dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use AbstractLesson.getLink() and getFormAction() more

Browse Source 
Rather than constructing URL's manually all the time, rather
make use of existing mechanisms to create the URL, and use
it consistently.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@184 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
rogan.dawes
2007-07-18 13:31:11 +00:00
parent e27aaccb45
commit 9ea97126b8
41 changed files with 61 additions and 109 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java
View File

@ -795,9 +795,9 @@ public abstract class AbstractLesson extends Screen implements Comparable
}
protected String getFormAction()
public String getFormAction()
{
return "attack" + "?menu=" + getCategory().getRanking();
return getLink();
}

10
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
View File

@ -186,10 +186,8 @@ public class CSRF extends LessonAdapter {
for ( int i = 0; results.next(); i++ )
{
String link = "<a href='attack?" + NUMBER + "=" + results.getInt( NUM_COL ) +
"&Screen=" + String.valueOf(getScreenId()) +
"&menu=" + getDefaultCategory().getRanking().toString() +
"' style='cursor:hand'>" + results.getString( TITLE_COL ) + "</a>";
String link = "<a href='" + getLink() + "&" + NUMBER + "=" + results.getInt( NUM_COL ) +
"' style='cursor:hand'>" + results.getString( TITLE_COL ) + "</a>";
TD td = new TD().addElement( link );
TR tr = new TR().addElement( td );
t.addElement( tr );
@ -297,9 +295,7 @@ public class CSRF extends LessonAdapter {
hints.add( "Enter some text and try to include an image in there." );
hints.add( "In order to make the picture almost invisible try to add width=\"1\" and height=\"1\"." );
hints.add( "The format of an image in html is <pre>&lt;img src=\"[URL]\" width=\"1\" height=\"1\" /&gt;</pre>");
hints.add( "Include this URL in the message <pre>&lt;img src='http://localhost/WebGoat/attack?"+
"Screen=" + String.valueOf(getScreenId()) +
"&menu=" + getDefaultCategory().getRanking().toString() +
hints.add( "Include this URL in the message <pre>&lt;img src='" + getLink() +
"&transferFunds=5000' width=\"1\" height=\"1\" /&gt;</pre>");
return hints;

4
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java
View File

@ -95,9 +95,7 @@ public class DOMInjection extends LessonAdapter
String lineSep = System.getProperty("line.separator");
String script = "<script>" + lineSep + "function validate() {"
+ lineSep + "var keyField = document.getElementById('key');"
+ lineSep + "var url = '/WebGoat/attack?Screen="
+ String.valueOf(getScreenId()) + "&menu="
+ getDefaultCategory().getRanking().toString()
+ lineSep + "var url = '" + getLink()
+ "&from=ajax&key=' + encodeURIComponent(keyField.value);"
+ lineSep + "if (typeof XMLHttpRequest != 'undefined') {"
+ lineSep + "req = new XMLHttpRequest();" + lineSep

5
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/JSONInjection.java
View File

@ -135,10 +135,7 @@ public class JSONInjection extends LessonAdapter
+ lineSep
+ "if (toField.value.length < 3 ) { return; }"
+ lineSep
+ "var url = '/WebGoat/attack?Screen="
+ String.valueOf(getScreenId())
+ "&menu="
+ getDefaultCategory().getRanking().toString()
+ "var url = '" + getLink()
+ "&from=ajax&"
+ TRAVEL_FROM
+ "=' + encodeURIComponent(fromField.value) +"

5
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SilentTransactions.java
View File

@ -189,10 +189,7 @@ public class SilentTransactions extends LessonAdapter
+ lineSep
+ "function submitData(accountNo, balance) {"
+ lineSep
+ "var url = '/WebGoat/attack?Screen="
+ String.valueOf(getScreenId())
+ "&menu="
+ getDefaultCategory().getRanking().toString()
+ "var url = '" + getLink()
+ "&from=ajax&newAccount='+ accountNo+ '&amount=' + balance +'&confirm=' + document.getElementById('confirm').value; "
+ lineSep + "if (typeof XMLHttpRequest != 'undefined') {"
+ lineSep + "req = new XMLHttpRequest();" + lineSep

