diff --git a/java/org/owasp/webgoat/HammerHead.java b/java/org/owasp/webgoat/HammerHead.java
index 40f263244..14f446d32 100644
--- a/java/org/owasp/webgoat/HammerHead.java
+++ b/java/org/owasp/webgoat/HammerHead.java
@@ -64,7 +64,6 @@ public class HammerHead extends HttpServlet {
final Logger logger = LoggerFactory.getLogger(HammerHead.class);
-
private static final String WELCOMED = "welcomed";
/**
@@ -82,7 +81,7 @@ public class HammerHead extends HttpServlet {
*/
private final static int sessionTimeoutSeconds = 60 * 60 * 24 * 2;
- // private final static int sessionTimeoutSeconds = 1;
+ // private final static int sessionTimeoutSeconds = 1;
/**
* Properties file path
*/
@@ -121,10 +120,9 @@ public class HammerHead extends HttpServlet {
WebSession mySession = null;
try {
- // System.out.println( "HH Entering doPost: " );
- // System.out.println( " - HH request " + request);
- // System.out.println( " - HH principle: " +
- // request.getUserPrincipal() );
+ logger.debug("Entering doPost");
+ logger.debug("request: " + request);
+ logger.debug("principle: " + request.getUserPrincipal());
// setCacheHeaders(response, 0);
ServletContext context = getServletContext();
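Review bot: The two new debug lines build their messages by string concatenation, so `request.toString()` and `request.getUserPrincipal()` are evaluated on every request even when debug logging is off; use SLF4J's parameterized form and fix the `principle` typo: `logger.debug("request: {}", request);` and `logger.debug("principal: {}", request.getUserPrincipal());`. Note that this writes the authenticated principal to the log on every request, which is identity data; that is fine for a training application at debug level, but a deployment that runs with debug enabled will accumulate per-user activity in its log files. doPost's body continues outside the hunk.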
@@ -132,6 +130,7 @@ public class HammerHead extends HttpServlet {
// call makeScreen() and writeScreen()
mySession = updateSession(request, response, context);
if (response.isCommitted()) {
+ logger.debug("Response already committed, exiting");
return;
}
@@ -142,7 +141,8 @@ public class HammerHead extends HttpServlet {
// where the lesson "knows" what has happened. To track it at a
// latter point would
// require the lesson to have memory.
- screen = makeScreen(mySession); // This calls the lesson's
+ screen = makeScreen(mySession);
+ // This calls the lesson's
// handleRequest()
if (response.isCommitted()) {
return;
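Review bot: Splitting `screen = makeScreen(mySession); // This calls the lesson's` leaves a two-line comment fragment (`// This calls the lesson's` / `// handleRequest()`) dangling after the statement it describes, which reads as if it belonged to the `if (response.isCommitted())` check below. Either keep it as a trailing comment on the call, `screen = makeScreen(mySession); // calls the lesson's handleRequest()`, or move the merged comment onto the line above the call. The enclosing method starts and ends outside this hunk.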
@@ -178,21 +178,20 @@ public class HammerHead extends HttpServlet {
request.setAttribute("client.browser", clientBrowser);
request.getSession().setAttribute("websession", mySession);
request.getSession().setAttribute("course", mySession.getCourse());
-
- request.getRequestDispatcher(getViewPage(mySession)).forward(request, response);
+ String viewPage = getViewPage(mySession);
+ logger.debug("Forwarding to view: " + viewPage);
+ request.getRequestDispatcher(viewPage).forward(request, response);
} catch (Throwable t) {
- t.printStackTrace();
- log("ERROR: " + t);
+ logger.error("Error handling request", t);
screen = new ErrorScreen(mySession, t);
} finally {
try {
this.writeScreen(mySession, screen, response);
} catch (Throwable thr) {
- thr.printStackTrace();
- log(request, "Could not write error screen: " + thr.getMessage());
+ logger.error("Could not write error screen", thr);
}
WebSession.returnConnection(mySession);
- // System.out.println( "HH Leaving doPost: " );
+ logger.debug("Leaving doPost: ");
}
}
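Review bot: The new `logger.debug("Forwarding to view: " + viewPage)` and `logger.debug("Leaving doPost: ")` lines should use the parameterized form for consistency with SLF4J and to avoid building the string when debug is disabled: `logger.debug("Forwarding to view: {}", viewPage);` and `logger.debug("Leaving doPost");` (the trailing colon was a leftover from the old println). The `catch (Throwable t)` path now logs the full stack trace server-side, which is the right place for it, but the same `t` is still handed to `new ErrorScreen(mySession, t)` and rendered to the client in `finally`; if that is not intentional lesson behaviour, the user-facing screen should get a generic message rather than the throwable. doPost begins outside this hunk.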
@@ -240,6 +239,7 @@ public class HammerHead extends HttpServlet {
*/
@Override
public void init() throws ServletException {
+ logger.info("Initializing main webgoat servlet");
httpDateFormat = new SimpleDateFormat("EEE, dd MMM yyyyy HH:mm:ss z", Locale.US);
httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
propertiesPath = getServletContext().getRealPath("./WEB-INF/webgoat.properties");
@@ -280,7 +280,7 @@ public class HammerHead extends HttpServlet {
} else {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson == null && s.isHackedAdmin()) {
- // If admin was hacked, let the user see some of the
+ // If admin was hacked, let the user see some of the
// admin screens
lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
}
@@ -288,7 +288,7 @@ public class HammerHead extends HttpServlet {
if (lesson != null) {
screen = lesson;
- // We need to do some bookkeeping for the hackable admin
+ // We need to do some bookkeeping for the hackable admin
// interface.
// This is the only place we can tell if the user
// successfully hacked the hackable
@@ -307,7 +307,7 @@ public class HammerHead extends HttpServlet {
if (scr == WebSession.WELCOME) {
screen = new WelcomeAdminScreen(s);
} else {
- // Admin can see all roles.
+ // Admin can see all roles.
// FIXME: should be able to pass a list of roles.
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.ADMIN_ROLE);
if (lesson == null) {
@@ -320,7 +320,7 @@ public class HammerHead extends HttpServlet {
if (lesson != null) {
screen = lesson;
- // We need to do some bookkeeping for the hackable admin
+ // We need to do some bookkeeping for the hackable admin
// interface.
// This is the only place we can tell if the user
// successfully hacked the hackable
@@ -374,7 +374,7 @@ public class HammerHead extends HttpServlet {
HttpSession hs;
hs = request.getSession(true);
- // System.out.println( "HH Entering Session_id: " + hs.getId() );
+ // System.out.println( "HH Entering Session_id: " + hs.getId() );
// dumpSession( hs );
// Get our session object out of the HTTP session
WebSession session = null;
@@ -383,7 +383,7 @@ public class HammerHead extends HttpServlet {
if ((o != null) && o instanceof WebSession) {
session = (WebSession) o;
} else {
- // Create new custom session and save it in the HTTP session
+ // Create new custom session and save it in the HTTP session
// System.out.println( "HH Creating new WebSession: " );
session = new WebSession(webgoatContext, context);
// Ensure splash screen shows on any restart
@@ -396,7 +396,7 @@ public class HammerHead extends HttpServlet {
session.update(request, response, this.getServletName());
- // to authenticate
+ // to authenticate
// System.out.println( "HH Leaving Session_id: " + hs.getId() );
// dumpSession( hs );
return (session);
@@ -419,7 +419,7 @@ public class HammerHead extends HttpServlet {
screen = new ErrorScreen(s, "Page to display was null");
}
- // set the content-length of the response.
+ // set the content-length of the response.
// Trying to avoid chunked-encoding. (Aspect required)
response.setContentLength(screen.getContentLength());
response.setHeader("Content-Length", screen.getContentLength() + "");
diff --git a/java/org/owasp/webgoat/lessons/Category.java b/java/org/owasp/webgoat/lessons/Category.java
index 5683a4842..d9c51beb3 100644
--- a/java/org/owasp/webgoat/lessons/Category.java
+++ b/java/org/owasp/webgoat/lessons/Category.java
@@ -1,173 +1,166 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.Iterator;
-import java.util.List;
-
-
-/***************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2007 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at code.google.com, a repository for free software
- * projects.
- *
- * For details, please see http://code.google.com/p/webgoat/
- *
- * @author Bruce Mayhew WebGoat
- * @created October 28, 2003
- */
-public class Category implements Comparable
-{
-
- public final static Category INTRODUCTION = new Category("Introduction", new Integer(5));
-
- public final static Category GENERAL = new Category("General", new Integer(100));
-
- public final static Category ACCESS_CONTROL = new Category("Access Control Flaws", new Integer(200));
-
- public final static Category AJAX_SECURITY = new Category("AJAX Security", new Integer(400));
-
- public final static Category AUTHENTICATION = new Category("Authentication Flaws", new Integer(500));
-
- public final static Category BUFFER_OVERFLOW = new Category("Buffer Overflows", new Integer(600));
-
- public final static Category CODE_QUALITY = new Category("Code Quality", new Integer(700));
-
- public final static Category CONCURRENCY = new Category("Concurrency", new Integer(800));
-
- public final static Category XSS = new Category("Cross-Site Scripting (XSS)", new Integer(900));
-
- public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(1000));
-
- public final static Category INJECTION = new Category("Injection Flaws", new Integer(1100));
-
- public final static Category DOS = new Category("Denial of Service", new Integer(1200));
-
- public final static Category INSECURE_COMMUNICATION = new Category("Insecure Communication", new Integer(1300));
-
- public final static Category INSECURE_CONFIGURATION = new Category("Insecure Configuration", new Integer(1400));
-
- public final static Category INSECURE_STORAGE = new Category("Insecure Storage", new Integer(1500));
-
- public final static Category MALICIOUS_EXECUTION = new Category("Malicious Execution", new Integer(1600));
-
- public final static Category PARAMETER_TAMPERING = new Category("Parameter Tampering", new Integer(1700));
-
- public final static Category SESSION_MANAGEMENT = new Category("Session Management Flaws", new Integer(1800));
-
- public final static Category WEB_SERVICES = new Category("Web Services", new Integer(1900));
-
- public final static Category ADMIN_FUNCTIONS = new Category("Admin Functions", new Integer(2000));
-
- public final static Category CHALLENGE = new Category("Challenge", new Integer(3000));
-
- private static final List categories = new ArrayList();
-
- private String category;
-
- private Integer ranking;
-
- static
- {
- categories.add(INTRODUCTION);
- categories.add(PARAMETER_TAMPERING);
- categories.add(ACCESS_CONTROL);
- categories.add(AUTHENTICATION);
- categories.add(SESSION_MANAGEMENT);
- categories.add(XSS);
- categories.add(BUFFER_OVERFLOW);
- categories.add(INJECTION);
- categories.add(MALICIOUS_EXECUTION);
- categories.add(ERROR_HANDLING);
- categories.add(INSECURE_STORAGE);
- categories.add(DOS);
- categories.add(INSECURE_CONFIGURATION);
- categories.add(WEB_SERVICES);
- categories.add(AJAX_SECURITY);
- categories.add(ADMIN_FUNCTIONS);
- categories.add(GENERAL);
- categories.add(CODE_QUALITY);
- categories.add(CONCURRENCY);
- categories.add(INSECURE_COMMUNICATION);
- categories.add(CHALLENGE);
- }
-
- public static synchronized void addCategory(Category c)
- {
- categories.add(c);
- }
-
- public static synchronized Category getCategory(String name)
- {
- Iterator it = categories.iterator();
- while (it.hasNext())
- {
- Category c = it.next();
- if (c.getName().equals(name)) return c;
- }
- return null;
- }
-
- public Category(String category, Integer ranking)
- {
- this.category = category;
- this.ranking = ranking;
- }
-
- public int compareTo(Object obj)
- {
- int value = 1;
-
- if (obj instanceof Category)
- {
- value = this.getRanking().compareTo(((Category) obj).getRanking());
- }
-
- return value;
- }
-
- public Integer getRanking()
- {
- return ranking;
- }
-
- public Integer setRanking(Integer ranking)
- {
- return this.ranking = ranking;
- }
-
- public String getName()
- {
- return category;
- }
-
- public boolean equals(Object obj)
- {
- return (obj instanceof Category) && getName().equals(((Category) obj).getName());
- }
-
- public String toString()
- {
- return getName();
- }
-}
\ No newline at end of file
+package org.owasp.webgoat.lessons;
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository
+ * for free software projects.
+ *
+ * For details, please see http://code.google.com/p/webgoat/
+ *
+ * @author Bruce Mayhew WebGoat
+ * @created October 28, 2003
+ */
+public class Category implements Comparable {
+
+ public final static Category INTRODUCTION = new Category("Introduction", new Integer(5));
+
+ public final static Category GENERAL = new Category("General", new Integer(100));
+
+ public final static Category ACCESS_CONTROL = new Category("Access Control Flaws", new Integer(200));
+
+ public final static Category AJAX_SECURITY = new Category("AJAX Security", new Integer(400));
+
+ public final static Category AUTHENTICATION = new Category("Authentication Flaws", new Integer(500));
+
+ public final static Category BUFFER_OVERFLOW = new Category("Buffer Overflows", new Integer(600));
+
+ public final static Category CODE_QUALITY = new Category("Code Quality", new Integer(700));
+
+ public final static Category CONCURRENCY = new Category("Concurrency", new Integer(800));
+
+ public final static Category XSS = new Category("Cross-Site Scripting (XSS)", new Integer(900));
+
+ public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(1000));
+
+ public final static Category INJECTION = new Category("Injection Flaws", new Integer(1100));
+
+ public final static Category DOS = new Category("Denial of Service", new Integer(1200));
+
+ public final static Category INSECURE_COMMUNICATION = new Category("Insecure Communication", new Integer(1300));
+
+ public final static Category INSECURE_CONFIGURATION = new Category("Insecure Configuration", new Integer(1400));
+
+ public final static Category INSECURE_STORAGE = new Category("Insecure Storage", new Integer(1500));
+
+ public final static Category MALICIOUS_EXECUTION = new Category("Malicious Execution", new Integer(1600));
+
+ public final static Category PARAMETER_TAMPERING = new Category("Parameter Tampering", new Integer(1700));
+
+ public final static Category SESSION_MANAGEMENT = new Category("Session Management Flaws", new Integer(1800));
+
+ public final static Category WEB_SERVICES = new Category("Web Services", new Integer(1900));
+
+ public final static Category ADMIN_FUNCTIONS = new Category("Admin Functions", new Integer(2000));
+
+ public final static Category CHALLENGE = new Category("Challenge", new Integer(3000));
+
+ private static final List categories = new ArrayList();
+
+ private String category;
+
+ private Integer ranking;
+
+ static {
+ categories.add(INTRODUCTION);
+ categories.add(PARAMETER_TAMPERING);
+ categories.add(ACCESS_CONTROL);
+ categories.add(AUTHENTICATION);
+ categories.add(SESSION_MANAGEMENT);
+ categories.add(XSS);
+ categories.add(BUFFER_OVERFLOW);
+ categories.add(INJECTION);
+ categories.add(MALICIOUS_EXECUTION);
+ categories.add(ERROR_HANDLING);
+ categories.add(INSECURE_STORAGE);
+ categories.add(DOS);
+ categories.add(INSECURE_CONFIGURATION);
+ categories.add(WEB_SERVICES);
+ categories.add(AJAX_SECURITY);
+ categories.add(ADMIN_FUNCTIONS);
+ categories.add(GENERAL);
+ categories.add(CODE_QUALITY);
+ categories.add(CONCURRENCY);
+ categories.add(INSECURE_COMMUNICATION);
+ categories.add(CHALLENGE);
+ }
+
+ public static synchronized void addCategory(Category c) {
+ categories.add(c);
+ }
+
+ public static synchronized Category getCategory(String name) {
+ Iterator it = categories.iterator();
+ while (it.hasNext()) {
+ Category c = it.next();
+ if (c.getName().equals(name)) {
+ return c;
+ }
+ }
+ return null;
+ }
+
+ public Category(String category, Integer ranking) {
+ this.category = category;
+ this.ranking = ranking;
+ }
+
+ @Override
+ public int compareTo(Object obj) {
+ int value = 1;
+
+ if (obj instanceof Category) {
+ value = this.getRanking().compareTo(((Category) obj).getRanking());
+ }
+
+ return value;
+ }
+
+ public Integer getRanking() {
+ return ranking;
+ }
+
+ public Integer setRanking(Integer ranking) {
+ return this.ranking = ranking;
+ }
+
+ public String getName() {
+ return category;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ return (obj instanceof Category) && getName().equals(((Category) obj).getName());
+ }
+
+ @Override
+ public String toString() {
+ return getName();
+ }
+}
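Review bot: `Category` overrides `equals` (comparing by name) but not `hashCode`, which breaks the `Object` contract and makes instances unsafe as `HashMap`/`HashSet` keys; since the reformat already adds `@Override` annotations, add `@Override public int hashCode() { return category.hashCode(); }` next to `equals`. In `getCategory`, `Category c = it.next();` is taken from a raw `Iterator`, which as shown would need a cast; declaring `private static final List<Category> categories = new ArrayList<>();` and `Iterator<Category> it = categories.iterator();` removes the raw types and the cast. The `new Integer(n)` constants can also become `Integer.valueOf(n)` (the constructor is deprecated), and `compareTo` orders by ranking while `equals` compares by name, so sorted sets will not be consistent with `equals`; if that is intended it deserves a comment on `compareTo`.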
diff --git a/java/org/owasp/webgoat/session/Course.java b/java/org/owasp/webgoat/session/Course.java
index 17358f799..6430b409c 100644
--- a/java/org/owasp/webgoat/session/Course.java
+++ b/java/org/owasp/webgoat/session/Course.java
@@ -1,452 +1,392 @@
-
-package org.owasp.webgoat.session;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Set;
-import java.util.Vector;
-import java.util.LinkedList;
-import javax.servlet.ServletContext;
-import org.owasp.webgoat.HammerHead;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.Category;
-
-
-
-/***************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2007 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at code.google.com, a repository for free software
- * projects.
- *
- * For details, please see http://code.google.com/p/webgoat/
- *
- * @author Bruce Mayhew WebGoat
- * @created October 28, 2003
- */
-public class Course
-{
-
- private List lessons = new LinkedList();
-
- private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath;
-
- private WebgoatProperties properties = null;
-
- private List files = new LinkedList();
-
- private WebgoatContext webgoatContext;
-
-
- public Course()
- {
- try
- {
- properties = new WebgoatProperties(PROPERTIES_FILENAME);
- } catch (IOException e)
- {
- System.out.println("Error loading WebGoat properties");
- e.printStackTrace();
- }
- }
-
-
-
-
- /**
- * Take an absolute file and return the filename.
- *
- * Ex. /etc/password becomes password
- *
- * @param s
- * @return the file name
- */
- private static String getFileName(String s)
- {
- String fileName = new File(s).getName();
-
- if (fileName.indexOf("/") != -1)
- {
- fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length());
- }
-
- if (fileName.indexOf(".") != -1)
- {
- fileName = fileName.substring(0, fileName.indexOf("."));
- }
-
- return fileName;
- }
-
- /**
- * Take a class name and return the equivalent file name
- *
- * Ex. org.owasp.webgoat becomes org/owasp/webgoat.java
- *
- * @param className
- * @return
- */
- private static String getSourceFile(String className)
- {
- StringBuffer sb = new StringBuffer();
-
- sb.append(className.replace(".", "/"));
- sb.append(".java");
-
- return sb.toString();
- }
-
- /**
- * Takes a file name and builds the class file name
- *
- * @param fileName
- * Description of the Parameter
- * @param path
- * Description of the Parameter
- * @return Description of the Return Value
- */
- private static String getClassFile(String fileName, String path)
- {
- String ext = ".class";
- fileName = fileName.trim();
-
- /**
- * We do not handle directories.
- * We do not handle files with different extensions
- */
- if (fileName.endsWith("/") || !fileName.endsWith(ext)) { return null; }
-
- // if the file is in /WEB-INF/classes strip the dir info off
- int index = fileName.indexOf("/WEB-INF/classes/");
- if (index != -1)
- {
- fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length());
- fileName = fileName.replace('/', '.');
- fileName = fileName.replace('\\', '.');
- }
- else
- {
- // Strip off the leading path info
- fileName = fileName.substring(path.length(), fileName.length() - ext.length());
- }
-
- return fileName;
- }
-
- /**
- * Gets the categories attribute of the Course object
- *
- * @return The categories value
- */
- public List getCategories()
- {
- List categories = new ArrayList();
- Iterator iter = lessons.iterator();
-
- while (iter.hasNext())
- {
- AbstractLesson lesson = (AbstractLesson) iter.next();
-
- if (!categories.contains(lesson.getCategory()))
- {
- categories.add(lesson.getCategory());
- }
- }
-
- Collections.sort(categories);
-
- return categories;
- }
-
- /**
- * Gets the firstLesson attribute of the Course object
- *
- * @return The firstLesson value
- */
- public AbstractLesson getFirstLesson()
- {
- List roles = new ArrayList();
- roles.add(AbstractLesson.USER_ROLE);
- // Category 0 is the admin function. We want the first real category
- // to be returned. This is noramally the General category and the Http Basics lesson
- return ((AbstractLesson) getLessons((Category) getCategories().get(0), roles).get(0));
- }
-
- /**
- * Gets the lesson attribute of the Course object
- *
- * @param lessonId
- * Description of the Parameter
- * @param role
- * Description of the Parameter
- * @return The lesson value
- */
- public AbstractLesson getLesson(WebSession s, int lessonId, List roles)
- {
- if (s.isHackedAdmin())
- {
- roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
- }
- // System.out.println("getLesson() with roles: " + roles);
- Iterator iter = lessons.iterator();
-
- while (iter.hasNext())
- {
- AbstractLesson lesson = iter.next();
-
- // System.out.println("getLesson() at role: " + lesson.getRole());
- if (lesson.getScreenId() == lessonId && roles.contains(lesson.getRole())) { return lesson; }
- }
-
- return null;
- }
-
- public AbstractLesson getLesson(WebSession s, int lessonId, String role)
- {
- List roles = new Vector();
- roles.add(role);
- return getLesson(s, lessonId, roles);
- }
-
- public List getLessons(WebSession s, String role)
- {
- List roles = new Vector();
- roles.add(role);
- return getLessons(s, roles);
- }
-
- /**
- * Gets the lessons attribute of the Course object
- *
- * @param role
- * Description of the Parameter
- * @return The lessons value
- */
- public List getLessons(WebSession s, List roles)
- {
- if (s.isHackedAdmin())
- {
- roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
- }
- List lessonList = new ArrayList();
- Iterator categoryIter = getCategories().iterator();
-
- while (categoryIter.hasNext())
- {
- lessonList.addAll(getLessons(s, (Category) categoryIter.next(), roles));
- }
- return lessonList;
- }
-
- /**
- * Gets the lessons attribute of the Course object
- *
- * @param category
- * Description of the Parameter
- * @param role
- * Description of the Parameter
- * @return The lessons value
- */
- private List getLessons(Category category, List roles)
- {
- List lessonList = new ArrayList();
-
- Iterator iter = lessons.iterator();
- while (iter.hasNext())
- {
- AbstractLesson lesson = (AbstractLesson) iter.next();
-
- if (lesson.getCategory().equals(category) && roles.contains(lesson.getRole()))
- {
- lessonList.add(lesson);
- }
- }
-
- Collections.sort(lessonList);
- // System.out.println(java.util.Arrays.asList(lessonList));
- return lessonList;
- }
-
- public List getLessons(WebSession s, Category category, String role)
- {
- List roles = new Vector();
- roles.add(role);
- return getLessons(s, category, roles);
- }
-
- public List getLessons(WebSession s, Category category, List roles)
- {
- if (s.isHackedAdmin())
- {
- roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
- }
- return getLessons(category, roles);
- }
-
- /**
- * Load all of the filenames into a temporary cache
- *
- * @param context
- * @param path
- */
- private void loadFiles(ServletContext context, String path)
- {
- Set resourcePaths = context.getResourcePaths(path);
- Iterator itr = resourcePaths.iterator();
-
- while (itr.hasNext())
- {
- String file = (String) itr.next();
-
- if (file.length() != 1 && file.endsWith("/"))
- {
- loadFiles(context, file);
- }
- else
- {
- files.add(file);
- }
- }
- }
-
- /**
- * Instantiate all the lesson objects into a cache
- *
- * @param path
- */
- private void loadLessons(String path)
- {
- Iterator itr = files.iterator();
-
- while (itr.hasNext())
- {
- String file = (String) itr.next();
- String className = getClassFile(file, path);
-
- if (className != null && !className.endsWith("_i"))
- {
- try
- {
- Class c = Class.forName(className);
- Object o = c.newInstance();
-
- if (o instanceof AbstractLesson)
- {
- AbstractLesson lesson = (AbstractLesson) o;
- lesson.setWebgoatContext(webgoatContext);
-
- lesson.update(properties);
-
- if (lesson.getHidden() == false)
- {
- lessons.add(lesson);
- }
- }
- } catch (Exception e)
- {
- // System.out.println("Warning: " + e.getMessage());
- }
- }
- }
- }
-
- private String getLanguageFromFileName(String first, String absoluteFile){
- int p1 = absoluteFile.indexOf("/",absoluteFile.indexOf(first)+1);
- int p2 = absoluteFile.indexOf("/",p1+1);
- String langStr=absoluteFile.substring(p1+1,p2);
-
-
- return new String(langStr);
- }
-
- /**
- * For each lesson, set the source file and lesson file
- */
- private void loadResources()
- {
- Iterator lessonItr = lessons.iterator();
-
- while (lessonItr.hasNext())
- {
- AbstractLesson lesson = (AbstractLesson) lessonItr.next();
- String className = lesson.getClass().getName();
- String classFile = getSourceFile(className);
-
- Iterator fileItr = files.iterator();
-
- while (fileItr.hasNext())
- {
- String absoluteFile = (String) fileItr.next();
- String fileName = getFileName(absoluteFile);
- // System.out.println("Course: looking at file: " + absoluteFile);
-
- if (absoluteFile.endsWith(classFile))
- {
- // System.out.println("Set source file for " + classFile);
- lesson.setSourceFileName(absoluteFile);
- }
-
- if (absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html")
- && className.endsWith(fileName))
- {
- // System.out.println("DEBUG: setting lesson plan file " + absoluteFile + " for
- // lesson " +
- // lesson.getClass().getName());
- // System.out.println("fileName: " + fileName + " == className: " + className );
- String language = getLanguageFromFileName("/lesson_plans",absoluteFile);
- lesson.setLessonPlanFileName(language, absoluteFile);
- this.webgoatContext.getWebgoatI18N().loadLanguage(language);
- }
- if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html")
- && className.endsWith(fileName))
- {
- // System.out.println("DEBUG: setting lesson solution file " + absoluteFile + "
- // for lesson " +
- // lesson.getClass().getName());
- // System.out.println("fileName: " + fileName + " == className: " + className );
- lesson.setLessonSolutionFileName(absoluteFile);
- }
- }
- }
- }
-
- /**
- * Description of the Method
- *
- * @param path
- * Description of the Parameter
- * @param context
- * Description of the Parameter
- */
- public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path)
- {
- this.webgoatContext = webgoatContext;
- loadFiles(context, path);
- loadLessons(path);
- loadResources();
- }
-}
+package org.owasp.webgoat.session;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+import java.util.Vector;
+import java.util.LinkedList;
+import javax.servlet.ServletContext;
+import org.owasp.webgoat.HammerHead;
+import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.Category;
+
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository
+ * for free software projects.
+ *
+ * For details, please see http://code.google.com/p/webgoat/
+ *
+ * @author Bruce Mayhew WebGoat
+ * @created October 28, 2003
+ */
+public class Course {
+
+ private List lessons = new LinkedList();
+
+ private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath;
+
+ private WebgoatProperties properties = null;
+
+ private List files = new LinkedList();
+
+ private WebgoatContext webgoatContext;
+
+ public Course() {
+ try {
+ properties = new WebgoatProperties(PROPERTIES_FILENAME);
+ } catch (IOException e) {
+ System.out.println("Error loading WebGoat properties");
+ e.printStackTrace();
+ }
+ }
+
+ /**
+ * Take an absolute file and return the filename.
+ *
+ * Ex. /etc/password becomes password
+ *
+ * @param s
+ * @return the file name
+ */
+ private static String getFileName(String s) {
+ String fileName = new File(s).getName();
+
+ if (fileName.indexOf("/") != -1) {
+ fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length());
+ }
+
+ if (fileName.indexOf(".") != -1) {
+ fileName = fileName.substring(0, fileName.indexOf("."));
+ }
+
+ return fileName;
+ }
+
+ /**
+ * Take a class name and return the equivalent file name
+ *
+ * Ex. org.owasp.webgoat becomes org/owasp/webgoat.java
+ *
+ * @param className
+ * @return
+ */
+ private static String getSourceFile(String className) {
+ StringBuffer sb = new StringBuffer();
+
+ sb.append(className.replace(".", "/"));
+ sb.append(".java");
+
+ return sb.toString();
+ }
+
+ /**
+ * Takes a file name and builds the class file name
+ *
+ * @param fileName Description of the Parameter
+ * @param path Description of the Parameter
+ * @return Description of the Return Value
+ */
+ private static String getClassFile(String fileName, String path) {
+ String ext = ".class";
+ fileName = fileName.trim();
+
+ /**
+ * We do not handle directories. We do not handle files with different
+ * extensions
+ */
+ if (fileName.endsWith("/") || !fileName.endsWith(ext)) {
+ return null;
+ }
+
+ // if the file is in /WEB-INF/classes strip the dir info off
+ int index = fileName.indexOf("/WEB-INF/classes/");
+ if (index != -1) {
+ fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length());
+ fileName = fileName.replace('/', '.');
+ fileName = fileName.replace('\\', '.');
+ } else {
+ // Strip off the leading path info
+ fileName = fileName.substring(path.length(), fileName.length() - ext.length());
+ }
+
+ return fileName;
+ }
+
+ /**
+ * Gets the categories attribute of the Course object
+ *
+ * @return The categories value
+ */
+ public List getCategories() {
+ List categories = new ArrayList();
+ Iterator iter = lessons.iterator();
+
+ while (iter.hasNext()) {
+ AbstractLesson lesson = (AbstractLesson) iter.next();
+
+ if (!categories.contains(lesson.getCategory())) {
+ categories.add(lesson.getCategory());
+ }
+ }
+
+ Collections.sort(categories);
+
+ return categories;
+ }
+
+ /**
+ * Gets the firstLesson attribute of the Course object
+ *
+ * @return The firstLesson value
+ */
+ public AbstractLesson getFirstLesson() {
+ List roles = new ArrayList();
+ roles.add(AbstractLesson.USER_ROLE);
+ // Category 0 is the admin function. We want the first real category
+ // to be returned. This is noramally the General category and the Http Basics lesson
+ return ((AbstractLesson) getLessons((Category) getCategories().get(0), roles).get(0));
+ }
+
+ /**
+ * Gets the lesson attribute of the Course object
+ *
+ * @param lessonId Description of the Parameter
+ * @param role Description of the Parameter
+ * @return The lesson value
+ */
+ public AbstractLesson getLesson(WebSession s, int lessonId, List roles) {
+ if (s.isHackedAdmin()) {
+ roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
+ }
+ // System.out.println("getLesson() with roles: " + roles);
+ Iterator iter = lessons.iterator();
+
+ while (iter.hasNext()) {
+ AbstractLesson lesson = iter.next();
+
+ // System.out.println("getLesson() at role: " + lesson.getRole());
+ if (lesson.getScreenId() == lessonId && roles.contains(lesson.getRole())) {
+ return lesson;
+ }
+ }
+
+ return null;
+ }
+
+ public AbstractLesson getLesson(WebSession s, int lessonId, String role) {
+ List roles = new Vector();
+ roles.add(role);
+ return getLesson(s, lessonId, roles);
+ }
+
+ public List getLessons(WebSession s, String role) {
+ List roles = new Vector();
+ roles.add(role);
+ return getLessons(s, roles);
+ }
+
+ /**
+ * Gets the lessons attribute of the Course object
+ *
+ * @param role Description of the Parameter
+ * @return The lessons value
+ */
+ public List getLessons(WebSession s, List roles) {
+ if (s.isHackedAdmin()) {
+ roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
+ }
+ List lessonList = new ArrayList();
+ Iterator categoryIter = getCategories().iterator();
+
+ while (categoryIter.hasNext()) {
+ lessonList.addAll(getLessons(s, (Category) categoryIter.next(), roles));
+ }
+ return lessonList;
+ }
+
+ /**
+ * Gets the lessons attribute of the Course object
+ *
+ * @param category Description of the Parameter
+ * @param role Description of the Parameter
+ * @return The lessons value
+ */
+ private List getLessons(Category category, List roles) {
+ List lessonList = new ArrayList();
+
+ Iterator iter = lessons.iterator();
+ while (iter.hasNext()) {
+ AbstractLesson lesson = (AbstractLesson) iter.next();
+
+ if (lesson.getCategory().equals(category) && roles.contains(lesson.getRole())) {
+ lessonList.add(lesson);
+ }
+ }
+
+ Collections.sort(lessonList);
+ // System.out.println(java.util.Arrays.asList(lessonList));
+ return lessonList;
+ }
+
+ public List getLessons(WebSession s, Category category, String role) {
+ List roles = new Vector();
+ roles.add(role);
+ return getLessons(s, category, roles);
+ }
+
+ public List getLessons(WebSession s, Category category, List roles) {
+ if (s.isHackedAdmin()) {
+ roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
+ }
+ return getLessons(category, roles);
+ }
+
+ /**
+ * Load all of the filenames into a temporary cache
+ *
+ * @param context
+ * @param path
+ */
+ private void loadFiles(ServletContext context, String path) {
+ Set resourcePaths = context.getResourcePaths(path);
+ Iterator itr = resourcePaths.iterator();
+
+ while (itr.hasNext()) {
+ String file = (String) itr.next();
+
+ if (file.length() != 1 && file.endsWith("/")) {
+ loadFiles(context, file);
+ } else {
+ files.add(file);
+ }
+ }
+ }
+
+ /**
+ * Instantiate all the lesson objects into a cache
+ *
+ * @param path
+ */
+ private void loadLessons(String path) {
+ Iterator itr = files.iterator();
+
+ while (itr.hasNext()) {
+ String file = (String) itr.next();
+ String className = getClassFile(file, path);
+
+ if (className != null && !className.endsWith("_i")) {
+ try {
+ Class c = Class.forName(className);
+ Object o = c.newInstance();
+
+ if (o instanceof AbstractLesson) {
+ AbstractLesson lesson = (AbstractLesson) o;
+ lesson.setWebgoatContext(webgoatContext);
+
+ lesson.update(properties);
+
+ if (lesson.getHidden() == false) {
+ lessons.add(lesson);
+ }
+ }
+ } catch (Exception e) {
+ // System.out.println("Warning: " + e.getMessage());
+ }
+ }
+ }
+ }
+
+ private String getLanguageFromFileName(String first, String absoluteFile) {
+ int p1 = absoluteFile.indexOf("/", absoluteFile.indexOf(first) + 1);
+ int p2 = absoluteFile.indexOf("/", p1 + 1);
+ String langStr = absoluteFile.substring(p1 + 1, p2);
+
+ return new String(langStr);
+ }
+
+ /**
+ * For each lesson, set the source file and lesson file
+ */
+ private void loadResources() {
+ Iterator lessonItr = lessons.iterator();
+
+ while (lessonItr.hasNext()) {
+ AbstractLesson lesson = (AbstractLesson) lessonItr.next();
+ String className = lesson.getClass().getName();
+ String classFile = getSourceFile(className);
+
+ Iterator fileItr = files.iterator();
+
+ while (fileItr.hasNext()) {
+ String absoluteFile = (String) fileItr.next();
+ String fileName = getFileName(absoluteFile);
+ // System.out.println("Course: looking at file: " + absoluteFile);
+
+ if (absoluteFile.endsWith(classFile)) {
+ // System.out.println("Set source file for " + classFile);
+ lesson.setSourceFileName(absoluteFile);
+ }
+
+ if (absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html")
+ && className.endsWith(fileName)) {
+ // System.out.println("DEBUG: setting lesson plan file " + absoluteFile + " for
+ // lesson " +
+ // lesson.getClass().getName());
+ // System.out.println("fileName: " + fileName + " == className: " + className );
+ String language = getLanguageFromFileName("/lesson_plans", absoluteFile);
+ lesson.setLessonPlanFileName(language, absoluteFile);
+ this.webgoatContext.getWebgoatI18N().loadLanguage(language);
+ }
+ if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html")
+ && className.endsWith(fileName)) {
+ // System.out.println("DEBUG: setting lesson solution file " + absoluteFile + "
+ // for lesson " +
+ // lesson.getClass().getName());
+ // System.out.println("fileName: " + fileName + " == className: " + className );
+ lesson.setLessonSolutionFileName(absoluteFile);
+ }
+ }
+ }
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param path Description of the Parameter
+ * @param context Description of the Parameter
+ */
+ public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path) {
+ this.webgoatContext = webgoatContext;
+ loadFiles(context, path);
+ loadLessons(path);
+ loadResources();
+ }
+}
diff --git a/java/org/owasp/webgoat/session/WebSession.java b/java/org/owasp/webgoat/session/WebSession.java
index a9e46fc8c..a32a76aa8 100644
--- a/java/org/owasp/webgoat/session/WebSession.java
+++ b/java/org/owasp/webgoat/session/WebSession.java
@@ -1,1119 +1,985 @@
-
-package org.owasp.webgoat.session;
-
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.security.Principal;
-import java.sql.Connection;
-import java.sql.SQLException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Hashtable;
-import java.util.List;
-import java.util.Map;
-import java.util.Vector;
-import javax.servlet.ServletContext;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.RandomLessonAdapter;
-import org.owasp.webgoat.lessons.SequentialLessonAdapter;
-import org.owasp.webgoat.util.WebGoatI18N;
-
-
-
-/***************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2007 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at code.google.com, a repository for free software
- * projects.
- *
- * For details, please see http://code.google.com/p/webgoat/
- *
- * @author Jeff Williams Aspect Security
- * @author Bruce Mayhew WebGoat
- *
- * @created October 28, 2003
- */
-public class WebSession
-{
- /**
- * Description of the Field
- */
- public final static String ADMIN = "admin";
-
- /**
- * Tomcat role for a webgoat user
- */
- public final static String WEBGOAT_USER = "webgoat_user";
-
- /**
- * Tomcat role for a webgoat admin
- */
- public final static String WEBGOAT_ADMIN = "webgoat_admin";
-
- /**
- * Description of the Field
- */
- public final static String CHALLENGE = "Challenge";
-
- /**
- * Description of the Field
- */
- public final static String COLOR = "color";
-
- /**
- * Description of the Field
- */
- public final static int ERROR = 0;
-
- public static final String STAGE = "stage";
-
- /**
- * Description of the Field
- */
- public final static String JSESSION_ID = "jsessionid";
-
- /**
- * Description of the Field
- */
- public final static String LOGOUT = "Logout";
-
- /**
- * Description of the Field
- */
- public final static String RESTART = "Restart";
-
- /**
- * Description of the Field
- */
- public final static String MENU = "menu";
-
- /**
- * Description of the Field
- */
- public final static String SCREEN = "Screen";
-
- /**
- * Description of the Field
- */
- public final static String SESSION = "Session";
-
- public final static String SHOWSOURCE = "ShowSource";
-
- public final static String SHOWSOLUTION = "ShowSolution";
-
- public final static String SHOWHINTS = "ShowHints";
-
- public final static String SHOW = "show";
-
- public final static String SHOW_NEXTHINT = "NextHint";
-
- public final static String SHOW_PREVIOUSHINT = "PreviousHint";
-
- public final static String SHOW_PARAMS = "Params";
-
- public final static String SHOW_COOKIES = "Cookies";
-
- public final static String SHOW_SOURCE = "Source";
-
- public final static String SHOW_SOLUTION = "Solution";
-
- public final static String DEBUG = "debug";
-
- public final static String LANGUAGE = "language";
-
- /**
- * Description of the Field
- */
- public final static int WELCOME = -1;
-
- private WebgoatContext webgoatContext;
-
- private ServletContext context = null;
-
- private Course course;
-
- private int currentScreen = WELCOME;
-
- private int previousScreen = ERROR;
-
- private int hintNum = -1;
-
- private boolean isAdmin = false;
-
- private boolean isHackedAdmin = false;
-
- private boolean isAuthenticated = false;
-
- private boolean isColor = false;
-
- private boolean isDebug = false;
-
- private boolean hasHackedHackableAdmin = false;
-
- private StringBuffer message = new StringBuffer("");
-
- private ParameterParser myParser;
-
- private HttpServletRequest request = null;
-
- private HttpServletResponse response = null;
-
- private String servletName;
-
- private HashMap session = new HashMap();
-
- private boolean showCookies = false;
-
- private boolean showParams = false;
-
- private boolean showRequest = false;
-
- private boolean showSource = false;
-
- private boolean showSolution = false;
-
- private boolean completedHackableAdmin = false;
-
- private int currentMenu;
-
- private String currentLanguage = null;
-
-
-
- /**
- * Constructor for the WebSession object
- *
- * @param servlet
- * Description of the Parameter
- * @param context
- * Description of the Parameter
- */
- public WebSession(WebgoatContext webgoatContext, ServletContext context)
- {
- this.webgoatContext = webgoatContext;
- // initialize from web.xml
- showParams = webgoatContext.isShowParams();
- showCookies = webgoatContext.isShowCookies();
- showSource = webgoatContext.isShowSource();
- showSolution = webgoatContext.isShowSolution();
- showRequest = webgoatContext.isShowRequest();
- currentLanguage = webgoatContext.getDefaultLanguage();
- this.context = context;
-
- course = new Course();
- course.loadCourses(webgoatContext, context, "/");
- }
-
- public static synchronized Connection getConnection(WebSession s) throws SQLException
- {
- return DatabaseUtilities.getConnection(s);
- }
-
- public static void returnConnection(WebSession s)
- {
- DatabaseUtilities.returnConnection(s.getUserName());
- }
-
- /**
- * Description of the Method
- *
- * @param key
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- */
- public void add(String key, Object value)
- {
- session.put(key, value);
- }
-
- /**
- * Description of the Method
- */
- public void clearMessage()
- {
- message.setLength(0);
- }
-
- /**
- * Description of the Method
- */
- public void eatCookies()
- {
- Cookie[] cookies = request.getCookies();
-
- for (int loop = 0; loop < cookies.length; loop++)
- {
- if (!cookies[loop].getName().startsWith("JS"))
- {// skip jsessionid cookie
- cookies[loop].setMaxAge(0);// mark for deletion by browser
- response.addCookie(cookies[loop]);
- }
- }
- }
-
- /**
- * Description of the Method
- *
- * @param key
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public Object get(String key)
- {
- return (session.get(key));
- }
-
- /**
- * Gets the context attribute of the WebSession object
- *
- * @return The context value
- */
- public ServletContext getContext()
- {
- return context;
- }
-
-
-
-
- public List getRoles()
- {
- List roles = new ArrayList();
-
- roles.add(AbstractLesson.USER_ROLE);
- if (isAdmin())
- {
- roles.add(AbstractLesson.ADMIN_ROLE);
- }
-
- return roles;
- }
-
- /**
- * Sets the admin flag - this routine is ONLY here to allow someone a backdoor to setting the
- * user up as an admin.
- *
- * This is also used by the WebSession to set the admin, but the method should be private
- *
- * @param state
- */
- public void setAdmin(boolean state)
-
- {
- isAdmin = state;
-
- }
-
- public String getRole()
- {
-
- String role = "";
- if (isAdmin())
- {
- role = AbstractLesson.ADMIN_ROLE;
- }
- else if (isHackedAdmin())
- {
- role = AbstractLesson.HACKED_ADMIN_ROLE;
- }
- else if (isChallenge())
- {
- role = AbstractLesson.CHALLENGE_ROLE;
- }
- else
- {
- role = AbstractLesson.USER_ROLE;
- }
-
- return role;
- }
-
- /**
- * Gets the course attribute of the WebSession object
- *
- * @return The course value
- */
- public Course getCourse()
- {
- return course;
- }
-
- public void setCourse(Course course)
- {
- this.course = course;
- }
-
- /**
- * Gets the currentScreen attribute of the WebSession object
- *
- * @return The currentScreen value
- */
- public int getCurrentScreen()
- {
- return (currentScreen);
- }
-
- public void setCurrentScreen(int screen)
- {
- currentScreen = screen;
- }
-
- public String getRestartLink()
- {
- return getCurrentLesson().getLink() + "&" + RESTART + "=" + getCurrentScreen();
- }
-
- public String getCurrentLink()
- {
- String thisLink = "attack";
- Enumeration e = request.getParameterNames();
- boolean isFirstParameter = true;
- while (e.hasMoreElements())
- {
- String name = e.nextElement();
- if (isFirstParameter)
- {
- isFirstParameter = false;
- thisLink += "?";
- }
- else
- {
- thisLink += "&";
- }
- thisLink = thisLink + name + "=" + request.getParameter(name);
- }
-
- return thisLink;
- }
-
- public AbstractLesson getCurrentLesson()
- {
- return getCourse().getLesson(this, getCurrentScreen(), getRoles());
- }
-
- public AbstractLesson getLesson(int id)
- {
- return getCourse().getLesson(this, id, getRoles());
- }
-
- public List getLessons(Category category)
- {
- return getCourse().getLessons(this, category, getRoles());
- }
-
- /**
- * Gets the hint1 attribute of the WebSession object
- *
- * @return The hint1 value
- */
- private int getHintNum()
- {
- return (hintNum);
- }
-
- public String getHint()
- {
- String hint = null;
- int hints = getCurrentLesson().getHintCount(this);
- if (getHintNum() > hints) hintNum = -1;
- if (getHintNum() >= 0)
- // FIXME
- hint = getCurrentLesson().getHint(this, getHintNum());
-
- return hint;
- }
-
- public List getParams()
- {
- Vector params = null;
-
- if (showParams() && getParser() != null)
- {
- params = new Vector();
-
- Enumeration e = getParser().getParameterNames();
-
- while ((e != null) && e.hasMoreElements())
- {
- String name = (String) e.nextElement();
- String[] values = getParser().getParameterValues(name);
-
- for (int loop = 0; (values != null) && (loop < values.length); loop++)
- {
- params.add(new Parameter(name, values[loop]));
- // params.add( name + " -> " + values[loop] );
- }
- }
-
- Collections.sort(params);
- }
-
- return params;
- }
-
- public List getCookies()
- {
- List cookies = null;
-
- if (showCookies()) cookies = Arrays.asList(request.getCookies());
-
- /*
- * List cookies = new Vector(); HttpServletRequest request = getRequest(); Cookie[] cookies
- * = request.getCookies(); if ( cookies.length == 0 ) { list.addElement( new LI(
- * "No Cookies" ) ); } for ( int i = 0; i < cookies.length; i++ ) { Cookie cookie =
- * cookies[i]; cookies.add(cookie); //list.addElement( new LI( cookie.getName() + " -> " +
- * cookie.getValue() ) ); }
- */
-
- return cookies;
- }
-
- /**
- * Gets the cookie attribute of the CookieScreen object
- *
- * @param s
- * Description of the Parameter
- * @return The cookie value
- */
- public String getCookie(String cookieName)
- {
- Cookie[] cookies = getRequest().getCookies();
-
- for (int i = 0; i < cookies.length; i++)
- {
- if (cookies[i].getName().equalsIgnoreCase(cookieName)) { return (cookies[i].getValue()); }
- }
-
- return (null);
- }
-
- public String getSource()
- {
- return "Sorry. No Java Source viewing available.";
- // return getCurrentLesson().getSource(this);
- }
-
- public String getSolution()
- {
- return "Sorry. No solution is available.";
- // return getCurrentLesson().getSolution(this);
- }
-
- public String getInstructions()
- {
- return getCurrentLesson().getInstructions(this);
- }
-
- /**
- * Gets the message attribute of the WebSession object
- *
- * @return The message value
- */
- public String getMessage()
- {
- return (message.toString());
- }
-
- /**
- * Gets the parser attribute of the WebSession object
- *
- * @return The parser value
- */
- public ParameterParser getParser()
- {
- return (myParser);
- }
-
- /**
- * Gets the previousScreen attribute of the WebSession object
- *
- * @return The previousScreen value
- */
- public int getPreviousScreen()
- {
- return (previousScreen);
- }
-
- /**
- * Gets the request attribute of the WebSession object
- *
- * @return The request value
- */
- public HttpServletRequest getRequest()
- {
- return request;
- }
-
- public void setRequest(HttpServletRequest request)
- {
- this.request = request;
- }
-
- /**
- * Gets the response attribute of the WebSession object
- *
- * @return The response value
- */
- public HttpServletResponse getResponse()
- {
- return response;
- }
-
- /**
- * Gets the servletName attribute of the WebSession object
- *
- * @return The servletName value
- */
- public String getServletName()
- {
- return (servletName);
- }
-
- /**
- * Gets the sourceFile attribute of the WebSession object
- *
- * @param screen
- * Description of the Parameter
- * @return The sourceFile value
- */
- public String getWebResource(String fileName)
- {
- // Note: doesn't work for admin path! Maybe with a ../ attack
- return (context.getRealPath(fileName));
- }
-
- /**
- * Gets the admin attribute of the WebSession object
- *
- * @return The admin value
- */
- public boolean isAdmin()
- {
- return (isAdmin);
- }
-
- /**
- * Gets the hackedAdmin attribute of the WebSession object
- *
- * @return The hackedAdmin value
- */
- public boolean isHackedAdmin()
- {
- return (isHackedAdmin);
- }
-
- /**
- * Has the user ever hacked the hackable admin
- *
- * @return The hackedAdmin value
- */
- public boolean completedHackableAdmin()
- {
- return (completedHackableAdmin);
- }
-
- /**
- * Gets the authenticated attribute of the WebSession object
- *
- * @return The authenticated value
- */
- public boolean isAuthenticated()
- {
- return (isAuthenticated);
- }
-
- private Map lessonSessions = new Hashtable();
-
- public boolean isAuthenticatedInLesson(AbstractLesson lesson)
- {
- boolean authenticated = false;
-
- LessonSession lessonSession = getLessonSession(lesson);
- if (lessonSession != null)
- {
- authenticated = lessonSession.isAuthenticated();
- }
- // System.out.println("Authenticated for lesson " + lesson + "? " + authenticated);
-
- return authenticated;
- }
-
- public boolean isAuthorizedInLesson(int employeeId, String functionId)
- {
- return getCurrentLesson().isAuthorized(this, employeeId, functionId);
- }
-
- public boolean isAuthorizedInLesson(String role, String functionId)
- {
- return getCurrentLesson().isAuthorized(this, role, functionId);
- }
-
- public int getUserIdInLesson() throws ParameterNotFoundException
- {
- return getCurrentLesson().getUserId(this);
- }
-
- public String getUserNameInLesson() throws ParameterNotFoundException
- {
- return getCurrentLesson().getUserName(this);
- }
-
- public void openLessonSession(AbstractLesson lesson)
- {
- System.out.println("Opening new lesson session for lesson " + lesson);
- LessonSession lessonSession = new LessonSession();
- lessonSessions.put(lesson, lessonSession);
- }
-
- public void closeLessonSession(AbstractLesson lesson)
- {
- lessonSessions.remove(lesson);
- }
-
- public LessonSession getLessonSession(AbstractLesson lesson)
- {
- return lessonSessions.get(lesson);
- }
-
- /**
- * Gets the challenge attribute of the WebSession object
- *
- * @return The challenge value
- */
- public boolean isChallenge()
- {
- if (getCurrentLesson() != null) { return (Category.CHALLENGE.equals(getCurrentLesson().getCategory())); }
- return false;
- }
-
- /**
- * Gets the color attribute of the WebSession object
- *
- * @return The color value
- */
- public boolean isColor()
- {
- return (isColor);
- }
-
- /**
- * Gets the screen attribute of the WebSession object
- *
- * @param value
- * Description of the Parameter
- * @return The screen value
- */
- public boolean isScreen(int value)
- {
- return (getCurrentScreen() == value);
- }
-
- /**
- * Gets the user attribute of the WebSession object
- *
- * @return The user value
- */
- public boolean isUser()
- {
- return (!isAdmin && !isChallenge());
- }
-
- /**
- * Sets the message attribute of the WebSession object
- *
- * @param text
- * The new message value
- */
- public void setMessage(String text)
- {
- message.append("
" + " * " + text);
- }
-
- public void setLineBreak(String text)
- {
- message.append("
" + text);
- }
-
- /**
- * Description of the Method
- *
- * @return Description of the Return Value
- */
- public boolean showCookies()
- {
- return (showCookies);
- }
-
- /**
- * Description of the Method
- *
- * @return Description of the Return Value
- */
- public boolean showParams()
- {
- return (showParams);
- }
-
- /**
- * Description of the Method
- *
- * @return Description of the Return Value
- */
- public boolean showRequest()
- {
- return (showRequest);
- }
-
- /**
- * Description of the Method
- *
- * @return Description of the Return Value
- */
- public boolean showSource()
- {
- return (showSource);
- }
-
- public boolean showSolution()
- {
- return (showSolution);
- }
-
- /**
- * Gets the userName attribute of the WebSession object
- *
- * @return The userName value
- */
- public String getUserName()
- {
- HttpServletRequest request = getRequest();
- if (request == null) throw new RuntimeException("Could not find the ServletRequest in the web session");
- Principal principal = request.getUserPrincipal();
- if (principal == null) throw new RuntimeException("Could not find the Principal in the Servlet Request");
- return principal.getName();
- }
-
- /**
- * Parse parameters from the given request, handle any servlet commands, and update this session
- * based on the parameters.
- *
- * @param request
- * Description of the Parameter
- * @param response
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- */
- public void update(HttpServletRequest request, HttpServletResponse response, String name) throws IOException
- {
- String content = null;
-
- clearMessage();
- this.request = request;
- this.response = response;
- this.servletName = name;
-
- if (myParser == null)
- {
- myParser = new ParameterParser(request);
- }
- else
- {
- myParser.update(request);
- }
-
- if(myParser.getRawParameter(LANGUAGE,null)!=null){
- this.currentLanguage=new String(myParser.getRawParameter(LANGUAGE,null));
- WebGoatI18N.setCurrentLanguage(this.currentLanguage);
- }
-
-
- // System.out.println("Current Screen 1: " + currentScreen );
- // System.out.println("Previous Screen 1: " + previousScreen );
- // FIXME: requires ?Logout=true
- // FIXME: doesn't work right -- no reauthentication
- if (myParser.getRawParameter(LOGOUT, null) != null)
- {
- System.out.println("Logout " + request.getUserPrincipal());
- eatCookies();
- request.getSession().invalidate();
- currentScreen = WELCOME;
- previousScreen = ERROR;
- }
-
- // There are several scenarios where we want the first lesson to be loaded
- // 1) Previous screen is Welcome - Start of the course
- // 2) After a logout and after the session has been reinitialized
- if ((this.getPreviousScreen() == WebSession.WELCOME) || (getRequest().getSession(false) != null &&
- // getRequest().getSession(false).isNew() &&
- this.getCurrentScreen() == WebSession.WELCOME && this.getPreviousScreen() == WebSession.ERROR))
- {
- currentScreen = course.getFirstLesson().getScreenId();
- hintNum = -1;
- }
-
- // System.out.println("Current Screen 2: " + currentScreen );
- // System.out.println("Previous Screen 2: " + previousScreen );
- // update the screen variables
- previousScreen = currentScreen;
-
- try
- {
- // If the request is new there should be no parameters.
- // This can occur from a session timeout or a the starting of a new course.
- if (!request.getSession().isNew())
- {
- currentScreen = myParser.getIntParameter(SCREEN, currentScreen);
- }
- else
- {
- if (!myParser.getRawParameter(SCREEN, "NULL").equals("NULL"))
- {
- this.setMessage("Session Timeout - Starting new Session.");
- }
- }
- } catch (Exception e)
- {
- }
-
- // clear variables when switching screens
- if (this.getCurrentScreen() != this.getPreviousScreen())
- {
- if (webgoatContext.isDebug())
- {
- setMessage("Changed to a new screen, clearing cookies and hints");
- }
- eatCookies();
- hintNum = -1;
- }
- else if (myParser.getRawParameter(STAGE, null) != null)
- {
- AbstractLesson al = getCurrentLesson();
- if (al instanceof SequentialLessonAdapter)
- {
- SequentialLessonAdapter sla = (SequentialLessonAdapter) al;
- int stage = myParser.getIntParameter(STAGE, sla.getStage(this));
- if (stage > 0 && stage <= sla.getStageCount()) sla.setStage(this, stage);
- }
- else if (al instanceof RandomLessonAdapter)
- {
- try
- {
- RandomLessonAdapter rla = (RandomLessonAdapter) al;
- int stage = myParser.getIntParameter(STAGE) - 1;
- String[] stages = rla.getStages();
- if (stages == null) stages = new String[0];
- if (stage >= 0 && stage < stages.length) rla.setStage(this, stages[stage]);
- } catch (ParameterNotFoundException pnfe)
- {
- }
- }
- }
- // else update global variables for the current screen
- else
- {
- // Handle "restart" commands
- int lessonId = myParser.getIntParameter(RESTART, -1);
- if (lessonId != -1)
- {
- restartLesson(lessonId);
- }
- // if ( myParser.getBooleanParameter( RESTART, false ) )
- // {
- // getCurrentLesson().getLessonTracker( this ).getLessonProperties().setProperty(
- // CHALLENGE_STAGE, "1" );
- // }
-
- // Handle "show" commands
- String showCommand = myParser.getStringParameter(SHOW, null);
- if (showCommand != null)
- {
- if (showCommand.equalsIgnoreCase(SHOW_PARAMS))
- {
- showParams = !showParams;
- }
- else if (showCommand.equalsIgnoreCase(SHOW_COOKIES))
- {
- showCookies = !showCookies;
- }
- else if (showCommand.equalsIgnoreCase(SHOW_SOURCE))
- {
- content = getSource();
- // showSource = true;
- }
- else if (showCommand.equalsIgnoreCase(SHOW_SOLUTION))
- {
- content = getSolution();
- // showSource = true;
- }
- else if (showCommand.equalsIgnoreCase(SHOW_NEXTHINT))
- {
- getNextHint();
- }
- else if (showCommand.equalsIgnoreCase(SHOW_PREVIOUSHINT))
- {
- getPreviousHint();
- }
- }
-
- }
-
- isAdmin = request.isUserInRole(WEBGOAT_ADMIN);
- isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin);
- if (isHackedAdmin)
- {
- System.out.println("Hacked admin");
- hasHackedHackableAdmin = true;
- }
- isColor = myParser.getBooleanParameter(COLOR, isColor);
- isDebug = myParser.getBooleanParameter(DEBUG, isDebug);
-
- // System.out.println( "showParams:" + showParams );
- // System.out.println( "showSource:" + showSource );
- // System.out.println( "showSolution:" + showSolution );
- // System.out.println( "showCookies:" + showCookies );
- // System.out.println( "showRequest:" + showRequest );
-
- if (content != null)
- {
- response.setContentType("text/html");
- PrintWriter out = new PrintWriter(response.getOutputStream());
- out.print(content);
- out.flush();
- out.close();
- }
- }
-
- private void restartLesson(int lessonId)
- {
- AbstractLesson al = getLesson(lessonId);
- System.out.println("Restarting lesson: " + al);
- al.getLessonTracker(this).setCompleted(false);
- if (al instanceof SequentialLessonAdapter)
- {
- SequentialLessonAdapter sla = (SequentialLessonAdapter) al;
- sla.getLessonTracker(this).setStage(1);
- }
- else if (al instanceof RandomLessonAdapter)
- {
- RandomLessonAdapter rla = (RandomLessonAdapter) al;
- rla.setStage(this, rla.getStages()[0]);
- }
- }
-
- /**
- * @param string
- */
- public void setHasHackableAdmin(String role)
- {
- hasHackedHackableAdmin = (AbstractLesson.HACKED_ADMIN_ROLE.equals(role) & hasHackedHackableAdmin);
-
- // if the user got the Admin=true parameter correct AND they accessed an admin screen
- if (hasHackedHackableAdmin)
- {
- completedHackableAdmin = true;
- }
- }
-
- /**
- * @return Returns the isDebug.
- */
- public boolean isDebug()
- {
- return isDebug;
- }
-
- /**
- * @param header
- * - request header value to return
- * @return
- */
- public String getHeader(String header)
- {
- return getRequest().getHeader(header);
- }
-
- public String getNextHint()
- {
- String hint = null;
-
- // FIXME
- int maxHints = getCurrentLesson().getHintCount(this);
- if (hintNum < maxHints - 1)
- {
- hintNum++;
-
- // Hints are indexed from 0
- getCurrentLesson().getLessonTracker(this).setMaxHintLevel(getHintNum() + 1);
-
- hint = (String) getCurrentLesson().getHint(this, getHintNum());
- }
-
- return hint;
- }
-
- public String getPreviousHint()
- {
- String hint = null;
-
- if (hintNum > 0)
- {
- hintNum--;
-
- // Hints are indexed from 0
- getCurrentLesson().getLessonTracker(this).setMaxHintLevel(getHintNum() + 1);
-
- hint = (String) getCurrentLesson().getHint(this, getHintNum());
- }
-
- return hint;
- }
-
- public void setCurrentMenu(Integer ranking)
- {
- currentMenu = ranking.intValue();
- }
-
- public int getCurrentMenu()
- {
- return currentMenu;
- }
-
- public WebgoatContext getWebgoatContext()
- {
- return webgoatContext;
- }
-
- public String getCurrrentLanguage() {
- return currentLanguage;
- }
-
-
-}
+package org.owasp.webgoat.session;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.security.Principal;
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Hashtable;
+import java.util.List;
+import java.util.Map;
+import java.util.Vector;
+import javax.servlet.ServletContext;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.RandomLessonAdapter;
+import org.owasp.webgoat.lessons.SequentialLessonAdapter;
+import org.owasp.webgoat.util.WebGoatI18N;
+
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository
+ * for free software projects.
+ *
+ * For details, please see http://code.google.com/p/webgoat/
+ *
+ * @author Jeff Williams Aspect
+ * Security
+ * @author Bruce Mayhew WebGoat
+ *
+ * @created October 28, 2003
+ */
+public class WebSession {
+
+ /**
+ * Description of the Field
+ */
+ public final static String ADMIN = "admin";
+
+ /**
+ * Tomcat role for a webgoat user
+ */
+ public final static String WEBGOAT_USER = "webgoat_user";
+
+ /**
+ * Tomcat role for a webgoat admin
+ */
+ public final static String WEBGOAT_ADMIN = "webgoat_admin";
+
+ /**
+ * Description of the Field
+ */
+ public final static String CHALLENGE = "Challenge";
+
+ /**
+ * Description of the Field
+ */
+ public final static String COLOR = "color";
+
+ /**
+ * Description of the Field
+ */
+ public final static int ERROR = 0;
+
+ public static final String STAGE = "stage";
+
+ /**
+ * Description of the Field
+ */
+ public final static String JSESSION_ID = "jsessionid";
+
+ /**
+ * Description of the Field
+ */
+ public final static String LOGOUT = "Logout";
+
+ /**
+ * Description of the Field
+ */
+ public final static String RESTART = "Restart";
+
+ /**
+ * Description of the Field
+ */
+ public final static String MENU = "menu";
+
+ /**
+ * Description of the Field
+ */
+ public final static String SCREEN = "Screen";
+
+ /**
+ * Description of the Field
+ */
+ public final static String SESSION = "Session";
+
+ public final static String SHOWSOURCE = "ShowSource";
+
+ public final static String SHOWSOLUTION = "ShowSolution";
+
+ public final static String SHOWHINTS = "ShowHints";
+
+ public final static String SHOW = "show";
+
+ public final static String SHOW_NEXTHINT = "NextHint";
+
+ public final static String SHOW_PREVIOUSHINT = "PreviousHint";
+
+ public final static String SHOW_PARAMS = "Params";
+
+ public final static String SHOW_COOKIES = "Cookies";
+
+ public final static String SHOW_SOURCE = "Source";
+
+ public final static String SHOW_SOLUTION = "Solution";
+
+ public final static String DEBUG = "debug";
+
+ public final static String LANGUAGE = "language";
+
+ /**
+ * Description of the Field
+ */
+ public final static int WELCOME = -1;
+
+ private WebgoatContext webgoatContext;
+
+ private ServletContext context = null;
+
+ private Course course;
+
+ private int currentScreen = WELCOME;
+
+ private int previousScreen = ERROR;
+
+ private int hintNum = -1;
+
+ private boolean isAdmin = false;
+
+ private boolean isHackedAdmin = false;
+
+ private boolean isAuthenticated = false;
+
+ private boolean isColor = false;
+
+ private boolean isDebug = false;
+
+ private boolean hasHackedHackableAdmin = false;
+
+ private StringBuffer message = new StringBuffer("");
+
+ private ParameterParser myParser;
+
+ private HttpServletRequest request = null;
+
+ private HttpServletResponse response = null;
+
+ private String servletName;
+
+ private HashMap session = new HashMap();
+
+ private boolean showCookies = false;
+
+ private boolean showParams = false;
+
+ private boolean showRequest = false;
+
+ private boolean showSource = false;
+
+ private boolean showSolution = false;
+
+ private boolean completedHackableAdmin = false;
+
+ private int currentMenu;
+
+ private String currentLanguage = null;
+
+ /**
+ * Constructor for the WebSession object
+ *
+ * @param servlet Description of the Parameter
+ * @param context Description of the Parameter
+ */
+ public WebSession(WebgoatContext webgoatContext, ServletContext context) {
+ this.webgoatContext = webgoatContext;
+ // initialize from web.xml
+ showParams = webgoatContext.isShowParams();
+ showCookies = webgoatContext.isShowCookies();
+ showSource = webgoatContext.isShowSource();
+ showSolution = webgoatContext.isShowSolution();
+ showRequest = webgoatContext.isShowRequest();
+ currentLanguage = webgoatContext.getDefaultLanguage();
+ this.context = context;
+
+ course = new Course();
+ course.loadCourses(webgoatContext, context, "/");
+ }
+
+ public static synchronized Connection getConnection(WebSession s) throws SQLException {
+ return DatabaseUtilities.getConnection(s);
+ }
+
+ public static void returnConnection(WebSession s) {
+ DatabaseUtilities.returnConnection(s.getUserName());
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param key Description of the Parameter
+ * @param value Description of the Parameter
+ */
+ public void add(String key, Object value) {
+ session.put(key, value);
+ }
+
+ /**
+ * Description of the Method
+ */
+ public void clearMessage() {
+ message.setLength(0);
+ }
+
+ /**
+ * Description of the Method
+ */
+ public void eatCookies() {
+ Cookie[] cookies = request.getCookies();
+
+ for (int loop = 0; loop < cookies.length; loop++) {
+ if (!cookies[loop].getName().startsWith("JS")) {// skip jsessionid cookie
+ cookies[loop].setMaxAge(0);// mark for deletion by browser
+ response.addCookie(cookies[loop]);
+ }
+ }
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param key Description of the Parameter
+ * @return Description of the Return Value
+ */
+ public Object get(String key) {
+ return (session.get(key));
+ }
+
+ /**
+ * Gets the context attribute of the WebSession object
+ *
+ * @return The context value
+ */
+ public ServletContext getContext() {
+ return context;
+ }
+
+ public List getRoles() {
+ List roles = new ArrayList();
+
+ roles.add(AbstractLesson.USER_ROLE);
+ if (isAdmin()) {
+ roles.add(AbstractLesson.ADMIN_ROLE);
+ }
+
+ return roles;
+ }
+
+ /**
+ * Sets the admin flag - this routine is ONLY here to allow someone a
+ * backdoor to setting the user up as an admin.
+ *
+ * This is also used by the WebSession to set the admin, but the method
+ * should be private
+ *
+ * @param state
+ */
+ public void setAdmin(boolean state) {
+ isAdmin = state;
+
+ }
+
+ public String getRole() {
+
+ String role = "";
+ if (isAdmin()) {
+ role = AbstractLesson.ADMIN_ROLE;
+ } else if (isHackedAdmin()) {
+ role = AbstractLesson.HACKED_ADMIN_ROLE;
+ } else if (isChallenge()) {
+ role = AbstractLesson.CHALLENGE_ROLE;
+ } else {
+ role = AbstractLesson.USER_ROLE;
+ }
+
+ return role;
+ }
+
+ /**
+ * Gets the course attribute of the WebSession object
+ *
+ * @return The course value
+ */
+ public Course getCourse() {
+ return course;
+ }
+
+ public void setCourse(Course course) {
+ this.course = course;
+ }
+
+ /**
+ * Gets the currentScreen attribute of the WebSession object
+ *
+ * @return The currentScreen value
+ */
+ public int getCurrentScreen() {
+ return (currentScreen);
+ }
+
+ public void setCurrentScreen(int screen) {
+ currentScreen = screen;
+ }
+
+ public String getRestartLink() {
+ return getCurrentLesson().getLink() + "&" + RESTART + "=" + getCurrentScreen();
+ }
+
+ public String getCurrentLink() {
+ String thisLink = "attack";
+ Enumeration e = request.getParameterNames();
+ boolean isFirstParameter = true;
+ while (e.hasMoreElements()) {
+ String name = e.nextElement();
+ if (isFirstParameter) {
+ isFirstParameter = false;
+ thisLink += "?";
+ } else {
+ thisLink += "&";
+ }
+ thisLink = thisLink + name + "=" + request.getParameter(name);
+ }
+
+ return thisLink;
+ }
+
+ public AbstractLesson getCurrentLesson() {
+ return getCourse().getLesson(this, getCurrentScreen(), getRoles());
+ }
+
+ public AbstractLesson getLesson(int id) {
+ return getCourse().getLesson(this, id, getRoles());
+ }
+
+ public List getLessons(Category category) {
+ return getCourse().getLessons(this, category, getRoles());
+ }
+
+ /**
+ * Gets the hint1 attribute of the WebSession object
+ *
+ * @return The hint1 value
+ */
+ private int getHintNum() {
+ return (hintNum);
+ }
+
+ public String getHint() {
+ String hint = null;
+ int hints = getCurrentLesson().getHintCount(this);
+ if (getHintNum() > hints) {
+ hintNum = -1;
+ }
+ if (getHintNum() >= 0) // FIXME
+ {
+ hint = getCurrentLesson().getHint(this, getHintNum());
+ }
+
+ return hint;
+ }
+
+ public List getParams() {
+ Vector params = null;
+
+ if (showParams() && getParser() != null) {
+ params = new Vector();
+
+ Enumeration e = getParser().getParameterNames();
+
+ while ((e != null) && e.hasMoreElements()) {
+ String name = (String) e.nextElement();
+ String[] values = getParser().getParameterValues(name);
+
+ for (int loop = 0; (values != null) && (loop < values.length); loop++) {
+ params.add(new Parameter(name, values[loop]));
+ // params.add( name + " -> " + values[loop] );
+ }
+ }
+
+ Collections.sort(params);
+ }
+
+ return params;
+ }
+
+ public List getCookies() {
+ List cookies = null;
+
+ if (showCookies()) {
+ cookies = Arrays.asList(request.getCookies());
+ }
+
+ /*
+ * List cookies = new Vector(); HttpServletRequest request = getRequest(); Cookie[] cookies
+ * = request.getCookies(); if ( cookies.length == 0 ) { list.addElement( new LI(
+ * "No Cookies" ) ); } for ( int i = 0; i < cookies.length; i++ ) { Cookie cookie =
+ * cookies[i]; cookies.add(cookie); //list.addElement( new LI( cookie.getName() + " -> " +
+ * cookie.getValue() ) ); }
+ */
+ return cookies;
+ }
+
+ /**
+ * Gets the cookie attribute of the CookieScreen object
+ *
+ * @param s Description of the Parameter
+ * @return The cookie value
+ */
+ public String getCookie(String cookieName) {
+ Cookie[] cookies = getRequest().getCookies();
+
+ for (int i = 0; i < cookies.length; i++) {
+ if (cookies[i].getName().equalsIgnoreCase(cookieName)) {
+ return (cookies[i].getValue());
+ }
+ }
+
+ return (null);
+ }
+
+ public String getSource() {
+ return "Sorry. No Java Source viewing available.";
+ // return getCurrentLesson().getSource(this);
+ }
+
+ public String getSolution() {
+ return "Sorry. No solution is available.";
+ // return getCurrentLesson().getSolution(this);
+ }
+
+ public String getInstructions() {
+ return getCurrentLesson().getInstructions(this);
+ }
+
+ /**
+ * Gets the message attribute of the WebSession object
+ *
+ * @return The message value
+ */
+ public String getMessage() {
+ return (message.toString());
+ }
+
+ /**
+ * Gets the parser attribute of the WebSession object
+ *
+ * @return The parser value
+ */
+ public ParameterParser getParser() {
+ return (myParser);
+ }
+
+ /**
+ * Gets the previousScreen attribute of the WebSession object
+ *
+ * @return The previousScreen value
+ */
+ public int getPreviousScreen() {
+ return (previousScreen);
+ }
+
+ /**
+ * Gets the request attribute of the WebSession object
+ *
+ * @return The request value
+ */
+ public HttpServletRequest getRequest() {
+ return request;
+ }
+
+ public void setRequest(HttpServletRequest request) {
+ this.request = request;
+ }
+
+ /**
+ * Gets the response attribute of the WebSession object
+ *
+ * @return The response value
+ */
+ public HttpServletResponse getResponse() {
+ return response;
+ }
+
+ /**
+ * Gets the servletName attribute of the WebSession object
+ *
+ * @return The servletName value
+ */
+ public String getServletName() {
+ return (servletName);
+ }
+
+ /**
+ * Gets the sourceFile attribute of the WebSession object
+ *
+ * @param screen Description of the Parameter
+ * @return The sourceFile value
+ */
+ public String getWebResource(String fileName) {
+ // Note: doesn't work for admin path! Maybe with a ../ attack
+ return (context.getRealPath(fileName));
+ }
+
+ /**
+ * Gets the admin attribute of the WebSession object
+ *
+ * @return The admin value
+ */
+ public boolean isAdmin() {
+ return (isAdmin);
+ }
+
+ /**
+ * Gets the hackedAdmin attribute of the WebSession object
+ *
+ * @return The hackedAdmin value
+ */
+ public boolean isHackedAdmin() {
+ return (isHackedAdmin);
+ }
+
+ /**
+ * Has the user ever hacked the hackable admin
+ *
+ * @return The hackedAdmin value
+ */
+ public boolean completedHackableAdmin() {
+ return (completedHackableAdmin);
+ }
+
+ /**
+ * Gets the authenticated attribute of the WebSession object
+ *
+ * @return The authenticated value
+ */
+ public boolean isAuthenticated() {
+ return (isAuthenticated);
+ }
+
+ private Map lessonSessions = new Hashtable();
+
+ public boolean isAuthenticatedInLesson(AbstractLesson lesson) {
+ boolean authenticated = false;
+
+ LessonSession lessonSession = getLessonSession(lesson);
+ if (lessonSession != null) {
+ authenticated = lessonSession.isAuthenticated();
+ }
+ // System.out.println("Authenticated for lesson " + lesson + "? " + authenticated);
+
+ return authenticated;
+ }
+
+ public boolean isAuthorizedInLesson(int employeeId, String functionId) {
+ return getCurrentLesson().isAuthorized(this, employeeId, functionId);
+ }
+
+ public boolean isAuthorizedInLesson(String role, String functionId) {
+ return getCurrentLesson().isAuthorized(this, role, functionId);
+ }
+
+ public int getUserIdInLesson() throws ParameterNotFoundException {
+ return getCurrentLesson().getUserId(this);
+ }
+
+ public String getUserNameInLesson() throws ParameterNotFoundException {
+ return getCurrentLesson().getUserName(this);
+ }
+
+ public void openLessonSession(AbstractLesson lesson) {
+ System.out.println("Opening new lesson session for lesson " + lesson);
+ LessonSession lessonSession = new LessonSession();
+ lessonSessions.put(lesson, lessonSession);
+ }
+
+ public void closeLessonSession(AbstractLesson lesson) {
+ lessonSessions.remove(lesson);
+ }
+
+ public LessonSession getLessonSession(AbstractLesson lesson) {
+ return lessonSessions.get(lesson);
+ }
+
+ /**
+ * Gets the challenge attribute of the WebSession object
+ *
+ * @return The challenge value
+ */
+ public boolean isChallenge() {
+ if (getCurrentLesson() != null) {
+ return (Category.CHALLENGE.equals(getCurrentLesson().getCategory()));
+ }
+ return false;
+ }
+
+ /**
+ * Gets the color attribute of the WebSession object
+ *
+ * @return The color value
+ */
+ public boolean isColor() {
+ return (isColor);
+ }
+
+ /**
+ * Gets the screen attribute of the WebSession object
+ *
+ * @param value Description of the Parameter
+ * @return The screen value
+ */
+ public boolean isScreen(int value) {
+ return (getCurrentScreen() == value);
+ }
+
+ /**
+ * Gets the user attribute of the WebSession object
+ *
+ * @return The user value
+ */
+ public boolean isUser() {
+ return (!isAdmin && !isChallenge());
+ }
+
+ /**
+ * Sets the message attribute of the WebSession object
+ *
+ * @param text The new message value
+ */
+ public void setMessage(String text) {
+ message.append("
" + " * " + text);
+ }
+
+ public void setLineBreak(String text) {
+ message.append("
" + text);
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @return Description of the Return Value
+ */
+ public boolean showCookies() {
+ return (showCookies);
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @return Description of the Return Value
+ */
+ public boolean showParams() {
+ return (showParams);
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @return Description of the Return Value
+ */
+ public boolean showRequest() {
+ return (showRequest);
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @return Description of the Return Value
+ */
+ public boolean showSource() {
+ return (showSource);
+ }
+
+ public boolean showSolution() {
+ return (showSolution);
+ }
+
+ /**
+ * Gets the userName attribute of the WebSession object
+ *
+ * @return The userName value
+ */
+ public String getUserName() {
+ HttpServletRequest request = getRequest();
+ if (request == null) {
+ throw new RuntimeException("Could not find the ServletRequest in the web session");
+ }
+ Principal principal = request.getUserPrincipal();
+ if (principal == null) {
+ throw new RuntimeException("Could not find the Principal in the Servlet Request");
+ }
+ return principal.getName();
+ }
+
+ /**
+ * Parse parameters from the given request, handle any servlet commands, and
+ * update this session based on the parameters.
+ *
+ * @param request Description of the Parameter
+ * @param response Description of the Parameter
+ * @param name Description of the Parameter
+ */
+ public void update(HttpServletRequest request, HttpServletResponse response, String name) throws IOException {
+ String content = null;
+
+ clearMessage();
+ this.request = request;
+ this.response = response;
+ this.servletName = name;
+
+ if (myParser == null) {
+ myParser = new ParameterParser(request);
+ } else {
+ myParser.update(request);
+ }
+
+ if (myParser.getRawParameter(LANGUAGE, null) != null) {
+ this.currentLanguage = new String(myParser.getRawParameter(LANGUAGE, null));
+ WebGoatI18N.setCurrentLanguage(this.currentLanguage);
+ }
+
+ // System.out.println("Current Screen 1: " + currentScreen );
+ // System.out.println("Previous Screen 1: " + previousScreen );
+ // FIXME: requires ?Logout=true
+ // FIXME: doesn't work right -- no reauthentication
+ if (myParser.getRawParameter(LOGOUT, null) != null) {
+ System.out.println("Logout " + request.getUserPrincipal());
+ eatCookies();
+ request.getSession().invalidate();
+ currentScreen = WELCOME;
+ previousScreen = ERROR;
+ }
+
+ // There are several scenarios where we want the first lesson to be loaded
+ // 1) Previous screen is Welcome - Start of the course
+ // 2) After a logout and after the session has been reinitialized
+ if ((this.getPreviousScreen() == WebSession.WELCOME) || (getRequest().getSession(false) != null
+ && // getRequest().getSession(false).isNew() &&
+ this.getCurrentScreen() == WebSession.WELCOME && this.getPreviousScreen() == WebSession.ERROR)) {
+ currentScreen = course.getFirstLesson().getScreenId();
+ hintNum = -1;
+ }
+
+ // System.out.println("Current Screen 2: " + currentScreen );
+ // System.out.println("Previous Screen 2: " + previousScreen );
+ // update the screen variables
+ previousScreen = currentScreen;
+
+ try {
+ // If the request is new there should be no parameters.
+ // This can occur from a session timeout or a the starting of a new course.
+ if (!request.getSession().isNew()) {
+ currentScreen = myParser.getIntParameter(SCREEN, currentScreen);
+ } else {
+ if (!myParser.getRawParameter(SCREEN, "NULL").equals("NULL")) {
+ this.setMessage("Session Timeout - Starting new Session.");
+ }
+ }
+ } catch (Exception e) {
+ }
+
+ // clear variables when switching screens
+ if (this.getCurrentScreen() != this.getPreviousScreen()) {
+ if (webgoatContext.isDebug()) {
+ setMessage("Changed to a new screen, clearing cookies and hints");
+ }
+ eatCookies();
+ hintNum = -1;
+ } else if (myParser.getRawParameter(STAGE, null) != null) {
+ AbstractLesson al = getCurrentLesson();
+ if (al instanceof SequentialLessonAdapter) {
+ SequentialLessonAdapter sla = (SequentialLessonAdapter) al;
+ int stage = myParser.getIntParameter(STAGE, sla.getStage(this));
+ if (stage > 0 && stage <= sla.getStageCount()) {
+ sla.setStage(this, stage);
+ }
+ } else if (al instanceof RandomLessonAdapter) {
+ try {
+ RandomLessonAdapter rla = (RandomLessonAdapter) al;
+ int stage = myParser.getIntParameter(STAGE) - 1;
+ String[] stages = rla.getStages();
+ if (stages == null) {
+ stages = new String[0];
+ }
+ if (stage >= 0 && stage < stages.length) {
+ rla.setStage(this, stages[stage]);
+ }
+ } catch (ParameterNotFoundException pnfe) {
+ }
+ }
+ } // else update global variables for the current screen
+ else {
+ // Handle "restart" commands
+ int lessonId = myParser.getIntParameter(RESTART, -1);
+ if (lessonId != -1) {
+ restartLesson(lessonId);
+ }
+ // if ( myParser.getBooleanParameter( RESTART, false ) )
+ // {
+ // getCurrentLesson().getLessonTracker( this ).getLessonProperties().setProperty(
+ // CHALLENGE_STAGE, "1" );
+ // }
+
+ // Handle "show" commands
+ String showCommand = myParser.getStringParameter(SHOW, null);
+ if (showCommand != null) {
+ if (showCommand.equalsIgnoreCase(SHOW_PARAMS)) {
+ showParams = !showParams;
+ } else if (showCommand.equalsIgnoreCase(SHOW_COOKIES)) {
+ showCookies = !showCookies;
+ } else if (showCommand.equalsIgnoreCase(SHOW_SOURCE)) {
+ content = getSource();
+ // showSource = true;
+ } else if (showCommand.equalsIgnoreCase(SHOW_SOLUTION)) {
+ content = getSolution();
+ // showSource = true;
+ } else if (showCommand.equalsIgnoreCase(SHOW_NEXTHINT)) {
+ getNextHint();
+ } else if (showCommand.equalsIgnoreCase(SHOW_PREVIOUSHINT)) {
+ getPreviousHint();
+ }
+ }
+
+ }
+
+ isAdmin = request.isUserInRole(WEBGOAT_ADMIN);
+ isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin);
+ if (isHackedAdmin) {
+ System.out.println("Hacked admin");
+ hasHackedHackableAdmin = true;
+ }
+ isColor = myParser.getBooleanParameter(COLOR, isColor);
+ isDebug = myParser.getBooleanParameter(DEBUG, isDebug);
+
+ // System.out.println( "showParams:" + showParams );
+ // System.out.println( "showSource:" + showSource );
+ // System.out.println( "showSolution:" + showSolution );
+ // System.out.println( "showCookies:" + showCookies );
+ // System.out.println( "showRequest:" + showRequest );
+ if (content != null) {
+ response.setContentType("text/html");
+ PrintWriter out = new PrintWriter(response.getOutputStream());
+ out.print(content);
+ out.flush();
+ out.close();
+ }
+ }
+
+ private void restartLesson(int lessonId) {
+ AbstractLesson al = getLesson(lessonId);
+ System.out.println("Restarting lesson: " + al);
+ al.getLessonTracker(this).setCompleted(false);
+ if (al instanceof SequentialLessonAdapter) {
+ SequentialLessonAdapter sla = (SequentialLessonAdapter) al;
+ sla.getLessonTracker(this).setStage(1);
+ } else if (al instanceof RandomLessonAdapter) {
+ RandomLessonAdapter rla = (RandomLessonAdapter) al;
+ rla.setStage(this, rla.getStages()[0]);
+ }
+ }
+
+ /**
+ * @param string
+ */
+ public void setHasHackableAdmin(String role) {
+ hasHackedHackableAdmin = (AbstractLesson.HACKED_ADMIN_ROLE.equals(role) & hasHackedHackableAdmin);
+
+ // if the user got the Admin=true parameter correct AND they accessed an admin screen
+ if (hasHackedHackableAdmin) {
+ completedHackableAdmin = true;
+ }
+ }
+
+ /**
+ * @return Returns the isDebug.
+ */
+ public boolean isDebug() {
+ return isDebug;
+ }
+
+ /**
+ * @param header - request header value to return
+ * @return
+ */
+ public String getHeader(String header) {
+ return getRequest().getHeader(header);
+ }
+
+ public String getNextHint() {
+ String hint = null;
+
+ // FIXME
+ int maxHints = getCurrentLesson().getHintCount(this);
+ if (hintNum < maxHints - 1) {
+ hintNum++;
+
+ // Hints are indexed from 0
+ getCurrentLesson().getLessonTracker(this).setMaxHintLevel(getHintNum() + 1);
+
+ hint = (String) getCurrentLesson().getHint(this, getHintNum());
+ }
+
+ return hint;
+ }
+
+ public String getPreviousHint() {
+ String hint = null;
+
+ if (hintNum > 0) {
+ hintNum--;
+
+ // Hints are indexed from 0
+ getCurrentLesson().getLessonTracker(this).setMaxHintLevel(getHintNum() + 1);
+
+ hint = (String) getCurrentLesson().getHint(this, getHintNum());
+ }
+
+ return hint;
+ }
+
+ public void setCurrentMenu(Integer ranking) {
+ currentMenu = ranking.intValue();
+ }
+
+ public int getCurrentMenu() {
+ return currentMenu;
+ }
+
+ public WebgoatContext getWebgoatContext() {
+ return webgoatContext;
+ }
+
+ public String getCurrrentLanguage() {
+ return currentLanguage;
+ }
+
+}
diff --git a/java/org/owasp/webgoat/session/WebgoatContext.java b/java/org/owasp/webgoat/session/WebgoatContext.java
index ebb9b34d3..fae41da05 100644
--- a/java/org/owasp/webgoat/session/WebgoatContext.java
+++ b/java/org/owasp/webgoat/session/WebgoatContext.java
@@ -1,248 +1,231 @@
-
-package org.owasp.webgoat.session;
-
-import java.util.Iterator;
-import javax.servlet.http.HttpServlet;
-
-import org.owasp.webgoat.util.WebGoatI18N;
-
-
-public class WebgoatContext
-{
-
- public final static String DATABASE_CONNECTION_STRING = "DatabaseConnectionString";
-
- public final static String DATABASE_DRIVER = "DatabaseDriver";
-
- public final static String DATABASE_USER = "DatabaseUser";
-
- public final static String DATABASE_PASSWORD = "DatabasePassword";
-
- public final static String ENTERPRISE = "Enterprise";
-
- public final static String CODING_EXERCISES = "CodingExercises";
-
- public final static String SHOWCOOKIES = "ShowCookies";
-
- public final static String SHOWPARAMS = "ShowParams";
-
- public final static String SHOWREQUEST = "ShowRequest";
-
- public final static String SHOWSOURCE = "ShowSource";
-
- public final static String SHOWSOLUTION = "ShowSolution";
-
- public final static String SHOWHINTS = "ShowHints";
-
- public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands";
-
- public final static String FEEDBACK_ADDRESS_HTML = "FeedbackAddressHTML";
-
- public final static String FEEDBACK_ADDRESS = "email";
-
- public final static String DEBUG = "debug";
-
- public final static String DEFAULTLANGUAGE = "DefaultLanguage";
-
- private String databaseConnectionString;
-
- private String realConnectionString = null;
-
- private String databaseDriver;
-
- private String databaseUser;
-
- private String databasePassword;
-
- private boolean showCookies = false;
-
- private boolean showParams = false;
-
- private boolean showRequest = false;
-
- private boolean showSource = false;
-
- private boolean showSolution = false;
-
- private boolean defuseOSCommands = false;
-
- private boolean enterprise = false;
-
- private boolean codingExercises = false;
-
- private String feedbackAddress = "webgoat@owasp.org";
-
- private String feedbackAddressHTML = "webgoat@owasp.org";
-
- private boolean isDebug = false;
-
- private String servletName;
-
- private HttpServlet servlet;
-
- private String defaultLanguage;
-
- private WebGoatI18N webgoati18n = null;
-
- public WebgoatContext(HttpServlet servlet)
- {
- this.servlet = servlet;
- databaseConnectionString = getParameter(servlet, DATABASE_CONNECTION_STRING);
- databaseDriver = getParameter(servlet, DATABASE_DRIVER);
- databaseUser = getParameter(servlet, DATABASE_USER);
- databasePassword = getParameter(servlet, DATABASE_PASSWORD);
-
- // initialize from web.xml
- showParams = "true".equals(getParameter(servlet, SHOWPARAMS));
- showCookies = "true".equals(getParameter(servlet, SHOWCOOKIES));
- showSource = "true".equals(getParameter(servlet, SHOWSOURCE));
- showSolution = "true".equals(getParameter(servlet, SHOWSOLUTION));
- defuseOSCommands = "true".equals(getParameter(servlet, DEFUSEOSCOMMANDS));
- enterprise = "true".equals(getParameter(servlet, ENTERPRISE));
- codingExercises = "true".equals(getParameter(servlet, CODING_EXERCISES));
- feedbackAddressHTML = getParameter(servlet, FEEDBACK_ADDRESS_HTML) != null ? getParameter(servlet,
- FEEDBACK_ADDRESS_HTML)
- : feedbackAddressHTML;
- feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS) != null ? getParameter(servlet, FEEDBACK_ADDRESS)
- : feedbackAddress;
- showRequest = "true".equals(getParameter(servlet, SHOWREQUEST));
- isDebug = "true".equals(getParameter(servlet, DEBUG));
- servletName = servlet.getServletName();
- defaultLanguage = getParameter(servlet,DEFAULTLANGUAGE)!=null ? new String(getParameter(servlet, DEFAULTLANGUAGE)): new String("English");
-
- webgoati18n = new WebGoatI18N(this);
-
- }
-
- private String getParameter(HttpServlet servlet, String key)
- {
- String value = System.getenv().get(key);
- if (value == null) value = servlet.getInitParameter(key);
- return value;
- }
-
- /**
- * returns the connection string with the real path to the database directory inserted at the
- * word PATH
- *
- * @return The databaseConnectionString value
- */
- public String getDatabaseConnectionString()
- {
- if (realConnectionString == null) try
- {
- String path = servlet.getServletContext().getRealPath("/database").replace('\\', '/');
- System.out.println("PATH: " + path);
- realConnectionString = databaseConnectionString.replaceAll("PATH", path);
- System.out.println("Database Connection String: " + realConnectionString);
- } catch (Exception e)
- {
- System.out.println("Couldn't open database: check web.xml database parameters");
- e.printStackTrace();
- }
- return realConnectionString;
- }
-
- /**
- * Gets the databaseDriver attribute of the WebSession object
- *
- * @return The databaseDriver value
- */
- public String getDatabaseDriver()
- {
- return (databaseDriver);
- }
-
- /**
- * Gets the databaseUser attribute of the WebSession object
- *
- * @return The databaseUser value
- */
- public String getDatabaseUser()
- {
- return (databaseUser);
- }
-
- /**
- * Gets the databasePassword attribute of the WebSession object
- *
- * @return The databasePassword value
- */
- public String getDatabasePassword()
- {
- return (databasePassword);
- }
-
- public boolean isDefuseOSCommands()
- {
- return defuseOSCommands;
- }
-
- public boolean isEnterprise()
- {
- return enterprise;
- }
-
- public boolean isCodingExercises()
- {
- return codingExercises;
- }
-
- public String getFeedbackAddress()
- {
- return feedbackAddress;
- }
-
- public String getFeedbackAddressHTML()
- {
- return feedbackAddressHTML;
- }
-
- public boolean isDebug()
- {
- return isDebug;
- }
-
- public String getServletName()
- {
- return servletName;
- }
-
- public boolean isShowCookies()
- {
- return showCookies;
- }
-
- public boolean isShowParams()
- {
- return showParams;
- }
-
- public boolean isShowRequest()
- {
- return showRequest;
- }
-
- public boolean isShowSource()
- {
- return showSource;
- }
-
- public boolean isShowSolution()
- {
- return showSolution;
- }
-
- public String getDefaultLanguage() {
- return defaultLanguage;
- }
-
- public void setWebgoatiI18N(WebGoatI18N webgoati18n) {
- this.webgoati18n = webgoati18n;
- }
-
- public WebGoatI18N getWebgoatI18N() {
- return webgoati18n;
- }
-
-}
+package org.owasp.webgoat.session;
+
+import javax.servlet.http.HttpServlet;
+
+import org.owasp.webgoat.util.WebGoatI18N;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class WebgoatContext {
+
+ final Logger logger = LoggerFactory.getLogger(WebgoatContext.class);
+
+ public final static String DATABASE_CONNECTION_STRING = "DatabaseConnectionString";
+
+ public final static String DATABASE_DRIVER = "DatabaseDriver";
+
+ public final static String DATABASE_USER = "DatabaseUser";
+
+ public final static String DATABASE_PASSWORD = "DatabasePassword";
+
+ public final static String ENTERPRISE = "Enterprise";
+
+ public final static String CODING_EXERCISES = "CodingExercises";
+
+ public final static String SHOWCOOKIES = "ShowCookies";
+
+ public final static String SHOWPARAMS = "ShowParams";
+
+ public final static String SHOWREQUEST = "ShowRequest";
+
+ public final static String SHOWSOURCE = "ShowSource";
+
+ public final static String SHOWSOLUTION = "ShowSolution";
+
+ public final static String SHOWHINTS = "ShowHints";
+
+ public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands";
+
+ public final static String FEEDBACK_ADDRESS_HTML = "FeedbackAddressHTML";
+
+ public final static String FEEDBACK_ADDRESS = "email";
+
+ public final static String DEBUG = "debug";
+
+ public final static String DEFAULTLANGUAGE = "DefaultLanguage";
+
+ private String databaseConnectionString;
+
+ private String realConnectionString = null;
+
+ private String databaseDriver;
+
+ private String databaseUser;
+
+ private String databasePassword;
+
+ private boolean showCookies = false;
+
+ private boolean showParams = false;
+
+ private boolean showRequest = false;
+
+ private boolean showSource = false;
+
+ private boolean showSolution = false;
+
+ private boolean defuseOSCommands = false;
+
+ private boolean enterprise = false;
+
+ private boolean codingExercises = false;
+
+ private String feedbackAddress = "webgoat@owasp.org";
+
+ private String feedbackAddressHTML = "webgoat@owasp.org";
+
+ private boolean isDebug = false;
+
+ private String servletName;
+
+ private HttpServlet servlet;
+
+ private String defaultLanguage;
+
+ private WebGoatI18N webgoati18n = null;
+
+ public WebgoatContext(HttpServlet servlet) {
+ this.servlet = servlet;
+ databaseConnectionString = getParameter(servlet, DATABASE_CONNECTION_STRING);
+ databaseDriver = getParameter(servlet, DATABASE_DRIVER);
+ databaseUser = getParameter(servlet, DATABASE_USER);
+ databasePassword = getParameter(servlet, DATABASE_PASSWORD);
+
+ // initialize from web.xml
+ showParams = "true".equals(getParameter(servlet, SHOWPARAMS));
+ showCookies = "true".equals(getParameter(servlet, SHOWCOOKIES));
+ showSource = "true".equals(getParameter(servlet, SHOWSOURCE));
+ showSolution = "true".equals(getParameter(servlet, SHOWSOLUTION));
+ defuseOSCommands = "true".equals(getParameter(servlet, DEFUSEOSCOMMANDS));
+ enterprise = "true".equals(getParameter(servlet, ENTERPRISE));
+ codingExercises = "true".equals(getParameter(servlet, CODING_EXERCISES));
+ feedbackAddressHTML = getParameter(servlet, FEEDBACK_ADDRESS_HTML) != null ? getParameter(servlet,
+ FEEDBACK_ADDRESS_HTML)
+ : feedbackAddressHTML;
+ feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS) != null ? getParameter(servlet, FEEDBACK_ADDRESS)
+ : feedbackAddress;
+ showRequest = "true".equals(getParameter(servlet, SHOWREQUEST));
+ isDebug = "true".equals(getParameter(servlet, DEBUG));
+ servletName = servlet.getServletName();
+ defaultLanguage = getParameter(servlet, DEFAULTLANGUAGE) != null ? new String(getParameter(servlet, DEFAULTLANGUAGE)) : new String("English");
+
+ webgoati18n = new WebGoatI18N(this);
+
+ }
+
+ private String getParameter(HttpServlet servlet, String key) {
+ String value = System.getenv().get(key);
+ if (value == null) {
+ value = servlet.getInitParameter(key);
+ }
+ return value;
+ }
+
+ /**
+ * returns the connection string with the real path to the database
+ * directory inserted at the word PATH
+ *
+ * @return The databaseConnectionString value
+ */
+ public String getDatabaseConnectionString() {
+ if (realConnectionString == null) {
+ try {
+ String path = servlet.getServletContext().getRealPath("/database").replace('\\', '/');
+ System.out.println("PATH: " + path);
+ realConnectionString = databaseConnectionString.replaceAll("PATH", path);
+ System.out.println("Database Connection String: " + realConnectionString);
+ } catch (Exception e) {
+ logger.error("Couldn't open database: check web.xml database parameters", e);
+ }
+ }
+ return realConnectionString;
+ }
+
+ /**
+ * Gets the databaseDriver attribute of the WebSession object
+ *
+ * @return The databaseDriver value
+ */
+ public String getDatabaseDriver() {
+ return (databaseDriver);
+ }
+
+ /**
+ * Gets the databaseUser attribute of the WebSession object
+ *
+ * @return The databaseUser value
+ */
+ public String getDatabaseUser() {
+ return (databaseUser);
+ }
+
+ /**
+ * Gets the databasePassword attribute of the WebSession object
+ *
+ * @return The databasePassword value
+ */
+ public String getDatabasePassword() {
+ return (databasePassword);
+ }
+
+ public boolean isDefuseOSCommands() {
+ return defuseOSCommands;
+ }
+
+ public boolean isEnterprise() {
+ return enterprise;
+ }
+
+ public boolean isCodingExercises() {
+ return codingExercises;
+ }
+
+ public String getFeedbackAddress() {
+ return feedbackAddress;
+ }
+
+ public String getFeedbackAddressHTML() {
+ return feedbackAddressHTML;
+ }
+
+ public boolean isDebug() {
+ return isDebug;
+ }
+
+ public String getServletName() {
+ return servletName;
+ }
+
+ public boolean isShowCookies() {
+ return showCookies;
+ }
+
+ public boolean isShowParams() {
+ return showParams;
+ }
+
+ public boolean isShowRequest() {
+ return showRequest;
+ }
+
+ public boolean isShowSource() {
+ return showSource;
+ }
+
+ public boolean isShowSolution() {
+ return showSolution;
+ }
+
+ public String getDefaultLanguage() {
+ return defaultLanguage;
+ }
+
+ public void setWebgoatiI18N(WebGoatI18N webgoati18n) {
+ this.webgoati18n = webgoati18n;
+ }
+
+ public WebGoatI18N getWebgoatI18N() {
+ return webgoati18n;
+ }
+
+}
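Review bot: The migration to slf4j is incomplete in getDatabaseConnectionString — the catch block now uses `logger.error(...)`, but the two `System.out.println` calls just above it still print the resolved database path and the full connection string to stdout on first use. Replace them with `logger.debug("PATH: {}", path);` and `logger.debug("Database Connection String: {}", realConnectionString);`, and if the JDBC URL configured via web.xml or the environment can carry credentials, log only a redacted form rather than the whole string, since MAIN_LOG is a rolling file that outlives the request. The new `final Logger logger` field is also package-visible and per-instance; the conventional declaration is `private static final Logger logger = LoggerFactory.getLogger(WebgoatContext.class);`, which is the same pattern this commit introduces elsewhere and avoids one logger lookup per context object. Separately, `new String(getParameter(...))` and `new String("English")` in the constructor copy strings for no effect and can be the bare expressions.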
diff --git a/resources/log4j.properties b/resources/log4j.properties
index 207c3dcde..9efb1064a 100644
--- a/resources/log4j.properties
+++ b/resources/log4j.properties
@@ -1,4 +1,4 @@
-log4j.rootLogger=INFO, MAIN_LOG, ERROR_LOG
+log4j.rootLogger=DEBUG, MAIN_LOG, ERROR_LOG
# MAIN - everything gets logged here
log4j.appender.MAIN_LOG=org.apache.log4j.RollingFileAppender
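Review bot: Raising the root logger to DEBUG is a global change that turns on every `logger.debug` statement in the application and its libraries, not just the ones added in this commit, so MAIN_LOG will now receive per-request detail (request objects, principals and similar diagnostics, where the code logs them) in a rolling file. If the intent is to see the new WebGoat debug output, a narrower category such as `log4j.category.org.owasp.webgoat=DEBUG` alongside a root of INFO achieves that without capturing framework debug noise or request-level data by default; the `org.springframework=INFO` override added below suggests the extra volume was already noticed. At minimum a comment on the root line stating that DEBUG is a development setting, e.g. `# DEBUG is for local development; use INFO when the log is persisted`, would make the trade-off explicit.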
@@ -9,6 +9,9 @@ log4j.appender.MAIN_LOG.MaxFileSize=10MB
log4j.appender.MAIN_LOG.MaxBackupIndex=5
log4j.appender.MAIN_LOG.append=true
+# a little less spring output
+log4j.category.org.springframework = INFO
+
# ERROR
log4j.appender.ERROR_LOG=org.apache.log4j.RollingFileAppender
log4j.appender.ERROR_LOG.File=${catalina.home}/logs/webgoat_error.log