Use AbstractLesson.getLink() and getFormAction() more
Rather than constructing URLs manually all the time, make use of the existing mechanisms to create the URL, and use them consistently. git-svn-id: http://webgoat.googlecode.com/svn/trunk@184 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
parent
e27aaccb45
commit
9ea97126b8
@ -795,9 +795,9 @@ public abstract class AbstractLesson extends Screen implements Comparable
|
||||
}
|
||||
|
||||
|
||||
protected String getFormAction()
|
||||
public String getFormAction()
|
||||
{
|
||||
return "attack" + "?menu=" + getCategory().getRanking();
|
||||
return getLink();
|
||||
}
|
||||
|
||||
|
||||
|
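Review bot: `getFormAction()` is widened from `protected` to `public` and now simply delegates to `getLink()`, yet neither method carries a Javadoc describing what the returned URL contains, and every JSP and lesson class in this commit now depends on that contract. Add something like `/** URL that lesson forms submit to; identical to {@link #getLink()}, i.e. the attack servlet with this lesson's Screen and menu query parameters already appended. */`, adjusting the wording to whatever getLink() actually returns. The removed body used `getCategory().getRanking()` while the lesson code it replaces used `getDefaultCategory().getRanking()`; if getLink() is built from one of these, confirm the menu value is unchanged for lessons whose category differs from the default. getLink() itself is outside this hunk.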
@ -186,10 +186,8 @@ public class CSRF extends LessonAdapter {
|
||||
|
||||
for ( int i = 0; results.next(); i++ )
|
||||
{
|
||||
String link = "<a href='attack?" + NUMBER + "=" + results.getInt( NUM_COL ) +
|
||||
"&Screen=" + String.valueOf(getScreenId()) +
|
||||
"&menu=" + getDefaultCategory().getRanking().toString() +
|
||||
"' style='cursor:hand'>" + results.getString( TITLE_COL ) + "</a>";
|
||||
String link = "<a href='" + getLink() + "&" + NUMBER + "=" + results.getInt( NUM_COL ) +
|
||||
"' style='cursor:hand'>" + results.getString( TITLE_COL ) + "</a>";
|
||||
TD td = new TD().addElement( link );
|
||||
TR tr = new TR().addElement( td );
|
||||
t.addElement( tr );
|
||||
@ -297,9 +295,7 @@ public class CSRF extends LessonAdapter {
|
||||
hints.add( "Enter some text and try to include an image in there." );
|
||||
hints.add( "In order to make the picture almost invisible try to add width=\"1\" and height=\"1\"." );
|
||||
hints.add( "The format of an image in html is <pre><img src=\"[URL]\" width=\"1\" height=\"1\" /></pre>");
|
||||
hints.add( "Include this URL in the message <pre><img src='http://localhost/WebGoat/attack?"+
|
||||
"Screen=" + String.valueOf(getScreenId()) +
|
||||
"&menu=" + getDefaultCategory().getRanking().toString() +
|
||||
hints.add( "Include this URL in the message <pre><img src='" + getLink() +
|
||||
"&transferFunds=5000' width=\"1\" height=\"1\" /></pre>");
|
||||
|
||||
return hints;
|
||||
|
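Review bot: In the link-building hunk, `getLink() + "&" + NUMBER + "=" + ...` assumes `getLink()` already ends in a query string, since it joins with `&` rather than `?`; the same assumption is made in the hint hunk below and in the DOMInjection, JSONInjection, SilentTransactions, XMLInjection and WebSession hunks. If getLink() can ever return a bare path the result is a malformed URL, so either document that contract on getLink() or introduce one helper along the lines of `getLink() + (getLink().contains("?") ? "&" : "?")` and use it at every site. Separately, the hint previously quoted an absolute `http://localhost/WebGoat/attack?...` URL and now quotes whatever getLink() returns; if that is a relative URL, the example shown to the student changes meaning and the hint wording should reflect it. The enclosing methods begin outside both hunks.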
@ -95,9 +95,7 @@ public class DOMInjection extends LessonAdapter
|
||||
String lineSep = System.getProperty("line.separator");
|
||||
String script = "<script>" + lineSep + "function validate() {"
|
||||
+ lineSep + "var keyField = document.getElementById('key');"
|
||||
+ lineSep + "var url = '/WebGoat/attack?Screen="
|
||||
+ String.valueOf(getScreenId()) + "&menu="
|
||||
+ getDefaultCategory().getRanking().toString()
|
||||
+ lineSep + "var url = '" + getLink()
|
||||
+ "&from=ajax&key=' + encodeURIComponent(keyField.value);"
|
||||
+ lineSep + "if (typeof XMLHttpRequest != 'undefined') {"
|
||||
+ lineSep + "req = new XMLHttpRequest();" + lineSep
|
||||
|
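Review bot: The value of `getLink()` is spliced unescaped into a JavaScript single-quoted string literal (`"var url = '" + getLink() + "&from=ajax&key=' + ..."`), and the same construct appears in the JSONInjection, SilentTransactions and XMLInjection hunks. The values it replaced were numeric (`getScreenId()`, `getRanking()`), so the old concatenation could not break the literal; the new one is only safe if getLink() is guaranteed never to contain `'`, `\` or a `</script>` sequence. Once that is confirmed, a comment at the definition of getLink(), or here such as `// getLink() contains only the servlet name and numeric ids, so no JS escaping is applied`, would make the dependency explicit. The enclosing method starts and ends outside the hunk.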
@ -135,10 +135,7 @@ public class JSONInjection extends LessonAdapter
|
||||
+ lineSep
|
||||
+ "if (toField.value.length < 3 ) { return; }"
|
||||
+ lineSep
|
||||
+ "var url = '/WebGoat/attack?Screen="
|
||||
+ String.valueOf(getScreenId())
|
||||
+ "&menu="
|
||||
+ getDefaultCategory().getRanking().toString()
|
||||
+ "var url = '" + getLink()
|
||||
+ "&from=ajax&"
|
||||
+ TRAVEL_FROM
|
||||
+ "=' + encodeURIComponent(fromField.value) +"
|
||||
|
@ -189,10 +189,7 @@ public class SilentTransactions extends LessonAdapter
|
||||
+ lineSep
|
||||
+ "function submitData(accountNo, balance) {"
|
||||
+ lineSep
|
||||
+ "var url = '/WebGoat/attack?Screen="
|
||||
+ String.valueOf(getScreenId())
|
||||
+ "&menu="
|
||||
+ getDefaultCategory().getRanking().toString()
|
||||
+ "var url = '" + getLink()
|
||||
+ "&from=ajax&newAccount='+ accountNo+ '&amount=' + balance +'&confirm=' + document.getElementById('confirm').value; "
|
||||
+ lineSep + "if (typeof XMLHttpRequest != 'undefined') {"
|
||||
+ lineSep + "req = new XMLHttpRequest();" + lineSep
|
||||
|
@ -159,10 +159,7 @@ public class XMLInjection extends LessonAdapter
|
||||
+ lineSep
|
||||
+ "if (accountIDField.value.length < 6 ) { return; }"
|
||||
+ lineSep
|
||||
+ "var url = '/WebGoat/attack?Screen="
|
||||
+ String.valueOf(getScreenId())
|
||||
+ "&menu="
|
||||
+ getDefaultCategory().getRanking().toString()
|
||||
+ "var url = '" + getLink()
|
||||
+ "&from=ajax&"
|
||||
+ ACCOUNTID
|
||||
+ "=' + encodeURIComponent(accountIDField.value);"
|
||||
|
@ -360,42 +360,7 @@ public class WebSession
|
||||
|
||||
public String getRestartLink()
|
||||
{
|
||||
List<String> parameters = new ArrayList<String>();
|
||||
|
||||
String screenValue = request.getParameter(SCREEN);
|
||||
if (screenValue != null)
|
||||
parameters.add(SCREEN + "=" + screenValue);
|
||||
|
||||
String menuValue = request.getParameter(MENU);
|
||||
if (menuValue != null)
|
||||
parameters.add(MENU + "=" + menuValue);
|
||||
|
||||
parameters.add(RESTART + "=" + currentScreen);
|
||||
|
||||
return makeQuery("attack", parameters);
|
||||
}
|
||||
|
||||
private String makeQuery(String resource, List parameters)
|
||||
{
|
||||
StringBuffer query = new StringBuffer(resource);
|
||||
|
||||
boolean isFirstParameter = true;
|
||||
Iterator i = parameters.iterator();
|
||||
|
||||
while (i.hasNext())
|
||||
{
|
||||
String parameter = (String) i.next();
|
||||
if (isFirstParameter)
|
||||
{
|
||||
query.append("?");
|
||||
isFirstParameter = false;
|
||||
}
|
||||
else
|
||||
query.append("&");
|
||||
query.append(parameter);
|
||||
}
|
||||
|
||||
return query.toString();
|
||||
return getCurrentLesson().getLink() + "&" + RESTART + "=" + getCurrentScreen();
|
||||
}
|
||||
|
||||
public String getCurrentLink()
|
||||
|
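Review bot: The new `getRestartLink()` dereferences `getCurrentLesson()` without a null check, whereas the removed version tolerated absent `Screen`/`menu` request parameters; if a session can reach this before a lesson is selected, the line now throws a NullPointerException. Consider `AbstractLesson lesson = getCurrentLesson(); if (lesson == null) { return "attack?" + RESTART + "=" + getCurrentScreen(); }` or whatever the lesson-less fallback should be. It is worth recording in the commit message that the old code copied the raw `Screen` and `menu` request parameters back into the generated link, so deriving the link from server-side lesson state also removes that reflection point. `makeQuery` is deleted here; confirm it has no remaining callers.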
@ -1,5 +1,9 @@
|
||||
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
|
||||
pageEncoding="ISO-8859-1"%>
|
||||
pageEncoding="ISO-8859-1"%>
|
||||
<%@page import="org.owasp.webgoat.session.WebSession"%>
|
||||
<%
|
||||
WebSession webSession = ((WebSession)session.getAttribute("websession"));
|
||||
%>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html>
|
||||
<head>
|
||||
@ -7,9 +11,7 @@
|
||||
<title>Configuration Page</title>
|
||||
</head>
|
||||
<body>
|
||||
<% response.sendRedirect("/WebGoat/attack?" +
|
||||
"Screen=" + request.getParameter("Screen") +
|
||||
"&menu=" + request.getParameter("menu") +
|
||||
<% response.sendRedirect(webSession.getCurrentLesson().getLink() +
|
||||
"&succeeded=yes");
|
||||
%>
|
||||
|
||||
|
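Review bot: `webSession` is cast from `session.getAttribute("websession")` and dereferenced on the `sendRedirect` line without a null check, so a request without an established WebGoat session now fails with a NullPointerException instead of redirecting; the removed version never touched session state. Guard it, e.g. `if (webSession == null || webSession.getCurrentLesson() == null) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }`, or whatever this page's usual error handling is. Worth noting in the commit message that the old redirect echoed the raw `Screen` and `menu` request parameters into the Location header, which the server-derived link no longer does.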
@ -7,7 +7,7 @@
|
||||
%>
|
||||
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
|
||||
<div class="lesson_text">
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<Table>
|
||||
<TR><TD>
|
||||
First Name:
|
||||
|
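Review bot: Every `action="<%=webSession.getCurrentLesson().getFormAction()%>"` line in this and the following form-action hunks (all lesson JSPs up to the header hunk) emits the URL through a raw `<%= %>`, so any `&` that getFormAction() returns appears unescaped inside an HTML attribute; browsers recover, but strictly it should be `&amp;`, and nothing escapes other characters. Since the value is server-generated this is acceptable, but a one-line note at the first occurrence, `<%-- getFormAction() is server-generated; no request input reaches this attribute --%>`, would document why no escaping is applied. `getCurrentLesson()` is also dereferenced on each of these lines without a null check, which the replaced `webSession.getCurrentMenu()` call did not require.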
@ -10,7 +10,7 @@
|
||||
<br>
|
||||
<br>
|
||||
<p>Select from the list below </p>
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<table width="60%" border="0" cellpadding="3">
|
||||
<tr>
|
||||
<td> <label>
|
||||
|
@ -6,7 +6,7 @@
|
||||
<%
|
||||
WebSession webSession = ((WebSession)session.getAttribute("websession"));
|
||||
%>
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<label>
|
||||
<select name="<%=CrossSiteScripting.EMPLOYEE_ID%>">
|
||||
<%
|
||||
|
@ -12,7 +12,7 @@
|
||||
<%
|
||||
}
|
||||
%>
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<label>Name
|
||||
<input class="lesson_text_db" type="text" name="<%=CrossSiteScripting.SEARCHNAME%>"/>
|
||||
</label>
|
||||
|
@ -116,7 +116,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.LISTSTAFF_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=CrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=CrossSiteScripting.LISTSTAFF_ACTION%>"/>
|
||||
</form></td>
|
||||
@ -128,7 +128,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.EDITPROFILE_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=CrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=CrossSiteScripting.EDITPROFILE_ACTION%>"/>
|
||||
</form>
|
||||
@ -141,7 +141,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.DELETEPROFILE_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=CrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=CrossSiteScripting.DELETEPROFILE_ACTION%>"/>
|
||||
</form>
|
||||
|
@ -7,7 +7,7 @@
|
||||
%>
|
||||
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
|
||||
<div class="lesson_text">
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<Table>
|
||||
<TR><TD>
|
||||
First Name:
|
||||
|
@ -10,7 +10,7 @@
|
||||
<br>
|
||||
<br>
|
||||
<p>Select from the list below </p>
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<table width="60%" border="0" cellpadding="3">
|
||||
<tr>
|
||||
<td> <label>
|
||||
|
@ -6,7 +6,7 @@
|
||||
<%
|
||||
WebSession webSession = ((WebSession)session.getAttribute("websession"));
|
||||
%>
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<label>
|
||||
<select name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>">
|
||||
<%
|
||||
|
@ -12,7 +12,7 @@
|
||||
<%
|
||||
}
|
||||
%>
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<label>Name
|
||||
<input class="lesson_text_db" type="text" name="<%=DBCrossSiteScripting.SEARCHNAME%>"/>
|
||||
</label>
|
||||
|
@ -109,7 +109,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.LISTSTAFF_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=DBCrossSiteScripting.LISTSTAFF_ACTION%>"/>
|
||||
</form></td>
|
||||
@ -121,7 +121,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.EDITPROFILE_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=DBCrossSiteScripting.EDITPROFILE_ACTION%>"/>
|
||||
</form>
|
||||
@ -134,7 +134,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.DELETEPROFILE_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=DBCrossSiteScripting.DELETEPROFILE_ACTION%>"/>
|
||||
</form>
|
||||
|
@ -7,7 +7,7 @@
|
||||
%>
|
||||
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
|
||||
<div class="lesson_text">
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<Table>
|
||||
<TR><TD>
|
||||
First Name:
|
||||
|
@ -11,7 +11,7 @@
|
||||
<br>
|
||||
<p>Select from the list below </p>
|
||||
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<table width="60%" border="0" cellpadding="3">
|
||||
<tr>
|
||||
<td> <label>
|
||||
|
@ -6,7 +6,7 @@
|
||||
<%
|
||||
WebSession webSession = ((WebSession)session.getAttribute("websession"));
|
||||
%>
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<label>
|
||||
<select name="<%=DBSQLInjection.EMPLOYEE_ID%>">
|
||||
<%
|
||||
|
@ -12,7 +12,7 @@
|
||||
<%
|
||||
}
|
||||
%>
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<label>Name
|
||||
<input class="lesson_text_db" type="text" name="<%=DBSQLInjection.SEARCHNAME%>"/>
|
||||
</label>
|
||||
|
@ -109,7 +109,7 @@
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBSQLInjection.LISTSTAFF_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=DBSQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=DBSQLInjection.LISTSTAFF_ACTION%>"/>
|
||||
</form>
|
||||
@ -122,7 +122,7 @@
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBSQLInjection.EDITPROFILE_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=DBSQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=DBSQLInjection.EDITPROFILE_ACTION%>"/>
|
||||
</form>
|
||||
@ -135,7 +135,7 @@
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBSQLInjection.DELETEPROFILE_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=DBSQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=DBSQLInjection.DELETEPROFILE_ACTION%>"/>
|
||||
</form>
|
||||
|
@ -7,7 +7,7 @@
|
||||
%>
|
||||
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Edit Profile Page</div>
|
||||
<div class="lesson_text">
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<Table border="0" cellpadding="0" cellspacing="0">
|
||||
<TR><TD width="110">
|
||||
First Name:
|
||||
|
@ -11,7 +11,7 @@
|
||||
<br>
|
||||
<p>Select from the list below </p>
|
||||
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<table width="60%" border="0" cellpadding="3">
|
||||
<tr>
|
||||
<td> <label>
|
||||
|
@ -6,7 +6,7 @@
|
||||
<%
|
||||
WebSession webSession = ((WebSession)session.getAttribute("websession"));
|
||||
%>
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<label>
|
||||
<select name="<%=GoatHillsFinancial.EMPLOYEE_ID%>">
|
||||
<%
|
||||
|
@ -12,7 +12,7 @@
|
||||
<%
|
||||
}
|
||||
%>
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<label>Name
|
||||
<input class="lesson_text_db" type="text" name="<%=GoatHillsFinancial.SEARCHNAME%>"/>
|
||||
</label>
|
||||
|
@ -113,7 +113,7 @@
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), GoatHillsFinancial.LISTSTAFF_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=GoatHillsFinancial.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=GoatHillsFinancial.LISTSTAFF_ACTION%>"/>
|
||||
</form>
|
||||
@ -125,7 +125,7 @@
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), GoatHillsFinancial.EDITPROFILE_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=GoatHillsFinancial.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=GoatHillsFinancial.EDITPROFILE_ACTION%>"/>
|
||||
</form>
|
||||
@ -138,7 +138,7 @@
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), GoatHillsFinancial.DELETEPROFILE_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=GoatHillsFinancial.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=GoatHillsFinancial.DELETEPROFILE_ACTION%>"/>
|
||||
</form>
|
||||
|
@ -7,7 +7,7 @@
|
||||
%>
|
||||
<br><br><br>An error has occurred.
|
||||
<br><br><br>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
|
||||
<input type="submit" name="action" value="<%=GoatHillsFinancial.LOGIN_ACTION%>"/>
|
||||
</form>
|
@ -7,7 +7,7 @@
|
||||
%>
|
||||
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Edit Profile Page</div>
|
||||
<div class="lesson_text">
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<Table border="0" cellpadding="0" cellspacing="0">
|
||||
<TR><TD width="110">
|
||||
First Name:
|
||||
|
@ -11,7 +11,7 @@
|
||||
<br>
|
||||
<p>Select from the list below </p>
|
||||
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<table width="60%" border="0" cellpadding="3">
|
||||
<tr>
|
||||
<td> <label>
|
||||
|
@ -6,7 +6,7 @@
|
||||
<%
|
||||
WebSession webSession = ((WebSession)session.getAttribute("websession"));
|
||||
%>
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<label>
|
||||
<select name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>">
|
||||
<%
|
||||
|
@ -12,7 +12,7 @@
|
||||
<%
|
||||
}
|
||||
%>
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<label>Name
|
||||
<input class="lesson_text_db" type="text" name="<%=RoleBasedAccessControl.SEARCHNAME%>"/>
|
||||
</label>
|
||||
|
@ -113,7 +113,7 @@
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.LISTSTAFF_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=RoleBasedAccessControl.LISTSTAFF_ACTION%>"/>
|
||||
</form>
|
||||
@ -125,7 +125,7 @@
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.EDITPROFILE_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=RoleBasedAccessControl.EDITPROFILE_ACTION%>"/>
|
||||
</form>
|
||||
@ -138,7 +138,7 @@
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.DELETEPROFILE_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=RoleBasedAccessControl.DELETEPROFILE_ACTION%>"/>
|
||||
</form>
|
||||
|
@ -7,7 +7,7 @@
|
||||
%>
|
||||
<br><br><br>An error has occurred.
|
||||
<br><br><br>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
|
||||
<input type="submit" name="action" value="<%=RoleBasedAccessControl.LOGIN_ACTION%>"/>
|
||||
</form>
|
@ -7,7 +7,7 @@
|
||||
%>
|
||||
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
|
||||
<div class="lesson_text">
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<Table>
|
||||
<TR><TD>
|
||||
First Name:
|
||||
|
@ -11,7 +11,7 @@
|
||||
<br>
|
||||
<p>Select from the list below </p>
|
||||
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<table width="60%" border="0" cellpadding="3">
|
||||
<tr>
|
||||
<td> <label>
|
||||
|
@ -6,7 +6,7 @@
|
||||
<%
|
||||
WebSession webSession = ((WebSession)session.getAttribute("websession"));
|
||||
%>
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<label>
|
||||
<select name="<%=SQLInjection.EMPLOYEE_ID%>">
|
||||
<%
|
||||
|
@ -12,7 +12,7 @@
|
||||
<%
|
||||
}
|
||||
%>
|
||||
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<label>Name
|
||||
<input class="lesson_text_db" type="text" name="<%=SQLInjection.SEARCHNAME%>"/>
|
||||
</label>
|
||||
|
@ -109,7 +109,7 @@
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.LISTSTAFF_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=SQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=SQLInjection.LISTSTAFF_ACTION%>"/>
|
||||
</form>
|
||||
@ -122,7 +122,7 @@
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.EDITPROFILE_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=SQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=SQLInjection.EDITPROFILE_ACTION%>"/>
|
||||
</form>
|
||||
@ -135,7 +135,7 @@
|
||||
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.DELETEPROFILE_ACTION))
|
||||
{
|
||||
%>
|
||||
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
|
||||
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
|
||||
<input type="hidden" name="<%=SQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
|
||||
<input type="submit" name="action" value="<%=SQLInjection.DELETEPROFILE_ACTION%>"/>
|
||||
</form>
|
||||
|
@ -141,7 +141,7 @@ StringBuffer buildList = new StringBuffer();
|
||||
<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Params" target="_top" onclick="MM_nbGroup('down','group1','params','',1)"
|
||||
onmouseover="MM_nbGroup('over','params','images/buttons/paramsOver.jpg','',1)"
|
||||
onmouseout="MM_nbGroup('out')">
|
||||
<img src="images/buttons/params.jpg" alt="Show Params" name="attack?show=Params" width="92" height="20" border="0" id="params"/>
|
||||
<img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink() %>&show=Params" width="92" height="20" border="0" id="params"/>
|
||||
</a>
|
||||
<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Cookies" target="_top" onclick="MM_nbGroup('down','group1','cookies','',1)"
|
||||
onmouseover="MM_nbGroup('over','cookies','images/buttons/cookiesOver.jpg','',1)"
|
||||
|