diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DefaultLessonAction.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DefaultLessonAction.java
index 3a729531b..dd4d738fa 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DefaultLessonAction.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DefaultLessonAction.java
@@ -278,19 +278,6 @@ public abstract class DefaultLessonAction implements LessonAction
 e.printStackTrace();
 }
- // Update lesson status if necessary.
- if (getStage(s) == 2)
- {
- //System.out.println("Checking for stage 2 completion handling action " + functionId);
- if (lessonName.equals("RoleBasedAccessControl") && !calledFromJsp("isAuthorized") && !authorized &&
- functionId.equals(RoleBasedAccessControl.DELETEPROFILE_ACTION))
- {
- s.setMessage( "Welcome to stage 3 -- exploiting the data layer" );
- setStage(s, 3);
- }
- }
- //System.out.println("isAuthorized() exit stage: " + getStage(s));
- //System.out.println("Authorized? " + authorized);
 return authorized;
 }
@@ -326,51 +313,8 @@ public abstract class DefaultLessonAction implements LessonAction
 e.printStackTrace();
 }
- // Update lesson status if necessary.
- if (getStage(s) == 4)
- {
- //System.out.println("Checking for stage 4 completion");
- if (lessonName.equals("RoleBasedAccessControl") && !calledFromJsp("isAuthorized") && !authorized)
- {
- s.setMessage("Congratulations. You have successfully completed this lesson.");
- getLesson().getLessonTracker( s ).setCompleted( true );
- }
- }
-
 return authorized;
 }
- /**
- * Determine if the calling method was in turn called from a compiled JSP class.
- * This skips calling methods that start with the given string (e.g. isAuthorized).
- * @return
- */
- private boolean calledFromJsp(String caller)
- {
- boolean fromJsp = false;
- Throwable throwable = new Throwable();
- StackTraceElement[] trace = throwable.getStackTrace();
- int callerIndex = 0;
- boolean done = false;
- for (int i = 1; i < trace.length && !done; i++)
- {
- String callerMethodName = trace[i].getMethodName();
- //System.out.println("calledFromJsp() callee (" + i + ") is " + callerMethodName);
- if (!callerMethodName.startsWith(caller)) // Yikes what a hack!
- {
- callerIndex = i;
- done = true;
- }
- }
- String callerClassName = trace[callerIndex].getClassName();
- //System.out.println("calledFromJsp() callee class (" + (callerIndex) + ") is " + callerClassName);
-
- if (callerClassName.endsWith("_jsp"))
- fromJsp = true;
-
- //System.out.println("calledFromJsp() result: " + fromJsp);
- return fromJsp;
- }
 protected void setStage(WebSession s, int stage)
 {
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java
index 505d0ccaf..acb21c77b 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java
@@ -159,7 +159,8 @@ public class DeleteProfile extends DefaultLessonAction
 private void updateLessonStatus(WebSession s)
 {
- // If the logged in user is not authorized to be here, stage is complete.
+ // If the logged in user is not authorized to be here, stage 1 is complete.
+ if (getStage(s) == 1)
 try
 {
 int userId = getIntSessionAttribute(s, getLessonName() + "."
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
index d16f6d4fa..cc11bc8b9 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
@@ -12,6 +12,7 @@ import org.apache.ecs.ElementContainer;
 import org.apache.ecs.html.A;
 import org.apache.ecs.html.IMG;
 import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.DefaultLessonAction;
 import org.owasp.webgoat.lessons.LessonAction;
 import org.owasp.webgoat.lessons.LessonAdapter;
 import org.owasp.webgoat.session.DatabaseUtilities;
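Review bot: The added `if (getStage(s) == 1)` in DeleteProfile.updateLessonStatus guards the whole try/catch without braces, so its scope is only visible through the indentation of a multi-line statement that continues past the end of this hunk; wrap it as `if (getStage(s) == 1)` / `{` … `}` around the try block so a later edit cannot silently fall outside the condition. The new comment should also say why only stage 1 is handled here, e.g. `// Only stage 1 completes on an unauthorized visit; the stage 2 and 4 transitions are handled in RoleBasedAccessControl.` — the other hunks in this commit appear to move those transitions there, but I am inferring that from the diff rather than from the full method.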
@@ -355,6 +356,49 @@ public class RoleBasedAccessControl extends LessonAdapter
 }
 catch (UnauthorizedException ue2)
 {
+ // Update lesson status if necessary.
+ if (getStage(s) == 2)
+ {
+ try
+ {
+ if (RoleBasedAccessControl.DELETEPROFILE_ACTION.equals(requestedActionName) &&
+ !isAuthorized(s, getUserId(s), RoleBasedAccessControl.DELETEPROFILE_ACTION))
+ {
+ s.setMessage( "Welcome to stage 3 -- exploiting the data layer" );
+ setStage(s, 3);
+ }
+ } catch (ParameterNotFoundException pnfe)
+ {
+ pnfe.printStackTrace();
+ }
+ }
+ //System.out.println("isAuthorized() exit stage: " + getStage(s));
+ // Update lesson status if necessary.
+ if (getStage(s) == 4)
+ {
+ try
+ {
+ //System.out.println("Checking for stage 4 completion");
+ DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s));
+ int userId = Integer.parseInt((String)s.getRequest().getSession().getAttribute(getLessonName() + "." +
+ RoleBasedAccessControl.USER_ID));
+ int employeeId = s.getParser().getIntParameter(
+ RoleBasedAccessControl.EMPLOYEE_ID);
+
+ if (!action.isAuthorizedForEmployee(s, userId, employeeId))
+ {
+ s.setMessage("Congratulations. You have successfully completed this lesson.");
+ getLessonTracker( s ).setCompleted( true );
+ }
+ } catch (Exception e)
+ {
+ // swallow this - shouldn't happen inthe normal course
+ // e.printStackTrace();
+ }
+ }
+
+
+
 s.setMessage("You are not authorized to perform this function");
 System.out.println("Authorization failure");
 setCurrentAction(s, ERROR_ACTION);
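Review bot: The `catch (Exception e)` closing the stage-4 branch discards every failure of the completion check — the ClassCastException from the `(DefaultLessonAction)` cast, the NumberFormatException that `Integer.parseInt` throws when the `USER_ID` session attribute is missing or not numeric, and the ParameterNotFoundException from `getIntParameter` — so a broken check is indistinguishable from "lesson not yet complete" and the learner just sees the generic authorization failure. The stage-2 branch directly above prints its ParameterNotFoundException, so this branch should at least do the same by restoring `e.printStackTrace();` in place of the commented-out call and its comment (which also misspells "in the"). Unlike the stage-2 check, the stage-4 check does not compare `requestedActionName`, so any UnauthorizedException at stage 4 drives the employee lookup; if that is intended, a one-line comment stating it would save the next reader from assuming it is an omission. The carried-over `//System.out.println("isAuthorized() exit stage: ...")` refers to a method this code no longer lives in and can be dropped along with the three trailing blank lines; the enclosing method starts before the hunk.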