From a0d4a02f0a2e552f41b2b33e6d7449297f6ce538 Mon Sep 17 00:00:00 2001
From: lawson89
Date: Tue, 3 Jun 2014 15:41:50 -0400
Subject: [PATCH] logging, formatting

---
 java/org/owasp/webgoat/HammerHead.java | 44 +-
 java/org/owasp/webgoat/lessons/Category.java | 339 ++-
 java/org/owasp/webgoat/session/Course.java | 844 +++---
 .../org/owasp/webgoat/session/WebSession.java | 2104 ++++++++---------
 .../owasp/webgoat/session/WebgoatContext.java | 479 ++--
 resources/log4j.properties | 5 +-
 6 files changed, 1800 insertions(+), 2015 deletions(-)

diff --git a/java/org/owasp/webgoat/HammerHead.java b/java/org/owasp/webgoat/HammerHead.java
index 40f263244..14f446d32 100644
--- a/java/org/owasp/webgoat/HammerHead.java
+++ b/java/org/owasp/webgoat/HammerHead.java
@@ -64,7 +64,6 @@ public class HammerHead extends HttpServlet {
     final Logger logger = LoggerFactory.getLogger(HammerHead.class);
-    private static final String WELCOMED = "welcomed";
     /**
@@ -82,7 +81,7 @@ public class HammerHead extends HttpServlet {
      */
     private final static int sessionTimeoutSeconds = 60 * 60 * 24 * 2;
-    // private final static int sessionTimeoutSeconds = 1;
+    // private final static int sessionTimeoutSeconds = 1;
     /**
      * Properties file path
      */
@@ -121,10 +120,9 @@ public class HammerHead extends HttpServlet {
         WebSession mySession = null;
         try {
-            // System.out.println( "HH Entering doPost: " );
-            // System.out.println( " - HH request " + request);
-            // System.out.println( " - HH principle: " +
-            // request.getUserPrincipal() );
+            logger.debug("Entering doPost");
+            logger.debug("request: " + request);
+            logger.debug("principle: " + request.getUserPrincipal());
             // setCacheHeaders(response, 0);
             ServletContext context = getServletContext();
@@ -132,6 +130,7 @@ public class HammerHead extends HttpServlet {
             // call makeScreen() and writeScreen()
             mySession = updateSession(request, response, context);
             if (response.isCommitted()) {
+                logger.debug("Response already committed, exiting");
                 return;
             }
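Review bot: `logger.debug("principle: " + request.getUserPrincipal());` in the `@@ -121,10 +120,9 @@` hunk concatenates the principal into the message on every request before the level check, and the label misspells "principal". With the SLF4J `LoggerFactory` logger visible in the first hunk, the idiomatic form is `logger.debug("principal: {}", request.getUserPrincipal());` and likewise `logger.debug("request: {}", request);`, so the `toString()` work only happens when DEBUG is enabled. This line also writes the authenticated identity to the log for every POST; that is acceptable at DEBUG in a training application, but it should stay off the default level of any shared deployment. The body of doPost continues outside this hunk.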
@@ -142,7 +141,8 @@ public class HammerHead extends HttpServlet {
             // where the lesson "knows" what has happened. To track it at a
             // latter point would
             // require the lesson to have memory.
-            screen = makeScreen(mySession); // This calls the lesson's
+            screen = makeScreen(mySession);
+            // This calls the lesson's
             // handleRequest()
             if (response.isCommitted()) {
                 return;
@@ -178,21 +178,20 @@ public class HammerHead extends HttpServlet {
             request.setAttribute("client.browser", clientBrowser);
             request.getSession().setAttribute("websession", mySession);
             request.getSession().setAttribute("course", mySession.getCourse());
-
-            request.getRequestDispatcher(getViewPage(mySession)).forward(request, response);
+            String viewPage = getViewPage(mySession);
+            logger.debug("Forwarding to view: " + viewPage);
+            request.getRequestDispatcher(viewPage).forward(request, response);
         } catch (Throwable t) {
-            t.printStackTrace();
-            log("ERROR: " + t);
+            logger.error("Error handling request", t);
             screen = new ErrorScreen(mySession, t);
         } finally {
             try {
                 this.writeScreen(mySession, screen, response);
             } catch (Throwable thr) {
-                thr.printStackTrace();
-                log(request, "Could not write error screen: " + thr.getMessage());
+                logger.error("Could not write error screen", thr);
             }
             WebSession.returnConnection(mySession);
-            // System.out.println( "HH Leaving doPost: " );
+            logger.debug("Leaving doPost: ");
         }
     }
@@ -240,6 +239,7 @@ public class HammerHead extends HttpServlet {
      */
     @Override
     public void init() throws ServletException {
+        logger.info("Initializing main webgoat servlet");
         httpDateFormat = new SimpleDateFormat("EEE, dd MMM yyyyy HH:mm:ss z", Locale.US);
         httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
         propertiesPath = getServletContext().getRealPath("./WEB-INF/webgoat.properties");
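Review bot: `logger.debug("Forwarding to view: " + viewPage);` in the `@@ -178,21 +178,20 @@` hunk still builds its message by concatenation; with an SLF4J logger it should be `logger.debug("Forwarding to view: {}", viewPage);` so the string is only assembled when DEBUG is on. The new `logger.error("Error handling request", t)` is a real improvement over `printStackTrace()` because the stack trace now reaches the configured appender, but the enclosing `catch (Throwable t)` still passes the raw throwable to `new ErrorScreen(mySession, t)`, so whatever that screen renders is unchanged by this commit; presumably deliberate in WebGoat, but a comment such as `// ErrorScreen may render t to the client; intended for the training environment` would make that explicit. The body of doPost starts outside this hunk.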
@@ -280,7 +280,7 @@ public class HammerHead extends HttpServlet {
         } else {
             AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
             if (lesson == null && s.isHackedAdmin()) {
-                // If admin was hacked, let the user see some of the
+                // If admin was hacked, let the user see some of the
                 // admin screens
                 lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE);
             }
@@ -288,7 +288,7 @@ public class HammerHead extends HttpServlet {
             if (lesson != null) {
                 screen = lesson;
-                // We need to do some bookkeeping for the hackable admin
+                // We need to do some bookkeeping for the hackable admin
                 // interface.
                 // This is the only place we can tell if the user
                 // successfully hacked the hackable
@@ -307,7 +307,7 @@ public class HammerHead extends HttpServlet {
             if (scr == WebSession.WELCOME) {
                 screen = new WelcomeAdminScreen(s);
             } else {
-                // Admin can see all roles.
+                // Admin can see all roles.
                 // FIXME: should be able to pass a list of roles.
                 AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.ADMIN_ROLE);
                 if (lesson == null) {
@@ -320,7 +320,7 @@ public class HammerHead extends HttpServlet {
                 if (lesson != null) {
                     screen = lesson;
-                    // We need to do some bookkeeping for the hackable admin
+                    // We need to do some bookkeeping for the hackable admin
                     // interface.
                     // This is the only place we can tell if the user
                     // successfully hacked the hackable
@@ -374,7 +374,7 @@ public class HammerHead extends HttpServlet {
         HttpSession hs;
         hs = request.getSession(true);
-        // System.out.println( "HH Entering Session_id: " + hs.getId() );
+        // System.out.println( "HH Entering Session_id: " + hs.getId() );
         // dumpSession( hs );
         // Get our session object out of the HTTP session
         WebSession session = null;
@@ -383,7 +383,7 @@ public class HammerHead extends HttpServlet {
         if ((o != null) && o instanceof WebSession) {
             session = (WebSession) o;
         } else {
-            // Create new custom session and save it in the HTTP session
+            // Create new custom session and save it in the HTTP session
             // System.out.println( "HH Creating new WebSession: " );
             session = new WebSession(webgoatContext, context);
             // Ensure splash screen shows on any restart
@@ -396,7 +396,7 @@ public class HammerHead extends HttpServlet {
         session.update(request, response, this.getServletName());
-        // to authenticate
+        // to authenticate
         // System.out.println( "HH Leaving Session_id: " + hs.getId() );
         // dumpSession( hs );
         return (session);
@@ -419,7 +419,7 @@ public class HammerHead extends HttpServlet {
             screen = new ErrorScreen(s, "Page to display was null");
         }
-        // set the content-length of the response.
+        // set the content-length of the response.
         // Trying to avoid chunked-encoding. (Aspect required)
         response.setContentLength(screen.getContentLength());
         response.setHeader("Content-Length", screen.getContentLength() + "");
diff --git a/java/org/owasp/webgoat/lessons/Category.java b/java/org/owasp/webgoat/lessons/Category.java
index 5683a4842..d9c51beb3 100644
--- a/java/org/owasp/webgoat/lessons/Category.java
+++ b/java/org/owasp/webgoat/lessons/Category.java
@@ -1,173 +1,166 @@ - -package org.owasp.webgoat.lessons; - -import java.util.ArrayList; -import java.util.Iterator; -import java.util.List; - - -/*************************************************************************************************** - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 2007 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at code.google.com, a repository for free software - * projects. 
- * - * For details, please see http://code.google.com/p/webgoat/ - * - * @author Bruce Mayhew WebGoat - * @created October 28, 2003 - */ -public class Category implements Comparable -{ - - public final static Category INTRODUCTION = new Category("Introduction", new Integer(5)); - - public final static Category GENERAL = new Category("General", new Integer(100)); - - public final static Category ACCESS_CONTROL = new Category("Access Control Flaws", new Integer(200)); - - public final static Category AJAX_SECURITY = new Category("AJAX Security", new Integer(400)); - - public final static Category AUTHENTICATION = new Category("Authentication Flaws", new Integer(500)); - - public final static Category BUFFER_OVERFLOW = new Category("Buffer Overflows", new Integer(600)); - - public final static Category CODE_QUALITY = new Category("Code Quality", new Integer(700)); - - public final static Category CONCURRENCY = new Category("Concurrency", new Integer(800)); - - public final static Category XSS = new Category("Cross-Site Scripting (XSS)", new Integer(900)); - - public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(1000)); - - public final static Category INJECTION = new Category("Injection Flaws", new Integer(1100)); - - public final static Category DOS = new Category("Denial of Service", new Integer(1200)); - - public final static Category INSECURE_COMMUNICATION = new Category("Insecure Communication", new Integer(1300)); - - public final static Category INSECURE_CONFIGURATION = new Category("Insecure Configuration", new Integer(1400)); - - public final static Category INSECURE_STORAGE = new Category("Insecure Storage", new Integer(1500)); - - public final static Category MALICIOUS_EXECUTION = new Category("Malicious Execution", new Integer(1600)); - - public final static Category PARAMETER_TAMPERING = new Category("Parameter Tampering", new Integer(1700)); - - public final static Category SESSION_MANAGEMENT = new 
Category("Session Management Flaws", new Integer(1800)); - - public final static Category WEB_SERVICES = new Category("Web Services", new Integer(1900)); - - public final static Category ADMIN_FUNCTIONS = new Category("Admin Functions", new Integer(2000)); - - public final static Category CHALLENGE = new Category("Challenge", new Integer(3000)); - - private static final List categories = new ArrayList(); - - private String category; - - private Integer ranking; - - static - { - categories.add(INTRODUCTION); - categories.add(PARAMETER_TAMPERING); - categories.add(ACCESS_CONTROL); - categories.add(AUTHENTICATION); - categories.add(SESSION_MANAGEMENT); - categories.add(XSS); - categories.add(BUFFER_OVERFLOW); - categories.add(INJECTION); - categories.add(MALICIOUS_EXECUTION); - categories.add(ERROR_HANDLING); - categories.add(INSECURE_STORAGE); - categories.add(DOS); - categories.add(INSECURE_CONFIGURATION); - categories.add(WEB_SERVICES); - categories.add(AJAX_SECURITY); - categories.add(ADMIN_FUNCTIONS); - categories.add(GENERAL); - categories.add(CODE_QUALITY); - categories.add(CONCURRENCY); - categories.add(INSECURE_COMMUNICATION); - categories.add(CHALLENGE); - } - - public static synchronized void addCategory(Category c) - { - categories.add(c); - } - - public static synchronized Category getCategory(String name) - { - Iterator it = categories.iterator(); - while (it.hasNext()) - { - Category c = it.next(); - if (c.getName().equals(name)) return c; - } - return null; - } - - public Category(String category, Integer ranking) - { - this.category = category; - this.ranking = ranking; - } - - public int compareTo(Object obj) - { - int value = 1; - - if (obj instanceof Category) - { - value = this.getRanking().compareTo(((Category) obj).getRanking()); - } - - return value; - } - - public Integer getRanking() - { - return ranking; - } - - public Integer setRanking(Integer ranking) - { - return this.ranking = ranking; - } - - public String getName() - { - return 
category; - } - - public boolean equals(Object obj) - { - return (obj instanceof Category) && getName().equals(((Category) obj).getName()); - } - - public String toString() - { - return getName(); - } -} \ No newline at end of file +package org.owasp.webgoat.lessons; + +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; + +/** + * ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. 
+ * + * For details, please see http://code.google.com/p/webgoat/ + * + * @author Bruce Mayhew WebGoat + * @created October 28, 2003 + */ +public class Category implements Comparable { + + public final static Category INTRODUCTION = new Category("Introduction", new Integer(5)); + + public final static Category GENERAL = new Category("General", new Integer(100)); + + public final static Category ACCESS_CONTROL = new Category("Access Control Flaws", new Integer(200)); + + public final static Category AJAX_SECURITY = new Category("AJAX Security", new Integer(400)); + + public final static Category AUTHENTICATION = new Category("Authentication Flaws", new Integer(500)); + + public final static Category BUFFER_OVERFLOW = new Category("Buffer Overflows", new Integer(600)); + + public final static Category CODE_QUALITY = new Category("Code Quality", new Integer(700)); + + public final static Category CONCURRENCY = new Category("Concurrency", new Integer(800)); + + public final static Category XSS = new Category("Cross-Site Scripting (XSS)", new Integer(900)); + + public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(1000)); + + public final static Category INJECTION = new Category("Injection Flaws", new Integer(1100)); + + public final static Category DOS = new Category("Denial of Service", new Integer(1200)); + + public final static Category INSECURE_COMMUNICATION = new Category("Insecure Communication", new Integer(1300)); + + public final static Category INSECURE_CONFIGURATION = new Category("Insecure Configuration", new Integer(1400)); + + public final static Category INSECURE_STORAGE = new Category("Insecure Storage", new Integer(1500)); + + public final static Category MALICIOUS_EXECUTION = new Category("Malicious Execution", new Integer(1600)); + + public final static Category PARAMETER_TAMPERING = new Category("Parameter Tampering", new Integer(1700)); + + public final static Category SESSION_MANAGEMENT = new 
Category("Session Management Flaws", new Integer(1800)); + + public final static Category WEB_SERVICES = new Category("Web Services", new Integer(1900)); + + public final static Category ADMIN_FUNCTIONS = new Category("Admin Functions", new Integer(2000)); + + public final static Category CHALLENGE = new Category("Challenge", new Integer(3000)); + + private static final List categories = new ArrayList(); + + private String category; + + private Integer ranking; + + static { + categories.add(INTRODUCTION); + categories.add(PARAMETER_TAMPERING); + categories.add(ACCESS_CONTROL); + categories.add(AUTHENTICATION); + categories.add(SESSION_MANAGEMENT); + categories.add(XSS); + categories.add(BUFFER_OVERFLOW); + categories.add(INJECTION); + categories.add(MALICIOUS_EXECUTION); + categories.add(ERROR_HANDLING); + categories.add(INSECURE_STORAGE); + categories.add(DOS); + categories.add(INSECURE_CONFIGURATION); + categories.add(WEB_SERVICES); + categories.add(AJAX_SECURITY); + categories.add(ADMIN_FUNCTIONS); + categories.add(GENERAL); + categories.add(CODE_QUALITY); + categories.add(CONCURRENCY); + categories.add(INSECURE_COMMUNICATION); + categories.add(CHALLENGE); + } + + public static synchronized void addCategory(Category c) { + categories.add(c); + } + + public static synchronized Category getCategory(String name) { + Iterator it = categories.iterator(); + while (it.hasNext()) { + Category c = it.next(); + if (c.getName().equals(name)) { + return c; + } + } + return null; + } + + public Category(String category, Integer ranking) { + this.category = category; + this.ranking = ranking; + } + + @Override + public int compareTo(Object obj) { + int value = 1; + + if (obj instanceof Category) { + value = this.getRanking().compareTo(((Category) obj).getRanking()); + } + + return value; + } + + public Integer getRanking() { + return ranking; + } + + public Integer setRanking(Integer ranking) { + return this.ranking = ranking; + } + + public String getName() { + return 
category; + } + + @Override + public boolean equals(Object obj) { + return (obj instanceof Category) && getName().equals(((Category) obj).getName()); + } + + @Override + public String toString() { + return getName(); + } +} diff --git a/java/org/owasp/webgoat/session/Course.java b/java/org/owasp/webgoat/session/Course.java index 17358f799..6430b409c 100644 --- a/java/org/owasp/webgoat/session/Course.java +++ b/java/org/owasp/webgoat/session/Course.java 
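Review bot: The rewritten `Category` now marks `equals` with `@Override` but still provides no `hashCode`, so two categories that compare equal by name can land in different buckets of any `HashSet` or `HashMap` keyed on them; add `@Override public int hashCode() { return category.hashCode(); }` beside `equals`. `compareTo` also returns `1` for a non-`Category` argument instead of throwing `ClassCastException` as the `Comparable` contract expects, and because it orders by `ranking` while `equals` compares `category`, the ordering is not consistent with `equals`, which `Collections.sort` tolerates but a `TreeSet` would not; a one-line comment such as `// ordering is by ranking only and is not consistent with equals` would warn the next maintainer. The `new Integer(...)` boxing on every constant could become plain literals, but that is cosmetic.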
@@ -1,452 +1,392 @@ - -package org.owasp.webgoat.session; - -import java.io.File; -import java.io.IOException; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collections; -import java.util.Iterator; -import java.util.List; -import java.util.Set; -import java.util.Vector; -import java.util.LinkedList; -import javax.servlet.ServletContext; -import org.owasp.webgoat.HammerHead; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.Category; - - - -/*************************************************************************************************** - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 2007 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at code.google.com, a repository for free software - * projects. 
- * - * For details, please see http://code.google.com/p/webgoat/ - * - * @author Bruce Mayhew WebGoat - * @created October 28, 2003 - */ -public class Course -{ - - private List lessons = new LinkedList(); - - private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath; - - private WebgoatProperties properties = null; - - private List files = new LinkedList(); - - private WebgoatContext webgoatContext; - - - public Course() - { - try - { - properties = new WebgoatProperties(PROPERTIES_FILENAME); - } catch (IOException e) - { - System.out.println("Error loading WebGoat properties"); - e.printStackTrace(); - } - } - - - - - /** - * Take an absolute file and return the filename. - * - * Ex. /etc/password becomes password - * - * @param s - * @return the file name - */ - private static String getFileName(String s) - { - String fileName = new File(s).getName(); - - if (fileName.indexOf("/") != -1) - { - fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length()); - } - - if (fileName.indexOf(".") != -1) - { - fileName = fileName.substring(0, fileName.indexOf(".")); - } - - return fileName; - } - - /** - * Take a class name and return the equivalent file name - * - * Ex. org.owasp.webgoat becomes org/owasp/webgoat.java - * - * @param className - * @return - */ - private static String getSourceFile(String className) - { - StringBuffer sb = new StringBuffer(); - - sb.append(className.replace(".", "/")); - sb.append(".java"); - - return sb.toString(); - } - - /** - * Takes a file name and builds the class file name - * - * @param fileName - * Description of the Parameter - * @param path - * Description of the Parameter - * @return Description of the Return Value - */ - private static String getClassFile(String fileName, String path) - { - String ext = ".class"; - fileName = fileName.trim(); - - /** - * We do not handle directories. 
- * We do not handle files with different extensions - */ - if (fileName.endsWith("/") || !fileName.endsWith(ext)) { return null; } - - // if the file is in /WEB-INF/classes strip the dir info off - int index = fileName.indexOf("/WEB-INF/classes/"); - if (index != -1) - { - fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length()); - fileName = fileName.replace('/', '.'); - fileName = fileName.replace('\\', '.'); - } - else - { - // Strip off the leading path info - fileName = fileName.substring(path.length(), fileName.length() - ext.length()); - } - - return fileName; - } - - /** - * Gets the categories attribute of the Course object - * - * @return The categories value - */ - public List getCategories() - { - List categories = new ArrayList(); - Iterator iter = lessons.iterator(); - - while (iter.hasNext()) - { - AbstractLesson lesson = (AbstractLesson) iter.next(); - - if (!categories.contains(lesson.getCategory())) - { - categories.add(lesson.getCategory()); - } - } - - Collections.sort(categories); - - return categories; - } - - /** - * Gets the firstLesson attribute of the Course object - * - * @return The firstLesson value - */ - public AbstractLesson getFirstLesson() - { - List roles = new ArrayList(); - roles.add(AbstractLesson.USER_ROLE); - // Category 0 is the admin function. We want the first real category - // to be returned. 
This is noramally the General category and the Http Basics lesson - return ((AbstractLesson) getLessons((Category) getCategories().get(0), roles).get(0)); - } - - /** - * Gets the lesson attribute of the Course object - * - * @param lessonId - * Description of the Parameter - * @param role - * Description of the Parameter - * @return The lesson value - */ - public AbstractLesson getLesson(WebSession s, int lessonId, List roles) - { - if (s.isHackedAdmin()) - { - roles.add(AbstractLesson.HACKED_ADMIN_ROLE); - } - // System.out.println("getLesson() with roles: " + roles); - Iterator iter = lessons.iterator(); - - while (iter.hasNext()) - { - AbstractLesson lesson = iter.next(); - - // System.out.println("getLesson() at role: " + lesson.getRole()); - if (lesson.getScreenId() == lessonId && roles.contains(lesson.getRole())) { return lesson; } - } - - return null; - } - - public AbstractLesson getLesson(WebSession s, int lessonId, String role) - { - List roles = new Vector(); - roles.add(role); - return getLesson(s, lessonId, roles); - } - - public List getLessons(WebSession s, String role) - { - List roles = new Vector(); - roles.add(role); - return getLessons(s, roles); - } - - /** - * Gets the lessons attribute of the Course object - * - * @param role - * Description of the Parameter - * @return The lessons value - */ - public List getLessons(WebSession s, List roles) - { - if (s.isHackedAdmin()) - { - roles.add(AbstractLesson.HACKED_ADMIN_ROLE); - } - List lessonList = new ArrayList(); - Iterator categoryIter = getCategories().iterator(); - - while (categoryIter.hasNext()) - { - lessonList.addAll(getLessons(s, (Category) categoryIter.next(), roles)); - } - return lessonList; - } - - /** - * Gets the lessons attribute of the Course object - * - * @param category - * Description of the Parameter - * @param role - * Description of the Parameter - * @return The lessons value - */ - private List getLessons(Category category, List roles) - { - List lessonList = new 
ArrayList(); - - Iterator iter = lessons.iterator(); - while (iter.hasNext()) - { - AbstractLesson lesson = (AbstractLesson) iter.next(); - - if (lesson.getCategory().equals(category) && roles.contains(lesson.getRole())) - { - lessonList.add(lesson); - } - } - - Collections.sort(lessonList); - // System.out.println(java.util.Arrays.asList(lessonList)); - return lessonList; - } - - public List getLessons(WebSession s, Category category, String role) - { - List roles = new Vector(); - roles.add(role); - return getLessons(s, category, roles); - } - - public List getLessons(WebSession s, Category category, List roles) - { - if (s.isHackedAdmin()) - { - roles.add(AbstractLesson.HACKED_ADMIN_ROLE); - } - return getLessons(category, roles); - } - - /** - * Load all of the filenames into a temporary cache - * - * @param context - * @param path - */ - private void loadFiles(ServletContext context, String path) - { - Set resourcePaths = context.getResourcePaths(path); - Iterator itr = resourcePaths.iterator(); - - while (itr.hasNext()) - { - String file = (String) itr.next(); - - if (file.length() != 1 && file.endsWith("/")) - { - loadFiles(context, file); - } - else - { - files.add(file); - } - } - } - - /** - * Instantiate all the lesson objects into a cache - * - * @param path - */ - private void loadLessons(String path) - { - Iterator itr = files.iterator(); - - while (itr.hasNext()) - { - String file = (String) itr.next(); - String className = getClassFile(file, path); - - if (className != null && !className.endsWith("_i")) - { - try - { - Class c = Class.forName(className); - Object o = c.newInstance(); - - if (o instanceof AbstractLesson) - { - AbstractLesson lesson = (AbstractLesson) o; - lesson.setWebgoatContext(webgoatContext); - - lesson.update(properties); - - if (lesson.getHidden() == false) - { - lessons.add(lesson); - } - } - } catch (Exception e) - { - // System.out.println("Warning: " + e.getMessage()); - } - } - } - } - - private String 
getLanguageFromFileName(String first, String absoluteFile){ - int p1 = absoluteFile.indexOf("/",absoluteFile.indexOf(first)+1); - int p2 = absoluteFile.indexOf("/",p1+1); - String langStr=absoluteFile.substring(p1+1,p2); - - - return new String(langStr); - } - - /** - * For each lesson, set the source file and lesson file - */ - private void loadResources() - { - Iterator lessonItr = lessons.iterator(); - - while (lessonItr.hasNext()) - { - AbstractLesson lesson = (AbstractLesson) lessonItr.next(); - String className = lesson.getClass().getName(); - String classFile = getSourceFile(className); - - Iterator fileItr = files.iterator(); - - while (fileItr.hasNext()) - { - String absoluteFile = (String) fileItr.next(); - String fileName = getFileName(absoluteFile); - // System.out.println("Course: looking at file: " + absoluteFile); - - if (absoluteFile.endsWith(classFile)) - { - // System.out.println("Set source file for " + classFile); - lesson.setSourceFileName(absoluteFile); - } - - if (absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html") - && className.endsWith(fileName)) - { - // System.out.println("DEBUG: setting lesson plan file " + absoluteFile + " for - // lesson " + - // lesson.getClass().getName()); - // System.out.println("fileName: " + fileName + " == className: " + className ); - String language = getLanguageFromFileName("/lesson_plans",absoluteFile); - lesson.setLessonPlanFileName(language, absoluteFile); - this.webgoatContext.getWebgoatI18N().loadLanguage(language); - } - if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") - && className.endsWith(fileName)) - { - // System.out.println("DEBUG: setting lesson solution file " + absoluteFile + " - // for lesson " + - // lesson.getClass().getName()); - // System.out.println("fileName: " + fileName + " == className: " + className ); - lesson.setLessonSolutionFileName(absoluteFile); - } - } - } - } - - /** - * Description of the Method - * - * @param path - 
* Description of the Parameter - * @param context - * Description of the Parameter - */ - public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path) - { - this.webgoatContext = webgoatContext; - loadFiles(context, path); - loadLessons(path); - loadResources(); - } -} +package org.owasp.webgoat.session; + +import java.io.File; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Collections; +import java.util.Iterator; +import java.util.List; +import java.util.Set; +import java.util.Vector; +import java.util.LinkedList; +import javax.servlet.ServletContext; +import org.owasp.webgoat.HammerHead; +import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.lessons.Category; + +/** + * ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. 
+ * + * For details, please see http://code.google.com/p/webgoat/ + * + * @author Bruce Mayhew WebGoat + * @created October 28, 2003 + */ +public class Course { + + private List lessons = new LinkedList(); + + private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath; + + private WebgoatProperties properties = null; + + private List files = new LinkedList(); + + private WebgoatContext webgoatContext; + + public Course() { + try { + properties = new WebgoatProperties(PROPERTIES_FILENAME); + } catch (IOException e) { + System.out.println("Error loading WebGoat properties"); + e.printStackTrace(); + } + } + + /** + * Take an absolute file and return the filename. + * + * Ex. /etc/password becomes password + * + * @param s + * @return the file name + */ + private static String getFileName(String s) { + String fileName = new File(s).getName(); + + if (fileName.indexOf("/") != -1) { + fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length()); + } + + if (fileName.indexOf(".") != -1) { + fileName = fileName.substring(0, fileName.indexOf(".")); + } + + return fileName; + } + + /** + * Take a class name and return the equivalent file name + * + * Ex. org.owasp.webgoat becomes org/owasp/webgoat.java + * + * @param className + * @return + */ + private static String getSourceFile(String className) { + StringBuffer sb = new StringBuffer(); + + sb.append(className.replace(".", "/")); + sb.append(".java"); + + return sb.toString(); + } + + /** + * Takes a file name and builds the class file name + * + * @param fileName Description of the Parameter + * @param path Description of the Parameter + * @return Description of the Return Value + */ + private static String getClassFile(String fileName, String path) { + String ext = ".class"; + fileName = fileName.trim(); + + /** + * We do not handle directories. 
We do not handle files with different + * extensions + */ + if (fileName.endsWith("/") || !fileName.endsWith(ext)) { + return null; + } + + // if the file is in /WEB-INF/classes strip the dir info off + int index = fileName.indexOf("/WEB-INF/classes/"); + if (index != -1) { + fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length()); + fileName = fileName.replace('/', '.'); + fileName = fileName.replace('\\', '.'); + } else { + // Strip off the leading path info + fileName = fileName.substring(path.length(), fileName.length() - ext.length()); + } + + return fileName; + } + + /** + * Gets the categories attribute of the Course object + * + * @return The categories value + */ + public List getCategories() { + List categories = new ArrayList(); + Iterator iter = lessons.iterator(); + + while (iter.hasNext()) { + AbstractLesson lesson = (AbstractLesson) iter.next(); + + if (!categories.contains(lesson.getCategory())) { + categories.add(lesson.getCategory()); + } + } + + Collections.sort(categories); + + return categories; + } + + /** + * Gets the firstLesson attribute of the Course object + * + * @return The firstLesson value + */ + public AbstractLesson getFirstLesson() { + List roles = new ArrayList(); + roles.add(AbstractLesson.USER_ROLE); + // Category 0 is the admin function. We want the first real category + // to be returned. 
This is noramally the General category and the Http Basics lesson + return ((AbstractLesson) getLessons((Category) getCategories().get(0), roles).get(0)); + } + + /** + * Gets the lesson attribute of the Course object + * + * @param lessonId Description of the Parameter + * @param role Description of the Parameter + * @return The lesson value + */ + public AbstractLesson getLesson(WebSession s, int lessonId, List roles) { + if (s.isHackedAdmin()) { + roles.add(AbstractLesson.HACKED_ADMIN_ROLE); + } + // System.out.println("getLesson() with roles: " + roles); + Iterator iter = lessons.iterator(); + + while (iter.hasNext()) { + AbstractLesson lesson = iter.next(); + + // System.out.println("getLesson() at role: " + lesson.getRole()); + if (lesson.getScreenId() == lessonId && roles.contains(lesson.getRole())) { + return lesson; + } + } + + return null; + } + + public AbstractLesson getLesson(WebSession s, int lessonId, String role) { + List roles = new Vector(); + roles.add(role); + return getLesson(s, lessonId, roles); + } + + public List getLessons(WebSession s, String role) { + List roles = new Vector(); + roles.add(role); + return getLessons(s, roles); + } + + /** + * Gets the lessons attribute of the Course object + * + * @param role Description of the Parameter + * @return The lessons value + */ + public List getLessons(WebSession s, List roles) { + if (s.isHackedAdmin()) { + roles.add(AbstractLesson.HACKED_ADMIN_ROLE); + } + List lessonList = new ArrayList(); + Iterator categoryIter = getCategories().iterator(); + + while (categoryIter.hasNext()) { + lessonList.addAll(getLessons(s, (Category) categoryIter.next(), roles)); + } + return lessonList; + } + + /** + * Gets the lessons attribute of the Course object + * + * @param category Description of the Parameter + * @param role Description of the Parameter + * @return The lessons value + */ + private List getLessons(Category category, List roles) { + List lessonList = new ArrayList(); + + Iterator iter = 
lessons.iterator(); + while (iter.hasNext()) { + AbstractLesson lesson = (AbstractLesson) iter.next(); + + if (lesson.getCategory().equals(category) && roles.contains(lesson.getRole())) { + lessonList.add(lesson); + } + } + + Collections.sort(lessonList); + // System.out.println(java.util.Arrays.asList(lessonList)); + return lessonList; + } + + public List getLessons(WebSession s, Category category, String role) { + List roles = new Vector(); + roles.add(role); + return getLessons(s, category, roles); + } + + public List getLessons(WebSession s, Category category, List roles) { + if (s.isHackedAdmin()) { + roles.add(AbstractLesson.HACKED_ADMIN_ROLE); + } + return getLessons(category, roles); + } + + /** + * Load all of the filenames into a temporary cache + * + * @param context + * @param path + */ + private void loadFiles(ServletContext context, String path) { + Set resourcePaths = context.getResourcePaths(path); + Iterator itr = resourcePaths.iterator(); + + while (itr.hasNext()) { + String file = (String) itr.next(); + + if (file.length() != 1 && file.endsWith("/")) { + loadFiles(context, file); + } else { + files.add(file); + } + } + } + + /** + * Instantiate all the lesson objects into a cache + * + * @param path + */ + private void loadLessons(String path) { + Iterator itr = files.iterator(); + + while (itr.hasNext()) { + String file = (String) itr.next(); + String className = getClassFile(file, path); + + if (className != null && !className.endsWith("_i")) { + try { + Class c = Class.forName(className); + Object o = c.newInstance(); + + if (o instanceof AbstractLesson) { + AbstractLesson lesson = (AbstractLesson) o; + lesson.setWebgoatContext(webgoatContext); + + lesson.update(properties); + + if (lesson.getHidden() == false) { + lessons.add(lesson); + } + } + } catch (Exception e) { + // System.out.println("Warning: " + e.getMessage()); + } + } + } + } + + private String getLanguageFromFileName(String first, String absoluteFile) { + int p1 = 
absoluteFile.indexOf("/", absoluteFile.indexOf(first) + 1); + int p2 = absoluteFile.indexOf("/", p1 + 1); + String langStr = absoluteFile.substring(p1 + 1, p2); + + return new String(langStr); + } + + /** + * For each lesson, set the source file and lesson file + */ + private void loadResources() { + Iterator lessonItr = lessons.iterator(); + + while (lessonItr.hasNext()) { + AbstractLesson lesson = (AbstractLesson) lessonItr.next(); + String className = lesson.getClass().getName(); + String classFile = getSourceFile(className); + + Iterator fileItr = files.iterator(); + + while (fileItr.hasNext()) { + String absoluteFile = (String) fileItr.next(); + String fileName = getFileName(absoluteFile); + // System.out.println("Course: looking at file: " + absoluteFile); + + if (absoluteFile.endsWith(classFile)) { + // System.out.println("Set source file for " + classFile); + lesson.setSourceFileName(absoluteFile); + } + + if (absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html") + && className.endsWith(fileName)) { + // System.out.println("DEBUG: setting lesson plan file " + absoluteFile + " for + // lesson " + + // lesson.getClass().getName()); + // System.out.println("fileName: " + fileName + " == className: " + className ); + String language = getLanguageFromFileName("/lesson_plans", absoluteFile); + lesson.setLessonPlanFileName(language, absoluteFile); + this.webgoatContext.getWebgoatI18N().loadLanguage(language); + } + if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") + && className.endsWith(fileName)) { + // System.out.println("DEBUG: setting lesson solution file " + absoluteFile + " + // for lesson " + + // lesson.getClass().getName()); + // System.out.println("fileName: " + fileName + " == className: " + className ); + lesson.setLessonSolutionFileName(absoluteFile); + } + } + } + } + + /** + * Description of the Method + * + * @param path Description of the Parameter + * @param context Description of the 
Parameter
+ */
+ public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path) {
+ this.webgoatContext = webgoatContext;
+ loadFiles(context, path);
+ loadLessons(path);
+ loadResources();
+ }
+}
diff --git a/java/org/owasp/webgoat/session/WebSession.java b/java/org/owasp/webgoat/session/WebSession.java
index a9e46fc8c..a32a76aa8 100644
--- a/java/org/owasp/webgoat/session/WebSession.java
+++ b/java/org/owasp/webgoat/session/WebSession.java
@@ -1,1119 +1,985 @@
-
-package org.owasp.webgoat.session;
-
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.security.Principal;
-import java.sql.Connection;
-import java.sql.SQLException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Hashtable;
-import java.util.List;
-import java.util.Map;
-import java.util.Vector;
-import javax.servlet.ServletContext;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.RandomLessonAdapter;
-import org.owasp.webgoat.lessons.SequentialLessonAdapter;
-import org.owasp.webgoat.util.WebGoatI18N;
-
-
-
-/***************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2007 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * - * Getting Source ============== - * - * Source for this application is maintained at code.google.com, a repository for free software - * projects. - * - * For details, please see http://code.google.com/p/webgoat/ - * - * @author Jeff Williams Aspect Security - * @author Bruce Mayhew WebGoat - * - * @created October 28, 2003 - */ -public class WebSession -{ - /** - * Description of the Field - */ - public final static String ADMIN = "admin"; - - /** - * Tomcat role for a webgoat user - */ - public final static String WEBGOAT_USER = "webgoat_user"; - - /** - * Tomcat role for a webgoat admin - */ - public final static String WEBGOAT_ADMIN = "webgoat_admin"; - - /** - * Description of the Field - */ - public final static String CHALLENGE = "Challenge"; - - /** - * Description of the Field - */ - public final static String COLOR = "color"; - - /** - * Description of the Field - */ - public final static int ERROR = 0; - - public static final String STAGE = "stage"; - - /** - * Description of the Field - */ - public final static String JSESSION_ID = "jsessionid"; - - /** - * Description of the Field - */ - public final static String LOGOUT = "Logout"; - - /** - * Description of the Field - */ - public final static String RESTART = "Restart"; - - /** - * Description of the Field - */ - public final static String MENU = "menu"; - - /** - * Description of the Field - */ - public final static String SCREEN = "Screen"; - - /** - * Description of the Field - */ - public final static String SESSION = "Session"; - - public final static String SHOWSOURCE = "ShowSource"; - - public final static String SHOWSOLUTION = "ShowSolution"; - - public final static String SHOWHINTS = "ShowHints"; - - public final static String SHOW = "show"; - - public final static String SHOW_NEXTHINT = "NextHint"; - - public final static String SHOW_PREVIOUSHINT = "PreviousHint"; - - public final static String SHOW_PARAMS = "Params"; - - public final static String SHOW_COOKIES = "Cookies"; - - 
public final static String SHOW_SOURCE = "Source"; - - public final static String SHOW_SOLUTION = "Solution"; - - public final static String DEBUG = "debug"; - - public final static String LANGUAGE = "language"; - - /** - * Description of the Field - */ - public final static int WELCOME = -1; - - private WebgoatContext webgoatContext; - - private ServletContext context = null; - - private Course course; - - private int currentScreen = WELCOME; - - private int previousScreen = ERROR; - - private int hintNum = -1; - - private boolean isAdmin = false; - - private boolean isHackedAdmin = false; - - private boolean isAuthenticated = false; - - private boolean isColor = false; - - private boolean isDebug = false; - - private boolean hasHackedHackableAdmin = false; - - private StringBuffer message = new StringBuffer(""); - - private ParameterParser myParser; - - private HttpServletRequest request = null; - - private HttpServletResponse response = null; - - private String servletName; - - private HashMap session = new HashMap(); - - private boolean showCookies = false; - - private boolean showParams = false; - - private boolean showRequest = false; - - private boolean showSource = false; - - private boolean showSolution = false; - - private boolean completedHackableAdmin = false; - - private int currentMenu; - - private String currentLanguage = null; - - - - /** - * Constructor for the WebSession object - * - * @param servlet - * Description of the Parameter - * @param context - * Description of the Parameter - */ - public WebSession(WebgoatContext webgoatContext, ServletContext context) - { - this.webgoatContext = webgoatContext; - // initialize from web.xml - showParams = webgoatContext.isShowParams(); - showCookies = webgoatContext.isShowCookies(); - showSource = webgoatContext.isShowSource(); - showSolution = webgoatContext.isShowSolution(); - showRequest = webgoatContext.isShowRequest(); - currentLanguage = webgoatContext.getDefaultLanguage(); - this.context = 
context; - - course = new Course(); - course.loadCourses(webgoatContext, context, "/"); - } - - public static synchronized Connection getConnection(WebSession s) throws SQLException - { - return DatabaseUtilities.getConnection(s); - } - - public static void returnConnection(WebSession s) - { - DatabaseUtilities.returnConnection(s.getUserName()); - } - - /** - * Description of the Method - * - * @param key - * Description of the Parameter - * @param value - * Description of the Parameter - */ - public void add(String key, Object value) - { - session.put(key, value); - } - - /** - * Description of the Method - */ - public void clearMessage() - { - message.setLength(0); - } - - /** - * Description of the Method - */ - public void eatCookies() - { - Cookie[] cookies = request.getCookies(); - - for (int loop = 0; loop < cookies.length; loop++) - { - if (!cookies[loop].getName().startsWith("JS")) - {// skip jsessionid cookie - cookies[loop].setMaxAge(0);// mark for deletion by browser - response.addCookie(cookies[loop]); - } - } - } - - /** - * Description of the Method - * - * @param key - * Description of the Parameter - * @return Description of the Return Value - */ - public Object get(String key) - { - return (session.get(key)); - } - - /** - * Gets the context attribute of the WebSession object - * - * @return The context value - */ - public ServletContext getContext() - { - return context; - } - - - - - public List getRoles() - { - List roles = new ArrayList(); - - roles.add(AbstractLesson.USER_ROLE); - if (isAdmin()) - { - roles.add(AbstractLesson.ADMIN_ROLE); - } - - return roles; - } - - /** - * Sets the admin flag - this routine is ONLY here to allow someone a backdoor to setting the - * user up as an admin. 
- * - * This is also used by the WebSession to set the admin, but the method should be private - * - * @param state - */ - public void setAdmin(boolean state) - - { - isAdmin = state; - - } - - public String getRole() - { - - String role = ""; - if (isAdmin()) - { - role = AbstractLesson.ADMIN_ROLE; - } - else if (isHackedAdmin()) - { - role = AbstractLesson.HACKED_ADMIN_ROLE; - } - else if (isChallenge()) - { - role = AbstractLesson.CHALLENGE_ROLE; - } - else - { - role = AbstractLesson.USER_ROLE; - } - - return role; - } - - /** - * Gets the course attribute of the WebSession object - * - * @return The course value - */ - public Course getCourse() - { - return course; - } - - public void setCourse(Course course) - { - this.course = course; - } - - /** - * Gets the currentScreen attribute of the WebSession object - * - * @return The currentScreen value - */ - public int getCurrentScreen() - { - return (currentScreen); - } - - public void setCurrentScreen(int screen) - { - currentScreen = screen; - } - - public String getRestartLink() - { - return getCurrentLesson().getLink() + "&" + RESTART + "=" + getCurrentScreen(); - } - - public String getCurrentLink() - { - String thisLink = "attack"; - Enumeration e = request.getParameterNames(); - boolean isFirstParameter = true; - while (e.hasMoreElements()) - { - String name = e.nextElement(); - if (isFirstParameter) - { - isFirstParameter = false; - thisLink += "?"; - } - else - { - thisLink += "&"; - } - thisLink = thisLink + name + "=" + request.getParameter(name); - } - - return thisLink; - } - - public AbstractLesson getCurrentLesson() - { - return getCourse().getLesson(this, getCurrentScreen(), getRoles()); - } - - public AbstractLesson getLesson(int id) - { - return getCourse().getLesson(this, id, getRoles()); - } - - public List getLessons(Category category) - { - return getCourse().getLessons(this, category, getRoles()); - } - - /** - * Gets the hint1 attribute of the WebSession object - * - * @return The hint1 
value - */ - private int getHintNum() - { - return (hintNum); - } - - public String getHint() - { - String hint = null; - int hints = getCurrentLesson().getHintCount(this); - if (getHintNum() > hints) hintNum = -1; - if (getHintNum() >= 0) - // FIXME - hint = getCurrentLesson().getHint(this, getHintNum()); - - return hint; - } - - public List getParams() - { - Vector params = null; - - if (showParams() && getParser() != null) - { - params = new Vector(); - - Enumeration e = getParser().getParameterNames(); - - while ((e != null) && e.hasMoreElements()) - { - String name = (String) e.nextElement(); - String[] values = getParser().getParameterValues(name); - - for (int loop = 0; (values != null) && (loop < values.length); loop++) - { - params.add(new Parameter(name, values[loop])); - // params.add( name + " -> " + values[loop] ); - } - } - - Collections.sort(params); - } - - return params; - } - - public List getCookies() - { - List cookies = null; - - if (showCookies()) cookies = Arrays.asList(request.getCookies()); - - /* - * List cookies = new Vector(); HttpServletRequest request = getRequest(); Cookie[] cookies - * = request.getCookies(); if ( cookies.length == 0 ) { list.addElement( new LI( - * "No Cookies" ) ); } for ( int i = 0; i < cookies.length; i++ ) { Cookie cookie = - * cookies[i]; cookies.add(cookie); //list.addElement( new LI( cookie.getName() + " -> " + - * cookie.getValue() ) ); } - */ - - return cookies; - } - - /** - * Gets the cookie attribute of the CookieScreen object - * - * @param s - * Description of the Parameter - * @return The cookie value - */ - public String getCookie(String cookieName) - { - Cookie[] cookies = getRequest().getCookies(); - - for (int i = 0; i < cookies.length; i++) - { - if (cookies[i].getName().equalsIgnoreCase(cookieName)) { return (cookies[i].getValue()); } - } - - return (null); - } - - public String getSource() - { - return "Sorry. 
No Java Source viewing available."; - // return getCurrentLesson().getSource(this); - } - - public String getSolution() - { - return "Sorry. No solution is available."; - // return getCurrentLesson().getSolution(this); - } - - public String getInstructions() - { - return getCurrentLesson().getInstructions(this); - } - - /** - * Gets the message attribute of the WebSession object - * - * @return The message value - */ - public String getMessage() - { - return (message.toString()); - } - - /** - * Gets the parser attribute of the WebSession object - * - * @return The parser value - */ - public ParameterParser getParser() - { - return (myParser); - } - - /** - * Gets the previousScreen attribute of the WebSession object - * - * @return The previousScreen value - */ - public int getPreviousScreen() - { - return (previousScreen); - } - - /** - * Gets the request attribute of the WebSession object - * - * @return The request value - */ - public HttpServletRequest getRequest() - { - return request; - } - - public void setRequest(HttpServletRequest request) - { - this.request = request; - } - - /** - * Gets the response attribute of the WebSession object - * - * @return The response value - */ - public HttpServletResponse getResponse() - { - return response; - } - - /** - * Gets the servletName attribute of the WebSession object - * - * @return The servletName value - */ - public String getServletName() - { - return (servletName); - } - - /** - * Gets the sourceFile attribute of the WebSession object - * - * @param screen - * Description of the Parameter - * @return The sourceFile value - */ - public String getWebResource(String fileName) - { - // Note: doesn't work for admin path! 
Maybe with a ../ attack - return (context.getRealPath(fileName)); - } - - /** - * Gets the admin attribute of the WebSession object - * - * @return The admin value - */ - public boolean isAdmin() - { - return (isAdmin); - } - - /** - * Gets the hackedAdmin attribute of the WebSession object - * - * @return The hackedAdmin value - */ - public boolean isHackedAdmin() - { - return (isHackedAdmin); - } - - /** - * Has the user ever hacked the hackable admin - * - * @return The hackedAdmin value - */ - public boolean completedHackableAdmin() - { - return (completedHackableAdmin); - } - - /** - * Gets the authenticated attribute of the WebSession object - * - * @return The authenticated value - */ - public boolean isAuthenticated() - { - return (isAuthenticated); - } - - private Map lessonSessions = new Hashtable(); - - public boolean isAuthenticatedInLesson(AbstractLesson lesson) - { - boolean authenticated = false; - - LessonSession lessonSession = getLessonSession(lesson); - if (lessonSession != null) - { - authenticated = lessonSession.isAuthenticated(); - } - // System.out.println("Authenticated for lesson " + lesson + "? 
" + authenticated); - - return authenticated; - } - - public boolean isAuthorizedInLesson(int employeeId, String functionId) - { - return getCurrentLesson().isAuthorized(this, employeeId, functionId); - } - - public boolean isAuthorizedInLesson(String role, String functionId) - { - return getCurrentLesson().isAuthorized(this, role, functionId); - } - - public int getUserIdInLesson() throws ParameterNotFoundException - { - return getCurrentLesson().getUserId(this); - } - - public String getUserNameInLesson() throws ParameterNotFoundException - { - return getCurrentLesson().getUserName(this); - } - - public void openLessonSession(AbstractLesson lesson) - { - System.out.println("Opening new lesson session for lesson " + lesson); - LessonSession lessonSession = new LessonSession(); - lessonSessions.put(lesson, lessonSession); - } - - public void closeLessonSession(AbstractLesson lesson) - { - lessonSessions.remove(lesson); - } - - public LessonSession getLessonSession(AbstractLesson lesson) - { - return lessonSessions.get(lesson); - } - - /** - * Gets the challenge attribute of the WebSession object - * - * @return The challenge value - */ - public boolean isChallenge() - { - if (getCurrentLesson() != null) { return (Category.CHALLENGE.equals(getCurrentLesson().getCategory())); } - return false; - } - - /** - * Gets the color attribute of the WebSession object - * - * @return The color value - */ - public boolean isColor() - { - return (isColor); - } - - /** - * Gets the screen attribute of the WebSession object - * - * @param value - * Description of the Parameter - * @return The screen value - */ - public boolean isScreen(int value) - { - return (getCurrentScreen() == value); - } - - /** - * Gets the user attribute of the WebSession object - * - * @return The user value - */ - public boolean isUser() - { - return (!isAdmin && !isChallenge()); - } - - /** - * Sets the message attribute of the WebSession object - * - * @param text - * The new message value - */ - 
public void setMessage(String text) - { - message.append("
" + " * " + text); - } - - public void setLineBreak(String text) - { - message.append("

" + text); - } - - /** - * Description of the Method - * - * @return Description of the Return Value - */ - public boolean showCookies() - { - return (showCookies); - } - - /** - * Description of the Method - * - * @return Description of the Return Value - */ - public boolean showParams() - { - return (showParams); - } - - /** - * Description of the Method - * - * @return Description of the Return Value - */ - public boolean showRequest() - { - return (showRequest); - } - - /** - * Description of the Method - * - * @return Description of the Return Value - */ - public boolean showSource() - { - return (showSource); - } - - public boolean showSolution() - { - return (showSolution); - } - - /** - * Gets the userName attribute of the WebSession object - * - * @return The userName value - */ - public String getUserName() - { - HttpServletRequest request = getRequest(); - if (request == null) throw new RuntimeException("Could not find the ServletRequest in the web session"); - Principal principal = request.getUserPrincipal(); - if (principal == null) throw new RuntimeException("Could not find the Principal in the Servlet Request"); - return principal.getName(); - } - - /** - * Parse parameters from the given request, handle any servlet commands, and update this session - * based on the parameters. 
- * - * @param request - * Description of the Parameter - * @param response - * Description of the Parameter - * @param name - * Description of the Parameter - */ - public void update(HttpServletRequest request, HttpServletResponse response, String name) throws IOException - { - String content = null; - - clearMessage(); - this.request = request; - this.response = response; - this.servletName = name; - - if (myParser == null) - { - myParser = new ParameterParser(request); - } - else - { - myParser.update(request); - } - - if(myParser.getRawParameter(LANGUAGE,null)!=null){ - this.currentLanguage=new String(myParser.getRawParameter(LANGUAGE,null)); - WebGoatI18N.setCurrentLanguage(this.currentLanguage); - } - - - // System.out.println("Current Screen 1: " + currentScreen ); - // System.out.println("Previous Screen 1: " + previousScreen ); - // FIXME: requires ?Logout=true - // FIXME: doesn't work right -- no reauthentication - if (myParser.getRawParameter(LOGOUT, null) != null) - { - System.out.println("Logout " + request.getUserPrincipal()); - eatCookies(); - request.getSession().invalidate(); - currentScreen = WELCOME; - previousScreen = ERROR; - } - - // There are several scenarios where we want the first lesson to be loaded - // 1) Previous screen is Welcome - Start of the course - // 2) After a logout and after the session has been reinitialized - if ((this.getPreviousScreen() == WebSession.WELCOME) || (getRequest().getSession(false) != null && - // getRequest().getSession(false).isNew() && - this.getCurrentScreen() == WebSession.WELCOME && this.getPreviousScreen() == WebSession.ERROR)) - { - currentScreen = course.getFirstLesson().getScreenId(); - hintNum = -1; - } - - // System.out.println("Current Screen 2: " + currentScreen ); - // System.out.println("Previous Screen 2: " + previousScreen ); - // update the screen variables - previousScreen = currentScreen; - - try - { - // If the request is new there should be no parameters. 
- // This can occur from a session timeout or a the starting of a new course. - if (!request.getSession().isNew()) - { - currentScreen = myParser.getIntParameter(SCREEN, currentScreen); - } - else - { - if (!myParser.getRawParameter(SCREEN, "NULL").equals("NULL")) - { - this.setMessage("Session Timeout - Starting new Session."); - } - } - } catch (Exception e) - { - } - - // clear variables when switching screens - if (this.getCurrentScreen() != this.getPreviousScreen()) - { - if (webgoatContext.isDebug()) - { - setMessage("Changed to a new screen, clearing cookies and hints"); - } - eatCookies(); - hintNum = -1; - } - else if (myParser.getRawParameter(STAGE, null) != null) - { - AbstractLesson al = getCurrentLesson(); - if (al instanceof SequentialLessonAdapter) - { - SequentialLessonAdapter sla = (SequentialLessonAdapter) al; - int stage = myParser.getIntParameter(STAGE, sla.getStage(this)); - if (stage > 0 && stage <= sla.getStageCount()) sla.setStage(this, stage); - } - else if (al instanceof RandomLessonAdapter) - { - try - { - RandomLessonAdapter rla = (RandomLessonAdapter) al; - int stage = myParser.getIntParameter(STAGE) - 1; - String[] stages = rla.getStages(); - if (stages == null) stages = new String[0]; - if (stage >= 0 && stage < stages.length) rla.setStage(this, stages[stage]); - } catch (ParameterNotFoundException pnfe) - { - } - } - } - // else update global variables for the current screen - else - { - // Handle "restart" commands - int lessonId = myParser.getIntParameter(RESTART, -1); - if (lessonId != -1) - { - restartLesson(lessonId); - } - // if ( myParser.getBooleanParameter( RESTART, false ) ) - // { - // getCurrentLesson().getLessonTracker( this ).getLessonProperties().setProperty( - // CHALLENGE_STAGE, "1" ); - // } - - // Handle "show" commands - String showCommand = myParser.getStringParameter(SHOW, null); - if (showCommand != null) - { - if (showCommand.equalsIgnoreCase(SHOW_PARAMS)) - { - showParams = !showParams; - } - else if 
(showCommand.equalsIgnoreCase(SHOW_COOKIES)) - { - showCookies = !showCookies; - } - else if (showCommand.equalsIgnoreCase(SHOW_SOURCE)) - { - content = getSource(); - // showSource = true; - } - else if (showCommand.equalsIgnoreCase(SHOW_SOLUTION)) - { - content = getSolution(); - // showSource = true; - } - else if (showCommand.equalsIgnoreCase(SHOW_NEXTHINT)) - { - getNextHint(); - } - else if (showCommand.equalsIgnoreCase(SHOW_PREVIOUSHINT)) - { - getPreviousHint(); - } - } - - } - - isAdmin = request.isUserInRole(WEBGOAT_ADMIN); - isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin); - if (isHackedAdmin) - { - System.out.println("Hacked admin"); - hasHackedHackableAdmin = true; - } - isColor = myParser.getBooleanParameter(COLOR, isColor); - isDebug = myParser.getBooleanParameter(DEBUG, isDebug); - - // System.out.println( "showParams:" + showParams ); - // System.out.println( "showSource:" + showSource ); - // System.out.println( "showSolution:" + showSolution ); - // System.out.println( "showCookies:" + showCookies ); - // System.out.println( "showRequest:" + showRequest ); - - if (content != null) - { - response.setContentType("text/html"); - PrintWriter out = new PrintWriter(response.getOutputStream()); - out.print(content); - out.flush(); - out.close(); - } - } - - private void restartLesson(int lessonId) - { - AbstractLesson al = getLesson(lessonId); - System.out.println("Restarting lesson: " + al); - al.getLessonTracker(this).setCompleted(false); - if (al instanceof SequentialLessonAdapter) - { - SequentialLessonAdapter sla = (SequentialLessonAdapter) al; - sla.getLessonTracker(this).setStage(1); - } - else if (al instanceof RandomLessonAdapter) - { - RandomLessonAdapter rla = (RandomLessonAdapter) al; - rla.setStage(this, rla.getStages()[0]); - } - } - - /** - * @param string - */ - public void setHasHackableAdmin(String role) - { - hasHackedHackableAdmin = (AbstractLesson.HACKED_ADMIN_ROLE.equals(role) & hasHackedHackableAdmin); - - // if the 
user got the Admin=true parameter correct AND they accessed an admin screen - if (hasHackedHackableAdmin) - { - completedHackableAdmin = true; - } - } - - /** - * @return Returns the isDebug. - */ - public boolean isDebug() - { - return isDebug; - } - - /** - * @param header - * - request header value to return - * @return - */ - public String getHeader(String header) - { - return getRequest().getHeader(header); - } - - public String getNextHint() - { - String hint = null; - - // FIXME - int maxHints = getCurrentLesson().getHintCount(this); - if (hintNum < maxHints - 1) - { - hintNum++; - - // Hints are indexed from 0 - getCurrentLesson().getLessonTracker(this).setMaxHintLevel(getHintNum() + 1); - - hint = (String) getCurrentLesson().getHint(this, getHintNum()); - } - - return hint; - } - - public String getPreviousHint() - { - String hint = null; - - if (hintNum > 0) - { - hintNum--; - - // Hints are indexed from 0 - getCurrentLesson().getLessonTracker(this).setMaxHintLevel(getHintNum() + 1); - - hint = (String) getCurrentLesson().getHint(this, getHintNum()); - } - - return hint; - } - - public void setCurrentMenu(Integer ranking) - { - currentMenu = ranking.intValue(); - } - - public int getCurrentMenu() - { - return currentMenu; - } - - public WebgoatContext getWebgoatContext() - { - return webgoatContext; - } - - public String getCurrrentLanguage() { - return currentLanguage; - } - - -} +package org.owasp.webgoat.session; + +import java.io.IOException; +import java.io.PrintWriter; +import java.security.Principal; +import java.sql.Connection; +import java.sql.SQLException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.Hashtable; +import java.util.List; +import java.util.Map; +import java.util.Vector; +import javax.servlet.ServletContext; +import javax.servlet.http.Cookie; +import javax.servlet.http.HttpServletRequest; +import 
javax.servlet.http.HttpServletResponse; +import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.lessons.Category; +import org.owasp.webgoat.lessons.RandomLessonAdapter; +import org.owasp.webgoat.lessons.SequentialLessonAdapter; +import org.owasp.webgoat.util.WebGoatI18N; + +/** + * ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. 
+ * + * For details, please see http://code.google.com/p/webgoat/ + * + * @author Jeff Williams Aspect + * Security + * @author Bruce Mayhew WebGoat + * + * @created October 28, 2003 + */ +public class WebSession { + + /** + * Description of the Field + */ + public final static String ADMIN = "admin"; + + /** + * Tomcat role for a webgoat user + */ + public final static String WEBGOAT_USER = "webgoat_user"; + + /** + * Tomcat role for a webgoat admin + */ + public final static String WEBGOAT_ADMIN = "webgoat_admin"; + + /** + * Description of the Field + */ + public final static String CHALLENGE = "Challenge"; + + /** + * Description of the Field + */ + public final static String COLOR = "color"; + + /** + * Description of the Field + */ + public final static int ERROR = 0; + + public static final String STAGE = "stage"; + + /** + * Description of the Field + */ + public final static String JSESSION_ID = "jsessionid"; + + /** + * Description of the Field + */ + public final static String LOGOUT = "Logout"; + + /** + * Description of the Field + */ + public final static String RESTART = "Restart"; + + /** + * Description of the Field + */ + public final static String MENU = "menu"; + + /** + * Description of the Field + */ + public final static String SCREEN = "Screen"; + + /** + * Description of the Field + */ + public final static String SESSION = "Session"; + + public final static String SHOWSOURCE = "ShowSource"; + + public final static String SHOWSOLUTION = "ShowSolution"; + + public final static String SHOWHINTS = "ShowHints"; + + public final static String SHOW = "show"; + + public final static String SHOW_NEXTHINT = "NextHint"; + + public final static String SHOW_PREVIOUSHINT = "PreviousHint"; + + public final static String SHOW_PARAMS = "Params"; + + public final static String SHOW_COOKIES = "Cookies"; + + public final static String SHOW_SOURCE = "Source"; + + public final static String SHOW_SOLUTION = "Solution"; + + public final static String DEBUG = 
"debug"; + + public final static String LANGUAGE = "language"; + + /** + * Description of the Field + */ + public final static int WELCOME = -1; + + private WebgoatContext webgoatContext; + + private ServletContext context = null; + + private Course course; + + private int currentScreen = WELCOME; + + private int previousScreen = ERROR; + + private int hintNum = -1; + + private boolean isAdmin = false; + + private boolean isHackedAdmin = false; + + private boolean isAuthenticated = false; + + private boolean isColor = false; + + private boolean isDebug = false; + + private boolean hasHackedHackableAdmin = false; + + private StringBuffer message = new StringBuffer(""); + + private ParameterParser myParser; + + private HttpServletRequest request = null; + + private HttpServletResponse response = null; + + private String servletName; + + private HashMap session = new HashMap(); + + private boolean showCookies = false; + + private boolean showParams = false; + + private boolean showRequest = false; + + private boolean showSource = false; + + private boolean showSolution = false; + + private boolean completedHackableAdmin = false; + + private int currentMenu; + + private String currentLanguage = null; + + /** + * Constructor for the WebSession object + * + * @param servlet Description of the Parameter + * @param context Description of the Parameter + */ + public WebSession(WebgoatContext webgoatContext, ServletContext context) { + this.webgoatContext = webgoatContext; + // initialize from web.xml + showParams = webgoatContext.isShowParams(); + showCookies = webgoatContext.isShowCookies(); + showSource = webgoatContext.isShowSource(); + showSolution = webgoatContext.isShowSolution(); + showRequest = webgoatContext.isShowRequest(); + currentLanguage = webgoatContext.getDefaultLanguage(); + this.context = context; + + course = new Course(); + course.loadCourses(webgoatContext, context, "/"); + } + + public static synchronized Connection getConnection(WebSession s) throws 
SQLException { + return DatabaseUtilities.getConnection(s); + } + + public static void returnConnection(WebSession s) { + DatabaseUtilities.returnConnection(s.getUserName()); + } + + /** + * Description of the Method + * + * @param key Description of the Parameter + * @param value Description of the Parameter + */ + public void add(String key, Object value) { + session.put(key, value); + } + + /** + * Description of the Method + */ + public void clearMessage() { + message.setLength(0); + } + + /** + * Description of the Method + */ + public void eatCookies() { + Cookie[] cookies = request.getCookies(); + + for (int loop = 0; loop < cookies.length; loop++) { + if (!cookies[loop].getName().startsWith("JS")) {// skip jsessionid cookie + cookies[loop].setMaxAge(0);// mark for deletion by browser + response.addCookie(cookies[loop]); + } + } + } + + /** + * Description of the Method + * + * @param key Description of the Parameter + * @return Description of the Return Value + */ + public Object get(String key) { + return (session.get(key)); + } + + /** + * Gets the context attribute of the WebSession object + * + * @return The context value + */ + public ServletContext getContext() { + return context; + } + + public List getRoles() { + List roles = new ArrayList(); + + roles.add(AbstractLesson.USER_ROLE); + if (isAdmin()) { + roles.add(AbstractLesson.ADMIN_ROLE); + } + + return roles; + } + + /** + * Sets the admin flag - this routine is ONLY here to allow someone a + * backdoor to setting the user up as an admin. 
+ * + * This is also used by the WebSession to set the admin, but the method + * should be private + * + * @param state + */ + public void setAdmin(boolean state) { + isAdmin = state; + + } + + public String getRole() { + + String role = ""; + if (isAdmin()) { + role = AbstractLesson.ADMIN_ROLE; + } else if (isHackedAdmin()) { + role = AbstractLesson.HACKED_ADMIN_ROLE; + } else if (isChallenge()) { + role = AbstractLesson.CHALLENGE_ROLE; + } else { + role = AbstractLesson.USER_ROLE; + } + + return role; + } + + /** + * Gets the course attribute of the WebSession object + * + * @return The course value + */ + public Course getCourse() { + return course; + } + + public void setCourse(Course course) { + this.course = course; + } + + /** + * Gets the currentScreen attribute of the WebSession object + * + * @return The currentScreen value + */ + public int getCurrentScreen() { + return (currentScreen); + } + + public void setCurrentScreen(int screen) { + currentScreen = screen; + } + + public String getRestartLink() { + return getCurrentLesson().getLink() + "&" + RESTART + "=" + getCurrentScreen(); + } + + public String getCurrentLink() { + String thisLink = "attack"; + Enumeration e = request.getParameterNames(); + boolean isFirstParameter = true; + while (e.hasMoreElements()) { + String name = e.nextElement(); + if (isFirstParameter) { + isFirstParameter = false; + thisLink += "?"; + } else { + thisLink += "&"; + } + thisLink = thisLink + name + "=" + request.getParameter(name); + } + + return thisLink; + } + + public AbstractLesson getCurrentLesson() { + return getCourse().getLesson(this, getCurrentScreen(), getRoles()); + } + + public AbstractLesson getLesson(int id) { + return getCourse().getLesson(this, id, getRoles()); + } + + public List getLessons(Category category) { + return getCourse().getLessons(this, category, getRoles()); + } + + /** + * Gets the hint1 attribute of the WebSession object + * + * @return The hint1 value + */ + private int getHintNum() { + 
return (hintNum); + } + + public String getHint() { + String hint = null; + int hints = getCurrentLesson().getHintCount(this); + if (getHintNum() > hints) { + hintNum = -1; + } + if (getHintNum() >= 0) // FIXME + { + hint = getCurrentLesson().getHint(this, getHintNum()); + } + + return hint; + } + + public List getParams() { + Vector params = null; + + if (showParams() && getParser() != null) { + params = new Vector(); + + Enumeration e = getParser().getParameterNames(); + + while ((e != null) && e.hasMoreElements()) { + String name = (String) e.nextElement(); + String[] values = getParser().getParameterValues(name); + + for (int loop = 0; (values != null) && (loop < values.length); loop++) { + params.add(new Parameter(name, values[loop])); + // params.add( name + " -> " + values[loop] ); + } + } + + Collections.sort(params); + } + + return params; + } + + public List getCookies() { + List cookies = null; + + if (showCookies()) { + cookies = Arrays.asList(request.getCookies()); + } + + /* + * List cookies = new Vector(); HttpServletRequest request = getRequest(); Cookie[] cookies + * = request.getCookies(); if ( cookies.length == 0 ) { list.addElement( new LI( + * "No Cookies" ) ); } for ( int i = 0; i < cookies.length; i++ ) { Cookie cookie = + * cookies[i]; cookies.add(cookie); //list.addElement( new LI( cookie.getName() + " -> " + + * cookie.getValue() ) ); } + */ + return cookies; + } + + /** + * Gets the cookie attribute of the CookieScreen object + * + * @param s Description of the Parameter + * @return The cookie value + */ + public String getCookie(String cookieName) { + Cookie[] cookies = getRequest().getCookies(); + + for (int i = 0; i < cookies.length; i++) { + if (cookies[i].getName().equalsIgnoreCase(cookieName)) { + return (cookies[i].getValue()); + } + } + + return (null); + } + + public String getSource() { + return "Sorry. 
No Java Source viewing available."; + // return getCurrentLesson().getSource(this); + } + + public String getSolution() { + return "Sorry. No solution is available."; + // return getCurrentLesson().getSolution(this); + } + + public String getInstructions() { + return getCurrentLesson().getInstructions(this); + } + + /** + * Gets the message attribute of the WebSession object + * + * @return The message value + */ + public String getMessage() { + return (message.toString()); + } + + /** + * Gets the parser attribute of the WebSession object + * + * @return The parser value + */ + public ParameterParser getParser() { + return (myParser); + } + + /** + * Gets the previousScreen attribute of the WebSession object + * + * @return The previousScreen value + */ + public int getPreviousScreen() { + return (previousScreen); + } + + /** + * Gets the request attribute of the WebSession object + * + * @return The request value + */ + public HttpServletRequest getRequest() { + return request; + } + + public void setRequest(HttpServletRequest request) { + this.request = request; + } + + /** + * Gets the response attribute of the WebSession object + * + * @return The response value + */ + public HttpServletResponse getResponse() { + return response; + } + + /** + * Gets the servletName attribute of the WebSession object + * + * @return The servletName value + */ + public String getServletName() { + return (servletName); + } + + /** + * Gets the sourceFile attribute of the WebSession object + * + * @param screen Description of the Parameter + * @return The sourceFile value + */ + public String getWebResource(String fileName) { + // Note: doesn't work for admin path! 
Maybe with a ../ attack + return (context.getRealPath(fileName)); + } + + /** + * Gets the admin attribute of the WebSession object + * + * @return The admin value + */ + public boolean isAdmin() { + return (isAdmin); + } + + /** + * Gets the hackedAdmin attribute of the WebSession object + * + * @return The hackedAdmin value + */ + public boolean isHackedAdmin() { + return (isHackedAdmin); + } + + /** + * Has the user ever hacked the hackable admin + * + * @return The hackedAdmin value + */ + public boolean completedHackableAdmin() { + return (completedHackableAdmin); + } + + /** + * Gets the authenticated attribute of the WebSession object + * + * @return The authenticated value + */ + public boolean isAuthenticated() { + return (isAuthenticated); + } + + private Map lessonSessions = new Hashtable(); + + public boolean isAuthenticatedInLesson(AbstractLesson lesson) { + boolean authenticated = false; + + LessonSession lessonSession = getLessonSession(lesson); + if (lessonSession != null) { + authenticated = lessonSession.isAuthenticated(); + } + // System.out.println("Authenticated for lesson " + lesson + "? 
" + authenticated); + + return authenticated; + } + + public boolean isAuthorizedInLesson(int employeeId, String functionId) { + return getCurrentLesson().isAuthorized(this, employeeId, functionId); + } + + public boolean isAuthorizedInLesson(String role, String functionId) { + return getCurrentLesson().isAuthorized(this, role, functionId); + } + + public int getUserIdInLesson() throws ParameterNotFoundException { + return getCurrentLesson().getUserId(this); + } + + public String getUserNameInLesson() throws ParameterNotFoundException { + return getCurrentLesson().getUserName(this); + } + + public void openLessonSession(AbstractLesson lesson) { + System.out.println("Opening new lesson session for lesson " + lesson); + LessonSession lessonSession = new LessonSession(); + lessonSessions.put(lesson, lessonSession); + } + + public void closeLessonSession(AbstractLesson lesson) { + lessonSessions.remove(lesson); + } + + public LessonSession getLessonSession(AbstractLesson lesson) { + return lessonSessions.get(lesson); + } + + /** + * Gets the challenge attribute of the WebSession object + * + * @return The challenge value + */ + public boolean isChallenge() { + if (getCurrentLesson() != null) { + return (Category.CHALLENGE.equals(getCurrentLesson().getCategory())); + } + return false; + } + + /** + * Gets the color attribute of the WebSession object + * + * @return The color value + */ + public boolean isColor() { + return (isColor); + } + + /** + * Gets the screen attribute of the WebSession object + * + * @param value Description of the Parameter + * @return The screen value + */ + public boolean isScreen(int value) { + return (getCurrentScreen() == value); + } + + /** + * Gets the user attribute of the WebSession object + * + * @return The user value + */ + public boolean isUser() { + return (!isAdmin && !isChallenge()); + } + + /** + * Sets the message attribute of the WebSession object + * + * @param text The new message value + */ + public void setMessage(String 
text) { + message.append("
" + " * " + text); + } + + public void setLineBreak(String text) { + message.append("

" + text); + } + + /** + * Description of the Method + * + * @return Description of the Return Value + */ + public boolean showCookies() { + return (showCookies); + } + + /** + * Description of the Method + * + * @return Description of the Return Value + */ + public boolean showParams() { + return (showParams); + } + + /** + * Description of the Method + * + * @return Description of the Return Value + */ + public boolean showRequest() { + return (showRequest); + } + + /** + * Description of the Method + * + * @return Description of the Return Value + */ + public boolean showSource() { + return (showSource); + } + + public boolean showSolution() { + return (showSolution); + } + + /** + * Gets the userName attribute of the WebSession object + * + * @return The userName value + */ + public String getUserName() { + HttpServletRequest request = getRequest(); + if (request == null) { + throw new RuntimeException("Could not find the ServletRequest in the web session"); + } + Principal principal = request.getUserPrincipal(); + if (principal == null) { + throw new RuntimeException("Could not find the Principal in the Servlet Request"); + } + return principal.getName(); + } + + /** + * Parse parameters from the given request, handle any servlet commands, and + * update this session based on the parameters. 
+ * + * @param request Description of the Parameter + * @param response Description of the Parameter + * @param name Description of the Parameter + */ + public void update(HttpServletRequest request, HttpServletResponse response, String name) throws IOException { + String content = null; + + clearMessage(); + this.request = request; + this.response = response; + this.servletName = name; + + if (myParser == null) { + myParser = new ParameterParser(request); + } else { + myParser.update(request); + } + + if (myParser.getRawParameter(LANGUAGE, null) != null) { + this.currentLanguage = new String(myParser.getRawParameter(LANGUAGE, null)); + WebGoatI18N.setCurrentLanguage(this.currentLanguage); + } + + // System.out.println("Current Screen 1: " + currentScreen ); + // System.out.println("Previous Screen 1: " + previousScreen ); + // FIXME: requires ?Logout=true + // FIXME: doesn't work right -- no reauthentication + if (myParser.getRawParameter(LOGOUT, null) != null) { + System.out.println("Logout " + request.getUserPrincipal()); + eatCookies(); + request.getSession().invalidate(); + currentScreen = WELCOME; + previousScreen = ERROR; + } + + // There are several scenarios where we want the first lesson to be loaded + // 1) Previous screen is Welcome - Start of the course + // 2) After a logout and after the session has been reinitialized + if ((this.getPreviousScreen() == WebSession.WELCOME) || (getRequest().getSession(false) != null + && // getRequest().getSession(false).isNew() && + this.getCurrentScreen() == WebSession.WELCOME && this.getPreviousScreen() == WebSession.ERROR)) { + currentScreen = course.getFirstLesson().getScreenId(); + hintNum = -1; + } + + // System.out.println("Current Screen 2: " + currentScreen ); + // System.out.println("Previous Screen 2: " + previousScreen ); + // update the screen variables + previousScreen = currentScreen; + + try { + // If the request is new there should be no parameters. 
+ // This can occur from a session timeout or a the starting of a new course. + if (!request.getSession().isNew()) { + currentScreen = myParser.getIntParameter(SCREEN, currentScreen); + } else { + if (!myParser.getRawParameter(SCREEN, "NULL").equals("NULL")) { + this.setMessage("Session Timeout - Starting new Session."); + } + } + } catch (Exception e) { + } + + // clear variables when switching screens + if (this.getCurrentScreen() != this.getPreviousScreen()) { + if (webgoatContext.isDebug()) { + setMessage("Changed to a new screen, clearing cookies and hints"); + } + eatCookies(); + hintNum = -1; + } else if (myParser.getRawParameter(STAGE, null) != null) { + AbstractLesson al = getCurrentLesson(); + if (al instanceof SequentialLessonAdapter) { + SequentialLessonAdapter sla = (SequentialLessonAdapter) al; + int stage = myParser.getIntParameter(STAGE, sla.getStage(this)); + if (stage > 0 && stage <= sla.getStageCount()) { + sla.setStage(this, stage); + } + } else if (al instanceof RandomLessonAdapter) { + try { + RandomLessonAdapter rla = (RandomLessonAdapter) al; + int stage = myParser.getIntParameter(STAGE) - 1; + String[] stages = rla.getStages(); + if (stages == null) { + stages = new String[0]; + } + if (stage >= 0 && stage < stages.length) { + rla.setStage(this, stages[stage]); + } + } catch (ParameterNotFoundException pnfe) { + } + } + } // else update global variables for the current screen + else { + // Handle "restart" commands + int lessonId = myParser.getIntParameter(RESTART, -1); + if (lessonId != -1) { + restartLesson(lessonId); + } + // if ( myParser.getBooleanParameter( RESTART, false ) ) + // { + // getCurrentLesson().getLessonTracker( this ).getLessonProperties().setProperty( + // CHALLENGE_STAGE, "1" ); + // } + + // Handle "show" commands + String showCommand = myParser.getStringParameter(SHOW, null); + if (showCommand != null) { + if (showCommand.equalsIgnoreCase(SHOW_PARAMS)) { + showParams = !showParams; + } else if 
(showCommand.equalsIgnoreCase(SHOW_COOKIES)) { + showCookies = !showCookies; + } else if (showCommand.equalsIgnoreCase(SHOW_SOURCE)) { + content = getSource(); + // showSource = true; + } else if (showCommand.equalsIgnoreCase(SHOW_SOLUTION)) { + content = getSolution(); + // showSource = true; + } else if (showCommand.equalsIgnoreCase(SHOW_NEXTHINT)) { + getNextHint(); + } else if (showCommand.equalsIgnoreCase(SHOW_PREVIOUSHINT)) { + getPreviousHint(); + } + } + + } + + isAdmin = request.isUserInRole(WEBGOAT_ADMIN); + isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin); + if (isHackedAdmin) { + System.out.println("Hacked admin"); + hasHackedHackableAdmin = true; + } + isColor = myParser.getBooleanParameter(COLOR, isColor); + isDebug = myParser.getBooleanParameter(DEBUG, isDebug); + + // System.out.println( "showParams:" + showParams ); + // System.out.println( "showSource:" + showSource ); + // System.out.println( "showSolution:" + showSolution ); + // System.out.println( "showCookies:" + showCookies ); + // System.out.println( "showRequest:" + showRequest ); + if (content != null) { + response.setContentType("text/html"); + PrintWriter out = new PrintWriter(response.getOutputStream()); + out.print(content); + out.flush(); + out.close(); + } + } + + private void restartLesson(int lessonId) { + AbstractLesson al = getLesson(lessonId); + System.out.println("Restarting lesson: " + al); + al.getLessonTracker(this).setCompleted(false); + if (al instanceof SequentialLessonAdapter) { + SequentialLessonAdapter sla = (SequentialLessonAdapter) al; + sla.getLessonTracker(this).setStage(1); + } else if (al instanceof RandomLessonAdapter) { + RandomLessonAdapter rla = (RandomLessonAdapter) al; + rla.setStage(this, rla.getStages()[0]); + } + } + + /** + * @param string + */ + public void setHasHackableAdmin(String role) { + hasHackedHackableAdmin = (AbstractLesson.HACKED_ADMIN_ROLE.equals(role) & hasHackedHackableAdmin); + + // if the user got the Admin=true parameter 
correct AND they accessed an admin screen + if (hasHackedHackableAdmin) { + completedHackableAdmin = true; + } + } + + /** + * @return Returns the isDebug. + */ + public boolean isDebug() { + return isDebug; + } + + /** + * @param header - request header value to return + * @return + */ + public String getHeader(String header) { + return getRequest().getHeader(header); + } + + public String getNextHint() { + String hint = null; + + // FIXME + int maxHints = getCurrentLesson().getHintCount(this); + if (hintNum < maxHints - 1) { + hintNum++; + + // Hints are indexed from 0 + getCurrentLesson().getLessonTracker(this).setMaxHintLevel(getHintNum() + 1); + + hint = (String) getCurrentLesson().getHint(this, getHintNum()); + } + + return hint; + } + + public String getPreviousHint() { + String hint = null; + + if (hintNum > 0) { + hintNum--; + + // Hints are indexed from 0 + getCurrentLesson().getLessonTracker(this).setMaxHintLevel(getHintNum() + 1); + + hint = (String) getCurrentLesson().getHint(this, getHintNum()); + } + + return hint; + } + + public void setCurrentMenu(Integer ranking) { + currentMenu = ranking.intValue(); + } + + public int getCurrentMenu() { + return currentMenu; + } + + public WebgoatContext getWebgoatContext() { + return webgoatContext; + } + + public String getCurrrentLanguage() { + return currentLanguage; + } + +} diff --git a/java/org/owasp/webgoat/session/WebgoatContext.java b/java/org/owasp/webgoat/session/WebgoatContext.java index ebb9b34d3..fae41da05 100644 --- a/java/org/owasp/webgoat/session/WebgoatContext.java +++ b/java/org/owasp/webgoat/session/WebgoatContext.java 
@@ -1,248 +1,231 @@
-
-package org.owasp.webgoat.session;
-
-import java.util.Iterator;
-import javax.servlet.http.HttpServlet;
-
-import org.owasp.webgoat.util.WebGoatI18N;
-
-
-public class WebgoatContext
-{
-
- public final static String DATABASE_CONNECTION_STRING = "DatabaseConnectionString";
-
- public final static String DATABASE_DRIVER = "DatabaseDriver";
-
- public final static String DATABASE_USER = "DatabaseUser";
-
- public final static String DATABASE_PASSWORD = "DatabasePassword";
-
- public final static String ENTERPRISE = "Enterprise";
-
- public final static String CODING_EXERCISES = "CodingExercises";
-
- public final static String SHOWCOOKIES = "ShowCookies";
-
- public final static String SHOWPARAMS = "ShowParams";
-
- public final static String SHOWREQUEST = "ShowRequest";
-
- public final static String SHOWSOURCE = "ShowSource";
-
- public final static String SHOWSOLUTION = "ShowSolution";
-
- public final static String SHOWHINTS = "ShowHints";
-
- public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands";
-
- public final static String FEEDBACK_ADDRESS_HTML = "FeedbackAddressHTML";
-
- public final static String FEEDBACK_ADDRESS = "email";
-
- public final static String DEBUG = "debug";
-
- public final static String DEFAULTLANGUAGE = "DefaultLanguage";
-
- private String databaseConnectionString;
-
- private String realConnectionString = null;
-
- private String databaseDriver;
-
- private String databaseUser;
-
- private String databasePassword;
-
- private boolean showCookies = false;
-
- private boolean showParams = false;
-
- private boolean showRequest = false;
-
- private boolean showSource = false;
-
- private boolean showSolution = false;
-
- private boolean defuseOSCommands = false;
-
- private boolean enterprise = false;
-
- private boolean codingExercises = false;
-
- private String feedbackAddress = "webgoat@owasp.org";
-
- private String feedbackAddressHTML = "webgoat@owasp.org";
-
- private boolean isDebug = false;
-
- private String servletName;
-
- private HttpServlet servlet;
-
- private String defaultLanguage;
-
- private WebGoatI18N webgoati18n = null;
-
- public WebgoatContext(HttpServlet servlet)
- {
- this.servlet = servlet;
- databaseConnectionString = getParameter(servlet, DATABASE_CONNECTION_STRING);
- databaseDriver = getParameter(servlet, DATABASE_DRIVER);
- databaseUser = getParameter(servlet, DATABASE_USER);
- databasePassword = getParameter(servlet, DATABASE_PASSWORD);
-
- // initialize from web.xml
- showParams = "true".equals(getParameter(servlet, SHOWPARAMS));
- showCookies = "true".equals(getParameter(servlet, SHOWCOOKIES));
- showSource = "true".equals(getParameter(servlet, SHOWSOURCE));
- showSolution = "true".equals(getParameter(servlet, SHOWSOLUTION));
- defuseOSCommands = "true".equals(getParameter(servlet, DEFUSEOSCOMMANDS));
- enterprise = "true".equals(getParameter(servlet, ENTERPRISE));
- codingExercises = "true".equals(getParameter(servlet, CODING_EXERCISES));
- feedbackAddressHTML = getParameter(servlet, FEEDBACK_ADDRESS_HTML) != null ? getParameter(servlet,
- FEEDBACK_ADDRESS_HTML)
- : feedbackAddressHTML;
- feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS) != null ? getParameter(servlet, FEEDBACK_ADDRESS)
- : feedbackAddress;
- showRequest = "true".equals(getParameter(servlet, SHOWREQUEST));
- isDebug = "true".equals(getParameter(servlet, DEBUG));
- servletName = servlet.getServletName();
- defaultLanguage = getParameter(servlet,DEFAULTLANGUAGE)!=null ? new String(getParameter(servlet, DEFAULTLANGUAGE)): new String("English");
-
- webgoati18n = new WebGoatI18N(this);
-
- }
-
- private String getParameter(HttpServlet servlet, String key)
- {
- String value = System.getenv().get(key);
- if (value == null) value = servlet.getInitParameter(key);
- return value;
- }
-
- /**
- * returns the connection string with the real path to the database directory inserted at the
- * word PATH
- *
- * @return The databaseConnectionString value
- */
- public String getDatabaseConnectionString()
- {
- if (realConnectionString == null) try
- {
- String path = servlet.getServletContext().getRealPath("/database").replace('\\', '/');
- System.out.println("PATH: " + path);
- realConnectionString = databaseConnectionString.replaceAll("PATH", path);
- System.out.println("Database Connection String: " + realConnectionString);
- } catch (Exception e)
- {
- System.out.println("Couldn't open database: check web.xml database parameters");
- e.printStackTrace();
- }
- return realConnectionString;
- }
-
- /**
- * Gets the databaseDriver attribute of the WebSession object
- *
- * @return The databaseDriver value
- */
- public String getDatabaseDriver()
- {
- return (databaseDriver);
- }
-
- /**
- * Gets the databaseUser attribute of the WebSession object
- *
- * @return The databaseUser value
- */
- public String getDatabaseUser()
- {
- return (databaseUser);
- }
-
- /**
- * Gets the databasePassword attribute of the WebSession object
- *
- * @return The databasePassword value
- */
- public String getDatabasePassword()
- {
- return (databasePassword);
- }
-
- public boolean isDefuseOSCommands()
- {
- return defuseOSCommands;
- }
-
- public boolean isEnterprise()
- {
- return enterprise;
- }
-
- public boolean isCodingExercises()
- {
- return codingExercises;
- }
-
- public String getFeedbackAddress()
- {
- return feedbackAddress;
- }
-
- public String getFeedbackAddressHTML()
- {
- return feedbackAddressHTML;
- }
-
- public boolean isDebug()
- {
-
return isDebug; - } - - public String getServletName() - { - return servletName; - } - - public boolean isShowCookies() - { - return showCookies; - } - - public boolean isShowParams() - { - return showParams; - } - - public boolean isShowRequest() - { - return showRequest; - } - - public boolean isShowSource() - { - return showSource; - } - - public boolean isShowSolution() - { - return showSolution; - } - - public String getDefaultLanguage() { - return defaultLanguage; - } - - public void setWebgoatiI18N(WebGoatI18N webgoati18n) { - this.webgoati18n = webgoati18n; - } - - public WebGoatI18N getWebgoatI18N() { - return webgoati18n; - } - -} +package org.owasp.webgoat.session; + +import javax.servlet.http.HttpServlet; + +import org.owasp.webgoat.util.WebGoatI18N; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class WebgoatContext { + + final Logger logger = LoggerFactory.getLogger(WebgoatContext.class); + + public final static String DATABASE_CONNECTION_STRING = "DatabaseConnectionString"; + + public final static String DATABASE_DRIVER = "DatabaseDriver"; + + public final static String DATABASE_USER = "DatabaseUser"; + + public final static String DATABASE_PASSWORD = "DatabasePassword"; + + public final static String ENTERPRISE = "Enterprise"; + + public final static String CODING_EXERCISES = "CodingExercises"; + + public final static String SHOWCOOKIES = "ShowCookies"; + + public final static String SHOWPARAMS = "ShowParams"; + + public final static String SHOWREQUEST = "ShowRequest"; + + public final static String SHOWSOURCE = "ShowSource"; + + public final static String SHOWSOLUTION = "ShowSolution"; + + public final static String SHOWHINTS = "ShowHints"; + + public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands"; + + public final static String FEEDBACK_ADDRESS_HTML = "FeedbackAddressHTML"; + + public final static String FEEDBACK_ADDRESS = "email"; + + public final static String DEBUG = "debug"; + + public final static String 
DEFAULTLANGUAGE = "DefaultLanguage"; + + private String databaseConnectionString; + + private String realConnectionString = null; + + private String databaseDriver; + + private String databaseUser; + + private String databasePassword; + + private boolean showCookies = false; + + private boolean showParams = false; + + private boolean showRequest = false; + + private boolean showSource = false; + + private boolean showSolution = false; + + private boolean defuseOSCommands = false; + + private boolean enterprise = false; + + private boolean codingExercises = false; + + private String feedbackAddress = "webgoat@owasp.org"; + + private String feedbackAddressHTML = "webgoat@owasp.org"; + + private boolean isDebug = false; + + private String servletName; + + private HttpServlet servlet; + + private String defaultLanguage; + + private WebGoatI18N webgoati18n = null; + + public WebgoatContext(HttpServlet servlet) { + this.servlet = servlet; + databaseConnectionString = getParameter(servlet, DATABASE_CONNECTION_STRING); + databaseDriver = getParameter(servlet, DATABASE_DRIVER); + databaseUser = getParameter(servlet, DATABASE_USER); + databasePassword = getParameter(servlet, DATABASE_PASSWORD); + + // initialize from web.xml + showParams = "true".equals(getParameter(servlet, SHOWPARAMS)); + showCookies = "true".equals(getParameter(servlet, SHOWCOOKIES)); + showSource = "true".equals(getParameter(servlet, SHOWSOURCE)); + showSolution = "true".equals(getParameter(servlet, SHOWSOLUTION)); + defuseOSCommands = "true".equals(getParameter(servlet, DEFUSEOSCOMMANDS)); + enterprise = "true".equals(getParameter(servlet, ENTERPRISE)); + codingExercises = "true".equals(getParameter(servlet, CODING_EXERCISES)); + feedbackAddressHTML = getParameter(servlet, FEEDBACK_ADDRESS_HTML) != null ? getParameter(servlet, + FEEDBACK_ADDRESS_HTML) + : feedbackAddressHTML; + feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS) != null ? 
getParameter(servlet, FEEDBACK_ADDRESS) + : feedbackAddress; + showRequest = "true".equals(getParameter(servlet, SHOWREQUEST)); + isDebug = "true".equals(getParameter(servlet, DEBUG)); + servletName = servlet.getServletName(); + defaultLanguage = getParameter(servlet, DEFAULTLANGUAGE) != null ? new String(getParameter(servlet, DEFAULTLANGUAGE)) : new String("English"); + + webgoati18n = new WebGoatI18N(this); + + } + + private String getParameter(HttpServlet servlet, String key) { + String value = System.getenv().get(key); + if (value == null) { + value = servlet.getInitParameter(key); + } + return value; + } + + /** + * returns the connection string with the real path to the database + * directory inserted at the word PATH + * + * @return The databaseConnectionString value + */ + public String getDatabaseConnectionString() { + if (realConnectionString == null) { + try { + String path = servlet.getServletContext().getRealPath("/database").replace('\\', '/'); + System.out.println("PATH: " + path); + realConnectionString = databaseConnectionString.replaceAll("PATH", path); + System.out.println("Database Connection String: " + realConnectionString); + } catch (Exception e) { + logger.error("Couldn't open database: check web.xml database parameters", e); + } + } + return realConnectionString; + } + + /** + * Gets the databaseDriver attribute of the WebSession object + * + * @return The databaseDriver value + */ + public String getDatabaseDriver() { + return (databaseDriver); + } + + /** + * Gets the databaseUser attribute of the WebSession object + * + * @return The databaseUser value + */ + public String getDatabaseUser() { + return (databaseUser); + } + + /** + * Gets the databasePassword attribute of the WebSession object + * + * @return The databasePassword value + */ + public String getDatabasePassword() { + return (databasePassword); + } + + public boolean isDefuseOSCommands() { + return defuseOSCommands; + } + + public boolean isEnterprise() { + return 
enterprise; + } + + public boolean isCodingExercises() { + return codingExercises; + } + + public String getFeedbackAddress() { + return feedbackAddress; + } + + public String getFeedbackAddressHTML() { + return feedbackAddressHTML; + } + + public boolean isDebug() { + return isDebug; + } + + public String getServletName() { + return servletName; + } + + public boolean isShowCookies() { + return showCookies; + } + + public boolean isShowParams() { + return showParams; + } + + public boolean isShowRequest() { + return showRequest; + } + + public boolean isShowSource() { + return showSource; + } + + public boolean isShowSolution() { + return showSolution; + } + + public String getDefaultLanguage() { + return defaultLanguage; + } + + public void setWebgoatiI18N(WebGoatI18N webgoati18n) { + this.webgoati18n = webgoati18n; + } + + public WebGoatI18N getWebgoatI18N() { + return webgoati18n; + } + +} diff --git a/resources/log4j.properties b/resources/log4j.properties index 207c3dcde..9efb1064a 100644 --- a/resources/log4j.properties +++ b/resources/log4j.properties @@ -1,4 +1,4 @@ -log4j.rootLogger=INFO, MAIN_LOG, ERROR_LOG +log4j.rootLogger=DEBUG, MAIN_LOG, ERROR_LOG # MAIN - everything gets logged here log4j.appender.MAIN_LOG=org.apache.log4j.RollingFileAppender @@ -9,6 +9,9 @@ log4j.appender.MAIN_LOG.MaxFileSize=10MB log4j.appender.MAIN_LOG.MaxBackupIndex=5 log4j.appender.MAIN_LOG.append=true +# a little less spring output +log4j.category.org.springframework = INFO + # ERROR log4j.appender.ERROR_LOG=org.apache.log4j.RollingFileAppender log4j.appender.ERROR_LOG.File=${catalina.home}/logs/webgoat_error.log
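Review bot: getDatabaseConnectionString() still writes the resolved path and the full connection string to stdout with `System.out.println` while the catch block right below it now goes through `logger`, so the move to SLF4J is incomplete in the one method that handles configuration-derived data. A JDBC connection string can carry credentials, so route both lines through the logger at debug level rather than unconditionally to the container's stdout: `logger.debug("PATH: {}", path);` and `logger.debug("Database Connection String: {}", realConnectionString);`. The `logger` field itself is package-visible and per-instance; `private static final Logger logger = LoggerFactory.getLogger(WebgoatContext.class);` matches the usual SLF4J convention. Separately, the catch message says the database could not be opened, but the try body only builds a string; a null from `getRealPath` (for example an unexploded WAR) would surface as a NullPointerException logged under that misleading text, and `realConnectionString` would stay null and be recomputed on every call.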
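Review bot: Raising the root logger to DEBUG turns on debug output for every library in the webapp, not just WebGoat, which is why the same commit then has to add `log4j.category.org.springframework = INFO` to claw some of it back. Keeping `log4j.rootLogger=INFO, MAIN_LOG, ERROR_LOG` and enabling debug only for the application's own package, `log4j.category.org.owasp.webgoat = DEBUG`, gives the same diagnostic value with bounded volume and without the Spring override. Debug-level output from third-party code routinely includes request and configuration details, so the narrower category also limits what accumulates under `${catalina.home}/logs`.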