dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

making ajax impovements

Browse Source 
Also convert SQL server file from Unix to DOS line endings


git-svn-id: http://webgoat.googlecode.com/svn/trunk@246 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
rogan.dawes 2008-01-10 10:44:09 +00:00
parent a8c87e0704
commit a84d0e951d
3 changed files with 392 additions and 370 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

255
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java
View File

@ -11,14 +11,18 @@ import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.A;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.Div;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.apache.ecs.html.Script;
import org.apache.ecs.html.Select;
import org.apache.ecs.html.Style;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.apache.ecs.jsp.jsp_include;
import org.apache.ecs.xhtml.style;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.SequentialLessonAdapter;
import org.owasp.webgoat.session.ECSFactory;
@ -27,9 +31,12 @@ import org.owasp.webgoat.session.WebSession;
public class ClientSideFiltering extends SequentialLessonAdapter {
private final static String ANSWER = "answer";
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
public final static A ASPECT_LOGO = new A().setHref(
"http://www.aspectsecurity.com").addElement(
new IMG("images/logos/aspect.jpg").setAlt("Aspect Security")
.setBorder(0).setHspace(0).setVspace(0));
protected Element createContent(WebSession s) {
return super.createStagedContent(s);
}
@ -40,22 +47,47 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
try {
ec.addElement(new Script()
.setSrc("javascript/clientSideFiltering.js"));
.setSrc("javascript/clientSideFiltering.js"));
Input input = new Input(Input.HIDDEN, "userID", 102);
input.setID("userID");
ec.addElement(input);
ec.addElement(new P().addElement("Select user:"));
ec.addElement(createDropDown());
style sty = new style();
sty
.addElement("#lesson_wrapper {height: 435px;width: 500px;}"
+ "#lesson_header {background-image: url(lessons/Ajax/images/lesson1_header.jpg);"
+ "width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}"
+ ".lesson_workspace {background-image: url(lessons/Ajax/images/lesson1_workspace.jpg);"
+ "width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}");
ec.addElement(new P());
ec.addElement(sty);
Div wrapperDiv = new Div();
wrapperDiv.setID("lesson_wrapper");
Div headerDiv = new Div();
headerDiv.setID("lesson_header");
Div workspaceDiv = new Div();
workspaceDiv.setClass("lesson_workspace");
wrapperDiv.addElement(headerDiv);
wrapperDiv.addElement(workspaceDiv);
ec.addElement(wrapperDiv);
workspaceDiv.addElement(new BR());
workspaceDiv.addElement(new BR());
workspaceDiv.addElement(new P()
.addElement("     Select user:"));
workspaceDiv.addElement(createDropDown());
workspaceDiv.addElement(new P());
Table t = new Table().setCellSpacing(0).setCellPadding(2)
.setBorder(1).setWidth("90%").setAlign("center");
@ -63,7 +95,7 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
t.setID("hiddenEmployeeRecords");
t.setStyle("display: none");
ec.addElement(t);
workspaceDiv.addElement(t);
t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1)
.setWidth("90%").setAlign("center");
@ -79,8 +111,8 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
tr.setID("employeeRecord");
t.addElement(tr);
ec.addElement(t);
workspaceDiv.addElement(t);
} catch (Exception e) {
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
@ -111,7 +143,6 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
}
if (answer == 450000) {
getLessonTracker(s).setStage(2);
s.setMessage("Stage 1 completed.");
@ -125,12 +156,10 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
return ec;
}
protected Element doStage2(WebSession s){
protected Element doStage2(WebSession s) {
ElementContainer ec = new ElementContainer();
/**
* They pass iff:
*
@ -138,16 +167,14 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
*/
String file = s.getWebResource("lessons/Ajax/clientSideFiltering.jsp");
String content = getFileContent(file);
if(content.indexOf("[Managers/Manager/text()") != -1)
{
if (content.indexOf("[Managers/Manager/text()") != -1) {
makeSuccess(s);
ec.addElement(stage2Content(s));
}
else{
} else {
ec.addElement(stage2Content(s));
}
return ec;
}
@ -157,9 +184,6 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
ec.addElement(createMainContent(s));
ec.addElement(new BR());
ec.addElement(new BR());
Table t1 = new Table().setCellSpacing(0).setCellPadding(2);
if (s.isColor()) {
@ -183,8 +207,7 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
return ec;
}
protected ElementContainer stage2Content(WebSession s) {
ElementContainer ec = new ElementContainer();
try {
@ -202,9 +225,10 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
TR tr = new TR();
/*tr.addElement(new TD()
.addElement("Press 'Submit' when you believe you have completed the lesson."));
*/
Element b = ECSFactory.makeButton("Click here when you believe you have completed the lesson.");
.addElement("Press 'Submit' when you believe you have completed the lesson."));
*/
Element b = ECSFactory
