diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DeleteProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DeleteProfile.java
new file mode 100755
index 000000000..5b699eb6e
--- /dev/null
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DeleteProfile.java
@@ -0,0 +1,125 @@ +package org.owasp.webgoat.lessons.GoatHillsFinancial; + +import java.sql.ResultSet; +import java.sql.SQLException; +import java.sql.Statement; + +import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.lessons.DefaultLessonAction; +import org.owasp.webgoat.lessons.LessonAction; +import org.owasp.webgoat.session.ParameterNotFoundException; +import org.owasp.webgoat.session.UnauthenticatedException; +import org.owasp.webgoat.session.UnauthorizedException; +import org.owasp.webgoat.session.ValidationException; +import org.owasp.webgoat.session.WebSession; + +/******************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. 
+ * + * For details, please see http://code.google.com/p/webgoat/ + */ +public class DeleteProfile extends DefaultLessonAction +{ + + private LessonAction chainedAction; + + public DeleteProfile(AbstractLesson lesson, String lessonName, + String actionName, LessonAction chainedAction) + { + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; + } + + public void handleRequest(WebSession s) throws ParameterNotFoundException, + UnauthenticatedException, UnauthorizedException, + ValidationException + { + getLesson().setCurrentAction(s, getActionName()); + + int userId = getIntSessionAttribute(s, getLessonName() + "." + + GoatHillsFinancial.USER_ID); + int employeeId = s.getParser().getIntParameter( + GoatHillsFinancial.EMPLOYEE_ID); + + if (isAuthenticated(s)) + { + deleteEmployeeProfile(s, userId, employeeId); + + try + { + chainedAction.handleRequest(s); + } + catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } + catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); + } + } + else + throw new UnauthenticatedException(); + + } + + public String getNextPage(WebSession s) + { + return GoatHillsFinancial.LISTSTAFF_ACTION; + } + + public void deleteEmployeeProfile(WebSession s, int userId, int employeeId) + throws UnauthorizedException + { + try + { + // Note: The password field is ONLY set by ChangePassword + String query = "DELETE FROM employee WHERE userid = " + employeeId; + //System.out.println("Query: " + query); + try + { + Statement statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + statement.executeUpdate(query); + } + catch (SQLException sqle) + { + s.setMessage("Error deleting employee profile"); + sqle.printStackTrace(); + } + } + catch (Exception e) + { + s.setMessage("Error deleting employee profile"); + e.printStackTrace(); + } + } + +} 
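Review bot: deleteEmployeeProfile executes the DELETE for whatever EMPLOYEE_ID the request carries without checking that userId may delete it — handleRequest only calls isAuthenticated(s), and the userId argument is never read inside the method. If the missing check is the lesson's intended flaw, say so in a comment; otherwise gate the delete on `if (!isAuthorized(s, userId, GoatHillsFinancial.DELETEPROFILE_ACTION))` and throw the UnauthorizedException the method already declares. The Statement obtained from WebSession.getConnection(s) is never closed, and the same leak appears in EditProfile, FindProfile and ListStaff in this commit; close it in a finally block. The comment `// Note: The password field is ONLY set by ChangePassword` does not describe a DELETE and looks copied from another action; replace it with `// employeeId came from getIntParameter, so the concatenation cannot inject SQL`.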
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/EditProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/EditProfile.java
new file mode 100755
index 000000000..4aeebaf3c
--- /dev/null
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/EditProfile.java
@@ -0,0 +1,134 @@ +package org.owasp.webgoat.lessons.GoatHillsFinancial; + +import java.sql.PreparedStatement; +import java.sql.ResultSet; +import java.sql.SQLException; + +import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.lessons.DefaultLessonAction; +import org.owasp.webgoat.session.Employee; +import org.owasp.webgoat.session.ParameterNotFoundException; +import org.owasp.webgoat.session.UnauthenticatedException; +import org.owasp.webgoat.session.UnauthorizedException; +import org.owasp.webgoat.session.WebSession; + +/******************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. 
+ * + * For details, please see http://code.google.com/p/webgoat/ + */ +public class EditProfile extends DefaultLessonAction +{ + + public EditProfile(AbstractLesson lesson, String lessonName, + String actionName) + { + super(lesson, lessonName, actionName); + } + + public void handleRequest(WebSession s) throws ParameterNotFoundException, + UnauthenticatedException, UnauthorizedException + { + getLesson().setCurrentAction(s, getActionName()); + + if (isAuthenticated(s)) + { + int userId = getUserId(s); + int employeeId = s.getParser().getIntParameter( + GoatHillsFinancial.EMPLOYEE_ID); + + Employee employee = getEmployeeProfile(s, userId, employeeId); + setSessionAttribute(s, getLessonName() + "." + + GoatHillsFinancial.EMPLOYEE_ATTRIBUTE_KEY, employee); + } + else + throw new UnauthenticatedException(); + } + + public String getNextPage(WebSession s) + { + return GoatHillsFinancial.EDITPROFILE_ACTION; + } + + public Employee getEmployeeProfile(WebSession s, int userId, + int subjectUserId) throws UnauthorizedException + { + Employee profile = null; + + // Query the database for the profile data of the given employee + try + { + String query = "SELECT * FROM employee WHERE userid = ?"; + + try + { + PreparedStatement answer_statement = WebSession + .getConnection(s).prepareStatement(query, + ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + answer_statement.setInt(1, subjectUserId); + ResultSet answer_results = answer_statement.executeQuery(); + if (answer_results.next()) + { + // Note: Do NOT get the password field. 
+ profile = new Employee(answer_results.getInt("userid"), + answer_results.getString("first_name"), + answer_results.getString("last_name"), + answer_results.getString("ssn"), answer_results + .getString("title"), answer_results + .getString("phone"), answer_results + .getString("address1"), answer_results + .getString("address2"), answer_results + .getInt("manager"), answer_results + .getString("start_date"), answer_results + .getInt("salary"), answer_results + .getString("ccn"), answer_results + .getInt("ccn_limit"), answer_results + .getString("disciplined_date"), + answer_results.getString("disciplined_notes"), + answer_results.getString("personal_description")); + /* System.out.println("Retrieved employee from db: " + + profile.getFirstName() + " " + profile.getLastName() + + " (" + profile.getId() + ")"); + */} + } + catch (SQLException sqle) + { + s.setMessage("Error getting employee profile"); + sqle.printStackTrace(); + } + } + catch (Exception e) + { + s.setMessage("Error getting employee profile"); + e.printStackTrace(); + } + + return profile; + } + +} diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/FindProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/FindProfile.java new file mode 100755 index 000000000..ddd3e50df --- /dev/null +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/FindProfile.java 
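Review bot: getEmployeeProfile's query is `SELECT * FROM employee WHERE userid = ?`, so the password column is fetched into the ResultSet despite the `// Note: Do NOT get the password field.` comment; listing the required columns explicitly keeps the credential out of the driver buffers and makes the comment true, and FindProfile's query in this commit has the same shape. As in DeleteProfile, userId is passed in but never consulted, so any authenticated user can load any employee's ssn and ccn by changing EMPLOYEE_ID; if that is the intended lesson flaw, a comment should say so. When no row matches, profile stays null, handleRequest still stores it under EMPLOYEE_ATTRIBUTE_KEY and getNextPage still returns EDITPROFILE_ACTION, so either set a message and stay on the list page or document that the JSP tolerates a null Employee. GoatHillsFinancial also registers this class for CREATEPROFILE_ACTION, where a missing row is presumably the normal path — worth a sentence on handleRequest explaining that dual use.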
@@ -0,0 +1,193 @@ +package org.owasp.webgoat.lessons.GoatHillsFinancial; + +import java.sql.PreparedStatement; +import java.sql.ResultSet; +import java.sql.SQLException; + +import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.lessons.DefaultLessonAction; +import org.owasp.webgoat.lessons.LessonAction; +import org.owasp.webgoat.session.Employee; +import org.owasp.webgoat.session.ParameterNotFoundException; +import org.owasp.webgoat.session.UnauthenticatedException; +import org.owasp.webgoat.session.UnauthorizedException; +import org.owasp.webgoat.session.ValidationException; +import org.owasp.webgoat.session.WebSession; + +/******************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. 
+ * + * For details, please see http://code.google.com/p/webgoat/ + */ +public class FindProfile extends DefaultLessonAction +{ + + private LessonAction chainedAction; + + + public FindProfile(AbstractLesson lesson, String lessonName, + String actionName, LessonAction chainedAction) + { + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; + } + + + public void handleRequest(WebSession s) throws ParameterNotFoundException, + UnauthenticatedException, UnauthorizedException, + ValidationException + { + if (isAuthenticated(s)) + { + int userId = getIntSessionAttribute(s, getLessonName() + "." + + GoatHillsFinancial.USER_ID); + + String pattern = s.getParser().getRawParameter( + GoatHillsFinancial.SEARCHNAME); + + findEmployeeProfile(s, userId, pattern); + + // Execute the chained Action if the employee was found. + if (foundEmployee(s)) + { + try + { + chainedAction.handleRequest(s); + } + catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } + catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); + } + } + } + else + throw new UnauthenticatedException(); + } + + + public String getNextPage(WebSession s) + { + String page = GoatHillsFinancial.SEARCHSTAFF_ACTION; + + if (foundEmployee(s)) + page = GoatHillsFinancial.VIEWPROFILE_ACTION; + + return page; + } + + + private boolean foundEmployee(WebSession s) + { + boolean found = false; + try + { + int id = getIntRequestAttribute(s, getLessonName() + "." + + GoatHillsFinancial.EMPLOYEE_ID); + found = true; + } + catch (ParameterNotFoundException e) + {} + + return found; + } + + + public Employee findEmployeeProfile(WebSession s, int userId, String pattern) + throws UnauthorizedException + { + Employee profile = null; + // Clear any residual employee id's in the session now. + removeSessionAttribute(s, getLessonName() + "." 
+ + GoatHillsFinancial.EMPLOYEE_ID); + + // Query the database for the profile data of the given employee + try + { + String query = "SELECT * FROM employee WHERE first_name LIKE ? OR last_name LIKE ?"; + + try + { + PreparedStatement answer_statement = WebSession + .getConnection(s).prepareStatement(query, + ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + answer_statement.setString(1, "%" + pattern + "%"); + answer_statement.setString(2, "%" + pattern + "%"); + ResultSet answer_results = answer_statement.executeQuery(); + + // Just use the first hit. + if (answer_results.next()) + { + int id = answer_results.getInt("userid"); + // Note: Do NOT get the password field. + profile = new Employee(id, answer_results + .getString("first_name"), answer_results + .getString("last_name"), answer_results + .getString("ssn"), answer_results + .getString("title"), answer_results + .getString("phone"), answer_results + .getString("address1"), answer_results + .getString("address2"), answer_results + .getInt("manager"), answer_results + .getString("start_date"), answer_results + .getInt("salary"), answer_results.getString("ccn"), + answer_results.getInt("ccn_limit"), answer_results + .getString("disciplined_date"), + answer_results.getString("disciplined_notes"), + answer_results.getString("personal_description")); + + /* System.out.println("Retrieved employee from db: " + + profile.getFirstName() + " " + profile.getLastName() + + " (" + profile.getId() + ")"); + */ + setRequestAttribute(s, getLessonName() + "." + + GoatHillsFinancial.EMPLOYEE_ID, Integer + .toString(id)); + } + } + catch (SQLException sqle) + { + s.setMessage("Error finding employee profile"); + sqle.printStackTrace(); + } + } + catch (Exception e) + { + s.setMessage("Error finding employee profile"); + e.printStackTrace(); + } + + return profile; + } + +} 
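Review bot: FindProfile.handleRequest never calls `getLesson().setCurrentAction(s, getActionName());`, which every other action in this commit does first; since GoatHillsFinancial.isAuthorized and getUserId resolve their delegate through getCurrentAction(s), a request routed here is evaluated against whichever action ran before it. The LIKE search is parameterized, so SQL injection is closed, but the `%` and `_` wildcards inside `pattern` are not escaped — a search for `%` matches every row, and "just use the first hit" then hands back an arbitrary employee that the chained ViewProfile displays. If the lesson does not rely on that, escape the wildcards or at least state the behavior next to `// Just use the first hit.`. In foundEmployee the local `id` is assigned and never read; call `getIntRequestAttribute(s, ...)` for its exception alone and drop the variable.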
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java
new file mode 100755
index 000000000..1fbb60366
--- /dev/null
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java
@@ -0,0 +1,344 @@ +package org.owasp.webgoat.lessons.GoatHillsFinancial; + +import java.sql.Connection; +import java.sql.SQLException; +import java.util.ArrayList; +import java.util.Hashtable; +import java.util.List; +import java.util.Map; + +import org.apache.ecs.Element; +import org.apache.ecs.ElementContainer; +import org.apache.ecs.html.A; +import org.apache.ecs.html.IMG; +import org.owasp.webgoat.lessons.LessonAction; +import org.owasp.webgoat.lessons.LessonAdapter; +import org.owasp.webgoat.session.DatabaseUtilities; +import org.owasp.webgoat.session.ParameterNotFoundException; +import org.owasp.webgoat.session.UnauthenticatedException; +import org.owasp.webgoat.session.UnauthorizedException; +import org.owasp.webgoat.session.ValidationException; +import org.owasp.webgoat.session.WebSession; + +/******************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. 
+ * + * For details, please see http://code.google.com/p/webgoat/ + */ +public class GoatHillsFinancial extends LessonAdapter +{ + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); + + public final static String DESCRIPTION = "description"; + + public final static String DISCIPLINARY_DATE = "disciplinaryDate"; + + public final static String DISCIPLINARY_NOTES = "disciplinaryNotes"; + + public final static String CCN_LIMIT = "ccnLimit"; + + public final static String CCN = "ccn"; + + public final static String SALARY = "salary"; + + public final static String START_DATE = "startDate"; + + public final static String MANAGER = "manager"; + + public final static String ADDRESS1 = "address1"; + + public final static String ADDRESS2 = "address2"; + + public final static String PHONE_NUMBER = "phoneNumber"; + + public final static String TITLE = "title"; + + public final static String SSN = "ssn"; + + public final static String LAST_NAME = "lastName"; + + public final static String FIRST_NAME = "firstName"; + + public final static String PASSWORD = "password"; + + public final static String EMPLOYEE_ID = "employee_id"; + + public final static String USER_ID = "user_id"; + + public final static String SEARCHNAME = "search_name"; + + public final static String SEARCHRESULT_ATTRIBUTE_KEY = "SearchResult"; + + public final static String EMPLOYEE_ATTRIBUTE_KEY = "Employee"; + + public final static String STAFF_ATTRIBUTE_KEY = "Staff"; + + public final static String LOGIN_ACTION = "Login"; + + public final static String LOGOUT_ACTION = "Logout"; + + public final static String LISTSTAFF_ACTION = "ListStaff"; + + public final static String SEARCHSTAFF_ACTION = "SearchStaff"; + + public final static String FINDPROFILE_ACTION = "FindProfile"; + + public final static String VIEWPROFILE_ACTION = "ViewProfile"; + + public final static 
String EDITPROFILE_ACTION = "EditProfile"; + + public final static String UPDATEPROFILE_ACTION = "UpdateProfile"; + + public final static String CREATEPROFILE_ACTION = "CreateProfile"; + + public final static String DELETEPROFILE_ACTION = "DeleteProfile"; + + public final static String ERROR_ACTION = "error"; + + private final static Integer DEFAULT_RANKING = new Integer(125); + + private static Connection connection = null; + + private Map lessonFunctions = new Hashtable(); + + + public static synchronized Connection getConnection(WebSession s) + throws SQLException, ClassNotFoundException + { + if (connection == null) + { + connection = DatabaseUtilities.makeConnection(s); + } + + return connection; + } + + + public GoatHillsFinancial() + { + String myClassName = parseClassName(this.getClass().getName()); + registerAction(new ListStaff(this, myClassName, LISTSTAFF_ACTION)); + registerAction(new SearchStaff(this, myClassName, SEARCHSTAFF_ACTION)); + registerAction(new ViewProfile(this, myClassName, VIEWPROFILE_ACTION)); + registerAction(new EditProfile(this, myClassName, EDITPROFILE_ACTION)); + registerAction(new EditProfile(this, myClassName, CREATEPROFILE_ACTION)); + + // These actions are special in that they chain to other actions. 
+ registerAction(new Login(this, myClassName, LOGIN_ACTION, + getAction(LISTSTAFF_ACTION))); + registerAction(new Logout(this, myClassName, LOGOUT_ACTION, + getAction(LOGIN_ACTION))); + registerAction(new FindProfile(this, myClassName, FINDPROFILE_ACTION, + getAction(VIEWPROFILE_ACTION))); + registerAction(new UpdateProfile(this, myClassName, + UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); + registerAction(new DeleteProfile(this, myClassName, + DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); + } + + + protected final String parseClassName(String fqcn) + { + String className = fqcn; + + int lastDotIndex = fqcn.lastIndexOf('.'); + if (lastDotIndex > -1) + className = fqcn.substring(lastDotIndex + 1); + + return className; + } + + protected void registerAction(LessonAction action) + { + lessonFunctions.put(action.getActionName(), action); + } + + protected List getHints(WebSession s) + { + return new ArrayList(); + } + + public String getInstructions(WebSession s) + { + return ""; + } + + protected LessonAction getAction(String actionName) + { + return lessonFunctions.get(actionName); + } + + public void handleRequest(WebSession s) + { + if (s.getLessonSession(this) == null) + s.openLessonSession(this); + + String requestedActionName = null; + try + { + requestedActionName = s.getParser().getStringParameter("action"); + } + catch (ParameterNotFoundException pnfe) + { + // Let them eat login page. + requestedActionName = LOGIN_ACTION; + } + + try + { + LessonAction action = getAction(requestedActionName); + if (action == null) + { + setCurrentAction(s, ERROR_ACTION); + } else + { + //System.out.println("GoatHillsFinancial.handleRequest() dispatching to: " + action.getActionName()); + if (action.requiresAuthentication()) + { + if (action.isAuthenticated(s)) + { + action.handleRequest(s); + } + else + throw new UnauthenticatedException(); + } + else + { + // Access to Login does not require authentication. 
+ action.handleRequest(s); + } + } + } + catch (ParameterNotFoundException pnfe) + { + System.out.println("Missing parameter"); + pnfe.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } + catch (ValidationException ve) + { + System.out.println("Validation failed"); + ve.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } + catch (UnauthenticatedException ue) + { + s.setMessage("Login failed"); + System.out.println("Authentication failure"); + ue.printStackTrace(); + } + catch (UnauthorizedException ue2) + { + s.setMessage("You are not authorized to perform this function"); + System.out.println("Authorization failure"); + setCurrentAction(s, ERROR_ACTION); + ue2.printStackTrace(); + } + catch (Exception e) + { + // All other errors send the user to the generic error page + System.out.println("handleRequest() error"); + e.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } + + // All this does for this lesson is ensure that a non-null content exists. + setContent(new ElementContainer()); + } + + public boolean isAuthorized(WebSession s, int userId, String functionId) + { + //System.out.println("Checking authorization from " + getCurrentAction(s)); + LessonAction action = getAction(getCurrentAction(s)); + return action.isAuthorized(s, userId, functionId); + } + + public int getUserId(WebSession s) throws ParameterNotFoundException + { + LessonAction action = getAction(getCurrentAction(s)); + return action.getUserId(s); + } + + public String getUserName(WebSession s) throws ParameterNotFoundException + { + LessonAction action = getAction(getCurrentAction(s)); + return action.getUserName(s); + } + + protected String getJspPath() { + return "/lessons/" + getLessonName() + "/"; + } + + public String getTemplatePage(WebSession s) + { + return getJspPath() + getLessonName() + ".jsp"; + } + + public String getPage(WebSession s) + { + String page = getJspPath() + getCurrentAction(s) + ".jsp"; + + return page; + } + + protected Integer 
getDefaultRanking() + { + return DEFAULT_RANKING; + } + + public String getTitle() + { + return "Goat Hills Financials"; + } + + public String getSourceFileName() + { + // FIXME: Need to generalize findSourceResource() and use it on the currently active + // LessonAction delegate to get its source file. + //return findSourceResource(getCurrentLessonScreen()....); + return super.getSourceFileName(); + } + + @Override + protected boolean getDefaultHidden() { + return false; + } + + public Element getCredits() + { + return super.getCustomCredits("", ASPECT_LOGO); + } + + @Override + protected String getLessonName() { + String className = getClass().getName(); + int index = className.lastIndexOf('.'); + if (index > -1) + return className.substring(index+1); + return super.getLessonName(); + } +} diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ListStaff.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ListStaff.java new file mode 100755 index 000000000..7434d5ae6 --- /dev/null +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ListStaff.java 
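Review bot: getAction returns `lessonFunctions.get(actionName)` from a field declared as raw `Map`, which yields Object and should not compile as a LessonAction return unless the collapsed hunk dropped a cast; declare it `private final Map<String, LessonAction> lessonFunctions = new Hashtable<String, LessonAction>();` (Map and Hashtable are already imported). The static `connection` is shared by every user's session and is handed out for as long as it is non-null, so once the driver drops the link every action in this lesson fails with its generic "Error ..." message until the JVM restarts; at minimum re-open when `connection.isClosed()` is true. isAuthorized and getUserId dereference getAction(getCurrentAction(s)) without a null check, and ERROR_ACTION is never registered, so a JSP that calls either of them after setCurrentAction(s, ERROR_ACTION) would get a NullPointerException rather than a clean denial. A comment on getConnection stating that the connection is process-wide and unsynchronized once returned would help the next maintainer, since the synchronized keyword protects only the lazy initialization.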
@@ -0,0 +1,123 @@ +package org.owasp.webgoat.lessons.GoatHillsFinancial; + +import java.sql.ResultSet; +import java.sql.SQLException; +import java.sql.Statement; +import java.util.List; +import java.util.Vector; + +import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.lessons.DefaultLessonAction; +import org.owasp.webgoat.session.EmployeeStub; +import org.owasp.webgoat.session.ParameterNotFoundException; +import org.owasp.webgoat.session.UnauthenticatedException; +import org.owasp.webgoat.session.UnauthorizedException; +import org.owasp.webgoat.session.WebSession; + +/******************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. 
+ * + * For details, please see http://code.google.com/p/webgoat/ + */ +public class ListStaff extends DefaultLessonAction +{ + + public ListStaff(AbstractLesson lesson, String lessonName, String actionName) + { + super(lesson, lessonName, actionName); + } + + public void handleRequest(WebSession s) throws ParameterNotFoundException, + UnauthenticatedException, UnauthorizedException + { + getLesson().setCurrentAction(s, getActionName()); + + if (isAuthenticated(s)) + { + int userId = getIntSessionAttribute(s, getLessonName() + "." + + GoatHillsFinancial.USER_ID); + + List employees = getAllEmployees(s, userId); + setSessionAttribute(s, getLessonName() + "." + + GoatHillsFinancial.STAFF_ATTRIBUTE_KEY, employees); + } + else + throw new UnauthenticatedException(); + } + + public String getNextPage(WebSession s) + { + return GoatHillsFinancial.LISTSTAFF_ACTION; + } + + public List getAllEmployees(WebSession s, int userId) + throws UnauthorizedException + { + // Query the database for all employees "owned" by the given employee + + List employees = new Vector(); + + try + { + String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles WHERE employee.userid=roles.userid and employee.userid in " + + "(SELECT employee_id FROM ownership WHERE employer_id = " + + userId + ")"; + + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + answer_results.beforeFirst(); + while (answer_results.next()) + { + int employeeId = answer_results.getInt("userid"); + String firstName = answer_results.getString("first_name"); + String lastName = answer_results.getString("last_name"); + String role = answer_results.getString("role"); + //System.out.println("Retrieving employee stub for role " + role); + EmployeeStub stub = new EmployeeStub(employeeId, firstName, + lastName, role); + employees.add(stub); 
+ } + } + catch (SQLException sqle) + { + s.setMessage("Error getting employees"); + sqle.printStackTrace(); + } + } + catch (Exception e) + { + s.setMessage("Error getting employees"); + e.printStackTrace(); + } + + return employees; + } +} diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Login.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Login.java new file mode 100755 index 000000000..8d9f87235 --- /dev/null +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Login.java 
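Review bot: getAllEmployees builds its SQL by concatenating userId into the subquery (`... WHERE employer_id = " + userId + ")"`) while the sibling actions in this commit use PreparedStatement placeholders; userId is an int read from the session so it cannot inject today, but the next edit that sources it from a request string will. Use `WHERE employer_id = ?)` with `setInt(1, userId)` for consistency with EditProfile and FindProfile. The `answer_results.beforeFirst();` before the loop is redundant on a freshly executed ResultSet and is the only reason the statement needs TYPE_SCROLL_INSENSITIVE; dropping it lets a default forward-only statement serve. `List employees = new Vector();` is a raw type — `List<EmployeeStub> employees = new ArrayList<EmployeeStub>();` — unless the session-attribute consumer requires a Vector, which is not visible from here.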
@@ -0,0 +1,222 @@ +package org.owasp.webgoat.lessons.GoatHillsFinancial; + +import java.sql.ResultSet; +import java.sql.SQLException; +import java.sql.Statement; +import java.util.List; +import java.util.Vector; + +import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.lessons.DefaultLessonAction; +import org.owasp.webgoat.lessons.LessonAction; +import org.owasp.webgoat.session.EmployeeStub; +import org.owasp.webgoat.session.ParameterNotFoundException; +import org.owasp.webgoat.session.UnauthenticatedException; +import org.owasp.webgoat.session.UnauthorizedException; +import org.owasp.webgoat.session.ValidationException; +import org.owasp.webgoat.session.WebSession; + +/******************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. 
+ * + * For details, please see http://code.google.com/p/webgoat/ + */ +public class Login extends DefaultLessonAction +{ + + private LessonAction chainedAction; + + + public Login(AbstractLesson lesson, String lessonName, String actionName, + LessonAction chainedAction) + { + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; + } + + + public void handleRequest(WebSession s) throws ParameterNotFoundException, + ValidationException + { + //System.out.println("Login.handleRequest()"); + getLesson().setCurrentAction(s, getActionName()); + + List employees = getAllEmployees(s); + setSessionAttribute(s, getLessonName() + "." + + GoatHillsFinancial.STAFF_ATTRIBUTE_KEY, employees); + + int employeeId = -1; + try + { + employeeId = s.getParser().getIntParameter( + GoatHillsFinancial.EMPLOYEE_ID); + String password = s.getParser().getStringParameter( + GoatHillsFinancial.PASSWORD); + + // Attempt authentication + if (login(s, employeeId, password)) + { + // Execute the chained Action if authentication succeeded. + try + { + chainedAction.handleRequest(s); + } + catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } + catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); + } + } + else + s.setMessage("Login failed"); + } + catch (ParameterNotFoundException pnfe) + { + // No credentials offered, so we log them out + setSessionAttribute(s, getLessonName() + ".isAuthenticated", + Boolean.FALSE); + } + } + + + /** + * After this.handleRequest() is called, when the View asks for the current JSP to load, + * it will get one initialized by this call. 
+ */ + public String getNextPage(WebSession s) + { + String nextPage = GoatHillsFinancial.LOGIN_ACTION; + + if (isAuthenticated(s)) + nextPage = chainedAction.getNextPage(s); + + return nextPage; + + } + + + public boolean requiresAuthentication() + { + return false; + } + + + public boolean login(WebSession s, int userId, String password) + { + //System.out.println("Logging in to lesson"); + boolean authenticated = false; + + try + { + String query = "SELECT * FROM employee WHERE userid = " + userId + + " and password = '" + password + "'"; + + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + if (answer_results.first()) + { + setSessionAttribute(s, + getLessonName() + ".isAuthenticated", Boolean.TRUE); + setSessionAttribute(s, getLessonName() + "." + + GoatHillsFinancial.USER_ID, Integer + .toString(userId)); + authenticated = true; + } + + } + catch (SQLException sqle) + { + s.setMessage("Error logging in"); + sqle.printStackTrace(); + } + } + catch (Exception e) + { + s.setMessage("Error logging in"); + e.printStackTrace(); + } + + //System.out.println("Lesson login result: " + authenticated); + return authenticated; + } + + + public List getAllEmployees(WebSession s) + { + List employees = new Vector(); + + // Query the database for all roles the given employee belongs to + // Query the database for all employees "owned" by these roles + + try + { + String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles " + + "where employee.userid=roles.userid"; + + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + answer_results.beforeFirst(); + while (answer_results.next()) + { + int employeeId = 
answer_results.getInt("userid"); + String firstName = answer_results.getString("first_name"); + String lastName = answer_results.getString("last_name"); + String role = answer_results.getString("role"); + EmployeeStub stub = new EmployeeStub(employeeId, firstName, + lastName, role); + employees.add(stub); + } + } + catch (SQLException sqle) + { + s.setMessage("Error getting employees"); + sqle.printStackTrace(); + } + } + catch (Exception e) + { + s.setMessage("Error getting employees"); + e.printStackTrace(); + } + + return employees; + } + +} diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Logout.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Logout.java new file mode 100755 index 000000000..1f2b2a05e --- /dev/null +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Logout.java 
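Review bot: `login` assembles its SQL by concatenating the request parameters `userId` and `password` into the query text, and the `Statement` and `ResultSet` it opens are never closed. Binding the values keeps them out of the statement text: `PreparedStatement ps = WebSession.getConnection(s).prepareStatement("SELECT * FROM employee WHERE userid = ? and password = ?"); ps.setInt(1, userId); ps.setString(2, password);` (importing `java.sql.PreparedStatement`), with the statement closed in a `finally` block. If this query is meant to stay injectable as the lesson's target, a comment at the query saying so would stop a later cleanup from removing it. The same concatenation and unclosed statements recur in `UpdateProfile.changeEmployeeProfile`, `UpdateProfile.createEmployeeProfile` and `ViewProfile.getEmployeeProfile` later in this commit. Separately, a failed login leaves an earlier `isAuthenticated` TRUE in place, because only the `ParameterNotFoundException` branch of `handleRequest` resets it to FALSE.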
@@ -0,0 +1,87 @@ +package org.owasp.webgoat.lessons.GoatHillsFinancial; + +import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.lessons.DefaultLessonAction; +import org.owasp.webgoat.lessons.LessonAction; +import org.owasp.webgoat.session.ParameterNotFoundException; +import org.owasp.webgoat.session.UnauthenticatedException; +import org.owasp.webgoat.session.UnauthorizedException; +import org.owasp.webgoat.session.ValidationException; +import org.owasp.webgoat.session.WebSession; + +/******************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. 
+ * + * For details, please see http://code.google.com/p/webgoat/ + */ +public class Logout extends DefaultLessonAction +{ + + private LessonAction chainedAction; + + + public Logout(AbstractLesson lesson, String lessonName, String actionName, + LessonAction chainedAction) + { + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; + } + + + public void handleRequest(WebSession s) throws ParameterNotFoundException, + ValidationException + { + //System.out.println("Logging out"); + + setSessionAttribute(s, getLessonName() + ".isAuthenticated", + Boolean.FALSE); + + // FIXME: Maybe we should forward to Login. + try + { + chainedAction.handleRequest(s); + } + catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } + catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); + } + + } + + + public String getNextPage(WebSession s) + { + return chainedAction.getNextPage(s); + } + +} diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/SearchStaff.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/SearchStaff.java new file mode 100755 index 000000000..91307d3f9 --- /dev/null +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/SearchStaff.java 
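Review bot: `handleRequest` clears only the `isAuthenticated` flag; the `getLessonName() + "." + GoatHillsFinancial.USER_ID` attribute that `Login.login` stores is left in the session after logout. Unless something outside this commit removes it, a later `getIntSessionAttribute` for that key still yields the previous identity, so it should be cleared in the same place as the flag, using whatever removal `DefaultLessonAction` offers. The `UnauthenticatedException` / `UnauthorizedException` from `chainedAction.handleRequest(s)` are only printed to stdout as `"Internal server error"`; reporting them through `s.setMessage(...)` as the other actions do would let the user see that the chained step failed.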
@@ -0,0 +1,51 @@ +package org.owasp.webgoat.lessons.GoatHillsFinancial; + +import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.lessons.DefaultLessonAction; +import org.owasp.webgoat.session.WebSession; + +/******************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. + * + * For details, please see http://code.google.com/p/webgoat/ + */ +public class SearchStaff extends DefaultLessonAction +{ + + public SearchStaff(AbstractLesson lesson, String lessonName, + String actionName) + { + super(lesson, lessonName, actionName); + } + + + public String getNextPage(WebSession s) + { + return GoatHillsFinancial.SEARCHSTAFF_ACTION; + } + +} 
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java new file mode 100755 index 000000000..f93a231ea --- /dev/null +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java 
@@ -0,0 +1,270 @@ +package org.owasp.webgoat.lessons.GoatHillsFinancial; + +import java.sql.ResultSet; +import java.sql.SQLException; +import java.sql.Statement; + +import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.lessons.DefaultLessonAction; +import org.owasp.webgoat.lessons.LessonAction; +import org.owasp.webgoat.session.Employee; +import org.owasp.webgoat.session.ParameterNotFoundException; +import org.owasp.webgoat.session.UnauthenticatedException; +import org.owasp.webgoat.session.UnauthorizedException; +import org.owasp.webgoat.session.ValidationException; +import org.owasp.webgoat.session.WebSession; + +/******************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. 
+ * + * For details, please see http://code.google.com/p/webgoat/ + */ +public class UpdateProfile extends DefaultLessonAction +{ + + private LessonAction chainedAction; + + public UpdateProfile(AbstractLesson lesson, String lessonName, + String actionName, LessonAction chainedAction) + { + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; + } + + public void handleRequest(WebSession s) throws ParameterNotFoundException, + UnauthenticatedException, UnauthorizedException, + ValidationException + { + if (isAuthenticated(s)) + { + int userId = getIntSessionAttribute(s, getLessonName() + "." + + GoatHillsFinancial.USER_ID); + + int subjectId = s.getParser().getIntParameter( + GoatHillsFinancial.EMPLOYEE_ID, 0); + + String firstName = s.getParser().getStringParameter( + GoatHillsFinancial.FIRST_NAME); + String lastName = s.getParser().getStringParameter( + GoatHillsFinancial.LAST_NAME); + String ssn = s.getParser().getStringParameter( + GoatHillsFinancial.SSN); + String title = s.getParser().getStringParameter( + GoatHillsFinancial.TITLE); + String phone = s.getParser().getStringParameter( + GoatHillsFinancial.PHONE_NUMBER); + String address1 = s.getParser().getStringParameter( + GoatHillsFinancial.ADDRESS1); + String address2 = s.getParser().getStringParameter( + GoatHillsFinancial.ADDRESS2); + int manager = s.getParser().getIntParameter( + GoatHillsFinancial.MANAGER); + String startDate = s.getParser().getStringParameter( + GoatHillsFinancial.START_DATE); + int salary = s.getParser().getIntParameter( + GoatHillsFinancial.SALARY); + String ccn = s.getParser().getStringParameter( + GoatHillsFinancial.CCN); + int ccnLimit = s.getParser().getIntParameter( + GoatHillsFinancial.CCN_LIMIT); + String disciplinaryActionDate = s.getParser().getStringParameter( + GoatHillsFinancial.DISCIPLINARY_DATE); + String disciplinaryActionNotes = s.getParser().getStringParameter( + GoatHillsFinancial.DISCIPLINARY_NOTES); + String personalDescription = 
s.getParser().getStringParameter( + GoatHillsFinancial.DESCRIPTION); + + Employee employee = new Employee(subjectId, firstName, lastName, + ssn, title, phone, address1, address2, manager, startDate, + salary, ccn, ccnLimit, disciplinaryActionDate, + disciplinaryActionNotes, personalDescription); + + if (subjectId > 0) + { + this.changeEmployeeProfile(s, userId, subjectId, employee); + setRequestAttribute(s, getLessonName() + "." + + GoatHillsFinancial.EMPLOYEE_ID, Integer + .toString(subjectId)); + } + else + this.createEmployeeProfile(s, userId, employee); + + try + { + chainedAction.handleRequest(s); + } + catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } + catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); + } + } + else + throw new UnauthenticatedException(); + } + + public String getNextPage(WebSession s) + { + return GoatHillsFinancial.VIEWPROFILE_ACTION; + } + + public void changeEmployeeProfile(WebSession s, int userId, int subjectId, + Employee employee) throws UnauthorizedException + { + try + { + // Note: The password field is ONLY set by ChangePassword + String query = "UPDATE employee SET first_name = '" + + employee.getFirstName() + "', last_name = '" + + employee.getLastName() + "', ssn = '" + employee.getSsn() + + "', title = '" + employee.getTitle() + "', phone = '" + + employee.getPhoneNumber() + "', address1 = '" + + employee.getAddress1() + "', address2 = '" + + employee.getAddress2() + "', manager = " + + employee.getManager() + + ", start_date = '" + + employee.getStartDate() + + "', ccn = '" + + employee.getCcn() + + "', ccn_limit = " + + employee.getCcnLimit() + + + // "', disciplined_date = '" + employee.getDisciplinaryActionDate() + + // "', disciplined_notes = '" + employee.getDisciplinaryActionNotes() + + ", personal_description = '" + + employee.getPersonalDescription() + "' WHERE userid = " + + subjectId; + 
//System.out.println("Query: " + query); + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + answer_statement.execute(query); + } + catch (SQLException sqle) + { + s.setMessage("Error updating employee profile"); + sqle.printStackTrace(); + } + + } + catch (Exception e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + } + } + + private int getNextUID(WebSession s) + { + int uid = -1; + try + { + Statement statement = WebSession.getConnection(s).createStatement( + ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement + .executeQuery("select max(userid) as uid from employee"); + results.first(); + uid = results.getInt("uid"); + } + catch (SQLException sqle) + { + sqle.printStackTrace(); + s.setMessage("Error updating employee profile"); + } + catch (ClassNotFoundException e) + { + // TODO Auto-generated catch block + e.printStackTrace(); + } + return uid + 1; + } + + public void createEmployeeProfile(WebSession s, int userId, + Employee employee) throws UnauthorizedException + { + try + { + int newUID = getNextUID(s); + // FIXME: This max() thing doesn't work on InstantDB. 
+ String query = "INSERT INTO employee VALUES (" + newUID + ", '" + + employee.getFirstName() + "','" + employee.getLastName() + + "','" + employee.getSsn() + "','goober57x','" + + employee.getTitle() + "','" + employee.getPhoneNumber() + + "','" + employee.getAddress1() + "','" + + employee.getAddress2() + "'," + employee.getManager() + + ",'" + employee.getStartDate() + "'," + + employee.getSalary() + ",'" + employee.getCcn() + "'," + + employee.getCcnLimit() + ",'" + + employee.getDisciplinaryActionDate() + "','" + + employee.getDisciplinaryActionNotes() + "','" + + employee.getPersonalDescription() + "')"; + + //System.out.println("Query: " + query); + + try + { + Statement statement = WebSession.getConnection(s) + .createStatement(); + statement.executeUpdate(query); + } + catch (SQLException sqle) + { + sqle.printStackTrace(); + s.setMessage("Error updating employee profile"); + } + + query = "INSERT INTO roles VALUES (" + newUID + ", 'hr')"; + + //System.out.println("Query: " + query); + + try + { + Statement statement = WebSession.getConnection(s) + .createStatement(); + statement.executeUpdate(query); + } + catch (SQLException sqle) + { + sqle.printStackTrace(); + s.setMessage("Error updating employee profile"); + } + } + catch (Exception e) + { + e.printStackTrace(); + s.setMessage("Error updating employee profile"); + } + } +} diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ViewProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ViewProfile.java new file mode 100755 index 000000000..260a4f48d --- /dev/null +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ViewProfile.java 
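Review bot: `changeEmployeeProfile` updates whatever `subjectId` the request supplied without checking that the calling `userId` may edit that record; the `userId` parameter of both `changeEmployeeProfile` and `createEmployeeProfile` is never read. The JSPs in this commit only hide the Edit/Create buttons behind `isAuthorizedInLesson`, which is presentation; the action has to enforce the rule itself, e.g. right after `userId` is read in `handleRequest`: `if (!s.isAuthorizedInLesson(userId, GoatHillsFinancial.EDITPROFILE_ACTION)) throw new UnauthorizedException();`, plus whichever ownership rule the lesson intends between `userId` and `subjectId`. `ViewProfile.getEmployeeProfile` below has the same unused `userId` and the same missing check. `createEmployeeProfile` also gives every new employee the fixed password literal `'goober57x'`; if that is deliberate seed data, say so in a comment, otherwise route it through `ChangePassword`, which the comment in `changeEmployeeProfile` names as the only writer of the password column.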
@@ -0,0 +1,148 @@ +package org.owasp.webgoat.lessons.GoatHillsFinancial; + +import java.sql.ResultSet; +import java.sql.SQLException; +import java.sql.Statement; + +import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.lessons.DefaultLessonAction; +import org.owasp.webgoat.session.Employee; +import org.owasp.webgoat.session.ParameterNotFoundException; +import org.owasp.webgoat.session.UnauthenticatedException; +import org.owasp.webgoat.session.UnauthorizedException; +import org.owasp.webgoat.session.WebSession; + +/******************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2007 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. 
+ * + * For details, please see http://code.google.com/p/webgoat/ + */ +public class ViewProfile extends DefaultLessonAction +{ + + public ViewProfile(AbstractLesson lesson, String lessonName, + String actionName) + { + super(lesson, lessonName, actionName); + } + + + public void handleRequest(WebSession s) throws ParameterNotFoundException, + UnauthenticatedException, UnauthorizedException + { + getLesson().setCurrentAction(s, getActionName()); + + if (isAuthenticated(s)) + { + int userId = getIntSessionAttribute(s, getLessonName() + "." + + GoatHillsFinancial.USER_ID); + int employeeId = -1; + try + { + // User selected employee + employeeId = s.getParser().getIntParameter( + GoatHillsFinancial.EMPLOYEE_ID); + } + catch (ParameterNotFoundException e) + { + // May be an internally selected employee + employeeId = getIntRequestAttribute(s, getLessonName() + "." + + GoatHillsFinancial.EMPLOYEE_ID); + } + + Employee employee = getEmployeeProfile(s, userId, employeeId); + setSessionAttribute(s, getLessonName() + "." + + GoatHillsFinancial.EMPLOYEE_ATTRIBUTE_KEY, employee); + } + else + throw new UnauthenticatedException(); + + } + + public String getNextPage(WebSession s) + { + return GoatHillsFinancial.VIEWPROFILE_ACTION; + } + + + protected Employee getEmployeeProfile(WebSession s, int userId, + int subjectUserId) throws UnauthorizedException + { + Employee profile = null; + + // Query the database for the profile data of the given employee + try + { + String query = "SELECT * FROM employee WHERE userid = " + + subjectUserId; + + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + if (answer_results.next()) + { + // Note: Do NOT get the password field. 
+ profile = new Employee(answer_results.getInt("userid"), + answer_results.getString("first_name"), + answer_results.getString("last_name"), + answer_results.getString("ssn"), answer_results + .getString("title"), answer_results + .getString("phone"), answer_results + .getString("address1"), answer_results + .getString("address2"), answer_results + .getInt("manager"), answer_results + .getString("start_date"), answer_results + .getInt("salary"), answer_results + .getString("ccn"), answer_results + .getInt("ccn_limit"), answer_results + .getString("disciplined_date"), + answer_results.getString("disciplined_notes"), + answer_results.getString("personal_description")); + /* System.out.println("Retrieved employee from db: " + + profile.getFirstName() + " " + profile.getLastName() + + " (" + profile.getId() + ")"); + */} + } + catch (SQLException sqle) + { + s.setMessage("Error getting employee profile"); + sqle.printStackTrace(); + } + } + catch (Exception e) + { + s.setMessage("Error getting employee profile"); + e.printStackTrace(); + } + + return profile; + } + +} diff --git a/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/EditProfile.jsp b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/EditProfile.jsp new file mode 100755 index 000000000..adc43dceb --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/EditProfile.jsp @@ -0,0 +1,137 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial" + errorPage="" %> +<% + WebSession webSession = ((WebSession)session.getAttribute("websession")); + Employee employee = (Employee) session.getAttribute("GoatHillsFinancial.Employee"); +%> +
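Review bot: `getEmployeeProfile` runs `SELECT * FROM employee ...` although the comment inside the result branch says the password field must not be fetched; the column is still read from the database, it is merely not copied into `Employee`. Naming the columns instead, `SELECT userid, first_name, last_name, ssn, title, phone, address1, address2, manager, start_date, salary, ccn, ccn_limit, disciplined_date, disciplined_notes, personal_description FROM employee WHERE userid = ?` with `subjectUserId` bound as a parameter, makes the comment true and keeps the query stable if the table gains columns. The `userId` parameter is unused here as well, so the profile returned is whichever `subjectUserId` the request parameter or request attribute named. The method returns null when no row matches, and `ViewProfile.jsp` in this commit dereferences the result without a check.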
Welcome Back <%=webSession.getUserNameInLesson()%> - Edit Profile Page
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ First Name: + + + + Last Name: + +
+ Street: + + + + City/State: + + +
+ Phone: + + + + Start Date: + + +
+ SSN: + + + + Salary: + + +
+ Credit Card: + + + + Credit Card Limit: + + +
+ Comments: + + +
+ Disciplinary Explanation: + + Disc. Date: + + +
+ +
+ Manager: + + +
+
+
+ + + + + + + + +
+ + + + + + + +
+
+
+ \ No newline at end of file diff --git a/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/GoatHillsFinancial.css b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/GoatHillsFinancial.css new file mode 100755 index 000000000..61e93f63c --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/GoatHillsFinancial.css @@ -0,0 +1,14 @@ +#lesson_wrapper {height: 435px;width: 500px;} +#lesson_header {background-image: url(lessons/GoatHillsFinancial/images/lesson1_header.jpg);width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;} +.lesson_workspace {background-image: url(lessons/GoatHillsFinancial/images/lesson1_workspace.jpg);width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;} +.lesson_text {height: 240px;width: 460px;padding-top: 5px;} +#lesson_buttons_bottom {height: 20px;width: 460px;} +#lesson_b_b_left {width: 300px;float: left;} +#lesson_b_b_right input {width: 100px;float: right;} +.lesson_title_box {height: 20px;width: 420px;padding-left: 30px;} +.lesson_workspace { } +.lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;} +.lesson_text_db {color: #0066FF} +#lesson_login {background-image: url(lessons/GoatHillsFinancial/images/lesson1_loginWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;} +#lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: 12px;text-align: center;} +#lesson_search {background-image: url(lessons/GoatHillsFinancial/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;} diff --git a/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/GoatHillsFinancial.jsp b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/GoatHillsFinancial.jsp new file mode 100755 index 000000000..90dbef989 
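Review bot: The page reads the employee with the literal key `"GoatHillsFinancial.Employee"`, whereas `ViewProfile.java` stores it under `getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ATTRIBUTE_KEY` and `ViewProfile.jsp` reads it with `"GoatHillsFinancial." + GoatHillsFinancial.EMPLOYEE_ATTRIBUTE_KEY`. Unless that constant happens to equal `"Employee"`, the edit form receives a null `employee`; use the constant here as well: `Employee employee = (Employee) session.getAttribute("GoatHillsFinancial." + GoatHillsFinancial.EMPLOYEE_ATTRIBUTE_KEY);`. A null check before the form is populated is needed either way, since `ViewProfile.getEmployeeProfile` returns null when no row matches.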
--- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/GoatHillsFinancial.jsp @@ -0,0 +1,30 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="org.owasp.webgoat.session.*" + errorPage="" %> +<%@page import="org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;"%> + +<% +WebSession webSession = ((WebSession)session.getAttribute("websession")); +System.out.println("WebSession is " + webSession); +GoatHillsFinancial currentLesson = (GoatHillsFinancial) webSession.getCurrentLesson(); +System.out.println("CurrentLesson = " + currentLesson); +%> +
+
+
+ <% + String subViewPage = currentLesson.getPage(webSession); + System.out.println("SubViewPage is " + subViewPage); + if (subViewPage != null) + { + //System.out.println("Including sub view page: " + subViewPage); + %> + + <% + } + %> + +
+
\ No newline at end of file diff --git a/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/ListStaff.jsp b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/ListStaff.jsp new file mode 100755 index 000000000..8bb414b0d --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/ListStaff.jsp @@ -0,0 +1,55 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial" + errorPage="" %> +<% + WebSession webSession = ((WebSession)session.getAttribute("websession")); + int myUserId = webSession.getUserIdInLesson(); +%> +
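Review bot: The three `System.out.println` calls (`"WebSession is "`, `"CurrentLesson = "`, `"SubViewPage is "`) are debug tracing left in a view; they write per-request session state to the container's stdout on every render and should be removed or sent to a logger at debug level. The `<%@page import="...GoatHillsFinancial;"%>` directive carries a trailing semicolon inside the import attribute; containers generally tolerate the resulting `import ...;;`, but it does not belong in the import list and should be dropped. `currentLesson` is also cast from `webSession.getCurrentLesson()` with no check, so a session whose current lesson is a different type fails here with a `ClassCastException` rather than a message.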
Welcome Back <%=webSession.getUserNameInLesson()%> - Staff Listing Page
+
+
+
+

Select from the list below

+ +
+ + + + + +
+
+
+ <% + if (webSession.isAuthorizedInLesson(myUserId, GoatHillsFinancial.CREATEPROFILE_ACTION)) + { + %> +
+ <% + } + %> + <% + if (webSession.isAuthorizedInLesson(myUserId, GoatHillsFinancial.DELETEPROFILE_ACTION)) + { + %> +
+ <% + } + %> +
+ +
+ +
+ \ No newline at end of file diff --git a/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/Login.jsp b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/Login.jsp new file mode 100755 index 000000000..a48eef7a4 --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/Login.jsp @@ -0,0 +1,37 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial" + errorPage="" %> +
+
+ <% + WebSession webSession = ((WebSession)session.getAttribute("websession")); + %> +
+ +
+ +
+ +
+
+
\ No newline at end of file diff --git a/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/SearchStaff.jsp b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/SearchStaff.jsp new file mode 100755 index 000000000..d88942ae5 --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/SearchStaff.jsp @@ -0,0 +1,22 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial" + errorPage="" %> + \ No newline at end of file diff --git a/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/ViewProfile.jsp b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/ViewProfile.jsp new file mode 100755 index 000000000..aa2a95fb9 --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/ViewProfile.jsp @@ -0,0 +1,157 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial" + errorPage="" %> +<% + Employee employee = (Employee) session.getAttribute("GoatHillsFinancial." + GoatHillsFinancial.EMPLOYEE_ATTRIBUTE_KEY); + WebSession webSession = ((WebSession)session.getAttribute("websession")); +// int myUserId = getIntSessionAttribute(webSession, "GoatHillsFinancial." + GoatHillsFinancial.USER_ID); +%> +
Welcome Back <%=webSession.getUserNameInLesson()%> - View Profile Page
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ First Name: + + <%=employee.getFirstName()%> + + Last Name: + + <%=employee.getLastName()%> +
+ Street: + + <%=employee.getAddress1()%> + + City/State: + + <%=employee.getAddress2()%> +
+ Phone: + + <%=employee.getPhoneNumber()%> + + Start Date: + + <%=employee.getStartDate()%> +
+ SSN: + + <%=employee.getSsn()%> + + Salary: + + <%=employee.getSalary()%> +
+ Credit Card: + + <%=employee.getCcn()%> + + Credit Card Limit: + + <%=employee.getCcnLimit()%> +
+ Comments: + + <%=employee.getPersonalDescription()%> +
+ Disciplinary Explanation: + + Disc. Dates: + + <%=employee.getDisciplinaryActionDate()%> +
+ <%=employee.getDisciplinaryActionNotes()%> +
+ Manager: + + <%=employee.getManager()%> +
+
+
+ + + + + + + + +
+ <% + if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), GoatHillsFinancial.LISTSTAFF_ACTION)) + { + %> +
+ + +
+ <% + }%> +
+ <% + if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), GoatHillsFinancial.EDITPROFILE_ACTION)) + { + %> +
+ + +
+ <% + } + %> +
+ <% + if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), GoatHillsFinancial.DELETEPROFILE_ACTION)) + { + %> +
+ + +
+ <% + } + %> +
  +
+ +
+
+
\ No newline at end of file
diff --git a/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/error.jsp b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/error.jsp
new file mode 100755
index 000000000..556f3200a
--- /dev/null
+++ b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/error.jsp
@@ -0,0 +1,13 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
+ import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial"
+ errorPage="" %>
+<%
+ WebSession webSession = ((WebSession)session.getAttribute("websession"));
+// int myUserId = getIntSessionAttribute(webSession, "GoatHillsFinancial." + GoatHillsFinancial.USER_ID);
+%>
+
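Review bot: `employee` is read from the session attribute at the top of ViewProfile.jsp and then dereferenced for every table cell (`employee.getFirstName()` through `employee.getManager()`) with no null check, so a request that reaches the page without that attribute set fails with a NullPointerException, and `errorPage=""` leaves no page-level handler for it; a guard right after the lookup, `if (employee == null) { throw new IllegalStateException("no employee in session"); }`, makes the failure explicit. Those same fields, SSN, credit-card number and salary included, are written with `<%= %>` and no HTML encoding; if that is deliberate lesson material, a top-of-page comment such as `<%-- Lesson fixture: profile fields are intentionally rendered without HTML encoding --%>` would keep the pattern from being copied as-is into pages that are not meant to be vulnerable. The three `isAuthorizedInLesson` checks only control whether the ListStaff, EditProfile and DeleteProfile buttons are rendered, which is presentation rather than enforcement, so the actions themselves (outside this hunk) need to repeat the check server-side. The commented-out `// int myUserId = getIntSessionAttribute(...)` line is dead code and appears again in the error.jsp hunk; both copies should be removed.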


An error has occurred. +


+
+ + +
\ No newline at end of file
diff --git a/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/accessControl.jpg b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/accessControl.jpg
new file mode 100755
index 000000000..e9af72c50
Binary files /dev/null and b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/accessControl.jpg differ
diff --git a/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/dbSchema.jpg b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/dbSchema.jpg
new file mode 100755
index 000000000..457b634d0
Binary files /dev/null and b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/dbSchema.jpg differ
diff --git a/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/lesson1_SearchWindow.jpg b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/lesson1_SearchWindow.jpg
new file mode 100755
index 000000000..39e1ed80d
Binary files /dev/null and b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/lesson1_SearchWindow.jpg differ
diff --git a/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/lesson1_header.jpg b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/lesson1_header.jpg
new file mode 100755
index 000000000..60a809af0
Binary files /dev/null and b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/lesson1_header.jpg differ
diff --git a/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/lesson1_loginWindow.jpg b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/lesson1_loginWindow.jpg
new file mode 100755
index 000000000..c91f8a052
Binary files /dev/null and b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/lesson1_loginWindow.jpg differ
diff --git a/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/lesson1_menu.jpg b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/lesson1_menu.jpg
new file mode 100755
index 000000000..2c9512571
Binary files /dev/null and b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/lesson1_menu.jpg differ
diff --git a/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/lesson1_workspace.jpg b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/lesson1_workspace.jpg
new file mode 100755
index 000000000..292d25654
Binary files /dev/null and b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/lesson1_workspace.jpg differ
diff --git a/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/orgChart.jpg b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/orgChart.jpg
new file mode 100755
index 000000000..016c0d162
Binary files /dev/null and b/ webgoat/main/project/WebContent/lessons/GoatHillsFinancial/images/orgChart.jpg differ