Use AbstractLesson.getLink() and getFormAction() more

Rather than constructing URLs manually all the time, make use of the
existing mechanisms to create the URL, and use it consistently.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@184 4033779f-a91e-0410-96ef-6bf7bf53c507
rogan.dawes
2007-07-18 13:31:11 +00:00
parent e27aaccb45
commit 9ea97126b8
41 changed files with 61 additions and 109 deletions


@ -795,9 +795,9 @@ public abstract class AbstractLesson extends Screen implements Comparable
}
protected String getFormAction()
public String getFormAction()
{
return "attack" + "?menu=" + getCategory().getRanking();
return getLink();
}
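Review bot: getFormAction() is widened from protected to public and now delegates to getLink(), but neither the method nor its new visibility is documented; add `/** Returns the URL that lesson forms should post to; equivalent to {@link #getLink()}. */` above the signature. The removed body derived the menu value from getCategory().getRanking(), so whether the form action's menu parameter is unchanged now depends on how getLink() computes it, which is outside this hunk — worth confirming, because the CSRF and injection lessons touched by this commit previously used getDefaultCategory() for the same parameter. The enclosing class continues outside the hunk.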


@ -186,10 +186,8 @@ public class CSRF extends LessonAdapter {
for ( int i = 0; results.next(); i++ )
{
String link = "<a href='attack?" + NUMBER + "=" + results.getInt( NUM_COL ) +
"&Screen=" + String.valueOf(getScreenId()) +
"&menu=" + getDefaultCategory().getRanking().toString() +
"' style='cursor:hand'>" + results.getString( TITLE_COL ) + "</a>";
String link = "<a href='" + getLink() + "&" + NUMBER + "=" + results.getInt( NUM_COL ) +
"' style='cursor:hand'>" + results.getString( TITLE_COL ) + "</a>";
TD td = new TD().addElement( link );
TR tr = new TR().addElement( td );
t.addElement( tr );
@ -297,9 +295,7 @@ public class CSRF extends LessonAdapter {
hints.add( "Enter some text and try to include an image in there." );
hints.add( "In order to make the picture almost invisible try to add width=\"1\" and height=\"1\"." );
hints.add( "The format of an image in html is <pre>&lt;img src=\"[URL]\" width=\"1\" height=\"1\" /&gt;</pre>");
hints.add( "Include this URL in the message <pre>&lt;img src='http://localhost/WebGoat/attack?"+
"Screen=" + String.valueOf(getScreenId()) +
"&menu=" + getDefaultCategory().getRanking().toString() +
hints.add( "Include this URL in the message <pre>&lt;img src='" + getLink() +
"&transferFunds=5000' width=\"1\" height=\"1\" /&gt;</pre>");
return hints;
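Review bot: The new link line in the first hunk appends `"&" + NUMBER + "=" + results.getInt( NUM_COL )` directly to getLink(), so it silently depends on getLink() already containing a `?` query string; a comment such as `// getLink() already carries Screen/menu, so further parameters are appended with '&'` would make that contract explicit. The removed lines took the menu value from getDefaultCategory().getRanking(), whereas the menu inside getLink() may come from a different source, so generated links could change for a lesson shown under a non-default category — confirm against AbstractLesson.getLink(). In the second hunk the hint's URL changes from the absolute `http://localhost/WebGoat/attack?...` to whatever getLink() returns; if that is a relative URL the text shown to the learner changes meaning, which may or may not be intended. Both enclosing methods start outside their hunks.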


@ -95,9 +95,7 @@ public class DOMInjection extends LessonAdapter
String lineSep = System.getProperty("line.separator");
String script = "<script>" + lineSep + "function validate() {"
+ lineSep + "var keyField = document.getElementById('key');"
+ lineSep + "var url = '/WebGoat/attack?Screen="
+ String.valueOf(getScreenId()) + "&menu="
+ getDefaultCategory().getRanking().toString()
+ lineSep + "var url = '" + getLink()
+ "&from=ajax&key=' + encodeURIComponent(keyField.value);"
+ lineSep + "if (typeof XMLHttpRequest != 'undefined') {"
+ lineSep + "req = new XMLHttpRequest();" + lineSep
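Review bot: The new line splices getLink() into a single-quoted JavaScript string literal (`"var url = '" + getLink()`), replacing the absolute path `/WebGoat/attack?...`; if getLink() returns a context-relative `attack?...`, the XMLHttpRequest URL now resolves against the current document location rather than the servlet path, and should the value ever contain `'` or `\` the generated script would break. The same substitution is made in JSONInjection, SilentTransactions and XMLInjection in this commit. A short comment at the call site, e.g. `// getLink() is relative to the current page and already contains '?'`, would record the assumption; a JavaScript-string escaping helper would be the stronger fix if the link can ever contain quote characters. The enclosing method starts and ends outside the hunk.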


@ -135,10 +135,7 @@ public class JSONInjection extends LessonAdapter
+ lineSep
+ "if (toField.value.length < 3 ) { return; }"
+ lineSep
+ "var url = '/WebGoat/attack?Screen="
+ String.valueOf(getScreenId())
+ "&menu="
+ getDefaultCategory().getRanking().toString()
+ "var url = '" + getLink()
+ "&from=ajax&"
+ TRAVEL_FROM
+ "=' + encodeURIComponent(fromField.value) +"


@ -189,10 +189,7 @@ public class SilentTransactions extends LessonAdapter
+ lineSep
+ "function submitData(accountNo, balance) {"
+ lineSep
+ "var url = '/WebGoat/attack?Screen="
+ String.valueOf(getScreenId())
+ "&menu="
+ getDefaultCategory().getRanking().toString()
+ "var url = '" + getLink()
+ "&from=ajax&newAccount='+ accountNo+ '&amount=' + balance +'&confirm=' + document.getElementById('confirm').value; "
+ lineSep + "if (typeof XMLHttpRequest != 'undefined') {"
+ lineSep + "req = new XMLHttpRequest();" + lineSep


@ -159,10 +159,7 @@ public class XMLInjection extends LessonAdapter
+ lineSep
+ "if (accountIDField.value.length < 6 ) { return; }"
+ lineSep
+ "var url = '/WebGoat/attack?Screen="
+ String.valueOf(getScreenId())
+ "&menu="
+ getDefaultCategory().getRanking().toString()
+ "var url = '" + getLink()
+ "&from=ajax&"
+ ACCOUNTID
+ "=' + encodeURIComponent(accountIDField.value);"


@ -360,42 +360,7 @@ public class WebSession
public String getRestartLink()
{
List<String> parameters = new ArrayList<String>();
String screenValue = request.getParameter(SCREEN);
if (screenValue != null)
parameters.add(SCREEN + "=" + screenValue);
String menuValue = request.getParameter(MENU);
if (menuValue != null)
parameters.add(MENU + "=" + menuValue);
parameters.add(RESTART + "=" + currentScreen);
return makeQuery("attack", parameters);
}
private String makeQuery(String resource, List parameters)
{
StringBuffer query = new StringBuffer(resource);
boolean isFirstParameter = true;
Iterator i = parameters.iterator();
while (i.hasNext())
{
String parameter = (String) i.next();
if (isFirstParameter)
{
query.append("?");
isFirstParameter = false;
}
else
query.append("&");
query.append(parameter);
}
return query.toString();
return getCurrentLesson().getLink() + "&" + RESTART + "=" + getCurrentScreen();
}
public String getCurrentLink()
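Review bot: The new getRestartLink() body calls getCurrentLesson().getLink() unconditionally, whereas the removed implementation only read request parameters and so also produced a link when no lesson was current; if getCurrentLesson() can return null (its definition is outside this hunk), this now throws a NullPointerException instead of returning a restart link. Consider assigning the lesson to a local and null-checking it before building the link, or document the precondition with `@throws NullPointerException if no lesson is current`. The `"&"` also assumes getLink() already carries a `?` query, which deserves a one-line comment. getCurrentLink() begins on the last hunk line and continues outside the hunk.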