.makeButton("Click here when you believe you have completed the lesson.");
tr.addElement(new TD(b).setAlign("CENTER"));
t1.addElement(tr);
@ -217,9 +241,8 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
return ec;
}
protected Select createDropDown(){
protected Select createDropDown() {
Select select = new Select("UserSelect");
select.setID("UserSelect");
@ -234,11 +257,6 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
select.addElement(option);
option = new org.apache.ecs.html.Option("Moe Stooge", "102",
"Moe Stooge");
select.addElement(option);
option = new org.apache.ecs.html.Option("Curly Stooge", "103",
"Curly Stooge");
@ -278,17 +296,12 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
select.addElement(option);
option = new org.apache.ecs.html.Option("John Wayne", "111",
"John Wayne");
select.addElement(option);
select.setOnChange("selectUser()");
select.setOnFocus("fetchUserData()");
return select;
}
protected Category getDefaultCategory() {
@ -300,55 +313,53 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
*
* @return The hints value
*/
public List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("The information displayed when an employee is choosen from the drop down menu is stored on the client side.");
hints.add("Use Firebug to find where the information is stored on the client side.");
hints.add("Examine the hidden table to see if there is anyone listed who is not in the drop down menu.");
hints.add("Look in the last row of the hidden table.");
public List<String> getHints(WebSession s) {
List<String> hints = new ArrayList<String>();
hints.add("You can access the server directly <a href = \"/WebGoat/lessons/Ajax/clientSideFiltering.jsp?userId=102\">here </a>" +
"to see what results are being returned");
hints.add("The server uses an XPath query agasinst an XML database.");
hints
.add("The information displayed when an employee is choosen from the drop down menu is stored on the client side.");
hints.add("The query currently returns all of the contents of the database.");
hints
.add("Use Firebug to find where the information is stored on the client side.");
hints.add("The query should only return the information of employees who are managed by Moe Stooge, who's userID is 102");
hints
.add("Examine the hidden table to see if there is anyone listed who is not in the drop down menu.");
hints.add("Try using a filter operator.");
hints.add("your filter operator shoiuld look something like: [Managers/Manager/text()=");
return hints;
}
hints.add("Look in the last row of the hidden table.");
hints
.add("You can access the server directly <a href = \"/WebGoat/lessons/Ajax/clientSideFiltering.jsp?userId=102\">here </a>"
+ "to see what results are being returned");
hints.add("The server uses an XPath query agasinst an XML database.");
hints
.add("The query currently returns all of the contents of the database.");
hints
.add("The query should only return the information of employees who are managed by Moe Stooge, who's userID is 102");
hints.add("Try using a filter operator.");
hints
.add("your filter operator shoiuld look something like: [Managers/Manager/text()=");
return hints;
}
public String getInstructions(WebSession s) {
String instructions = "";
if (getLessonTracker(s).getStage() == 1) {
instructions = "STAGE 1:\tYou are Moe Stooge, CSO of Goat Hills Bank. "
instructions = "STAGE 1:\tYou are Moe Stooge, CSO of Goat Hills Financial. "
+ "You have access to everyone in the company's information, except the CEO, "
+ "Neville Bartholomew. Or at least you shouldn't have access to the CEO's information."
+ " For this exercise, "
+ "examine the contents of the page to see what extra information you can find.";
} else if (getLessonTracker(s).getStage() == 2) {
instructions = "STAGE 2:\tNow, fix the problem. Modify the server to only return " +
"results that Moe Stooge is allowed to see.";
instructions = "STAGE 2:\tNow, fix the problem. Modify the server to only return "
+ "results that Moe Stooge is allowed to see.";
}
return (instructions);
}
@ -384,47 +395,35 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
public String getTitle() {
return ("LAB: Client Side Filtering");
}
private String getFileContent(String content)
{
BufferedReader is = null;
StringBuffer sb = new StringBuffer();
try
{
is = new BufferedReader(new FileReader(new File(content)));
String s = null;
while((s = is.readLine()) != null)
{
sb.append(s);
}
}
catch (Exception e)
{
e.printStackTrace();
}
finally
{
if(is != null)
{
try
{
is.close();
}
catch (IOException ioe)
{
}
}
}
return sb.toString();
}
public Element getCredits()
{
return super.getCustomCredits("", ASPECT_LOGO);
}
private String getFileContent(String content) {
BufferedReader is = null;
StringBuffer sb = new StringBuffer();
try {
is = new BufferedReader(new FileReader(new File(content)));
String s = null;
while ((s = is.readLine()) != null) {
sb.append(s);
}
} catch (Exception e) {
e.printStackTrace();
} finally {
if (is != null) {
try {
is.close();
} catch (IOException ioe) {
}
}
}
return sb.toString();
}
public Element getCredits() {
return super.getCustomCredits("", ASPECT_LOGO);
}
}

