diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideValidation.java b/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideValidation.java index 41010e813..63537a0c1 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideValidation.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideValidation.java @@ -1,6 +1,7 @@ package org.owasp.webgoat.lessons; +import java.text.DecimalFormat; import java.util.ArrayList; import java.util.List; import org.apache.ecs.Element; @@ -140,8 +141,25 @@ public class ClientSideValidation extends SequentialLessonAdapter ec.addElement(new HR().setWidth("90%")); // test success + DecimalFormat money = new DecimalFormat("$0.00"); - float grandTotal = s.getParser().getFloatParameter("GRANDTOT", 0.0f); + String grandTotalString = s.getParser().getStringParameter("GRANDTOT", "0"); + + float grandTotal = 1; + + try + { + grandTotal = money.parse(grandTotalString).floatValue(); + } catch (java.text.ParseException e) + { + try + { + grandTotal = Float.parseFloat(grandTotalString); + } catch (java.lang.NumberFormatException e1) + { + // eat exception, do not update grandTotal + } + } if (getTotalQty(s) > 0 && grandTotal == 0 && !stage2FirstVisit) { @@ -186,9 +204,9 @@ public class ClientSideValidation extends SequentialLessonAdapter tr.addElement(new TD().addElement("Total before coupon is applied:")); tr.addElement(new TD().addElement( - new Input(Input.TEXT, "SUBTOT", s.getParser().getStringParameter("SUBTOT", - "0")) - .setReadOnly(true)).setAlign("right")); + new Input(Input.TEXT, "SUBTOT", s.getParser() + .getStringParameter("SUBTOT", "$0.00")).setReadOnly(true) + .setStyle("border:0px;")).setAlign("right")); t.addElement(tr); tr = new TR(); 
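Review bot: The `$0.00` pattern does not enable grouping, so `money.parse` stops at the first comma; the value this page receives is produced by `formatCurrency` in clientSideValidation.js (same commit), which inserts thousands separators, so a submitted `$1,599.99` parses as 1.0 instead of failing over to `Float.parseFloat`. The single-argument `parse` also ignores trailing characters and uses the JVM default locale's symbols, and `Float.parseFloat` accepts forms such as `0f` or `0x0p0`, so the set of strings that satisfy the `grandTotal == 0` check is wider than the lesson implies. I would pin the symbols to `Locale.US`, allow grouping, and require the parser to consume the whole string (needs `java.text.DecimalFormatSymbols`, `java.text.ParsePosition` and `java.util.Locale` imports); the sentinel `grandTotal = 1` also deserves a comment saying it deliberately makes unparseable input fail the success check. The enclosing method continues past both ends of the hunk.
```java
DecimalFormat money = new DecimalFormat("$#,##0.00", DecimalFormatSymbols.getInstance(Locale.US));
String grandTotalString = s.getParser().getStringParameter("GRANDTOT", "0");

// Sentinel: anything we cannot parse is treated as a non-zero total so the
// success check below does not fire on malformed input.
float grandTotal = 1;

ParsePosition pos = new ParsePosition(0);
Number parsed = money.parse(grandTotalString, pos);
if (parsed != null && pos.getIndex() == grandTotalString.length())
{
    grandTotal = parsed.floatValue();
}
else
{
    try
    {
        grandTotal = Float.parseFloat(grandTotalString);
    } catch (NumberFormatException e1)
    {
        // keep the sentinel; do not update grandTotal
    }
}
// … unchanged: success check on getTotalQty(s), grandTotal == 0 and stage2FirstVisit …
```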
@@ -196,8 +214,8 @@ public class ClientSideValidation extends SequentialLessonAdapter tr.addElement(new TD().addElement( new Input(Input.TEXT, "GRANDTOT", s.getParser() - .getStringParameter("GRANDTOT", "0")).setReadOnly(true)) - .setAlign("right")); + .getStringParameter("GRANDTOT", "$0.00")).setReadOnly(true) + .setStyle("border:0px;")).setAlign("right")); t.addElement(tr); t.addElement(tr); @@ -263,8 +281,9 @@ public class ClientSideValidation extends SequentialLessonAdapter tr.addElement(new TD().addElement( new Input(Input.TEXT, "PRC1", s.getParser().getStringParameter("PRC1", - "69.99")) - .setSize(10).setReadOnly(true)).setAlign("right")); + "$69.99")) + .setSize(10).setReadOnly(true).setStyle("border:0px;")) + .setAlign("right")); Input input = new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1", "0")); @@ -274,10 +293,11 @@ public class ClientSideValidation extends SequentialLessonAdapter tr.addElement(new TD().addElement(input).setAlign("right")); - tr.addElement(new TD() - .addElement( - new Input(Input.TEXT, "TOT1", s.getParser().getStringParameter("TOT1", "0")).setSize(10) - .setReadOnly(true)).setAlign("right")); + tr.addElement(new TD().addElement( + new Input(Input.TEXT, "TOT1", s.getParser().getStringParameter("TOT1", + "$0.00")) + .setSize(10).setReadOnly(true).setStyle("border:0px;")) + .setAlign("right")); t.addElement(tr); tr = new TR(); @@ -285,8 +305,9 @@ public class ClientSideValidation extends SequentialLessonAdapter tr.addElement(new TD().addElement( new Input(Input.TEXT, "PRC2", s.getParser().getStringParameter("PRC2", - "27.99")) - .setSize(10).setReadOnly(true)).setAlign("right")); + "$27.99")) + .setSize(10).setReadOnly(true).setStyle("border:0px;")) + .setAlign("right")); input = new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2", "0")); 
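Review bot: The GRANDTOT field's value is the submitted `GRANDTOT` parameter echoed straight back into the input's value attribute, so this only stays free of attribute injection if `getStringParameter` HTML-encodes its result; the HiddenFieldTampering lesson in this same commit reaches for `getRawParameter` where it wants the unencoded value, which suggests it does, but that is worth confirming rather than assuming. A one-line comment on the `new Input(Input.TEXT, "GRANDTOT", …)` call such as `// value is attacker-controlled; relies on getStringParameter() encoding it` would make the dependency visible. The enclosing method starts and ends outside the hunk.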
@@ -294,19 +315,20 @@ public class ClientSideValidation extends SequentialLessonAdapter input.setSize(10); tr.addElement(new TD().addElement(input).setAlign("right")); - tr.addElement(new TD() - .addElement( - new Input(Input.TEXT, "TOT2", s.getParser().getStringParameter("TOT2", "0")).setSize(10) - .setReadOnly(true)).setAlign("right")); + tr.addElement(new TD().addElement( + new Input(Input.TEXT, "TOT2", s.getParser().getStringParameter("TOT2", + "$0.00")) + .setSize(10).setReadOnly(true).setStyle("border:0px;")) + .setAlign("right")); t.addElement(tr); tr = new TR(); tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel® Centrino™")); - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "PRC3", s.getParser().getStringParameter("PRC3", - "1599.99")) - .setSize(10).setReadOnly(true)).setAlign("right")); + tr.addElement(new TD() + .addElement( + new Input(Input.TEXT, "PRC3", s.getParser().getStringParameter("PRC3", "$1599.99")) + .setSize(10).setReadOnly(true).setStyle("border:0px;")).setAlign("right")); input = new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3", "0")); @@ -314,10 +336,11 @@ public class ClientSideValidation extends SequentialLessonAdapter input.setSize(10); tr.addElement(new TD().addElement(input).setAlign("right")); - tr.addElement(new TD() - .addElement( - new Input(Input.TEXT, "TOT3", s.getParser().getStringParameter("TOT3", "0")).setSize(10) - .setReadOnly(true)).setAlign("right")); + tr.addElement(new TD().addElement( + new Input(Input.TEXT, "TOT3", s.getParser().getStringParameter("TOT3", + "$0.00")) + .setSize(10).setReadOnly(true).setStyle("border:0px;")) + .setAlign("right")); t.addElement(tr); tr = new TR(); 
@@ -325,8 +348,9 @@ public class ClientSideValidation extends SequentialLessonAdapter tr.addElement(new TD().addElement( new Input(Input.TEXT, "PRC4", s.getParser().getStringParameter("PRC4", - "299.99")) - .setSize(10).setReadOnly(true)).setAlign("right")); + "$299.99")) + .setSize(10).setReadOnly(true).setStyle("border:0px;")) + .setAlign("right")); input = new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4", "0")); @@ -334,10 +358,11 @@ public class ClientSideValidation extends SequentialLessonAdapter input.setSize(10); tr.addElement(new TD().addElement(input).setAlign("right")); - tr.addElement(new TD() - .addElement( - new Input(Input.TEXT, "TOT4", s.getParser().getStringParameter("TOT4", "0")).setSize(10) - .setReadOnly(true)).setAlign("right")); + tr.addElement(new TD().addElement( + new Input(Input.TEXT, "TOT4", s.getParser().getStringParameter("TOT4", + "$0.00")) + .setSize(10).setReadOnly(true).setStyle("border:0px;")) + .setAlign("right")); t.addElement(tr); ec.addElement(t); diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/Encoding.java b/main/project/JavaSource/org/owasp/webgoat/lessons/Encoding.java index f98790f23..292369f01 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/Encoding.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/Encoding.java @@ -21,6 +21,7 @@ import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.html.A; import org.apache.ecs.html.B; +import org.apache.ecs.html.Div; import org.apache.ecs.html.IMG; import org.apache.ecs.html.Input; import org.apache.ecs.html.P; 
@@ -266,7 +267,7 @@ public class Encoding extends LessonAdapter description = "Rot13 encoding is a way to make text unreadable, but is easily reversed and provides no security."; - t.addElement(makeRow(description, rot13(userInput), userInput)); + t.addElement(makeRow(description, rot13(userInput), rot13(userInput))); description = "XOR with password encoding is a weak encryption scheme that mixes a password into data."; @@ -575,7 +576,7 @@ public class Encoding extends LessonAdapter System.out.print("Hex encoding: "); System.out.println(hexEncode(userInput) + " : " + hexDecode(userInput)); System.out.print("Rot13 encoding: "); - System.out.println(rot13(userInput) + " : " + userInput); + System.out.println(rot13(userInput) + " : " + rot13(userInput)); System.out.print("XOR with password: "); System.out.println(xorEncode(userInput, userKey) + " : " + xorDecode(userInput, userKey)); System.out.print("Double unicode encoding is..."); @@ -604,8 +605,12 @@ public class Encoding extends LessonAdapter { TD desc = new TD().addElement(description).setBgColor("#bbbbbb"); - TD val1 = new TD().addElement(value1).setBgColor("#dddddd"); - TD val2 = new TD().addElement(value2).setBgColor("#dddddd"); + TD val1 = new TD() + .addElement(new Div().addElement(value1).setStyle("overflow:auto; height:60px; width:100px;")) + .setBgColor("#dddddd"); + TD val2 = new TD() + .addElement(new Div().addElement(value2).setStyle("overflow:auto; height:60px; width:100px;")) + .setBgColor("#dddddd"); TR tr = new TR(); tr.addElement(desc); diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java b/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java index 10ebb255a..ff21886b8 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java 
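Review bot: Both columns of the ROT13 row are now `rot13(userInput)`, which is correct because ROT13 is its own inverse, but a reader comparing this row with the neighbouring `encode(userInput)`/`decode(userInput)` pairs will read it as a copy-paste slip. A comment on the changed line, `// ROT13 is an involution: encoding and decoding the input give the same text`, would stop the next maintainer from "fixing" it back to the old, inconsistent form. The enclosing method continues outside the hunk.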
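Review bot: value1 and value2 are derived from userInput (see the ROT13 row in the earlier hunk) and are now added to a new Div via `addElement(String)`; whether ECS HTML-escapes that text depends on the element's filter state, which this hunk does not set, so confirm the Div escapes exactly as the bare TD did before, or escape explicitly before wrapping. If this lesson intentionally renders unescaped output, say so with a comment such as `// NOTE: rendered unescaped by design for this lesson` so it is not mistaken for an oversight. The fixed `height:60px; width:100px;` is acceptable given `overflow:auto`, but the identical inline style is repeated twice and would read better as one shared CSS class.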
@@ -1,6 +1,7 @@ package org.owasp.webgoat.lessons; +import java.text.DecimalFormat; import java.util.ArrayList; import java.util.List; import java.util.regex.Pattern; @@ -97,6 +98,7 @@ public class HiddenFieldTampering extends LessonAdapter float quantity; float total; String price = PRICE_TV; + DecimalFormat money = new DecimalFormat("$0.00"); try { price = s.getParser().getRawParameter(PRICE, PRICE_TV); @@ -124,16 +126,16 @@ public class HiddenFieldTampering extends LessonAdapter TR tr = new TR(); tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%")); - tr.addElement(new TH().addElement("Price:").setWidth("10%")); - tr.addElement(new TH().addElement("Quantity:").setWidth("3%")); + tr.addElement(new TH().addElement("Price").setWidth("10%")); + tr.addElement(new TH().addElement("Quantity").setWidth("3%")); tr.addElement(new TH().addElement("Total").setWidth("7%")); t.addElement(tr); tr = new TR(); tr.addElement(new TD().addElement("56 inch HDTV (model KTV-551)")); tr.addElement(new TD().addElement(PRICE_TV).setAlign("right")); - tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY", 1)).setAlign("right")); - tr.addElement(new TD().addElement("$" + total)); + tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY", 1).setSize(6)).setAlign("right")); + tr.addElement(new TD().addElement(money.format(total))); t.addElement(tr); ec.addElement(t); @@ -148,7 +150,7 @@ public class HiddenFieldTampering extends LessonAdapter ec.addElement(new BR()); tr = new TR(); tr.addElement(new TD().addElement("The total charged to your credit card:")); - tr.addElement(new TD().addElement("$" + total)); + tr.addElement(new TD().addElement(money.format(total))); tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart"))); tr.addElement(new TD().addElement(ECSFactory.makeButton("Purchase", "validate()"))); t.addElement(tr); 
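Review bot: `new DecimalFormat("$0.00")` picks up the JVM default locale's symbols, so on a server running under, for example, a German locale the cart renders `$1599,99`; any client-side script that strips `$` and `,` before doing arithmetic (the `validate()` handler wired up below is not shown here) would then see 159999. Since the currency prefix is hard-coded to `$`, pin the symbols as well: `DecimalFormat money = new DecimalFormat("$0.00", DecimalFormatSymbols.getInstance(Locale.US));` (imports `java.text.DecimalFormatSymbols` and `java.util.Locale`). Keeping the instance request-local is right because DecimalFormat is not thread-safe; a short comment saying so would stop someone hoisting it into a static field. The enclosing method starts and ends outside the hunk.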
diff --git a/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java b/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java index de6b4db3e..3e0633fad 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java @@ -453,9 +453,7 @@ public class CreateDB + "ssn VARCHAR(12)," + "password VARCHAR(10)," + "title VARCHAR(20)," + "phone VARCHAR(13)," + "address1 VARCHAR(80)," + "address2 VARCHAR(80)," + "manager INT," + "start_date CHAR(8)," + "salary INT," + "ccn VARCHAR(30)," + "ccn_limit INT," + "email VARCHAR(30)," // reason - // for - // the - // recent write-up + // for the recent write-up + "disciplined_date CHAR(8)," // date of write up, NA otherwise + "disciplined_notes VARCHAR(60)," // reason for the recent write-up + "personal_description VARCHAR(60)" // We can be rude here diff --git a/main/project/JavaSource/org/owasp/webgoat/session/RandomLessonTracker.java b/main/project/JavaSource/org/owasp/webgoat/session/RandomLessonTracker.java index c9ee5945a..5c7f0704f 100755 --- a/main/project/JavaSource/org/owasp/webgoat/session/RandomLessonTracker.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/RandomLessonTracker.java @@ -35,8 +35,16 @@ public class RandomLessonTracker extends LessonTracker public void setStageComplete(String stage, boolean complete) { completed.put(stage, Boolean.valueOf(complete)); - for (int i = 0; i < stages.length - 1; i++) - if (stages[i].equals(stage)) setStage(stages[i + 1]); + if (!complete) return; + int i = getStageNumber(stage); + if (i < stages.length - 1) setStage(stages[i + 1]); + } + + public int getStageNumber(String stage) + { + for (int i = 0; i < stages.length; i++) + if (stages[i].equals(stage)) return i; + return -1; } public boolean hasCompleted(String stage) 
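Review bot: `getStageNumber` returns -1 for a name that is not in `stages`, and `-1 < stages.length - 1` is true, so `setStageComplete` with an unknown stage name now moves the user to `stages[0]` (after recording the bogus name in `completed`), where the old loop silently ignored unknown names. Guard it with `if (i < 0) return;` before the `setStage` line (or throw `IllegalArgumentException` if stage names are only ever internal), and move the `completed.put` below the check if unknown names should not be recorded either. If the stage string can originate from a request parameter — I cannot tell from this hunk — this is the difference between ignoring tampering and resetting the learner's progress. `getStageNumber` is new and public, so a Javadoc line stating the -1-for-unknown contract belongs on it.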
@@ -81,8 +89,14 @@ public class RandomLessonTracker extends LessonTracker for (int i = 0; i < stages.length; i++) { if (hasCompleted(stages[i])) + { lessonProperties.setProperty(screen.getTitle() + "." + stages[i] + ".completed", Boolean.TRUE .toString()); + } + else + { + lessonProperties.remove(screen.getTitle() + "." + stages[i] + ".completed"); + } } lessonProperties.setProperty(screen.getTitle() + ".stage", getStage()); super.store(s, screen, user); diff --git a/main/project/JavaSource/org/owasp/webgoat/session/Screen.java b/main/project/JavaSource/org/owasp/webgoat/session/Screen.java index 62b301f94..c9bffe506 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/Screen.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/Screen.java @@ -207,7 +207,7 @@ public abstract class Screen public int getContentLength() { - return content.toString().length(); + return getContent().length(); } /** @@ -224,7 +224,7 @@ public abstract class Screen // otherwise we're doing way too much SSL encryption work - out.print(content.toString()); + out.print(getContent()); } diff --git a/main/project/WebContent/javascript/clientSideValidation.js b/main/project/WebContent/javascript/clientSideValidation.js index f47c5b83e..864ec94dc 100644 --- a/main/project/WebContent/javascript/clientSideValidation.js +++ b/main/project/WebContent/javascript/clientSideValidation.js @@ -75,8 +75,7 @@ function ajaxFunction(coupon) { if(xmlHttp.readyState==4) { - document.form.GRANDTOT.value = document.form.SUBTOT.value * xmlHttp.responseText; - document.form.GRANDTOT.value = dollarRound(document.form.GRANDTOT.value); + document.form.GRANDTOT.value = calcTot(document.form.SUBTOT.value , xmlHttp.responseText); } } xmlHttp.open("GET","lessons/Ajax/clientSideValidation.jsp?coupon=" + coupon,true); 
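Review bot: `getContentLength` and the `out.print` in the next hunk now both go through `getContent()`; if `getContent()` does more than return a cached buffer (it is not visible here), every response renders the page twice, and a non-deterministic `getContent()` would advertise a length that does not match the body written. Separately, `String.length()` counts UTF-16 chars rather than bytes, so if this value feeds a Content-Length header any non-ASCII character truncates the response; derive it from the encoded bytes instead, e.g. `return getContent().getBytes(StandardCharsets.UTF_8).length;` using whatever charset the response actually uses. A Javadoc line stating whether the method means bytes or characters would settle the contract for callers.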
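Review bot: The callback feeds `xmlHttp.responseText` to `calcTot` as the coupon multiplier without checking `xmlHttp.status`, and `formatCurrency` turns a non-numeric product into `$0.00`, so a failed request (error page, login redirect) silently zeroes GRANDTOT — the value the server treats as the lesson's success condition. Guard it with `if (xmlHttp.readyState == 4 && xmlHttp.status == 200 && !isNaN(parseFloat(xmlHttp.responseText)))` and otherwise leave GRANDTOT equal to SUBTOT. The enclosing function starts outside the hunk.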
@@ -88,26 +87,59 @@ function ajaxFunction(coupon) f = document.form; - f.TOT1.value = dollarRound(f.QTY1.value * f.PRC1.value); - f.TOT2.value = dollarRound(f.QTY2.value * f.PRC2.value); - f.TOT3.value = dollarRound(f.QTY3.value * f.PRC3.value); - f.TOT4.value = dollarRound(f.QTY4.value * f.PRC4.value); + f.TOT1.value = calcTot(f.PRC1.value , f.QTY1.value); + f.TOT2.value = calcTot(f.PRC2.value , f.QTY2.value); + f.TOT3.value = calcTot(f.PRC3.value , f.QTY3.value); + f.TOT4.value = calcTot(f.PRC4.value , f.QTY4.value); - f.SUBTOT.value = dollarRound(parseFloat(f.TOT1.value) + parseFloat(f.TOT2.value) + parseFloat(f.TOT3.value) + parseFloat(f.TOT4.value)); - + f.SUBTOT.value = formatCurrency(unFormat(f.TOT1.value) + + unFormat(f.TOT2.value) + + unFormat(f.TOT3.value) + + unFormat(f.TOT4.value)); - f.GRANDTOT.value = f.SUBTOT.value; + f.GRANDTOT.value = f.SUBTOT.value; isValidCoupon(f.field1.value); + + +} + +function unFormat(price){ + + price = parseFloat(unFormatCurrency(price)); + + if(isNaN(price)) + price = 0; + + return price; } function calcTot( price, qty){ - return parseInt(qty * price *100)/100; - + price = unFormatCurrency(price); + + return formatCurrency(price*qty); } -function dollarRound(price){ - return parseInt(price *100)/100; + +function unFormatCurrency(price){ + price = price.toString().replace(/\$|\,/g,''); + return price; +} + +function formatCurrency(num) { + num = num.toString().replace(/\$|\,/g,''); + if(isNaN(num)) + num = "0"; + sign = (num == (num = Math.abs(num))); + num = Math.floor(num*100+0.50000000001); + cents = num%100; + num = Math.floor(num/100).toString(); + if(cents<10) + cents = "0" + cents; + for (var i = 0; i < Math.floor((num.length-(1+i))/3); i++) + num = num.substring(0,num.length-(4*i+3))+','+ + num.substring(num.length-(4*i+3)); + return (((sign)?'':'-') + '$' + num + '.' + cents); } 
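Review bot: `sign` and `cents` in `formatCurrency` are assigned without `var`, so they become implicit globals (and a ReferenceError under strict mode); declare them as `var sign = (num == (num = Math.abs(num)));` and `var cents = num % 100;`. `formatCurrency` also maps any non-numeric input to `$0.00` and `unFormat` maps it to 0, so a garbled price or quantity quietly yields a zero total instead of an error — worth a comment on the `isNaN` branches, since the server side treats a zero GRANDTOT as the lesson solved. `unFormatCurrency` strips only `$` and `,`, which assumes the Java side always renders a `.` decimal separator; a comment noting that coupling would help whoever changes the server-side DecimalFormat.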
diff --git a/main/project/WebContent/lesson_plans/HtmlClues.html b/main/project/WebContent/lesson_plans/HtmlClues.html index a4c4e078f..d1c2b3c1a 100644 --- a/main/project/WebContent/lesson_plans/HtmlClues.html +++ b/main/project/WebContent/lesson_plans/HtmlClues.html @@ -4,7 +4,7 @@
Concept / Topic To Teach:
- Developers are notorious for leaving statements like TODO's, Code Broken, Hack, etc... inside the source code. Review the source code for any comments denoting passwords, backdoors, or something doesn't work right. + Developers are notorious for leaving statements like FIXME's, TODO's, Code Broken, Hack, etc... inside the source code. Review the source code for any comments denoting passwords, backdoors, or something doesn't work right.General Goal(s):
diff --git a/main/project/WebContent/lessons/Ajax/employees.xml b/main/project/WebContent/lessons/Ajax/employees.xml index c15e654b4..8e0df8fcc 100644 --- a/main/project/WebContent/lessons/Ajax/employees.xml +++ b/main/project/WebContent/lessons/Ajax/employees.xml @@ -247,5 +247,8 @@