* STAGE 2 - FIX. Solution Steps: 1. Change dynamic query to parameterized query. a. Replace the
* dynamic varaibles with the "?" String query =
* "SELECT * FROM employee WHERE userid = ? and password = ?" b. Create a preparedStatement using
* the new query PreparedStatement answer_statement =
* SQLInjection.getConnection(s).prepareStatement( query, ResultSet.TYPE_SCROLL_INSENSITIVE,
* ResultSet.CONCUR_READ_ONLY ); c. Set the values of the parameterized query
* answer_statement.setString(1, userId); // STAGE 2 - FIX answer_statement.setString(2, password);
* // STAGE 2 - FIX d. Execute the preparedStatement ResultSet answer_results =
* answer_statement.executeQuery();
*/
Solution Summary: Edit Login.java and change login().
Modify login() with lines denoted by // STAGE 2 - FIX.
Solution Steps:
1. Change dynamic query to parameterized query.
a. Replace the dynamic varaibles with the "?"
String query = "SELECT * FROM employee WHERE userid = ? and password = ?"
b. Create a preparedStatement using the new query
PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement(
query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
c. Set the values of the parameterized query
answer_statement.setString(1, userId); // STAGE 2 - FIX
answer_statement.setString(2, password); // STAGE 2 - FIX
d. Execute the preparedStatement
ResultSet answer_results = answer_statement.executeQuery();
*/
public class Login_i extends Login
{
@ -38,16 +44,15 @@ public class Login_i extends Login
try
{
String query = "SELECT * FROM employee WHERE userid = ? and password = ?"; // STAGE 2 -
// FIX
// STAGE 2 - FIX
String query = "SELECT * FROM employee WHERE userid = ? and password = ?";
try
{
// STAGE 2 - FIX
PreparedStatement answer_statement = WebSession.getConnection(s)
.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); // STAGE
// 2
// -
// FIX
.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
answer_statement.setString(1, userId); // STAGE 2 - FIX
answer_statement.setString(2, password); // STAGE 2 - FIX
ResultSet answer_results = answer_statement.executeQuery(); // STAGE 2 - FIX

86
main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java
View File

@ -11,24 +11,32 @@ import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.HtmlEncoder;
/*
* Solution Summary: Edit ViewProfile.java and change getEmployeeProfile(). Modify
* getEmployeeProfile() with lines denoted by // STAGE 4 - FIX. Solution Steps: 1. Change dynamic
* query to parameterized query. a. Replace the dynamic variables with the "?" Old: String query =
* "SELECT employee.* " +
* "FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
* "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; New:
* String query = "SELECT employee.* " +
* "FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
* "ownership.employer_id = ? and ownership.employee_id = ?"; b. Create a preparedStatement using
* the new query PreparedStatement answer_statement =
* SQLInjection.getConnection(s).prepareStatement( query, ResultSet.TYPE_SCROLL_INSENSITIVE,
* ResultSet.CONCUR_READ_ONLY ); c. Set the values of the parameterized query
* answer_statement.setInt(1, Integer.parseInt(userId)); // STAGE 4 - FIX answer_statement.setInt(2,
* Integer.parseInt(subjectUserId)); // STAGE 4 - FIX d. Execute the preparedStatement ResultSet
* answer_results = answer_statement.executeQuery();
*/
Solution Summary: Edit ViewProfile.java and change getEmployeeProfile().
Modify getEmployeeProfile() with lines denoted by // STAGE 4 - FIX.
Solution Steps:
1. Change dynamic query to parameterized query.
a. Replace the dynamic variables with the "?"
Old: String query = "SELECT employee.* " +
"FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
"ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId;
New: String query = "SELECT employee.* " +
"FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
"ownership.employer_id = ? and ownership.employee_id = ?";
b. Create a preparedStatement using the new query
PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement(
query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
c. Set the values of the parameterized query
answer_statement.setInt(1, Integer.parseInt(userId)); // STAGE 4 - FIX
answer_statement.setInt(2, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX
d. Execute the preparedStatement
ResultSet answer_results = answer_statement.executeQuery();
*/
public class ViewProfile_i extends ViewProfile
{
@ -53,30 +61,38 @@ public class ViewProfile_i extends ViewProfile
try
{
PreparedStatement answer_statement = WebSession.getConnection(s)
.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); // STAGE
// 4
// -
// FIX
// STAGE 4 - FIX
PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
answer_statement.setInt(1, Integer.parseInt(userId)); // STAGE 4 - FIX
answer_statement.setInt(2, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX
ResultSet answer_results = answer_statement.executeQuery(); // STAGE 4 - FIX
if (answer_results.next())
{
// Note: Do NOT get the password field.
profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
.getString("title"), answer_results.getString("phone"), answer_results
.getString("address1"), answer_results.getString("address2"), answer_results
.getInt("manager"), answer_results.getString("start_date"), answer_results
.getInt("salary"), answer_results.getString("ccn"), answer_results
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
.getString("disciplined_notes"), answer_results.getString("personal_description"));
/*
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
* " " + profile.getLastName() + " (" + profile.getId() + ")");
*/}
} catch (SQLException sqle)
profile = new Employee(
answer_results.getInt("userid"),
answer_results.getString("first_name"),
answer_results.getString("last_name"),
answer_results.getString("ssn"),
answer_results.getString("title"),
answer_results.getString("phone"),
answer_results.getString("address1"),
answer_results.getString("address2"),
answer_results.getInt("manager"),
answer_results.getString("start_date"),
answer_results.getInt("salary"),
answer_results.getString("ccn"),
answer_results.getInt("ccn_limit"),
answer_results.getString("disciplined_date"),
answer_results.getString("disciplined_notes"),
answer_results.getString("personal_description"));
/* System.out.println("Retrieved employee from db: " +
profile.getFirstName() + " " + profile.getLastName() +
" (" + profile.getId() + ")");
*/ }
}
catch ( SQLException sqle )
{
s.setMessage("Error getting employee profile");
sqle.printStackTrace();

3
main/project/JavaSource/org/owasp/webgoat/session/Course.java
View File

@ -129,7 +129,8 @@ public class Course
fileName = fileName.trim();
/**
* We do not handle directories. We do not handle files with different extensions
* We do not handle directories.
* We do not handle files with different extensions
*/
if (fileName.endsWith("/") || !fileName.endsWith(ext)) { return null; }

8
main/project/JavaSource/org/owasp/webgoat/session/UserTracker.java
View File

@ -184,8 +184,7 @@ public class UserTracker
usermap.put(screen.getTitle(), tracker);
}
// System.out.println( "User: [" + userName + "] UserTracker:getLessonTracker() LTH " +
// tracker.hashCode() + "
// for " + screen );
// tracker.hashCode() + " for " + screen );
return tracker;
}
@ -261,9 +260,8 @@ public class UserTracker
LessonTracker tracker = getLessonTracker(s, screen);
// System.out.println( "User [" + s.getUserName() + "] TRACKER: updating " + screen + " LTH
// " +
// tracker.hashCode() );
// System.out.println( "User [" + s.getUserName() + "] TRACKER: updating " + screen +
// " LTH " + tracker.hashCode() );
tracker.store(s, screen);
HashMap<String, LessonTracker> usermap = getUserMap(s.getUserName());