452
webgoat/main/project/WebContent/WEB-INF/webgoat_sqlserver.sql
View File

@ -1,226 +1,226 @@
EXEC sp_configure 'clr enabled', 1
GO
RECONFIGURE
GO
USE master;
go
DROP LOGIN webgoat_guest;
go
DROP database webgoat;
go
CREATE database webgoat;
go
USE webgoat;
go
CREATE SCHEMA webgoat_guest;
go
CREATE LOGIN webgoat_guest with password = '_webgoat';
go
CREATE USER webgoat_guest with default_schema = webgoat_guest;
go
GRANT CONTROL TO webgoat_guest;
go
CREATE TABLE WEBGOAT_guest.EMPLOYEE (
userid INT NOT NULL PRIMARY KEY,
first_name VARCHAR(20),
last_name VARCHAR(20),
ssn VARCHAR(12),
password VARCHAR(10),
title VARCHAR(20),
phone VARCHAR(13),
address1 VARCHAR(80),
address2 VARCHAR(80),
manager INT,
start_date CHAR(8),
salary INT,
ccn VARCHAR(30),
ccn_limit INT,
disciplined_date CHAR(8),
disciplined_notes VARCHAR(60),
personal_description VARCHAR(60)
);
go
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'UPDATE_EMPLOYEE'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'PROCEDURE'
)
BEGIN
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
END
GO
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
@v_userid INT,
@v_first_name VARCHAR(20),
@v_last_name VARCHAR(20),
@v_ssn VARCHAR(12),
@v_title VARCHAR(20),
@v_phone VARCHAR(13),
@v_address1 VARCHAR(80),
@v_address2 VARCHAR(80),
@v_manager INT,
@v_start_date CHAR(8),
@v_salary INT,
@v_ccn VARCHAR(30),
@v_ccn_limit INT,
@v_disciplined_date CHAR(8),
@v_disciplined_notes VARCHAR(60),
@v_personal_description VARCHAR(60)
AS
UPDATE EMPLOYEE
SET
first_name = @v_first_name,
last_name = @v_last_name,
ssn = @v_ssn,
title = @v_title,
phone = @v_phone,
address1 = @v_address1,
address2 = @v_address2,
manager = @v_manager,
start_date = @v_Start_date,
salary = @v_salary,
ccn = @v_ccn,
ccn_limit = @v_ccn_limit,
disciplined_date = @v_disciplined_date,
disciplined_notes = @v_disciplined_notes,
personal_description = @v_personal_description
WHERE
userid = @v_userid;
go
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
@v_userid INT,
@v_first_name VARCHAR(20),
@v_last_name VARCHAR(20),
@v_ssn VARCHAR(12),
@v_title VARCHAR(20),
@v_phone VARCHAR(13),
@v_address1 VARCHAR(80),
@v_address2 VARCHAR(80),
@v_manager INT,
@v_start_date CHAR(8),
@v_salary INT,
@v_ccn VARCHAR(30),
@v_ccn_limit INT,
@v_disciplined_date CHAR(8),
@v_disciplined_notes VARCHAR(60),
@v_personal_description VARCHAR(60)
AS
UPDATE EMPLOYEE
SET
first_name = @v_first_name,
last_name = @v_last_name,
ssn = @v_ssn,
title = @v_title,
phone = @v_phone,
address1 = @v_address1,
address2 = @v_address2,
manager = @v_manager,
start_date = @v_Start_date,
salary = @v_salary,
ccn = @v_ccn,
ccn_limit = @v_ccn_limit,
disciplined_date = @v_disciplined_date,
disciplined_notes = @v_disciplined_notes,
personal_description = @v_personal_description
WHERE
userid = @v_userid;
go
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'EMPLOYEE_LOGIN'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'FUNCTION'
)
BEGIN
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP
END
GO
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN (
@v_id INT,
@v_password VARCHAR(100)
) RETURNS INTEGER
AS
BEGIN
DECLARE @sql nvarchar(4000), @count int
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
return @count
END
GO
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP (
@v_id INT,
@v_password VARCHAR(100)
) RETURNS INTEGER
AS
BEGIN
DECLARE @sql nvarchar(4000), @count int
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
return @count
END
GO
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'RegexMatch'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'FUNCTION'
)
BEGIN
DROP FUNCTION webgoat_guest.RegexMatch
END
GO
IF EXISTS (SELECT name FROM sys.assemblies WHERE name = N'RegexMatch')
DROP ASSEMBLY RegexMatch;
GO
CREATE ASSEMBLY RegexMatch FROM 'c:\AspectClassCD\WebGoat\RegexMatch.dll' WITH PERMISSION_SET = SAFE;
GO
CREATE FUNCTION webgoat_guest.RegexMatch (
@input NVARCHAR(MAX),
@pattern NVARCHAR(MAX)
) RETURNS BIT
AS EXTERNAL NAME RegexMatch.[UserDefinedFunctions].RegexMatch;