5
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java
View File

@ -159,10 +159,7 @@ public class XMLInjection extends LessonAdapter
+ lineSep
+ "if (accountIDField.value.length < 6 ) { return; }"
+ lineSep
+ "var url = '/WebGoat/attack?Screen="
+ String.valueOf(getScreenId())
+ "&menu="
+ getDefaultCategory().getRanking().toString()
+ "var url = '" + getLink()
+ "&from=ajax&"
+ ACCOUNTID
+ "=' + encodeURIComponent(accountIDField.value);"

37
webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java
View File

@ -360,42 +360,7 @@ public class WebSession
public String getRestartLink()
{
List<String> parameters = new ArrayList<String>();
String screenValue = request.getParameter(SCREEN);
if (screenValue != null)
parameters.add(SCREEN + "=" + screenValue);
String menuValue = request.getParameter(MENU);
if (menuValue != null)
parameters.add(MENU + "=" + menuValue);
parameters.add(RESTART + "=" + currentScreen);
return makeQuery("attack", parameters);
}
private String makeQuery(String resource, List parameters)
{
StringBuffer query = new StringBuffer(resource);
boolean isFirstParameter = true;
Iterator i = parameters.iterator();
while (i.hasNext())
{
String parameter = (String) i.next();
if (isFirstParameter)
{
query.append("?");
isFirstParameter = false;
}
else
query.append("&");
query.append(parameter);
}
return query.toString();
return getCurrentLesson().getLink() + "&" + RESTART + "=" + getCurrentScreen();
}
public String getCurrentLink()

10
webgoat/main/project/WebContent/lessons/ConfManagement/config.jsp
View File

@ -1,5 +1,9 @@
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
pageEncoding="ISO-8859-1"%>
<%@page import="org.owasp.webgoat.session.WebSession"%>
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
@ -7,9 +11,7 @@
<title>Configuration Page</title>
</head>
<body>
<% response.sendRedirect("/WebGoat/attack?" +
"Screen=" + request.getParameter("Screen") +
"&menu=" + request.getParameter("menu") +
<% response.sendRedirect(webSession.getCurrentLesson().getLink() +
"&succeeded=yes");
%>

2
webgoat/main/project/WebContent/lessons/CrossSiteScripting/EditProfile.jsp
View File

@ -7,7 +7,7 @@
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
<div class="lesson_text">
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<Table>
<TR><TD>
First Name:

2
webgoat/main/project/WebContent/lessons/CrossSiteScripting/ListStaff.jsp
View File

@ -10,7 +10,7 @@
<br>
<br>
<p>Select from the list below </p>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<table width="60%" border="0" cellpadding="3">
<tr>
<td> <label>

2
webgoat/main/project/WebContent/lessons/CrossSiteScripting/Login.jsp
View File

@ -6,7 +6,7 @@
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<label>
<select name="<%=CrossSiteScripting.EMPLOYEE_ID%>">
<%

2
webgoat/main/project/WebContent/lessons/CrossSiteScripting/SearchStaff.jsp
View File

@ -12,7 +12,7 @@
<%
}
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<label>Name
<input class="lesson_text_db" type="text" name="<%=CrossSiteScripting.SEARCHNAME%>"/>
</label>

6
webgoat/main/project/WebContent/lessons/CrossSiteScripting/ViewProfile.jsp
View File

@ -116,7 +116,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.LISTSTAFF_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=CrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=CrossSiteScripting.LISTSTAFF_ACTION%>"/>
</form></td>
@ -128,7 +128,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.EDITPROFILE_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=CrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=CrossSiteScripting.EDITPROFILE_ACTION%>"/>
</form>
@ -141,7 +141,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.DELETEPROFILE_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=CrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=CrossSiteScripting.DELETEPROFILE_ACTION%>"/>
</form>

2
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/EditProfile.jsp
View File

@ -7,7 +7,7 @@
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
<div class="lesson_text">
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<Table>
<TR><TD>
First Name:

2
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ListStaff.jsp
View File

@ -10,7 +10,7 @@
<br>
<br>
<p>Select from the list below </p>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<table width="60%" border="0" cellpadding="3">
<tr>
<td> <label>

2
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/Login.jsp
View File

@ -6,7 +6,7 @@
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<label>
<select name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>">
<%

2
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/SearchStaff.jsp
View File

@ -12,7 +12,7 @@
<%
}
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<label>Name
<input class="lesson_text_db" type="text" name="<%=DBCrossSiteScripting.SEARCHNAME%>"/>
</label>

