dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

minor changes and improving display issues

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@362 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
brandon.devries
2008-08-12 17:36:30 +00:00
parent 775fdad7c4
commit a185de3fa0
9 changed files with 141 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

89
main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideValidation.java
View File

@ -1,6 +1,7 @@
package org.owasp.webgoat.lessons;
import java.text.DecimalFormat;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
@ -140,8 +141,25 @@ public class ClientSideValidation extends SequentialLessonAdapter
ec.addElement(new HR().setWidth("90%"));
// test success
DecimalFormat money = new DecimalFormat("$0.00");
float grandTotal = s.getParser().getFloatParameter("GRANDTOT", 0.0f);
String grandTotalString = s.getParser().getStringParameter("GRANDTOT", "0");
float grandTotal = 1;
try
{
grandTotal = money.parse(grandTotalString).floatValue();
} catch (java.text.ParseException e)
{
try
{
grandTotal = Float.parseFloat(grandTotalString);
} catch (java.lang.NumberFormatException e1)
{
// eat exception, do not update grandTotal
}
}
if (getTotalQty(s) > 0 && grandTotal == 0 && !stage2FirstVisit)
{
@ -186,9 +204,9 @@ public class ClientSideValidation extends SequentialLessonAdapter
tr.addElement(new TD().addElement("Total before coupon is applied:"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "SUBTOT", s.getParser().getStringParameter("SUBTOT",
"0"))
.setReadOnly(true)).setAlign("right"));
new Input(Input.TEXT, "SUBTOT", s.getParser()
.getStringParameter("SUBTOT", "$0.00")).setReadOnly(true)
.setStyle("border:0px;")).setAlign("right"));
t.addElement(tr);
tr = new TR();
@ -196,8 +214,8 @@ public class ClientSideValidation extends SequentialLessonAdapter
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "GRANDTOT", s.getParser()
.getStringParameter("GRANDTOT", "0")).setReadOnly(true))
.setAlign("right"));
.getStringParameter("GRANDTOT", "$0.00")).setReadOnly(true)
.setStyle("border:0px;")).setAlign("right"));
t.addElement(tr);
t.addElement(tr);
@ -263,8 +281,9 @@ public class ClientSideValidation extends SequentialLessonAdapter
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "PRC1", s.getParser().getStringParameter("PRC1",
"69.99"))
.setSize(10).setReadOnly(true)).setAlign("right"));
"$69.99"))
.setSize(10).setReadOnly(true).setStyle("border:0px;"))
.setAlign("right"));
Input input = new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1", "0"));
@ -274,10 +293,11 @@ public class ClientSideValidation extends SequentialLessonAdapter
tr.addElement(new TD().addElement(input).setAlign("right"));
tr.addElement(new TD()
.addElement(
new Input(Input.TEXT, "TOT1", s.getParser().getStringParameter("TOT1", "0")).setSize(10)
.setReadOnly(true)).setAlign("right"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "TOT1", s.getParser().getStringParameter("TOT1",
"$0.00"))
.setSize(10).setReadOnly(true).setStyle("border:0px;"))
.setAlign("right"));
t.addElement(tr);
tr = new TR();
@ -285,8 +305,9 @@ public class ClientSideValidation extends SequentialLessonAdapter
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "PRC2", s.getParser().getStringParameter("PRC2",
"27.99"))
.setSize(10).setReadOnly(true)).setAlign("right"));
"$27.99"))
.setSize(10).setReadOnly(true).setStyle("border:0px;"))
.setAlign("right"));
input = new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2", "0"));
@ -294,19 +315,20 @@ public class ClientSideValidation extends SequentialLessonAdapter
input.setSize(10);
tr.addElement(new TD().addElement(input).setAlign("right"));
tr.addElement(new TD()
.addElement(
new Input(Input.TEXT, "TOT2", s.getParser().getStringParameter("TOT2", "0")).setSize(10)
.setReadOnly(true)).setAlign("right"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "TOT2", s.getParser().getStringParameter("TOT2",
"$0.00"))
.setSize(10).setReadOnly(true).setStyle("border:0px;"))
.setAlign("right"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel<65> Centrino<6E>"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "PRC3", s.getParser().getStringParameter("PRC3",
"1599.99"))
.setSize(10).setReadOnly(true)).setAlign("right"));
tr.addElement(new TD()
.addElement(
new Input(Input.TEXT, "PRC3", s.getParser().getStringParameter("PRC3", "$1599.99"))
.setSize(10).setReadOnly(true).setStyle("border:0px;")).setAlign("right"));
input = new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3", "0"));
@ -314,10 +336,11 @@ public class ClientSideValidation extends SequentialLessonAdapter
input.setSize(10);
tr.addElement(new TD().addElement(input).setAlign("right"));
tr.addElement(new TD()
.addElement(
new Input(Input.TEXT, "TOT3", s.getParser().getStringParameter("TOT3", "0")).setSize(10)
.setReadOnly(true)).setAlign("right"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "TOT3", s.getParser().getStringParameter("TOT3",
"$0.00"))
.setSize(10).setReadOnly(true).setStyle("border:0px;"))
.setAlign("right"));
t.addElement(tr);
tr = new TR();
@ -325,8 +348,9 @@ public class ClientSideValidation extends SequentialLessonAdapter
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "PRC4", s.getParser().getStringParameter("PRC4",
"299.99"))
.setSize(10).setReadOnly(true)).setAlign("right"));
"$299.99"))
.setSize(10).setReadOnly(true).setStyle("border:0px;"))
.setAlign("right"));
input = new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4", "0"));
@ -334,10 +358,11 @@ public class ClientSideValidation extends SequentialLessonAdapter
input.setSize(10);
tr.addElement(new TD().addElement(input).setAlign("right"));
tr.addElement(new TD()
.addElement(
new Input(Input.TEXT, "TOT4", s.getParser().getStringParameter("TOT4", "0")).setSize(10)
.setReadOnly(true)).setAlign("right"));
tr.addElement(new TD().addElement(
new Input(Input.TEXT, "TOT4", s.getParser().getStringParameter("TOT4",
"$0.00"))
.setSize(10).setReadOnly(true).setStyle("border:0px;"))
.setAlign("right"));
t.addElement(tr);
ec.addElement(t);