GO
EXEC sp_configure 'clr enabled', 1
GO
RECONFIGURE
GO
USE master;
go
DROP LOGIN webgoat_guest;
go
DROP database webgoat;
go
CREATE database webgoat;
go
USE webgoat;
go
CREATE SCHEMA webgoat_guest;
go
CREATE LOGIN webgoat_guest with password = '_webgoat';
go
CREATE USER webgoat_guest with default_schema = webgoat_guest;
go
GRANT CONTROL TO webgoat_guest;
go
CREATE TABLE WEBGOAT_guest.EMPLOYEE (
userid INT NOT NULL PRIMARY KEY,
first_name VARCHAR(20),
last_name VARCHAR(20),
ssn VARCHAR(12),
password VARCHAR(10),
title VARCHAR(20),
phone VARCHAR(13),
address1 VARCHAR(80),
address2 VARCHAR(80),
manager INT,
start_date CHAR(8),
salary INT,
ccn VARCHAR(30),
ccn_limit INT,
disciplined_date CHAR(8),
disciplined_notes VARCHAR(60),
personal_description VARCHAR(60)
);
go
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'UPDATE_EMPLOYEE'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'PROCEDURE'
)
BEGIN
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
END
GO
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
@v_userid INT,
@v_first_name VARCHAR(20),
@v_last_name VARCHAR(20),
@v_ssn VARCHAR(12),
@v_title VARCHAR(20),
@v_phone VARCHAR(13),
@v_address1 VARCHAR(80),
@v_address2 VARCHAR(80),
@v_manager INT,
@v_start_date CHAR(8),
@v_salary INT,
@v_ccn VARCHAR(30),
@v_ccn_limit INT,
@v_disciplined_date CHAR(8),
@v_disciplined_notes VARCHAR(60),
@v_personal_description VARCHAR(60)
AS
UPDATE EMPLOYEE
SET
first_name = @v_first_name,
last_name = @v_last_name,
ssn = @v_ssn,
title = @v_title,
phone = @v_phone,
address1 = @v_address1,
address2 = @v_address2,
manager = @v_manager,
start_date = @v_Start_date,
salary = @v_salary,
ccn = @v_ccn,
ccn_limit = @v_ccn_limit,
disciplined_date = @v_disciplined_date,
disciplined_notes = @v_disciplined_notes,
personal_description = @v_personal_description
WHERE
userid = @v_userid;
go
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
@v_userid INT,
@v_first_name VARCHAR(20),
@v_last_name VARCHAR(20),
@v_ssn VARCHAR(12),
@v_title VARCHAR(20),
@v_phone VARCHAR(13),
@v_address1 VARCHAR(80),
@v_address2 VARCHAR(80),
@v_manager INT,
@v_start_date CHAR(8),
@v_salary INT,
@v_ccn VARCHAR(30),
@v_ccn_limit INT,
@v_disciplined_date CHAR(8),
@v_disciplined_notes VARCHAR(60),
@v_personal_description VARCHAR(60)
AS
UPDATE EMPLOYEE
SET
first_name = @v_first_name,
last_name = @v_last_name,
ssn = @v_ssn,
title = @v_title,
phone = @v_phone,
address1 = @v_address1,
address2 = @v_address2,
manager = @v_manager,
start_date = @v_Start_date,
salary = @v_salary,
ccn = @v_ccn,
ccn_limit = @v_ccn_limit,
disciplined_date = @v_disciplined_date,
disciplined_notes = @v_disciplined_notes,
personal_description = @v_personal_description
WHERE
userid = @v_userid;
go
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'EMPLOYEE_LOGIN'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'FUNCTION'
)
BEGIN
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP
END
GO
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN (
@v_id INT,
@v_password VARCHAR(100)
) RETURNS INTEGER
AS
BEGIN
DECLARE @sql nvarchar(4000), @count int
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
return @count
END
GO
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP (
@v_id INT,
@v_password VARCHAR(100)
) RETURNS INTEGER
AS
BEGIN
DECLARE @sql nvarchar(4000), @count int
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
return @count
END
GO
IF EXISTS
(
SELECT 1
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_NAME = 'RegexMatch'
AND ROUTINE_SCHEMA = 'webgoat_guest'
AND ROUTINE_TYPE = 'FUNCTION'
)
BEGIN
DROP FUNCTION webgoat_guest.RegexMatch
END
GO
IF EXISTS (SELECT name FROM sys.assemblies WHERE name = N'RegexMatch')
DROP ASSEMBLY RegexMatch;
GO
CREATE ASSEMBLY RegexMatch FROM 'c:\AspectClassCD\WebGoat\RegexMatch.dll' WITH PERMISSION_SET = SAFE;
GO
CREATE FUNCTION webgoat_guest.RegexMatch (
@input NVARCHAR(MAX),
@pattern NVARCHAR(MAX)
) RETURNS BIT
AS EXTERNAL NAME RegexMatch.[UserDefinedFunctions].RegexMatch;
GO