6
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ViewProfile.jsp
View File

@ -109,7 +109,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.LISTSTAFF_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=DBCrossSiteScripting.LISTSTAFF_ACTION%>"/>
</form></td>
@ -121,7 +121,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.EDITPROFILE_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=DBCrossSiteScripting.EDITPROFILE_ACTION%>"/>
</form>
@ -134,7 +134,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.DELETEPROFILE_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=DBCrossSiteScripting.DELETEPROFILE_ACTION%>"/>
</form>

2
webgoat/main/project/WebContent/lessons/DBSQLInjection/EditProfile.jsp
View File

@ -7,7 +7,7 @@
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
<div class="lesson_text">
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<Table>
<TR><TD>
First Name:

2
webgoat/main/project/WebContent/lessons/DBSQLInjection/ListStaff.jsp
View File

@ -11,7 +11,7 @@
<br>
<p>Select from the list below </p>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<table width="60%" border="0" cellpadding="3">
<tr>
<td> <label>

2
webgoat/main/project/WebContent/lessons/DBSQLInjection/Login.jsp
View File

@ -6,7 +6,7 @@
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<label>
<select name="<%=DBSQLInjection.EMPLOYEE_ID%>">
<%

2
webgoat/main/project/WebContent/lessons/DBSQLInjection/SearchStaff.jsp
View File

@ -12,7 +12,7 @@
<%
}
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<label>Name
<input class="lesson_text_db" type="text" name="<%=DBSQLInjection.SEARCHNAME%>"/>
</label>

6
webgoat/main/project/WebContent/lessons/DBSQLInjection/ViewProfile.jsp
View File

@ -109,7 +109,7 @@
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBSQLInjection.LISTSTAFF_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=DBSQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=DBSQLInjection.LISTSTAFF_ACTION%>"/>
</form>
@ -122,7 +122,7 @@
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBSQLInjection.EDITPROFILE_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=DBSQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=DBSQLInjection.EDITPROFILE_ACTION%>"/>
</form>
@ -135,7 +135,7 @@
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBSQLInjection.DELETEPROFILE_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=DBSQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=DBSQLInjection.DELETEPROFILE_ACTION%>"/>
</form>

2
webgoat/main/project/WebContent/lessons/GoatHillsFinancial/EditProfile.jsp
View File

@ -7,7 +7,7 @@
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Edit Profile Page</div>
<div class="lesson_text">
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<Table border="0" cellpadding="0" cellspacing="0">
<TR><TD width="110">
First Name:

2
webgoat/main/project/WebContent/lessons/GoatHillsFinancial/ListStaff.jsp
View File

@ -11,7 +11,7 @@
<br>
<p>Select from the list below </p>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<table width="60%" border="0" cellpadding="3">
<tr>
<td> <label>

2
webgoat/main/project/WebContent/lessons/GoatHillsFinancial/Login.jsp
View File

@ -6,7 +6,7 @@
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<label>
<select name="<%=GoatHillsFinancial.EMPLOYEE_ID%>">
<%

2
webgoat/main/project/WebContent/lessons/GoatHillsFinancial/SearchStaff.jsp
View File

@ -12,7 +12,7 @@
<%
}
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<label>Name
<input class="lesson_text_db" type="text" name="<%=GoatHillsFinancial.SEARCHNAME%>"/>
</label>

6
webgoat/main/project/WebContent/lessons/GoatHillsFinancial/ViewProfile.jsp
View File

@ -113,7 +113,7 @@
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), GoatHillsFinancial.LISTSTAFF_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=GoatHillsFinancial.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=GoatHillsFinancial.LISTSTAFF_ACTION%>"/>
</form>
@ -125,7 +125,7 @@
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), GoatHillsFinancial.EDITPROFILE_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=GoatHillsFinancial.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=GoatHillsFinancial.EDITPROFILE_ACTION%>"/>
</form>
@ -138,7 +138,7 @@
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), GoatHillsFinancial.DELETEPROFILE_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=GoatHillsFinancial.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=GoatHillsFinancial.DELETEPROFILE_ACTION%>"/>
</form>

2
webgoat/main/project/WebContent/lessons/GoatHillsFinancial/error.jsp
View File

@ -7,7 +7,7 @@
%>
<br><br><br>An error has occurred.
<br><br><br>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="submit" name="action" value="<%=GoatHillsFinancial.LOGIN_ACTION%>"/>
</form>