13
main/project/JavaSource/org/owasp/webgoat/lessons/Encoding.java
View File

@ -21,6 +21,7 @@ import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.A;
import org.apache.ecs.html.B;
import org.apache.ecs.html.Div;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
@ -266,7 +267,7 @@ public class Encoding extends LessonAdapter
description = "Rot13 encoding is a way to make text unreadable, but is easily reversed and provides no security.";
t.addElement(makeRow(description, rot13(userInput), userInput));
t.addElement(makeRow(description, rot13(userInput), rot13(userInput)));
description = "XOR with password encoding is a weak encryption scheme that mixes a password into data.";
@ -575,7 +576,7 @@ public class Encoding extends LessonAdapter
System.out.print("Hex encoding: ");
System.out.println(hexEncode(userInput) + " : " + hexDecode(userInput));
System.out.print("Rot13 encoding: ");
System.out.println(rot13(userInput) + " : " + userInput);
System.out.println(rot13(userInput) + " : " + rot13(userInput));
System.out.print("XOR with password: ");
System.out.println(xorEncode(userInput, userKey) + " : " + xorDecode(userInput, userKey));
System.out.print("Double unicode encoding is...");
@ -604,8 +605,12 @@ public class Encoding extends LessonAdapter
{
TD desc = new TD().addElement(description).setBgColor("#bbbbbb");
TD val1 = new TD().addElement(value1).setBgColor("#dddddd");
TD val2 = new TD().addElement(value2).setBgColor("#dddddd");
TD val1 = new TD()
.addElement(new Div().addElement(value1).setStyle("overflow:auto; height:60px; width:100px;"))
.setBgColor("#dddddd");
TD val2 = new TD()
.addElement(new Div().addElement(value2).setStyle("overflow:auto; height:60px; width:100px;"))
.setBgColor("#dddddd");
TR tr = new TR();
tr.addElement(desc);