55
webgoat/main/project/WebContent/lessons/Ajax/employees.xml
View File

@ -17,6 +17,8 @@
<DisciplinaryDate>10106</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
@ -35,8 +37,8 @@
<DisciplinaryExplanation>Hit Curly over head</DisciplinaryExplanation>
<DisciplinaryDate>101013</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>103</UserID>
@ -54,8 +56,10 @@
<DisciplinaryExplanation>Hit Moe back</DisciplinaryExplanation>
<DisciplinaryDate>101014</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>104</UserID>
@ -73,7 +77,10 @@
<DisciplinaryExplanation>Bothering Larry about webgoat problems</DisciplinaryExplanation>
<DisciplinaryDate>101013</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
<Manager>107</Manager>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
@ -92,7 +99,10 @@
<DisciplinaryExplanation>NA</DisciplinaryExplanation>
<DisciplinaryDate>0</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
<Manager>106</Manager>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
@ -111,8 +121,10 @@
<DisciplinaryExplanation>NA</DisciplinaryExplanation>
<DisciplinaryDate>0</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>107</UserID>
@ -130,7 +142,9 @@
<DisciplinaryExplanation>Hacked into accounting server. Modified personal pay.</DisciplinaryExplanation>
<DisciplinaryDate>61402</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
@ -149,8 +163,11 @@
<DisciplinaryExplanation>Tortuous Boot Camp workout at 5am. Employees felt sick.</DisciplinaryExplanation>
<DisciplinaryDate>61502</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
<Manager>107</Manager>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>109</UserID>
@ -168,8 +185,11 @@
<DisciplinaryExplanation>Late to work 30 days in row due to excessive Halo 2</DisciplinaryExplanation>
<DisciplinaryDate>72804</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
<Manager>107</Manager>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>110</UserID>
@ -187,7 +207,10 @@
<DisciplinaryExplanation>Used company cc to purchase new car. Limit adjusted.</DisciplinaryExplanation>
<DisciplinaryDate>112005</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
<Manager>106</Manager>
<Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
@ -206,8 +229,8 @@
<DisciplinaryExplanation></DisciplinaryExplanation>
<DisciplinaryDate>112005</DisciplinaryDate>
<Managers>
<Manager>102</Manager>
</Managers>
<Manager>112</Manager>
</Managers>
</Employee>
<Employee>
<UserID>112</UserID>