making ajax improvements

Also convert SQL server file from Unix to DOS line endings


git-svn-id: http://webgoat.googlecode.com/svn/trunk@246 4033779f-a91e-0410-96ef-6bf7bf53c507
rogan.dawes 2008-01-10 10:44:09 +00:00
parent a8c87e0704
commit a84d0e951d
3 changed files with 392 additions and 370 deletions


@ -11,14 +11,18 @@ import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.A; import org.apache.ecs.html.A;
import org.apache.ecs.html.BR; import org.apache.ecs.html.BR;
import org.apache.ecs.html.Div;
import org.apache.ecs.html.IMG; import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input; import org.apache.ecs.html.Input;
import org.apache.ecs.html.P; import org.apache.ecs.html.P;
import org.apache.ecs.html.Script; import org.apache.ecs.html.Script;
import org.apache.ecs.html.Select; import org.apache.ecs.html.Select;
import org.apache.ecs.html.Style;
import org.apache.ecs.html.TD; import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR; import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.apache.ecs.jsp.jsp_include;
import org.apache.ecs.xhtml.style;
import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.SequentialLessonAdapter; import org.owasp.webgoat.lessons.SequentialLessonAdapter;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
@ -28,7 +32,10 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
private final static String ANSWER = "answer"; private final static String ANSWER = "answer";
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); public final static A ASPECT_LOGO = new A().setHref(
"http://www.aspectsecurity.com").addElement(
new IMG("images/logos/aspect.jpg").setAlt("Aspect Security")
.setBorder(0).setHspace(0).setVspace(0));
protected Element createContent(WebSession s) { protected Element createContent(WebSession s) {
return super.createStagedContent(s); return super.createStagedContent(s);
@ -42,20 +49,45 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
ec.addElement(new Script() ec.addElement(new Script()
.setSrc("javascript/clientSideFiltering.js")); .setSrc("javascript/clientSideFiltering.js"));
Input input = new Input(Input.HIDDEN, "userID", 102); Input input = new Input(Input.HIDDEN, "userID", 102);
input.setID("userID"); input.setID("userID");
ec.addElement(input); ec.addElement(input);
style sty = new style();
sty
.addElement("#lesson_wrapper {height: 435px;width: 500px;}"
+ "#lesson_header {background-image: url(lessons/Ajax/images/lesson1_header.jpg);"
+ "width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}"
+ ".lesson_workspace {background-image: url(lessons/Ajax/images/lesson1_workspace.jpg);"
+ "width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}");
ec.addElement(sty);
ec.addElement(new P().addElement("Select user:")); Div wrapperDiv = new Div();
wrapperDiv.setID("lesson_wrapper");
ec.addElement(createDropDown()); Div headerDiv = new Div();
headerDiv.setID("lesson_header");
ec.addElement(new P()); Div workspaceDiv = new Div();
workspaceDiv.setClass("lesson_workspace");
wrapperDiv.addElement(headerDiv);
wrapperDiv.addElement(workspaceDiv);
ec.addElement(wrapperDiv);
workspaceDiv.addElement(new BR());
workspaceDiv.addElement(new BR());
workspaceDiv.addElement(new P()
.addElement("     Select user:"));
workspaceDiv.addElement(createDropDown());
workspaceDiv.addElement(new P());
Table t = new Table().setCellSpacing(0).setCellPadding(2) Table t = new Table().setCellSpacing(0).setCellPadding(2)
.setBorder(1).setWidth("90%").setAlign("center"); .setBorder(1).setWidth("90%").setAlign("center");
@ -63,7 +95,7 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
t.setID("hiddenEmployeeRecords"); t.setID("hiddenEmployeeRecords");
t.setStyle("display: none"); t.setStyle("display: none");
ec.addElement(t); workspaceDiv.addElement(t);
t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1) t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1)
.setWidth("90%").setAlign("center"); .setWidth("90%").setAlign("center");
@ -79,7 +111,7 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
tr.setID("employeeRecord"); tr.setID("employeeRecord");
t.addElement(tr); t.addElement(tr);
ec.addElement(t); workspaceDiv.addElement(t);
} catch (Exception e) { } catch (Exception e) {
s.setMessage("Error generating " + this.getClass().getName()); s.setMessage("Error generating " + this.getClass().getName());
@ -112,7 +144,6 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
if (answer == 450000) { if (answer == 450000) {
getLessonTracker(s).setStage(2); getLessonTracker(s).setStage(2);
s.setMessage("Stage 1 completed."); s.setMessage("Stage 1 completed.");
@ -126,11 +157,9 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
} }
protected Element doStage2(WebSession s){ protected Element doStage2(WebSession s) {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
/** /**
* They pass iff: * They pass iff:
* *
@ -139,12 +168,10 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
String file = s.getWebResource("lessons/Ajax/clientSideFiltering.jsp"); String file = s.getWebResource("lessons/Ajax/clientSideFiltering.jsp");
String content = getFileContent(file); String content = getFileContent(file);
if(content.indexOf("[Managers/Manager/text()") != -1) if (content.indexOf("[Managers/Manager/text()") != -1) {
{
makeSuccess(s); makeSuccess(s);
ec.addElement(stage2Content(s)); ec.addElement(stage2Content(s));
} } else {
else{
ec.addElement(stage2Content(s)); ec.addElement(stage2Content(s));
} }
@ -157,9 +184,6 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
ec.addElement(createMainContent(s)); ec.addElement(createMainContent(s));
ec.addElement(new BR());
ec.addElement(new BR());
Table t1 = new Table().setCellSpacing(0).setCellPadding(2); Table t1 = new Table().setCellSpacing(0).setCellPadding(2);
if (s.isColor()) { if (s.isColor()) {
@ -184,7 +208,6 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
return ec; return ec;
} }
protected ElementContainer stage2Content(WebSession s) { protected ElementContainer stage2Content(WebSession s) {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
try { try {
@ -204,7 +227,8 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
/*tr.addElement(new TD() /*tr.addElement(new TD()
.addElement("Press 'Submit' when you believe you have completed the lesson.")); .addElement("Press 'Submit' when you believe you have completed the lesson."));
*/ */
Element b = ECSFactory.makeButton("Click here when you believe you have completed the lesson."); Element b = ECSFactory
.makeButton("Click here when you believe you have completed the lesson.");
tr.addElement(new TD(b).setAlign("CENTER")); tr.addElement(new TD(b).setAlign("CENTER"));
t1.addElement(tr); t1.addElement(tr);
@ -218,8 +242,7 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
return ec; return ec;
} }
protected Select createDropDown() {
protected Select createDropDown(){
Select select = new Select("UserSelect"); Select select = new Select("UserSelect");
select.setID("UserSelect"); select.setID("UserSelect");
@ -234,11 +257,6 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
select.addElement(option); select.addElement(option);
option = new org.apache.ecs.html.Option("Moe Stooge", "102",
"Moe Stooge");
select.addElement(option);
option = new org.apache.ecs.html.Option("Curly Stooge", "103", option = new org.apache.ecs.html.Option("Curly Stooge", "103",
"Curly Stooge"); "Curly Stooge");
@ -278,11 +296,6 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
select.addElement(option); select.addElement(option);
option = new org.apache.ecs.html.Option("John Wayne", "111",
"John Wayne");
select.addElement(option);
select.setOnChange("selectUser()"); select.setOnChange("selectUser()");
select.setOnFocus("fetchUserData()"); select.setOnFocus("fetchUserData()");
@ -300,55 +313,53 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
* *
* @return The hints value * @return The hints value
*/ */
public List<String> getHints(WebSession s) public List<String> getHints(WebSession s) {
{
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints
.add("The information displayed when an employee is choosen from the drop down menu is stored on the client side.");
hints
.add("Use Firebug to find where the information is stored on the client side.");
hints
.add("Examine the hidden table to see if there is anyone listed who is not in the drop down menu.");
hints.add("The information displayed when an employee is choosen from the drop down menu is stored on the client side.");
hints.add("Use Firebug to find where the information is stored on the client side.");
hints.add("Examine the hidden table to see if there is anyone listed who is not in the drop down menu.");
hints.add("Look in the last row of the hidden table."); hints.add("Look in the last row of the hidden table.");
hints
hints.add("You can access the server directly <a href = \"/WebGoat/lessons/Ajax/clientSideFiltering.jsp?userId=102\">here </a>" + .add("You can access the server directly <a href = \"/WebGoat/lessons/Ajax/clientSideFiltering.jsp?userId=102\">here </a>"
"to see what results are being returned"); + "to see what results are being returned");
hints.add("The server uses an XPath query agasinst an XML database."); hints.add("The server uses an XPath query agasinst an XML database.");
hints.add("The query currently returns all of the contents of the database."); hints
.add("The query currently returns all of the contents of the database.");
hints.add("The query should only return the information of employees who are managed by Moe Stooge, who's userID is 102");
hints
.add("The query should only return the information of employees who are managed by Moe Stooge, who's userID is 102");
hints.add("Try using a filter operator."); hints.add("Try using a filter operator.");
hints.add("your filter operator shoiuld look something like: [Managers/Manager/text()="); hints
.add("your filter operator shoiuld look something like: [Managers/Manager/text()=");
return hints; return hints;
} }
public String getInstructions(WebSession s) { public String getInstructions(WebSession s) {
String instructions = ""; String instructions = "";
if (getLessonTracker(s).getStage() == 1) { if (getLessonTracker(s).getStage() == 1) {
instructions = "STAGE 1:\tYou are Moe Stooge, CSO of Goat Hills Bank. " instructions = "STAGE 1:\tYou are Moe Stooge, CSO of Goat Hills Financial. "
+ "You have access to everyone in the company's information, except the CEO, " + "You have access to everyone in the company's information, except the CEO, "
+ "Neville Bartholomew. Or at least you shouldn't have access to the CEO's information." + "Neville Bartholomew. Or at least you shouldn't have access to the CEO's information."
+ " For this exercise, " + " For this exercise, "
+ "examine the contents of the page to see what extra information you can find."; + "examine the contents of the page to see what extra information you can find.";
} else if (getLessonTracker(s).getStage() == 2) { } else if (getLessonTracker(s).getStage() == 2) {
instructions = "STAGE 2:\tNow, fix the problem. Modify the server to only return " + instructions = "STAGE 2:\tNow, fix the problem. Modify the server to only return "
"results that Moe Stooge is allowed to see."; + "results that Moe Stooge is allowed to see.";
} }
return (instructions); return (instructions);
} }
@ -385,35 +396,24 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
return ("LAB: Client Side Filtering"); return ("LAB: Client Side Filtering");
} }
private String getFileContent(String content) private String getFileContent(String content) {
{
BufferedReader is = null; BufferedReader is = null;
StringBuffer sb = new StringBuffer(); StringBuffer sb = new StringBuffer();
try try {
{
is = new BufferedReader(new FileReader(new File(content))); is = new BufferedReader(new FileReader(new File(content)));
String s = null; String s = null;
while((s = is.readLine()) != null) while ((s = is.readLine()) != null) {
{
sb.append(s); sb.append(s);
} }
} } catch (Exception e) {
catch (Exception e)
{
e.printStackTrace(); e.printStackTrace();
} } finally {
finally if (is != null) {
{ try {
if(is != null)
{
try
{
is.close(); is.close();
} } catch (IOException ioe) {
catch (IOException ioe)
{
} }
} }
@ -422,8 +422,7 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
return sb.toString(); return sb.toString();
} }
public Element getCredits() public Element getCredits() {
{
return super.getCustomCredits("", ASPECT_LOGO); return super.getCustomCredits("", ASPECT_LOGO);
} }
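Review bot: The stage-2 completion check in doStage2 (the `if (content.indexOf("[Managers/Manager/text()") != -1) {` line of the `@ -139,12 +168,10` hunk) is a plain substring match on the JSP source, so the lesson is marked solved whenever that token appears anywhere in the file — inside a comment, or in a predicate that compares against the wrong value — without the query result actually being restricted to Moe Stooge's reports. Tightening it to the full expected predicate (the `=` and the manager id the hints describe) or checking the JSP's actual output is a larger change than this reformat, so I would at least record the limitation next to the check: `// NOTE: substring check on the JSP source only; does not verify the XPath really filters by manager`. Separately, both branches of the `if`/`else` add `stage2Content(s)`, so the body reduces to `if (content.indexOf("[Managers/Manager/text()") != -1) { makeSuccess(s); } ec.addElement(stage2Content(s));`. doStage2 begins in the preceding hunk and its end lies outside this one, so the surrounding try/catch, if any, is not visible here.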


@ -17,6 +17,8 @@
<DisciplinaryDate>10106</DisciplinaryDate> <DisciplinaryDate>10106</DisciplinaryDate>
<Managers> <Managers>
<Manager>102</Manager> <Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers> </Managers>
</Employee> </Employee>
<Employee> <Employee>
@ -35,7 +37,7 @@
<DisciplinaryExplanation>Hit Curly over head</DisciplinaryExplanation> <DisciplinaryExplanation>Hit Curly over head</DisciplinaryExplanation>
<DisciplinaryDate>101013</DisciplinaryDate> <DisciplinaryDate>101013</DisciplinaryDate>
<Managers> <Managers>
<Manager>102</Manager> <Manager>112</Manager>
</Managers> </Managers>
</Employee> </Employee>
<Employee> <Employee>
@ -55,6 +57,8 @@
<DisciplinaryDate>101014</DisciplinaryDate> <DisciplinaryDate>101014</DisciplinaryDate>
<Managers> <Managers>
<Manager>102</Manager> <Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers> </Managers>
</Employee> </Employee>
<Employee> <Employee>
@ -73,7 +77,10 @@
<DisciplinaryExplanation>Bothering Larry about webgoat problems</DisciplinaryExplanation> <DisciplinaryExplanation>Bothering Larry about webgoat problems</DisciplinaryExplanation>
<DisciplinaryDate>101013</DisciplinaryDate> <DisciplinaryDate>101013</DisciplinaryDate>
<Managers> <Managers>
<Manager>107</Manager>
<Manager>102</Manager> <Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers> </Managers>
</Employee> </Employee>
<Employee> <Employee>
@ -92,7 +99,10 @@
<DisciplinaryExplanation>NA</DisciplinaryExplanation> <DisciplinaryExplanation>NA</DisciplinaryExplanation>
<DisciplinaryDate>0</DisciplinaryDate> <DisciplinaryDate>0</DisciplinaryDate>
<Managers> <Managers>
<Manager>106</Manager>
<Manager>102</Manager> <Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers> </Managers>
</Employee> </Employee>
<Employee> <Employee>
@ -112,6 +122,8 @@
<DisciplinaryDate>0</DisciplinaryDate> <DisciplinaryDate>0</DisciplinaryDate>
<Managers> <Managers>
<Manager>102</Manager> <Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers> </Managers>
</Employee> </Employee>
<Employee> <Employee>
@ -131,6 +143,8 @@
<DisciplinaryDate>61402</DisciplinaryDate> <DisciplinaryDate>61402</DisciplinaryDate>
<Managers> <Managers>
<Manager>102</Manager> <Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers> </Managers>
</Employee> </Employee>
<Employee> <Employee>
@ -149,7 +163,10 @@
<DisciplinaryExplanation>Tortuous Boot Camp workout at 5am. Employees felt sick.</DisciplinaryExplanation> <DisciplinaryExplanation>Tortuous Boot Camp workout at 5am. Employees felt sick.</DisciplinaryExplanation>
<DisciplinaryDate>61502</DisciplinaryDate> <DisciplinaryDate>61502</DisciplinaryDate>
<Managers> <Managers>
<Manager>107</Manager>
<Manager>102</Manager> <Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers> </Managers>
</Employee> </Employee>
<Employee> <Employee>
@ -168,7 +185,10 @@
<DisciplinaryExplanation>Late to work 30 days in row due to excessive Halo 2</DisciplinaryExplanation> <DisciplinaryExplanation>Late to work 30 days in row due to excessive Halo 2</DisciplinaryExplanation>
<DisciplinaryDate>72804</DisciplinaryDate> <DisciplinaryDate>72804</DisciplinaryDate>
<Managers> <Managers>
<Manager>107</Manager>
<Manager>102</Manager> <Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers> </Managers>
</Employee> </Employee>
<Employee> <Employee>
@ -187,7 +207,10 @@
<DisciplinaryExplanation>Used company cc to purchase new car. Limit adjusted.</DisciplinaryExplanation> <DisciplinaryExplanation>Used company cc to purchase new car. Limit adjusted.</DisciplinaryExplanation>
<DisciplinaryDate>112005</DisciplinaryDate> <DisciplinaryDate>112005</DisciplinaryDate>
<Managers> <Managers>
<Manager>106</Manager>
<Manager>102</Manager> <Manager>102</Manager>
<Manager>111</Manager>
<Manager>112</Manager>
</Managers> </Managers>
</Employee> </Employee>
<Employee> <Employee>
@ -206,7 +229,7 @@
<DisciplinaryExplanation></DisciplinaryExplanation> <DisciplinaryExplanation></DisciplinaryExplanation>
<DisciplinaryDate>112005</DisciplinaryDate> <DisciplinaryDate>112005</DisciplinaryDate>
<Managers> <Managers>
<Manager>102</Manager> <Manager>112</Manager>
</Managers> </Managers>
</Employee> </Employee>
<Employee> <Employee>