Use AbstractLesson.getLink() and getFormAction() more
Rather than constructing URLs manually all the time, make use of the existing mechanisms to create the URL, and use them consistently. git-svn-id: http://webgoat.googlecode.com/svn/trunk@184 4033779f-a91e-0410-96ef-6bf7bf53c507
		| @ -795,9 +795,9 @@ public abstract class AbstractLesson extends Screen implements Comparable | |||||||
|     } |     } | ||||||
|  |  | ||||||
|  |  | ||||||
|     protected String getFormAction() |     public String getFormAction() | ||||||
|     { |     { | ||||||
| 	return "attack" + "?menu=" + getCategory().getRanking(); | 	return getLink(); | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |  | ||||||
|  | |||||||
| @ -186,10 +186,8 @@ public class CSRF extends LessonAdapter { | |||||||
|  |  | ||||||
| 				for ( int i = 0; results.next(); i++ ) | 				for ( int i = 0; results.next(); i++ ) | ||||||
| 				{ | 				{ | ||||||
| 					String link = "<a href='attack?" + NUMBER + "=" + results.getInt( NUM_COL ) + | 					String link = "<a href='" + getLink() + "&" + NUMBER + "=" + results.getInt( NUM_COL ) + | ||||||
| 			        "&Screen=" + String.valueOf(getScreenId()) + | 					"' style='cursor:hand'>" +  results.getString( TITLE_COL ) + "</a>"; | ||||||
| 			        "&menu=" + getDefaultCategory().getRanking().toString() + |  | ||||||
| 			        "' style='cursor:hand'>" +  results.getString( TITLE_COL ) + "</a>"; |  | ||||||
| 					TD td = new TD().addElement( link ); | 					TD td = new TD().addElement( link ); | ||||||
| 					TR tr = new TR().addElement( td ); | 					TR tr = new TR().addElement( td ); | ||||||
| 					t.addElement( tr ); | 					t.addElement( tr ); | ||||||
| @ -297,9 +295,7 @@ public class CSRF extends LessonAdapter { | |||||||
| 		hints.add( "Enter some text and try to include an image in there." ); | 		hints.add( "Enter some text and try to include an image in there." ); | ||||||
| 		hints.add( "In order to make the picture almost invisible try to add width=\"1\" and height=\"1\"." ); | 		hints.add( "In order to make the picture almost invisible try to add width=\"1\" and height=\"1\"." ); | ||||||
| 		hints.add( "The format of an image in html is <pre><img src=\"[URL]\" width=\"1\" height=\"1\" /></pre>");		 | 		hints.add( "The format of an image in html is <pre><img src=\"[URL]\" width=\"1\" height=\"1\" /></pre>");		 | ||||||
| 		hints.add( "Include this URL in the message <pre><img src='http://localhost/WebGoat/attack?"+ | 		hints.add( "Include this URL in the message <pre><img src='" + getLink() + | ||||||
| 			        "Screen=" + String.valueOf(getScreenId()) + |  | ||||||
| 			        "&menu=" + getDefaultCategory().getRanking().toString() + |  | ||||||
| 			        "&transferFunds=5000' width=\"1\" height=\"1\" /></pre>"); | 			        "&transferFunds=5000' width=\"1\" height=\"1\" /></pre>"); | ||||||
| 		 | 		 | ||||||
| 		return hints; | 		return hints; | ||||||
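Review bot: The link built at the top of the first hunk appends `"&" + NUMBER + "="` directly after `getLink()`, so it silently assumes `getLink()` already ends in a query string; if that method ever returns a bare path, the leading `&` produces a malformed URL. The same assumption is made in the DOMInjection, JSONInjection, SilentTransactions and XMLInjection hunks, in `WebSession.getRestartLink()` and in the `sendRedirect` of the configuration JSP further down. Either document it on `getLink()` (outside this hunk) with `Always contains a query string; callers may append further parameters with '&'.` or route the appending through a single helper. In the hints hunk, the old text gave learners an absolute `http://localhost/WebGoat/attack?` URL while the new one embeds whatever `getLink()` returns, presumably a context-relative link; confirm the hint still reads as a complete URL for the lesson. The enclosing methods start outside both hunks.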
|  | |||||||
| @ -95,9 +95,7 @@ public class DOMInjection extends LessonAdapter | |||||||
| 	String lineSep = System.getProperty("line.separator"); | 	String lineSep = System.getProperty("line.separator"); | ||||||
| 	String script = "<script>" + lineSep + "function validate() {" | 	String script = "<script>" + lineSep + "function validate() {" | ||||||
| 		+ lineSep + "var keyField = document.getElementById('key');" | 		+ lineSep + "var keyField = document.getElementById('key');" | ||||||
| 		+ lineSep + "var url = '/WebGoat/attack?Screen=" | 		+ lineSep + "var url = '" + getLink()  | ||||||
| 		+ String.valueOf(getScreenId()) + "&menu=" |  | ||||||
| 		+ getDefaultCategory().getRanking().toString() |  | ||||||
| 		+ "&from=ajax&key=' + encodeURIComponent(keyField.value);" | 		+ "&from=ajax&key=' + encodeURIComponent(keyField.value);" | ||||||
| 		+ lineSep + "if (typeof XMLHttpRequest != 'undefined') {" | 		+ lineSep + "if (typeof XMLHttpRequest != 'undefined') {" | ||||||
| 		+ lineSep + "req = new XMLHttpRequest();" + lineSep | 		+ lineSep + "req = new XMLHttpRequest();" + lineSep | ||||||
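Review bot: `getLink()` is concatenated unescaped into a single-quoted JavaScript string literal inside the generated `<script>`; the values it replaces (`getScreenId()` and the category ranking) were numeric, whereas the composition of `getLink()` is not visible in this hunk. If it can ever include a quote, `</script>` or request-derived text, it needs JavaScript-string escaping before being inlined; at minimum add `// getLink() is inlined into a JS string literal: it must never contain quotes or request-derived text` at the `var url` assignment. The same construction appears in the JSONInjection, SilentTransactions and XMLInjection hunks below. The enclosing method starts and ends outside the hunk.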
|  | |||||||
| @ -135,10 +135,7 @@ public class JSONInjection extends LessonAdapter | |||||||
| 		+ lineSep | 		+ lineSep | ||||||
| 		+ "if (toField.value.length < 3 ) { return; }" | 		+ "if (toField.value.length < 3 ) { return; }" | ||||||
| 		+ lineSep | 		+ lineSep | ||||||
| 		+ "var url = '/WebGoat/attack?Screen=" | 		+ "var url = '" + getLink()  | ||||||
| 		+ String.valueOf(getScreenId()) |  | ||||||
| 		+ "&menu=" |  | ||||||
| 		+ getDefaultCategory().getRanking().toString() |  | ||||||
| 		+ "&from=ajax&" | 		+ "&from=ajax&" | ||||||
| 		+ TRAVEL_FROM | 		+ TRAVEL_FROM | ||||||
| 		+ "=' + encodeURIComponent(fromField.value) +" | 		+ "=' + encodeURIComponent(fromField.value) +" | ||||||
|  | |||||||
| @ -189,10 +189,7 @@ public class SilentTransactions extends LessonAdapter | |||||||
| 		+ lineSep | 		+ lineSep | ||||||
| 		+ "function submitData(accountNo, balance) {" | 		+ "function submitData(accountNo, balance) {" | ||||||
| 		+ lineSep | 		+ lineSep | ||||||
| 		+ "var url = '/WebGoat/attack?Screen=" | 		+ "var url = '" + getLink() | ||||||
| 		+ String.valueOf(getScreenId()) |  | ||||||
| 		+ "&menu=" |  | ||||||
| 		+ getDefaultCategory().getRanking().toString() |  | ||||||
| 		+ "&from=ajax&newAccount='+ accountNo+ '&amount=' + balance +'&confirm=' + document.getElementById('confirm').value; " | 		+ "&from=ajax&newAccount='+ accountNo+ '&amount=' + balance +'&confirm=' + document.getElementById('confirm').value; " | ||||||
| 		+ lineSep + "if (typeof XMLHttpRequest != 'undefined') {" | 		+ lineSep + "if (typeof XMLHttpRequest != 'undefined') {" | ||||||
| 		+ lineSep + "req = new XMLHttpRequest();" + lineSep | 		+ lineSep + "req = new XMLHttpRequest();" + lineSep | ||||||
|  | |||||||
| @ -159,10 +159,7 @@ public class XMLInjection extends LessonAdapter | |||||||
| 		+ lineSep | 		+ lineSep | ||||||
| 		+ "if (accountIDField.value.length < 6 ) { return; }" | 		+ "if (accountIDField.value.length < 6 ) { return; }" | ||||||
| 		+ lineSep | 		+ lineSep | ||||||
| 		+ "var url = '/WebGoat/attack?Screen=" | 		+ "var url = '" + getLink() | ||||||
| 		+ String.valueOf(getScreenId()) |  | ||||||
| 		+ "&menu=" |  | ||||||
| 		+ getDefaultCategory().getRanking().toString() |  | ||||||
| 		+ "&from=ajax&" | 		+ "&from=ajax&" | ||||||
| 		+ ACCOUNTID | 		+ ACCOUNTID | ||||||
| 		+ "=' + encodeURIComponent(accountIDField.value);" | 		+ "=' + encodeURIComponent(accountIDField.value);" | ||||||
|  | |||||||
| @ -360,42 +360,7 @@ public class WebSession | |||||||
|  |  | ||||||
| 	public String getRestartLink() | 	public String getRestartLink() | ||||||
| 	{ | 	{ | ||||||
| 		List<String> parameters = new ArrayList<String>(); | 		return getCurrentLesson().getLink() + "&" + RESTART + "=" + getCurrentScreen(); | ||||||
| 		 |  | ||||||
| 		String screenValue = request.getParameter(SCREEN); |  | ||||||
| 		if (screenValue != null) |  | ||||||
| 			parameters.add(SCREEN + "=" + screenValue); |  | ||||||
| 		 |  | ||||||
| 		String menuValue = request.getParameter(MENU); |  | ||||||
| 		if (menuValue != null) |  | ||||||
| 			parameters.add(MENU + "=" + menuValue); |  | ||||||
| 		 |  | ||||||
| 		parameters.add(RESTART + "=" + currentScreen); |  | ||||||
| 		 |  | ||||||
| 		return makeQuery("attack", parameters); |  | ||||||
| 	} |  | ||||||
| 	 |  | ||||||
| 	private String makeQuery(String resource, List parameters) |  | ||||||
| 	{ |  | ||||||
| 		StringBuffer query = new StringBuffer(resource); |  | ||||||
| 		 |  | ||||||
| 		boolean isFirstParameter = true; |  | ||||||
| 		Iterator i = parameters.iterator(); |  | ||||||
| 		 |  | ||||||
| 		while (i.hasNext()) |  | ||||||
| 		{ |  | ||||||
| 			String parameter = (String) i.next(); |  | ||||||
| 			if (isFirstParameter) |  | ||||||
| 			{ |  | ||||||
| 				query.append("?"); |  | ||||||
| 				isFirstParameter = false; |  | ||||||
| 			} |  | ||||||
| 			else |  | ||||||
| 				query.append("&"); |  | ||||||
| 			query.append(parameter); |  | ||||||
| 		} |  | ||||||
| 		 |  | ||||||
| 		return query.toString(); |  | ||||||
| 	} | 	} | ||||||
| 	 | 	 | ||||||
| 	public String getCurrentLink() | 	public String getCurrentLink() | ||||||
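Review bot: `getRestartLink()` has no Javadoc although its behaviour changed from echoing the request's `Screen` and `menu` parameters to deriving the link from `getCurrentLesson()`; add `/** Link to the current lesson with the RESTART parameter appended; the Screen and menu values come from the current lesson, not from the incoming request. */`. `getCurrentScreen()` is appended without any encoding, which is fine only if it is numeric, and whether `getCurrentLesson()` can be null at this point is not visible here. With `makeQuery` deleted, the `List`, `ArrayList` and `Iterator` imports may now be unused if nothing else in `WebSession` references them; that is outside the hunk.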
|  | |||||||
| @ -1,5 +1,9 @@ | |||||||
| <%@ page language="java" contentType="text/html; charset=ISO-8859-1" | <%@ page language="java" contentType="text/html; charset=ISO-8859-1" | ||||||
|     pageEncoding="ISO-8859-1"%> |     pageEncoding="ISO-8859-1"%> | ||||||
|  | <%@page import="org.owasp.webgoat.session.WebSession"%> | ||||||
|  | <% | ||||||
|  | WebSession webSession = ((WebSession)session.getAttribute("websession")); | ||||||
|  | %> | ||||||
| <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> | <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> | ||||||
| <html> | <html> | ||||||
| <head> | <head> | ||||||
| @ -7,9 +11,7 @@ | |||||||
| <title>Configuration Page</title> | <title>Configuration Page</title> | ||||||
| </head> | </head> | ||||||
| <body> | <body> | ||||||
| <% response.sendRedirect("/WebGoat/attack?" + | <% response.sendRedirect(webSession.getCurrentLesson().getLink() + | ||||||
| 		        "Screen=" + request.getParameter("Screen") + |  | ||||||
| 		        "&menu=" + request.getParameter("menu") + |  | ||||||
| 		        "&succeeded=yes");  | 		        "&succeeded=yes");  | ||||||
| %> | %> | ||||||
|  |  | ||||||
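Review bot: The new scriptlet at the top of the page casts the `websession` attribute without a null check, and the redirect then calls `webSession.getCurrentLesson().getLink()`, so a request that reaches this page without an established lesson session now fails with a NullPointerException instead of redirecting. Guard it before the redirect, e.g. `if (webSession == null || webSession.getCurrentLesson() == null) { response.sendError(400); return; }`. The `"&succeeded=yes"` suffix also presumes `getLink()` already carries a query string, as noted on the CSRF hunk.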
|  | |||||||
| @ -7,7 +7,7 @@ | |||||||
| %> | %> | ||||||
| 		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div> | 		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div> | ||||||
| 		<div class="lesson_text"> | 		<div class="lesson_text"> | ||||||
| 			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 				<Table> | 				<Table> | ||||||
| 				<TR><TD> | 				<TR><TD> | ||||||
| 						First Name: | 						First Name: | ||||||
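Review bot: `getFormAction()` is written into the `action` attribute with `<%= %>`, which performs no HTML-attribute escaping; the `getCurrentMenu()` it replaces had the same property, but the new value is a whole link assembled elsewhere and, presumably, contains a raw `&` between query parameters, which belongs as `&amp;` inside a quoted attribute. Add a JSP comment on the line, `<%-- action comes from AbstractLesson.getFormAction(); it must not contain quotes or unescaped attribute characters --%>`, or escape the value at the point of output. The same one-line substitution repeats in every form section that follows, so this note applies to all of them.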
|  | |||||||
| @ -10,7 +10,7 @@ | |||||||
| 		<br> | 		<br> | ||||||
| 		<br> | 		<br> | ||||||
| 		<p>Select from the list below	</p> | 		<p>Select from the list below	</p> | ||||||
| 		<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 		<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
|   <table width="60%" border="0" cellpadding="3"> |   <table width="60%" border="0" cellpadding="3"> | ||||||
|     <tr> |     <tr> | ||||||
|       <td>  <label> |       <td>  <label> | ||||||
|  | |||||||
| @ -6,7 +6,7 @@ | |||||||
| 			<%  | 			<%  | ||||||
| 			WebSession webSession = ((WebSession)session.getAttribute("websession")); | 			WebSession webSession = ((WebSession)session.getAttribute("websession")); | ||||||
| 			%> | 			%> | ||||||
| 			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 			    	<label> | 			    	<label> | ||||||
| 			      	<select name="<%=CrossSiteScripting.EMPLOYEE_ID%>"> | 			      	<select name="<%=CrossSiteScripting.EMPLOYEE_ID%>"> | ||||||
| 			      	<% | 			      	<% | ||||||
|  | |||||||
| @ -12,7 +12,7 @@ | |||||||
| 			<% | 			<% | ||||||
| 			} | 			} | ||||||
| 			%> | 			%> | ||||||
| 			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 			    	<label>Name | 			    	<label>Name | ||||||
| 					<input class="lesson_text_db" type="text" name="<%=CrossSiteScripting.SEARCHNAME%>"/> | 					<input class="lesson_text_db" type="text" name="<%=CrossSiteScripting.SEARCHNAME%>"/> | ||||||
| 		        </label> | 		        </label> | ||||||
|  | |||||||
| @ -116,7 +116,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession")); | |||||||
| 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.LISTSTAFF_ACTION)) | 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.LISTSTAFF_ACTION)) | ||||||
| 					{ | 					{ | ||||||
| 					%> | 					%> | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=CrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=CrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=CrossSiteScripting.LISTSTAFF_ACTION%>"/> | 							<input type="submit" name="action" value="<%=CrossSiteScripting.LISTSTAFF_ACTION%>"/> | ||||||
| 						</form></td> | 						</form></td> | ||||||
| @ -128,7 +128,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession")); | |||||||
| 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.EDITPROFILE_ACTION)) | 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.EDITPROFILE_ACTION)) | ||||||
| 					{ | 					{ | ||||||
| 					%> | 					%> | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=CrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=CrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=CrossSiteScripting.EDITPROFILE_ACTION%>"/> | 							<input type="submit" name="action" value="<%=CrossSiteScripting.EDITPROFILE_ACTION%>"/> | ||||||
| 						</form> | 						</form> | ||||||
| @ -141,7 +141,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession")); | |||||||
| 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.DELETEPROFILE_ACTION)) | 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.DELETEPROFILE_ACTION)) | ||||||
| 					{ | 					{ | ||||||
| 					%> | 					%> | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=CrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=CrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=CrossSiteScripting.DELETEPROFILE_ACTION%>"/> | 							<input type="submit" name="action" value="<%=CrossSiteScripting.DELETEPROFILE_ACTION%>"/> | ||||||
| 						</form> | 						</form> | ||||||
|  | |||||||
| @ -7,7 +7,7 @@ | |||||||
| %> | %> | ||||||
| 		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div> | 		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div> | ||||||
| 		<div class="lesson_text"> | 		<div class="lesson_text"> | ||||||
| 			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 				<Table> | 				<Table> | ||||||
| 				<TR><TD> | 				<TR><TD> | ||||||
| 						First Name: | 						First Name: | ||||||
|  | |||||||
| @ -10,7 +10,7 @@ | |||||||
| 		<br> | 		<br> | ||||||
| 		<br> | 		<br> | ||||||
| 		<p>Select from the list below	</p> | 		<p>Select from the list below	</p> | ||||||
| 		<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 		<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
|   <table width="60%" border="0" cellpadding="3"> |   <table width="60%" border="0" cellpadding="3"> | ||||||
|     <tr> |     <tr> | ||||||
|       <td>  <label> |       <td>  <label> | ||||||
|  | |||||||
| @ -6,7 +6,7 @@ | |||||||
| 			<%  | 			<%  | ||||||
| 			WebSession webSession = ((WebSession)session.getAttribute("websession")); | 			WebSession webSession = ((WebSession)session.getAttribute("websession")); | ||||||
| 			%> | 			%> | ||||||
| 			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 			    	<label> | 			    	<label> | ||||||
| 			      	<select name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>"> | 			      	<select name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>"> | ||||||
| 			      	<% | 			      	<% | ||||||
|  | |||||||
| @ -12,7 +12,7 @@ | |||||||
| 			<% | 			<% | ||||||
| 			} | 			} | ||||||
| 			%> | 			%> | ||||||
| 			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 			    	<label>Name | 			    	<label>Name | ||||||
| 					<input class="lesson_text_db" type="text" name="<%=DBCrossSiteScripting.SEARCHNAME%>"/> | 					<input class="lesson_text_db" type="text" name="<%=DBCrossSiteScripting.SEARCHNAME%>"/> | ||||||
| 		        </label> | 		        </label> | ||||||
|  | |||||||
| @ -109,7 +109,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession")); | |||||||
| 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.LISTSTAFF_ACTION)) | 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.LISTSTAFF_ACTION)) | ||||||
| 					{ | 					{ | ||||||
| 					%> | 					%> | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=DBCrossSiteScripting.LISTSTAFF_ACTION%>"/> | 							<input type="submit" name="action" value="<%=DBCrossSiteScripting.LISTSTAFF_ACTION%>"/> | ||||||
| 						</form></td> | 						</form></td> | ||||||
| @ -121,7 +121,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession")); | |||||||
| 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.EDITPROFILE_ACTION)) | 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.EDITPROFILE_ACTION)) | ||||||
| 					{ | 					{ | ||||||
| 					%> | 					%> | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=DBCrossSiteScripting.EDITPROFILE_ACTION%>"/> | 							<input type="submit" name="action" value="<%=DBCrossSiteScripting.EDITPROFILE_ACTION%>"/> | ||||||
| 						</form> | 						</form> | ||||||
| @ -134,7 +134,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession")); | |||||||
| 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.DELETEPROFILE_ACTION)) | 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.DELETEPROFILE_ACTION)) | ||||||
| 					{ | 					{ | ||||||
| 					%> | 					%> | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=DBCrossSiteScripting.DELETEPROFILE_ACTION%>"/> | 							<input type="submit" name="action" value="<%=DBCrossSiteScripting.DELETEPROFILE_ACTION%>"/> | ||||||
| 						</form> | 						</form> | ||||||
|  | |||||||
| @ -7,7 +7,7 @@ | |||||||
| %> | %> | ||||||
| 		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div> | 		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div> | ||||||
| 		<div class="lesson_text"> | 		<div class="lesson_text"> | ||||||
| 			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 				<Table> | 				<Table> | ||||||
| 				<TR><TD> | 				<TR><TD> | ||||||
| 						First Name: | 						First Name: | ||||||
|  | |||||||
| @ -11,7 +11,7 @@ | |||||||
| 		<br> | 		<br> | ||||||
| 		<p>Select from the list below	</p> | 		<p>Select from the list below	</p> | ||||||
|  |  | ||||||
| 		<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 		<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
|   <table width="60%" border="0" cellpadding="3"> |   <table width="60%" border="0" cellpadding="3"> | ||||||
|     <tr> |     <tr> | ||||||
|       <td>  <label> |       <td>  <label> | ||||||
|  | |||||||
| @ -6,7 +6,7 @@ | |||||||
| 			<%  | 			<%  | ||||||
| 			WebSession webSession = ((WebSession)session.getAttribute("websession")); | 			WebSession webSession = ((WebSession)session.getAttribute("websession")); | ||||||
| 			%> | 			%> | ||||||
| 			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 			    	<label> | 			    	<label> | ||||||
| 			      	<select name="<%=DBSQLInjection.EMPLOYEE_ID%>"> | 			      	<select name="<%=DBSQLInjection.EMPLOYEE_ID%>"> | ||||||
| 			      	<% | 			      	<% | ||||||
|  | |||||||
| @ -12,7 +12,7 @@ | |||||||
| 			<% | 			<% | ||||||
| 			} | 			} | ||||||
| 			%> | 			%> | ||||||
| 			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 			    	<label>Name | 			    	<label>Name | ||||||
| 					<input class="lesson_text_db" type="text" name="<%=DBSQLInjection.SEARCHNAME%>"/> | 					<input class="lesson_text_db" type="text" name="<%=DBSQLInjection.SEARCHNAME%>"/> | ||||||
| 		        </label> | 		        </label> | ||||||
|  | |||||||
| @ -109,7 +109,7 @@ | |||||||
| 					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBSQLInjection.LISTSTAFF_ACTION)) | 					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBSQLInjection.LISTSTAFF_ACTION)) | ||||||
| 					 { | 					 { | ||||||
| 					 %>                	 | 					 %>                	 | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=DBSQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=DBSQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=DBSQLInjection.LISTSTAFF_ACTION%>"/> | 							<input type="submit" name="action" value="<%=DBSQLInjection.LISTSTAFF_ACTION%>"/> | ||||||
| 						</form> | 						</form> | ||||||
| @ -122,7 +122,7 @@ | |||||||
| 					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBSQLInjection.EDITPROFILE_ACTION)) | 					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBSQLInjection.EDITPROFILE_ACTION)) | ||||||
| 					 { | 					 { | ||||||
| 					 %> | 					 %> | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=DBSQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=DBSQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=DBSQLInjection.EDITPROFILE_ACTION%>"/> | 							<input type="submit" name="action" value="<%=DBSQLInjection.EDITPROFILE_ACTION%>"/> | ||||||
| 						</form> | 						</form> | ||||||
| @ -135,7 +135,7 @@ | |||||||
| 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBSQLInjection.DELETEPROFILE_ACTION)) | 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBSQLInjection.DELETEPROFILE_ACTION)) | ||||||
| 					{ | 					{ | ||||||
| 					%> | 					%> | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=DBSQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=DBSQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=DBSQLInjection.DELETEPROFILE_ACTION%>"/> | 							<input type="submit" name="action" value="<%=DBSQLInjection.DELETEPROFILE_ACTION%>"/> | ||||||
| 						</form> | 						</form> | ||||||
|  | |||||||
| @ -7,7 +7,7 @@ | |||||||
| %> | %> | ||||||
| 		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Edit Profile Page</div> | 		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Edit Profile Page</div> | ||||||
| 		<div class="lesson_text"> | 		<div class="lesson_text"> | ||||||
| 			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| <Table border="0" cellpadding="0" cellspacing="0"> | <Table border="0" cellpadding="0" cellspacing="0"> | ||||||
| 				<TR><TD width="110"> | 				<TR><TD width="110"> | ||||||
| 						First Name: | 						First Name: | ||||||
|  | |||||||
| @ -11,7 +11,7 @@ | |||||||
| 		<br> | 		<br> | ||||||
| 		<p>Select from the list below	</p> | 		<p>Select from the list below	</p> | ||||||
|  |  | ||||||
| 		<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 		<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
|   <table width="60%" border="0" cellpadding="3"> |   <table width="60%" border="0" cellpadding="3"> | ||||||
|     <tr> |     <tr> | ||||||
|       <td>  <label> |       <td>  <label> | ||||||
|  | |||||||
| @ -6,7 +6,7 @@ | |||||||
| 			<%  | 			<%  | ||||||
| 			WebSession webSession = ((WebSession)session.getAttribute("websession")); | 			WebSession webSession = ((WebSession)session.getAttribute("websession")); | ||||||
| 			%> | 			%> | ||||||
| 			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 			    	<label> | 			    	<label> | ||||||
| 			      	<select name="<%=GoatHillsFinancial.EMPLOYEE_ID%>"> | 			      	<select name="<%=GoatHillsFinancial.EMPLOYEE_ID%>"> | ||||||
| 			      	<% | 			      	<% | ||||||
|  | |||||||
| @ -12,7 +12,7 @@ | |||||||
| 			<% | 			<% | ||||||
| 			} | 			} | ||||||
| 			%> | 			%> | ||||||
| 				<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 				<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 			    	<label>Name | 			    	<label>Name | ||||||
| 					<input class="lesson_text_db" type="text" name="<%=GoatHillsFinancial.SEARCHNAME%>"/> | 					<input class="lesson_text_db" type="text" name="<%=GoatHillsFinancial.SEARCHNAME%>"/> | ||||||
| 		        </label> | 		        </label> | ||||||
|  | |||||||
| @ -113,7 +113,7 @@ | |||||||
| 					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), GoatHillsFinancial.LISTSTAFF_ACTION)) | 					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), GoatHillsFinancial.LISTSTAFF_ACTION)) | ||||||
| 					 { | 					 { | ||||||
| 					 %> | 					 %> | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=GoatHillsFinancial.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=GoatHillsFinancial.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=GoatHillsFinancial.LISTSTAFF_ACTION%>"/> | 							<input type="submit" name="action" value="<%=GoatHillsFinancial.LISTSTAFF_ACTION%>"/> | ||||||
| 						</form> | 						</form> | ||||||
| @ -125,7 +125,7 @@ | |||||||
| 					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), GoatHillsFinancial.EDITPROFILE_ACTION)) | 					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), GoatHillsFinancial.EDITPROFILE_ACTION)) | ||||||
| 					 { | 					 { | ||||||
| 					 %> | 					 %> | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=GoatHillsFinancial.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=GoatHillsFinancial.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=GoatHillsFinancial.EDITPROFILE_ACTION%>"/> | 							<input type="submit" name="action" value="<%=GoatHillsFinancial.EDITPROFILE_ACTION%>"/> | ||||||
| 						</form> | 						</form> | ||||||
| @ -138,7 +138,7 @@ | |||||||
| 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), GoatHillsFinancial.DELETEPROFILE_ACTION)) | 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), GoatHillsFinancial.DELETEPROFILE_ACTION)) | ||||||
| 					{ | 					{ | ||||||
| 					%> | 					%> | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=GoatHillsFinancial.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=GoatHillsFinancial.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=GoatHillsFinancial.DELETEPROFILE_ACTION%>"/> | 							<input type="submit" name="action" value="<%=GoatHillsFinancial.DELETEPROFILE_ACTION%>"/> | ||||||
| 						</form> | 						</form> | ||||||
|  | |||||||
| @ -7,7 +7,7 @@ | |||||||
| %> | %> | ||||||
| <br><br><br>An error has occurred. | <br><br><br>An error has occurred. | ||||||
| <br><br><br> | <br><br><br> | ||||||
| <form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | <form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
|  |  | ||||||
|  <input type="submit" name="action" value="<%=GoatHillsFinancial.LOGIN_ACTION%>"/> |  <input type="submit" name="action" value="<%=GoatHillsFinancial.LOGIN_ACTION%>"/> | ||||||
| </form> | </form> | ||||||
| @ -7,7 +7,7 @@ | |||||||
| %> | %> | ||||||
| 		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Edit Profile Page</div> | 		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Edit Profile Page</div> | ||||||
| 		<div class="lesson_text"> | 		<div class="lesson_text"> | ||||||
| 			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| <Table border="0" cellpadding="0" cellspacing="0"> | <Table border="0" cellpadding="0" cellspacing="0"> | ||||||
| 				<TR><TD width="110"> | 				<TR><TD width="110"> | ||||||
| 						First Name: | 						First Name: | ||||||
|  | |||||||
| @ -11,7 +11,7 @@ | |||||||
| 		<br> | 		<br> | ||||||
| 		<p>Select from the list below	</p> | 		<p>Select from the list below	</p> | ||||||
|  |  | ||||||
| 		<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 		<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
|   <table width="60%" border="0" cellpadding="3"> |   <table width="60%" border="0" cellpadding="3"> | ||||||
|     <tr> |     <tr> | ||||||
|       <td>  <label> |       <td>  <label> | ||||||
|  | |||||||
| @ -6,7 +6,7 @@ | |||||||
| 			<%  | 			<%  | ||||||
| 			WebSession webSession = ((WebSession)session.getAttribute("websession")); | 			WebSession webSession = ((WebSession)session.getAttribute("websession")); | ||||||
| 			%> | 			%> | ||||||
| 			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 			    	<label> | 			    	<label> | ||||||
| 			      	<select name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>"> | 			      	<select name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>"> | ||||||
| 			      	<% | 			      	<% | ||||||
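Review bot: The new action expression on the form line dereferences `webSession.getCurrentLesson()` with no null check, two lines after `webSession` is pulled straight out of the session attribute; a missing attribute or an unset current lesson would throw a NullPointerException while rendering, which the container typically turns into a stack-trace error page. The old `getCurrentMenu()` call already assumed a non-null `webSession`, so only the second hop is new, but it is worth guarding once at the top of the page rather than on each form, e.g. `<% if (webSession == null || webSession.getCurrentLesson() == null) { return; } %>` placed right after the session lookup. Whether `getCurrentLesson()` can actually return null depends on WebSession, which is outside this diff.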
|  | |||||||
| @ -12,7 +12,7 @@ | |||||||
| 			<% | 			<% | ||||||
| 			} | 			} | ||||||
| 			%> | 			%> | ||||||
| 				<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 				<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 			    	<label>Name | 			    	<label>Name | ||||||
| 					<input class="lesson_text_db" type="text" name="<%=RoleBasedAccessControl.SEARCHNAME%>"/> | 					<input class="lesson_text_db" type="text" name="<%=RoleBasedAccessControl.SEARCHNAME%>"/> | ||||||
| 		        </label> | 		        </label> | ||||||
|  | |||||||
| @ -113,7 +113,7 @@ | |||||||
| 					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.LISTSTAFF_ACTION)) | 					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.LISTSTAFF_ACTION)) | ||||||
| 					 { | 					 { | ||||||
| 					 %> | 					 %> | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=RoleBasedAccessControl.LISTSTAFF_ACTION%>"/> | 							<input type="submit" name="action" value="<%=RoleBasedAccessControl.LISTSTAFF_ACTION%>"/> | ||||||
| 						</form> | 						</form> | ||||||
| @ -125,7 +125,7 @@ | |||||||
| 					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.EDITPROFILE_ACTION)) | 					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.EDITPROFILE_ACTION)) | ||||||
| 					 { | 					 { | ||||||
| 					 %> | 					 %> | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=RoleBasedAccessControl.EDITPROFILE_ACTION%>"/> | 							<input type="submit" name="action" value="<%=RoleBasedAccessControl.EDITPROFILE_ACTION%>"/> | ||||||
| 						</form> | 						</form> | ||||||
| @ -138,7 +138,7 @@ | |||||||
| 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.DELETEPROFILE_ACTION)) | 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.DELETEPROFILE_ACTION)) | ||||||
| 					{ | 					{ | ||||||
| 					%> | 					%> | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=RoleBasedAccessControl.DELETEPROFILE_ACTION%>"/> | 							<input type="submit" name="action" value="<%=RoleBasedAccessControl.DELETEPROFILE_ACTION%>"/> | ||||||
| 						</form> | 						</form> | ||||||
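Review bot: The three form actions in this section emit the raw value of `getFormAction()` into an HTML attribute through `<%= %>`, which performs no encoding; the same `getLink()` value is joined with a bare `&` by callers elsewhere in this commit (`getLink() %>&show=Params`), so the attribute presumably carries an unescaped `&` and would carry any other reserved character that ends up in the link. Browsers tolerate `&` followed by an unknown entity name, but the correct form inside an attribute is `&amp;`, and encoding at the point of output is what keeps a later non-numeric parameter from becoming an injection point. The values appear to derive from lesson rankings and screen ids, so this reads as output hygiene rather than an exploitable defect; an attribute-encoding wrapper (`fn:escapeXml` if JSTL is available) or having `getFormAction()` return an attribute-safe string would cover all thirteen call sites in this commit at once.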
|  | |||||||
| @ -7,7 +7,7 @@ | |||||||
| %> | %> | ||||||
| <br><br><br>An error has occurred. | <br><br><br>An error has occurred. | ||||||
| <br><br><br> | <br><br><br> | ||||||
| <form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | <form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
|  |  | ||||||
|  <input type="submit" name="action" value="<%=RoleBasedAccessControl.LOGIN_ACTION%>"/> |  <input type="submit" name="action" value="<%=RoleBasedAccessControl.LOGIN_ACTION%>"/> | ||||||
| </form> | </form> | ||||||
| @ -7,7 +7,7 @@ | |||||||
| %> | %> | ||||||
| 		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div> | 		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div> | ||||||
| 		<div class="lesson_text"> | 		<div class="lesson_text"> | ||||||
| 			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 				<Table> | 				<Table> | ||||||
| 				<TR><TD> | 				<TR><TD> | ||||||
| 						First Name: | 						First Name: | ||||||
|  | |||||||
| @ -11,7 +11,7 @@ | |||||||
| 		<br> | 		<br> | ||||||
| 		<p>Select from the list below	</p> | 		<p>Select from the list below	</p> | ||||||
|  |  | ||||||
| 		<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 		<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
|   <table width="60%" border="0" cellpadding="3"> |   <table width="60%" border="0" cellpadding="3"> | ||||||
|     <tr> |     <tr> | ||||||
|       <td>  <label> |       <td>  <label> | ||||||
|  | |||||||
| @ -6,7 +6,7 @@ | |||||||
| 			<%  | 			<%  | ||||||
| 			WebSession webSession = ((WebSession)session.getAttribute("websession")); | 			WebSession webSession = ((WebSession)session.getAttribute("websession")); | ||||||
| 			%> | 			%> | ||||||
| 			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 			    	<label> | 			    	<label> | ||||||
| 			      	<select name="<%=SQLInjection.EMPLOYEE_ID%>"> | 			      	<select name="<%=SQLInjection.EMPLOYEE_ID%>"> | ||||||
| 			      	<% | 			      	<% | ||||||
|  | |||||||
| @ -12,7 +12,7 @@ | |||||||
| 			<% | 			<% | ||||||
| 			} | 			} | ||||||
| 			%> | 			%> | ||||||
| 			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 			    	<label>Name | 			    	<label>Name | ||||||
| 					<input class="lesson_text_db" type="text" name="<%=SQLInjection.SEARCHNAME%>"/> | 					<input class="lesson_text_db" type="text" name="<%=SQLInjection.SEARCHNAME%>"/> | ||||||
| 		        </label> | 		        </label> | ||||||
|  | |||||||
| @ -109,7 +109,7 @@ | |||||||
| 					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.LISTSTAFF_ACTION)) | 					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.LISTSTAFF_ACTION)) | ||||||
| 					 { | 					 { | ||||||
| 					 %>                	 | 					 %>                	 | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=SQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=SQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=SQLInjection.LISTSTAFF_ACTION%>"/> | 							<input type="submit" name="action" value="<%=SQLInjection.LISTSTAFF_ACTION%>"/> | ||||||
| 						</form> | 						</form> | ||||||
| @ -122,7 +122,7 @@ | |||||||
| 					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.EDITPROFILE_ACTION)) | 					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.EDITPROFILE_ACTION)) | ||||||
| 					 { | 					 { | ||||||
| 					 %> | 					 %> | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=SQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=SQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=SQLInjection.EDITPROFILE_ACTION%>"/> | 							<input type="submit" name="action" value="<%=SQLInjection.EDITPROFILE_ACTION%>"/> | ||||||
| 						</form> | 						</form> | ||||||
| @ -135,7 +135,7 @@ | |||||||
| 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.DELETEPROFILE_ACTION)) | 					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.DELETEPROFILE_ACTION)) | ||||||
| 					{ | 					{ | ||||||
| 					%> | 					%> | ||||||
| 						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>"> | 						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>"> | ||||||
| 							<input type="hidden" name="<%=SQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | 							<input type="hidden" name="<%=SQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>"> | ||||||
| 							<input type="submit" name="action" value="<%=SQLInjection.DELETEPROFILE_ACTION%>"/> | 							<input type="submit" name="action" value="<%=SQLInjection.DELETEPROFILE_ACTION%>"/> | ||||||
| 						</form> | 						</form> | ||||||
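Review bot: The profile page in this section is a near-verbatim copy of the GoatHillsFinancial and RoleBasedAccessControl versions earlier in the commit, differing only in the constants class, which is why this one-line action change had to be applied to the list/edit/delete forms in each of three files. A shared JSP fragment (`<jsp:include>` or a tag file) parameterised on the constants would let the form action, the hidden `EMPLOYEE_ID` input and the `isAuthorizedInLesson` gate live in one place, so the next URL-building change cannot drift between lessons. The SQLInjection lesson may be meant to diverge from the others later, so this is a suggestion rather than a blocker.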
|  | |||||||
| @ -141,7 +141,7 @@ StringBuffer buildList = new StringBuffer(); | |||||||
| 				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Params" target="_top" onclick="MM_nbGroup('down','group1','params','',1)"  | 				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Params" target="_top" onclick="MM_nbGroup('down','group1','params','',1)"  | ||||||
| 				onmouseover="MM_nbGroup('over','params','images/buttons/paramsOver.jpg','',1)"  | 				onmouseover="MM_nbGroup('over','params','images/buttons/paramsOver.jpg','',1)"  | ||||||
| 				onmouseout="MM_nbGroup('out')"> | 				onmouseout="MM_nbGroup('out')"> | ||||||
| 				<img src="images/buttons/params.jpg" alt="Show Params" name="attack?show=Params" width="92" height="20" border="0" id="params"/> | 				<img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink() %>&show=Params" width="92" height="20" border="0" id="params"/> | ||||||
| 				</a> | 				</a> | ||||||
| 				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Cookies" target="_top" onclick="MM_nbGroup('down','group1','cookies','',1)"  | 				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Cookies" target="_top" onclick="MM_nbGroup('down','group1','cookies','',1)"  | ||||||
| 				onmouseover="MM_nbGroup('over','cookies','images/buttons/cookiesOver.jpg','',1)"  | 				onmouseover="MM_nbGroup('over','cookies','images/buttons/cookiesOver.jpg','',1)"  | ||||||
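Review bot: The `<img>` on the Show Params button now carries the full lesson link in its `name` attribute, where `attack?show=Params` sat before; `name` on an image is a script lookup key, not a URL, and the `MM_nbGroup` handlers visible here appear to address the image as `'params'`, so the URL-valued name looks like leftover copy-paste rather than something the page reads. Unless a script outside this hunk looks the image up by that name, dropping the attribute or setting `name="params"` to match the id would be cleaner than a value containing unescaped `&` and `=`. The `href` on the preceding anchor is the line that actually needs `getLink()`.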
|  | |||||||