2
webgoat/main/project/WebContent/lessons/RoleBasedAccessControl/EditProfile.jsp
View File

@ -7,7 +7,7 @@
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Edit Profile Page</div>
<div class="lesson_text">
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<Table border="0" cellpadding="0" cellspacing="0">
<TR><TD width="110">
First Name:

2
webgoat/main/project/WebContent/lessons/RoleBasedAccessControl/ListStaff.jsp
View File

@ -11,7 +11,7 @@
<br>
<p>Select from the list below </p>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<table width="60%" border="0" cellpadding="3">
<tr>
<td> <label>

2
webgoat/main/project/WebContent/lessons/RoleBasedAccessControl/Login.jsp
View File

@ -6,7 +6,7 @@
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<label>
<select name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>">
<%

2
webgoat/main/project/WebContent/lessons/RoleBasedAccessControl/SearchStaff.jsp
View File

@ -12,7 +12,7 @@
<%
}
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<label>Name
<input class="lesson_text_db" type="text" name="<%=RoleBasedAccessControl.SEARCHNAME%>"/>
</label>

6
webgoat/main/project/WebContent/lessons/RoleBasedAccessControl/ViewProfile.jsp
View File

@ -113,7 +113,7 @@
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.LISTSTAFF_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=RoleBasedAccessControl.LISTSTAFF_ACTION%>"/>
</form>
@ -125,7 +125,7 @@
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.EDITPROFILE_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=RoleBasedAccessControl.EDITPROFILE_ACTION%>"/>
</form>
@ -138,7 +138,7 @@
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.DELETEPROFILE_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=RoleBasedAccessControl.DELETEPROFILE_ACTION%>"/>
</form>

2
webgoat/main/project/WebContent/lessons/RoleBasedAccessControl/error.jsp
View File

@ -7,7 +7,7 @@
%>
<br><br><br>An error has occurred.
<br><br><br>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="submit" name="action" value="<%=RoleBasedAccessControl.LOGIN_ACTION%>"/>
</form>

2
webgoat/main/project/WebContent/lessons/SQLInjection/EditProfile.jsp
View File

@ -7,7 +7,7 @@
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
<div class="lesson_text">
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<Table>
<TR><TD>
First Name:

2
webgoat/main/project/WebContent/lessons/SQLInjection/ListStaff.jsp
View File

@ -11,7 +11,7 @@
<br>
<p>Select from the list below </p>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<table width="60%" border="0" cellpadding="3">
<tr>
<td> <label>

2
webgoat/main/project/WebContent/lessons/SQLInjection/Login.jsp
View File

@ -6,7 +6,7 @@
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<label>
<select name="<%=SQLInjection.EMPLOYEE_ID%>">
<%

2
webgoat/main/project/WebContent/lessons/SQLInjection/SearchStaff.jsp
View File

@ -12,7 +12,7 @@
<%
}
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<label>Name
<input class="lesson_text_db" type="text" name="<%=SQLInjection.SEARCHNAME%>"/>
</label>

6
webgoat/main/project/WebContent/lessons/SQLInjection/ViewProfile.jsp
View File

@ -109,7 +109,7 @@
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.LISTSTAFF_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=SQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=SQLInjection.LISTSTAFF_ACTION%>"/>
</form>
@ -122,7 +122,7 @@
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.EDITPROFILE_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=SQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=SQLInjection.EDITPROFILE_ACTION%>"/>
</form>
@ -135,7 +135,7 @@
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.DELETEPROFILE_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<input type="hidden" name="<%=SQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=SQLInjection.DELETEPROFILE_ACTION%>"/>
</form>

2
webgoat/main/project/WebContent/main.jsp
View File

@ -141,7 +141,7 @@ StringBuffer buildList = new StringBuffer();
<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Params" target="_top" onclick="MM_nbGroup('down','group1','params','',1)"
onmouseover="MM_nbGroup('over','params','images/buttons/paramsOver.jpg','',1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/params.jpg" alt="Show Params" name="attack?show=Params" width="92" height="20" border="0" id="params"/>
<img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink() %>&show=Params" width="92" height="20" border="0" id="params"/>
</a>
<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Cookies" target="_top" onclick="MM_nbGroup('down','group1','cookies','',1)"
onmouseover="MM_nbGroup('over','cookies','images/buttons/cookiesOver.jpg','',1)"