12
main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java
View File

@ -1,6 +1,7 @@
package org.owasp.webgoat.lessons;
import java.text.DecimalFormat;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
@ -97,6 +98,7 @@ public class HiddenFieldTampering extends LessonAdapter
float quantity;
float total;
String price = PRICE_TV;
DecimalFormat money = new DecimalFormat("$0.00");
try
{
price = s.getParser().getRawParameter(PRICE, PRICE_TV);
@ -124,16 +126,16 @@ public class HiddenFieldTampering extends LessonAdapter
TR tr = new TR();
tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%"));
tr.addElement(new TH().addElement("Price:").setWidth("10%"));
tr.addElement(new TH().addElement("Quantity:").setWidth("3%"));
tr.addElement(new TH().addElement("Price").setWidth("10%"));
tr.addElement(new TH().addElement("Quantity").setWidth("3%"));
tr.addElement(new TH().addElement("Total").setWidth("7%"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("56 inch HDTV (model KTV-551)"));
tr.addElement(new TD().addElement(PRICE_TV).setAlign("right"));
tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY", 1)).setAlign("right"));
tr.addElement(new TD().addElement("$" + total));
tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY", 1).setSize(6)).setAlign("right"));
tr.addElement(new TD().addElement(money.format(total)));
t.addElement(tr);
ec.addElement(t);
@ -148,7 +150,7 @@ public class HiddenFieldTampering extends LessonAdapter
ec.addElement(new BR());
tr = new TR();
tr.addElement(new TD().addElement("The total charged to your credit card:"));
tr.addElement(new TD().addElement("$" + total));
tr.addElement(new TD().addElement(money.format(total)));
tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart")));
tr.addElement(new TD().addElement(ECSFactory.makeButton("Purchase", "validate()")));
t.addElement(tr);

4
main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java
View File

@ -453,9 +453,7 @@ public class CreateDB
+ "ssn VARCHAR(12)," + "password VARCHAR(10)," + "title VARCHAR(20)," + "phone VARCHAR(13),"
+ "address1 VARCHAR(80)," + "address2 VARCHAR(80)," + "manager INT," + "start_date CHAR(8),"
+ "salary INT," + "ccn VARCHAR(30)," + "ccn_limit INT," + "email VARCHAR(30)," // reason
// for
// the
// recent write-up
// for the recent write-up
+ "disciplined_date CHAR(8)," // date of write up, NA otherwise
+ "disciplined_notes VARCHAR(60)," // reason for the recent write-up
+ "personal_description VARCHAR(60)" // We can be rude here

18
main/project/JavaSource/org/owasp/webgoat/session/RandomLessonTracker.java
View File

@ -35,8 +35,16 @@ public class RandomLessonTracker extends LessonTracker
public void setStageComplete(String stage, boolean complete)
{
completed.put(stage, Boolean.valueOf(complete));
for (int i = 0; i < stages.length - 1; i++)
if (stages[i].equals(stage)) setStage(stages[i + 1]);
if (!complete) return;
int i = getStageNumber(stage);
if (i < stages.length - 1) setStage(stages[i + 1]);
}
public int getStageNumber(String stage)
{
for (int i = 0; i < stages.length; i++)
if (stages[i].equals(stage)) return i;
return -1;
}
public boolean hasCompleted(String stage)
@ -81,8 +89,14 @@ public class RandomLessonTracker extends LessonTracker
for (int i = 0; i < stages.length; i++)
{
if (hasCompleted(stages[i]))
{
lessonProperties.setProperty(screen.getTitle() + "." + stages[i] + ".completed", Boolean.TRUE
.toString());
}
else
{
lessonProperties.remove(screen.getTitle() + "." + stages[i] + ".completed");
}
}
lessonProperties.setProperty(screen.getTitle() + ".stage", getStage());
super.store(s, screen, user);

4
main/project/JavaSource/org/owasp/webgoat/session/Screen.java
View File

@ -207,7 +207,7 @@ public abstract class Screen
public int getContentLength()
{
return content.toString().length();
return getContent().length();
}
/**
@ -224,7 +224,7 @@ public abstract class Screen
// otherwise we're doing way too much SSL encryption work
out.print(content.toString());
out.print(getContent());
}