making ajax impovements
Also convert SQL server file from Unix to DOS line endings git-svn-id: http://webgoat.googlecode.com/svn/trunk@246 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
parent
a8c87e0704
commit
a84d0e951d
@ -11,14 +11,18 @@ import org.apache.ecs.Element;
|
|||||||
import org.apache.ecs.ElementContainer;
|
import org.apache.ecs.ElementContainer;
|
||||||
import org.apache.ecs.html.A;
|
import org.apache.ecs.html.A;
|
||||||
import org.apache.ecs.html.BR;
|
import org.apache.ecs.html.BR;
|
||||||
|
import org.apache.ecs.html.Div;
|
||||||
import org.apache.ecs.html.IMG;
|
import org.apache.ecs.html.IMG;
|
||||||
import org.apache.ecs.html.Input;
|
import org.apache.ecs.html.Input;
|
||||||
import org.apache.ecs.html.P;
|
import org.apache.ecs.html.P;
|
||||||
import org.apache.ecs.html.Script;
|
import org.apache.ecs.html.Script;
|
||||||
import org.apache.ecs.html.Select;
|
import org.apache.ecs.html.Select;
|
||||||
|
import org.apache.ecs.html.Style;
|
||||||
import org.apache.ecs.html.TD;
|
import org.apache.ecs.html.TD;
|
||||||
import org.apache.ecs.html.TR;
|
import org.apache.ecs.html.TR;
|
||||||
import org.apache.ecs.html.Table;
|
import org.apache.ecs.html.Table;
|
||||||
|
import org.apache.ecs.jsp.jsp_include;
|
||||||
|
import org.apache.ecs.xhtml.style;
|
||||||
import org.owasp.webgoat.lessons.Category;
|
import org.owasp.webgoat.lessons.Category;
|
||||||
import org.owasp.webgoat.lessons.SequentialLessonAdapter;
|
import org.owasp.webgoat.lessons.SequentialLessonAdapter;
|
||||||
import org.owasp.webgoat.session.ECSFactory;
|
import org.owasp.webgoat.session.ECSFactory;
|
||||||
@ -27,9 +31,12 @@ import org.owasp.webgoat.session.WebSession;
|
|||||||
public class ClientSideFiltering extends SequentialLessonAdapter {
|
public class ClientSideFiltering extends SequentialLessonAdapter {
|
||||||
|
|
||||||
private final static String ANSWER = "answer";
|
private final static String ANSWER = "answer";
|
||||||
|
|
||||||
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
|
public final static A ASPECT_LOGO = new A().setHref(
|
||||||
|
"http://www.aspectsecurity.com").addElement(
|
||||||
|
new IMG("images/logos/aspect.jpg").setAlt("Aspect Security")
|
||||||
|
.setBorder(0).setHspace(0).setVspace(0));
|
||||||
|
|
||||||
protected Element createContent(WebSession s) {
|
protected Element createContent(WebSession s) {
|
||||||
return super.createStagedContent(s);
|
return super.createStagedContent(s);
|
||||||
}
|
}
|
||||||
@ -40,22 +47,47 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
|
|||||||
try {
|
try {
|
||||||
|
|
||||||
ec.addElement(new Script()
|
ec.addElement(new Script()
|
||||||
.setSrc("javascript/clientSideFiltering.js"));
|
.setSrc("javascript/clientSideFiltering.js"));
|
||||||
|
|
||||||
|
|
||||||
Input input = new Input(Input.HIDDEN, "userID", 102);
|
Input input = new Input(Input.HIDDEN, "userID", 102);
|
||||||
|
|
||||||
input.setID("userID");
|
input.setID("userID");
|
||||||
|
|
||||||
ec.addElement(input);
|
ec.addElement(input);
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
ec.addElement(new P().addElement("Select user:"));
|
|
||||||
|
|
||||||
ec.addElement(createDropDown());
|
style sty = new style();
|
||||||
|
sty
|
||||||
|
.addElement("#lesson_wrapper {height: 435px;width: 500px;}"
|
||||||
|
+ "#lesson_header {background-image: url(lessons/Ajax/images/lesson1_header.jpg);"
|
||||||
|
+ "width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}"
|
||||||
|
+ ".lesson_workspace {background-image: url(lessons/Ajax/images/lesson1_workspace.jpg);"
|
||||||
|
+ "width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}");
|
||||||
|
|
||||||
ec.addElement(new P());
|
ec.addElement(sty);
|
||||||
|
|
||||||
|
Div wrapperDiv = new Div();
|
||||||
|
wrapperDiv.setID("lesson_wrapper");
|
||||||
|
|
||||||
|
Div headerDiv = new Div();
|
||||||
|
headerDiv.setID("lesson_header");
|
||||||
|
|
||||||
|
Div workspaceDiv = new Div();
|
||||||
|
workspaceDiv.setClass("lesson_workspace");
|
||||||
|
|
||||||
|
wrapperDiv.addElement(headerDiv);
|
||||||
|
wrapperDiv.addElement(workspaceDiv);
|
||||||
|
|
||||||
|
ec.addElement(wrapperDiv);
|
||||||
|
|
||||||
|
workspaceDiv.addElement(new BR());
|
||||||
|
workspaceDiv.addElement(new BR());
|
||||||
|
|
||||||
|
workspaceDiv.addElement(new P()
|
||||||
|
.addElement(" Select user:"));
|
||||||
|
|
||||||
|
workspaceDiv.addElement(createDropDown());
|
||||||
|
|
||||||
|
workspaceDiv.addElement(new P());
|
||||||
|
|
||||||
Table t = new Table().setCellSpacing(0).setCellPadding(2)
|
Table t = new Table().setCellSpacing(0).setCellPadding(2)
|
||||||
.setBorder(1).setWidth("90%").setAlign("center");
|
.setBorder(1).setWidth("90%").setAlign("center");
|
||||||
@ -63,7 +95,7 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
|
|||||||
t.setID("hiddenEmployeeRecords");
|
t.setID("hiddenEmployeeRecords");
|
||||||
t.setStyle("display: none");
|
t.setStyle("display: none");
|
||||||
|
|
||||||
ec.addElement(t);
|
workspaceDiv.addElement(t);
|
||||||
|
|
||||||
t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1)
|
t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1)
|
||||||
.setWidth("90%").setAlign("center");
|
.setWidth("90%").setAlign("center");
|
||||||
@ -79,8 +111,8 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
|
|||||||
tr.setID("employeeRecord");
|
tr.setID("employeeRecord");
|
||||||
t.addElement(tr);
|
t.addElement(tr);
|
||||||
|
|
||||||
ec.addElement(t);
|
workspaceDiv.addElement(t);
|
||||||
|
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
s.setMessage("Error generating " + this.getClass().getName());
|
s.setMessage("Error generating " + this.getClass().getName());
|
||||||
e.printStackTrace();
|
e.printStackTrace();
|
||||||
@ -111,7 +143,6 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (answer == 450000) {
|
if (answer == 450000) {
|
||||||
|
|
||||||
|
|
||||||
getLessonTracker(s).setStage(2);
|
getLessonTracker(s).setStage(2);
|
||||||
s.setMessage("Stage 1 completed.");
|
s.setMessage("Stage 1 completed.");
|
||||||
@ -125,12 +156,10 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
|
|||||||
return ec;
|
return ec;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
protected Element doStage2(WebSession s){
|
protected Element doStage2(WebSession s) {
|
||||||
ElementContainer ec = new ElementContainer();
|
ElementContainer ec = new ElementContainer();
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* They pass iff:
|
* They pass iff:
|
||||||
*
|
*
|
||||||
@ -138,16 +167,14 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
|
|||||||
*/
|
*/
|
||||||
String file = s.getWebResource("lessons/Ajax/clientSideFiltering.jsp");
|
String file = s.getWebResource("lessons/Ajax/clientSideFiltering.jsp");
|
||||||
String content = getFileContent(file);
|
String content = getFileContent(file);
|
||||||
|
|
||||||
if(content.indexOf("[Managers/Manager/text()") != -1)
|
if (content.indexOf("[Managers/Manager/text()") != -1) {
|
||||||
{
|
|
||||||
makeSuccess(s);
|
makeSuccess(s);
|
||||||
ec.addElement(stage2Content(s));
|
ec.addElement(stage2Content(s));
|
||||||
}
|
} else {
|
||||||
else{
|
|
||||||
ec.addElement(stage2Content(s));
|
ec.addElement(stage2Content(s));
|
||||||
}
|
}
|
||||||
|
|
||||||
return ec;
|
return ec;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -157,9 +184,6 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
|
|||||||
|
|
||||||
ec.addElement(createMainContent(s));
|
ec.addElement(createMainContent(s));
|
||||||
|
|
||||||
ec.addElement(new BR());
|
|
||||||
ec.addElement(new BR());
|
|
||||||
|
|
||||||
Table t1 = new Table().setCellSpacing(0).setCellPadding(2);
|
Table t1 = new Table().setCellSpacing(0).setCellPadding(2);
|
||||||
|
|
||||||
if (s.isColor()) {
|
if (s.isColor()) {
|
||||||
@ -183,8 +207,7 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
|
|||||||
|
|
||||||
return ec;
|
return ec;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
protected ElementContainer stage2Content(WebSession s) {
|
protected ElementContainer stage2Content(WebSession s) {
|
||||||
ElementContainer ec = new ElementContainer();
|
ElementContainer ec = new ElementContainer();
|
||||||
try {
|
try {
|
||||||
@ -202,9 +225,10 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
|
|||||||
|
|
||||||
TR tr = new TR();
|
TR tr = new TR();
|
||||||
/*tr.addElement(new TD()
|
/*tr.addElement(new TD()
|
||||||
.addElement("Press 'Submit' when you believe you have completed the lesson."));
|
.addElement("Press 'Submit' when you believe you have completed the lesson."));
|
||||||
*/
|
*/
|
||||||
Element b = ECSFactory.makeButton("Click here when you believe you have completed the lesson.");
|
Element b = ECSFactory
|
||||||
|
.makeButton("Click here when you believe you have completed the lesson.");
|
||||||
tr.addElement(new TD(b).setAlign("CENTER"));
|
tr.addElement(new TD(b).setAlign("CENTER"));
|
||||||
t1.addElement(tr);
|
t1.addElement(tr);
|
||||||
|
|
||||||
@ -217,9 +241,8 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
|
|||||||
|
|
||||||
return ec;
|
return ec;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected Select createDropDown() {
|
||||||
protected Select createDropDown(){
|
|
||||||
Select select = new Select("UserSelect");
|
Select select = new Select("UserSelect");
|
||||||
|
|
||||||
select.setID("UserSelect");
|
select.setID("UserSelect");
|
||||||
@ -234,11 +257,6 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
|
|||||||
|
|
||||||
select.addElement(option);
|
select.addElement(option);
|
||||||
|
|
||||||
option = new org.apache.ecs.html.Option("Moe Stooge", "102",
|
|
||||||
"Moe Stooge");
|
|
||||||
|
|
||||||
select.addElement(option);
|
|
||||||
|
|
||||||
option = new org.apache.ecs.html.Option("Curly Stooge", "103",
|
option = new org.apache.ecs.html.Option("Curly Stooge", "103",
|
||||||
"Curly Stooge");
|
"Curly Stooge");
|
||||||
|
|
||||||
@ -278,17 +296,12 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
|
|||||||
|
|
||||||
select.addElement(option);
|
select.addElement(option);
|
||||||
|
|
||||||
option = new org.apache.ecs.html.Option("John Wayne", "111",
|
|
||||||
"John Wayne");
|
|
||||||
|
|
||||||
select.addElement(option);
|
|
||||||
|
|
||||||
select.setOnChange("selectUser()");
|
select.setOnChange("selectUser()");
|
||||||
|
|
||||||
select.setOnFocus("fetchUserData()");
|
select.setOnFocus("fetchUserData()");
|
||||||
|
|
||||||
return select;
|
return select;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
protected Category getDefaultCategory() {
|
protected Category getDefaultCategory() {
|
||||||
@ -300,55 +313,53 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
|
|||||||
*
|
*
|
||||||
* @return The hints value
|
* @return The hints value
|
||||||
*/
|
*/
|
||||||
public List<String> getHints(WebSession s)
|
public List<String> getHints(WebSession s) {
|
||||||
{
|
List<String> hints = new ArrayList<String>();
|
||||||
List<String> hints = new ArrayList<String>();
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
hints.add("The information displayed when an employee is choosen from the drop down menu is stored on the client side.");
|
|
||||||
|
|
||||||
hints.add("Use Firebug to find where the information is stored on the client side.");
|
|
||||||
|
|
||||||
hints.add("Examine the hidden table to see if there is anyone listed who is not in the drop down menu.");
|
|
||||||
|
|
||||||
hints.add("Look in the last row of the hidden table.");
|
|
||||||
|
|
||||||
|
|
||||||
hints.add("You can access the server directly <a href = \"/WebGoat/lessons/Ajax/clientSideFiltering.jsp?userId=102\">here </a>" +
|
hints
|
||||||
"to see what results are being returned");
|
.add("The information displayed when an employee is choosen from the drop down menu is stored on the client side.");
|
||||||
|
|
||||||
hints.add("The server uses an XPath query agasinst an XML database.");
|
|
||||||
|
|
||||||
hints.add("The query currently returns all of the contents of the database.");
|
hints
|
||||||
|
.add("Use Firebug to find where the information is stored on the client side.");
|
||||||
|
|
||||||
hints.add("The query should only return the information of employees who are managed by Moe Stooge, who's userID is 102");
|
hints
|
||||||
|
.add("Examine the hidden table to see if there is anyone listed who is not in the drop down menu.");
|
||||||
|
|
||||||
|
|
||||||
hints.add("Try using a filter operator.");
|
hints.add("Look in the last row of the hidden table.");
|
||||||
|
|
||||||
hints.add("your filter operator shoiuld look something like: [Managers/Manager/text()=");
|
hints
|
||||||
|
.add("You can access the server directly <a href = \"/WebGoat/lessons/Ajax/clientSideFiltering.jsp?userId=102\">here </a>"
|
||||||
|
+ "to see what results are being returned");
|
||||||
return hints;
|
|
||||||
|
hints.add("The server uses an XPath query agasinst an XML database.");
|
||||||
}
|
|
||||||
|
hints
|
||||||
|
.add("The query currently returns all of the contents of the database.");
|
||||||
|
|
||||||
|
hints
|
||||||
|
.add("The query should only return the information of employees who are managed by Moe Stooge, who's userID is 102");
|
||||||
|
|
||||||
|
hints.add("Try using a filter operator.");
|
||||||
|
|
||||||
|
hints
|
||||||
|
.add("your filter operator shoiuld look something like: [Managers/Manager/text()=");
|
||||||
|
|
||||||
|
return hints;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
public String getInstructions(WebSession s) {
|
public String getInstructions(WebSession s) {
|
||||||
String instructions = "";
|
String instructions = "";
|
||||||
|
|
||||||
if (getLessonTracker(s).getStage() == 1) {
|
if (getLessonTracker(s).getStage() == 1) {
|
||||||
instructions = "STAGE 1:\tYou are Moe Stooge, CSO of Goat Hills Bank. "
|
instructions = "STAGE 1:\tYou are Moe Stooge, CSO of Goat Hills Financial. "
|
||||||
+ "You have access to everyone in the company's information, except the CEO, "
|
+ "You have access to everyone in the company's information, except the CEO, "
|
||||||
+ "Neville Bartholomew. Or at least you shouldn't have access to the CEO's information."
|
+ "Neville Bartholomew. Or at least you shouldn't have access to the CEO's information."
|
||||||
+ " For this exercise, "
|
+ " For this exercise, "
|
||||||
+ "examine the contents of the page to see what extra information you can find.";
|
+ "examine the contents of the page to see what extra information you can find.";
|
||||||
} else if (getLessonTracker(s).getStage() == 2) {
|
} else if (getLessonTracker(s).getStage() == 2) {
|
||||||
instructions = "STAGE 2:\tNow, fix the problem. Modify the server to only return " +
|
instructions = "STAGE 2:\tNow, fix the problem. Modify the server to only return "
|
||||||
"results that Moe Stooge is allowed to see.";
|
+ "results that Moe Stooge is allowed to see.";
|
||||||
}
|
}
|
||||||
return (instructions);
|
return (instructions);
|
||||||
}
|
}
|
||||||
@ -384,47 +395,35 @@ public class ClientSideFiltering extends SequentialLessonAdapter {
|
|||||||
public String getTitle() {
|
public String getTitle() {
|
||||||
return ("LAB: Client Side Filtering");
|
return ("LAB: Client Side Filtering");
|
||||||
}
|
}
|
||||||
|
|
||||||
private String getFileContent(String content)
|
private String getFileContent(String content) {
|
||||||
{
|
BufferedReader is = null;
|
||||||
BufferedReader is = null;
|
StringBuffer sb = new StringBuffer();
|
||||||
StringBuffer sb = new StringBuffer();
|
|
||||||
|
try {
|
||||||
try
|
is = new BufferedReader(new FileReader(new File(content)));
|
||||||
{
|
String s = null;
|
||||||
is = new BufferedReader(new FileReader(new File(content)));
|
|
||||||
String s = null;
|
while ((s = is.readLine()) != null) {
|
||||||
|
sb.append(s);
|
||||||
while((s = is.readLine()) != null)
|
}
|
||||||
{
|
} catch (Exception e) {
|
||||||
sb.append(s);
|
e.printStackTrace();
|
||||||
}
|
} finally {
|
||||||
}
|
if (is != null) {
|
||||||
catch (Exception e)
|
try {
|
||||||
{
|
is.close();
|
||||||
e.printStackTrace();
|
} catch (IOException ioe) {
|
||||||
}
|
|
||||||
finally
|
}
|
||||||
{
|
}
|
||||||
if(is != null)
|
}
|
||||||
{
|
|
||||||
try
|
return sb.toString();
|
||||||
{
|
}
|
||||||
is.close();
|
|
||||||
}
|
public Element getCredits() {
|
||||||
catch (IOException ioe)
|
return super.getCustomCredits("", ASPECT_LOGO);
|
||||||
{
|
}
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return sb.toString();
|
|
||||||
}
|
|
||||||
|
|
||||||
public Element getCredits()
|
|
||||||
{
|
|
||||||
return super.getCustomCredits("", ASPECT_LOGO);
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
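Review bot: In the reformatted `getFileContent` (last hunk, `@ -384,47 +395,35 @@`), `sb.append(s)` joins the JSP's lines with no separator, so the `content.indexOf("[Managers/Manager/text()")` test in `doStage2` can also match when that token is split across two source lines, and the empty `catch (IOException ioe)` in the `finally` block hides a failed close. The outer `catch (Exception e)` prints the trace and then lets an empty string be returned, which `doStage2` cannot tell apart from a JSP that has not been fixed yet; narrowing it to `IOException` and appending a line break per line keeps the check honest without changing the signature or its callers. `FileReader` also decodes with the platform charset, which is presumably harmless for the ASCII token being searched for, but a one-line comment saying so would help the next reader. Rewritten body below; `doStage2` itself is unchanged.
```java
private String getFileContent(String content) {
    BufferedReader is = null;
    StringBuffer sb = new StringBuffer();
    try {
        // platform charset; the token doStage2 looks for is plain ASCII
        is = new BufferedReader(new FileReader(new File(content)));
        String s = null;
        while ((s = is.readLine()) != null) {
            // keep line boundaries so the substring test in doStage2
            // cannot match a token that spans two source lines
            sb.append(s).append('\n');
        }
    } catch (IOException e) {
        // an unreadable lesson JSP is a setup problem, not an unsolved stage
        e.printStackTrace();
    } finally {
        if (is != null) {
            try {
                is.close();
            } catch (IOException ioe) {
                ioe.printStackTrace();
            }
        }
    }
    return sb.toString();
}
```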
@ -1,226 +1,226 @@
|
|||||||
EXEC sp_configure 'clr enabled', 1
|
EXEC sp_configure 'clr enabled', 1
|
||||||
GO
|
GO
|
||||||
|
|
||||||
RECONFIGURE
|
RECONFIGURE
|
||||||
GO
|
GO
|
||||||
|
|
||||||
USE master;
|
USE master;
|
||||||
|
|
||||||
go
|
go
|
||||||
|
|
||||||
DROP LOGIN webgoat_guest;
|
DROP LOGIN webgoat_guest;
|
||||||
|
|
||||||
go
|
go
|
||||||
|
|
||||||
DROP database webgoat;
|
DROP database webgoat;
|
||||||
|
|
||||||
go
|
go
|
||||||
|
|
||||||
|
|
||||||
CREATE database webgoat;
|
CREATE database webgoat;
|
||||||
|
|
||||||
go
|
go
|
||||||
|
|
||||||
USE webgoat;
|
USE webgoat;
|
||||||
|
|
||||||
go
|
go
|
||||||
|
|
||||||
CREATE SCHEMA webgoat_guest;
|
CREATE SCHEMA webgoat_guest;
|
||||||
|
|
||||||
go
|
go
|
||||||
|
|
||||||
CREATE LOGIN webgoat_guest with password = '_webgoat';
|
CREATE LOGIN webgoat_guest with password = '_webgoat';
|
||||||
|
|
||||||
go
|
go
|
||||||
|
|
||||||
CREATE USER webgoat_guest with default_schema = webgoat_guest;
|
CREATE USER webgoat_guest with default_schema = webgoat_guest;
|
||||||
|
|
||||||
go
|
go
|
||||||
|
|
||||||
GRANT CONTROL TO webgoat_guest;
|
GRANT CONTROL TO webgoat_guest;
|
||||||
|
|
||||||
go
|
go
|
||||||
|
|
||||||
|
|
||||||
CREATE TABLE WEBGOAT_guest.EMPLOYEE (
|
CREATE TABLE WEBGOAT_guest.EMPLOYEE (
|
||||||
userid INT NOT NULL PRIMARY KEY,
|
userid INT NOT NULL PRIMARY KEY,
|
||||||
first_name VARCHAR(20),
|
first_name VARCHAR(20),
|
||||||
last_name VARCHAR(20),
|
last_name VARCHAR(20),
|
||||||
ssn VARCHAR(12),
|
ssn VARCHAR(12),
|
||||||
password VARCHAR(10),
|
password VARCHAR(10),
|
||||||
title VARCHAR(20),
|
title VARCHAR(20),
|
||||||
phone VARCHAR(13),
|
phone VARCHAR(13),
|
||||||
address1 VARCHAR(80),
|
address1 VARCHAR(80),
|
||||||
address2 VARCHAR(80),
|
address2 VARCHAR(80),
|
||||||
manager INT,
|
manager INT,
|
||||||
start_date CHAR(8),
|
start_date CHAR(8),
|
||||||
salary INT,
|
salary INT,
|
||||||
ccn VARCHAR(30),
|
ccn VARCHAR(30),
|
||||||
ccn_limit INT,
|
ccn_limit INT,
|
||||||
disciplined_date CHAR(8),
|
disciplined_date CHAR(8),
|
||||||
disciplined_notes VARCHAR(60),
|
disciplined_notes VARCHAR(60),
|
||||||
personal_description VARCHAR(60)
|
personal_description VARCHAR(60)
|
||||||
);
|
);
|
||||||
|
|
||||||
go
|
go
|
||||||
|
|
||||||
IF EXISTS
|
IF EXISTS
|
||||||
(
|
(
|
||||||
SELECT 1
|
SELECT 1
|
||||||
FROM INFORMATION_SCHEMA.ROUTINES
|
FROM INFORMATION_SCHEMA.ROUTINES
|
||||||
WHERE ROUTINE_NAME = 'UPDATE_EMPLOYEE'
|
WHERE ROUTINE_NAME = 'UPDATE_EMPLOYEE'
|
||||||
AND ROUTINE_SCHEMA = 'webgoat_guest'
|
AND ROUTINE_SCHEMA = 'webgoat_guest'
|
||||||
AND ROUTINE_TYPE = 'PROCEDURE'
|
AND ROUTINE_TYPE = 'PROCEDURE'
|
||||||
)
|
)
|
||||||
BEGIN
|
BEGIN
|
||||||
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
|
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
|
||||||
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
|
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
|
||||||
END
|
END
|
||||||
GO
|
GO
|
||||||
|
|
||||||
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
|
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
|
||||||
@v_userid INT,
|
@v_userid INT,
|
||||||
@v_first_name VARCHAR(20),
|
@v_first_name VARCHAR(20),
|
||||||
@v_last_name VARCHAR(20),
|
@v_last_name VARCHAR(20),
|
||||||
@v_ssn VARCHAR(12),
|
@v_ssn VARCHAR(12),
|
||||||
@v_title VARCHAR(20),
|
@v_title VARCHAR(20),
|
||||||
@v_phone VARCHAR(13),
|
@v_phone VARCHAR(13),
|
||||||
@v_address1 VARCHAR(80),
|
@v_address1 VARCHAR(80),
|
||||||
@v_address2 VARCHAR(80),
|
@v_address2 VARCHAR(80),
|
||||||
@v_manager INT,
|
@v_manager INT,
|
||||||
@v_start_date CHAR(8),
|
@v_start_date CHAR(8),
|
||||||
@v_salary INT,
|
@v_salary INT,
|
||||||
@v_ccn VARCHAR(30),
|
@v_ccn VARCHAR(30),
|
||||||
@v_ccn_limit INT,
|
@v_ccn_limit INT,
|
||||||
@v_disciplined_date CHAR(8),
|
@v_disciplined_date CHAR(8),
|
||||||
@v_disciplined_notes VARCHAR(60),
|
@v_disciplined_notes VARCHAR(60),
|
||||||
@v_personal_description VARCHAR(60)
|
@v_personal_description VARCHAR(60)
|
||||||
AS
|
AS
|
||||||
UPDATE EMPLOYEE
|
UPDATE EMPLOYEE
|
||||||
SET
|
SET
|
||||||
first_name = @v_first_name,
|
first_name = @v_first_name,
|
||||||
last_name = @v_last_name,
|
last_name = @v_last_name,
|
||||||
ssn = @v_ssn,
|
ssn = @v_ssn,
|
||||||
title = @v_title,
|
title = @v_title,
|
||||||
phone = @v_phone,
|
phone = @v_phone,
|
||||||
address1 = @v_address1,
|
address1 = @v_address1,
|
||||||
address2 = @v_address2,
|
address2 = @v_address2,
|
||||||
manager = @v_manager,
|
manager = @v_manager,
|
||||||
start_date = @v_Start_date,
|
start_date = @v_Start_date,
|
||||||
salary = @v_salary,
|
salary = @v_salary,
|
||||||
ccn = @v_ccn,
|
ccn = @v_ccn,
|
||||||
ccn_limit = @v_ccn_limit,
|
ccn_limit = @v_ccn_limit,
|
||||||
disciplined_date = @v_disciplined_date,
|
disciplined_date = @v_disciplined_date,
|
||||||
disciplined_notes = @v_disciplined_notes,
|
disciplined_notes = @v_disciplined_notes,
|
||||||
personal_description = @v_personal_description
|
personal_description = @v_personal_description
|
||||||
WHERE
|
WHERE
|
||||||
userid = @v_userid;
|
userid = @v_userid;
|
||||||
|
|
||||||
go
|
go
|
||||||
|
|
||||||
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
|
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE_BACKUP
|
||||||
@v_userid INT,
|
@v_userid INT,
|
||||||
@v_first_name VARCHAR(20),
|
@v_first_name VARCHAR(20),
|
||||||
@v_last_name VARCHAR(20),
|
@v_last_name VARCHAR(20),
|
||||||
@v_ssn VARCHAR(12),
|
@v_ssn VARCHAR(12),
|
||||||
@v_title VARCHAR(20),
|
@v_title VARCHAR(20),
|
||||||
@v_phone VARCHAR(13),
|
@v_phone VARCHAR(13),
|
||||||
@v_address1 VARCHAR(80),
|
@v_address1 VARCHAR(80),
|
||||||
@v_address2 VARCHAR(80),
|
@v_address2 VARCHAR(80),
|
||||||
@v_manager INT,
|
@v_manager INT,
|
||||||
@v_start_date CHAR(8),
|
@v_start_date CHAR(8),
|
||||||
@v_salary INT,
|
@v_salary INT,
|
||||||
@v_ccn VARCHAR(30),
|
@v_ccn VARCHAR(30),
|
||||||
@v_ccn_limit INT,
|
@v_ccn_limit INT,
|
||||||
@v_disciplined_date CHAR(8),
|
@v_disciplined_date CHAR(8),
|
||||||
@v_disciplined_notes VARCHAR(60),
|
@v_disciplined_notes VARCHAR(60),
|
||||||
@v_personal_description VARCHAR(60)
|
@v_personal_description VARCHAR(60)
|
||||||
AS
|
AS
|
||||||
UPDATE EMPLOYEE
|
UPDATE EMPLOYEE
|
||||||
SET
|
SET
|
||||||
first_name = @v_first_name,
|
first_name = @v_first_name,
|
||||||
last_name = @v_last_name,
|
last_name = @v_last_name,
|
||||||
ssn = @v_ssn,
|
ssn = @v_ssn,
|
||||||
title = @v_title,
|
title = @v_title,
|
||||||
phone = @v_phone,
|
phone = @v_phone,
|
||||||
address1 = @v_address1,
|
address1 = @v_address1,
|
||||||
address2 = @v_address2,
|
address2 = @v_address2,
|
||||||
manager = @v_manager,
|
manager = @v_manager,
|
||||||
start_date = @v_Start_date,
|
start_date = @v_Start_date,
|
||||||
salary = @v_salary,
|
salary = @v_salary,
|
||||||
ccn = @v_ccn,
|
ccn = @v_ccn,
|
||||||
ccn_limit = @v_ccn_limit,
|
ccn_limit = @v_ccn_limit,
|
||||||
disciplined_date = @v_disciplined_date,
|
disciplined_date = @v_disciplined_date,
|
||||||
disciplined_notes = @v_disciplined_notes,
|
disciplined_notes = @v_disciplined_notes,
|
||||||
personal_description = @v_personal_description
|
personal_description = @v_personal_description
|
||||||
WHERE
|
WHERE
|
||||||
userid = @v_userid;
|
userid = @v_userid;
|
||||||
|
|
||||||
go
|
go
|
||||||
|
|
||||||
IF EXISTS
|
IF EXISTS
|
||||||
(
|
(
|
||||||
SELECT 1
|
SELECT 1
|
||||||
FROM INFORMATION_SCHEMA.ROUTINES
|
FROM INFORMATION_SCHEMA.ROUTINES
|
||||||
WHERE ROUTINE_NAME = 'EMPLOYEE_LOGIN'
|
WHERE ROUTINE_NAME = 'EMPLOYEE_LOGIN'
|
||||||
AND ROUTINE_SCHEMA = 'webgoat_guest'
|
AND ROUTINE_SCHEMA = 'webgoat_guest'
|
||||||
AND ROUTINE_TYPE = 'FUNCTION'
|
AND ROUTINE_TYPE = 'FUNCTION'
|
||||||
)
|
)
|
||||||
BEGIN
|
BEGIN
|
||||||
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN
|
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN
|
||||||
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP
|
DROP FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP
|
||||||
END
|
END
|
||||||
GO
|
GO
|
||||||
|
|
||||||
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN (
|
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN (
|
||||||
@v_id INT,
|
@v_id INT,
|
||||||
@v_password VARCHAR(100)
|
@v_password VARCHAR(100)
|
||||||
) RETURNS INTEGER
|
) RETURNS INTEGER
|
||||||
AS
|
AS
|
||||||
BEGIN
|
BEGIN
|
||||||
DECLARE @sql nvarchar(4000), @count int
|
DECLARE @sql nvarchar(4000), @count int
|
||||||
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
|
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
|
||||||
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
|
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
|
||||||
return @count
|
return @count
|
||||||
END
|
END
|
||||||
GO
|
GO
|
||||||
|
|
||||||
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP (
|
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN_BACKUP (
|
||||||
@v_id INT,
|
@v_id INT,
|
||||||
@v_password VARCHAR(100)
|
@v_password VARCHAR(100)
|
||||||
) RETURNS INTEGER
|
) RETURNS INTEGER
|
||||||
AS
|
AS
|
||||||
BEGIN
|
BEGIN
|
||||||
DECLARE @sql nvarchar(4000), @count int
|
DECLARE @sql nvarchar(4000), @count int
|
||||||
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
|
SELECT @sql = N'SELECT @cnt = COUNT(*) FROM EMPLOYEE WHERE USERID = ' + convert(varchar(10),@v_id) + N' AND PASSWORD = ''' + @v_password + N'''';
|
||||||
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
|
EXEC sp_executesql @sql, N'@cnt int OUTPUT', @cnt = @count OUTPUT
|
||||||
return @count
|
return @count
|
||||||
END
|
END
|
||||||
GO
|
GO
|
||||||
|
|
||||||
IF EXISTS
|
IF EXISTS
|
||||||
(
|
(
|
||||||
SELECT 1
|
SELECT 1
|
||||||
FROM INFORMATION_SCHEMA.ROUTINES
|
FROM INFORMATION_SCHEMA.ROUTINES
|
||||||
WHERE ROUTINE_NAME = 'RegexMatch'
|
WHERE ROUTINE_NAME = 'RegexMatch'
|
||||||
AND ROUTINE_SCHEMA = 'webgoat_guest'
|
AND ROUTINE_SCHEMA = 'webgoat_guest'
|
||||||
AND ROUTINE_TYPE = 'FUNCTION'
|
AND ROUTINE_TYPE = 'FUNCTION'
|
||||||
)
|
)
|
||||||
BEGIN
|
BEGIN
|
||||||
DROP FUNCTION webgoat_guest.RegexMatch
|
DROP FUNCTION webgoat_guest.RegexMatch
|
||||||
END
|
END
|
||||||
GO
|
GO
|
||||||
|
|
||||||
IF EXISTS (SELECT name FROM sys.assemblies WHERE name = N'RegexMatch')
|
IF EXISTS (SELECT name FROM sys.assemblies WHERE name = N'RegexMatch')
|
||||||
DROP ASSEMBLY RegexMatch;
|
DROP ASSEMBLY RegexMatch;
|
||||||
GO
|
GO
|
||||||
|
|
||||||
CREATE ASSEMBLY RegexMatch FROM 'c:\AspectClassCD\WebGoat\RegexMatch.dll' WITH PERMISSION_SET = SAFE;
|
CREATE ASSEMBLY RegexMatch FROM 'c:\AspectClassCD\WebGoat\RegexMatch.dll' WITH PERMISSION_SET = SAFE;
|
||||||
GO
|
GO
|
||||||
|
|
||||||
CREATE FUNCTION webgoat_guest.RegexMatch (
|
CREATE FUNCTION webgoat_guest.RegexMatch (
|
||||||
@input NVARCHAR(MAX),
|
@input NVARCHAR(MAX),
|
||||||
@pattern NVARCHAR(MAX)
|
@pattern NVARCHAR(MAX)
|
||||||
) RETURNS BIT
|
) RETURNS BIT
|
||||||
AS EXTERNAL NAME RegexMatch.[UserDefinedFunctions].RegexMatch;
|
AS EXTERNAL NAME RegexMatch.[UserDefinedFunctions].RegexMatch;
|
||||||
GO
|
GO
|
||||||
|
@ -17,6 +17,8 @@
|
|||||||
<DisciplinaryDate>10106</DisciplinaryDate>
|
<DisciplinaryDate>10106</DisciplinaryDate>
|
||||||
<Managers>
|
<Managers>
|
||||||
<Manager>102</Manager>
|
<Manager>102</Manager>
|
||||||
|
<Manager>111</Manager>
|
||||||
|
<Manager>112</Manager>
|
||||||
</Managers>
|
</Managers>
|
||||||
</Employee>
|
</Employee>
|
||||||
<Employee>
|
<Employee>
|
||||||
@ -35,8 +37,8 @@
|
|||||||
<DisciplinaryExplanation>Hit Curly over head</DisciplinaryExplanation>
|
<DisciplinaryExplanation>Hit Curly over head</DisciplinaryExplanation>
|
||||||
<DisciplinaryDate>101013</DisciplinaryDate>
|
<DisciplinaryDate>101013</DisciplinaryDate>
|
||||||
<Managers>
|
<Managers>
|
||||||
<Manager>102</Manager>
|
<Manager>112</Manager>
|
||||||
</Managers>
|
</Managers>
|
||||||
</Employee>
|
</Employee>
|
||||||
<Employee>
|
<Employee>
|
||||||
<UserID>103</UserID>
|
<UserID>103</UserID>
|
||||||
@ -54,8 +56,10 @@
|
|||||||
<DisciplinaryExplanation>Hit Moe back</DisciplinaryExplanation>
|
<DisciplinaryExplanation>Hit Moe back</DisciplinaryExplanation>
|
||||||
<DisciplinaryDate>101014</DisciplinaryDate>
|
<DisciplinaryDate>101014</DisciplinaryDate>
|
||||||
<Managers>
|
<Managers>
|
||||||
<Manager>102</Manager>
|
<Manager>102</Manager>
|
||||||
</Managers>
|
<Manager>111</Manager>
|
||||||
|
<Manager>112</Manager>
|
||||||
|
</Managers>
|
||||||
</Employee>
|
</Employee>
|
||||||
<Employee>
|
<Employee>
|
||||||
<UserID>104</UserID>
|
<UserID>104</UserID>
|
||||||
@ -73,7 +77,10 @@
|
|||||||
<DisciplinaryExplanation>Bothering Larry about webgoat problems</DisciplinaryExplanation>
|
<DisciplinaryExplanation>Bothering Larry about webgoat problems</DisciplinaryExplanation>
|
||||||
<DisciplinaryDate>101013</DisciplinaryDate>
|
<DisciplinaryDate>101013</DisciplinaryDate>
|
||||||
<Managers>
|
<Managers>
|
||||||
<Manager>102</Manager>
|
<Manager>107</Manager>
|
||||||
|
<Manager>102</Manager>
|
||||||
|
<Manager>111</Manager>
|
||||||
|
<Manager>112</Manager>
|
||||||
</Managers>
|
</Managers>
|
||||||
</Employee>
|
</Employee>
|
||||||
<Employee>
|
<Employee>
|
||||||
@ -92,7 +99,10 @@
|
|||||||
<DisciplinaryExplanation>NA</DisciplinaryExplanation>
|
<DisciplinaryExplanation>NA</DisciplinaryExplanation>
|
||||||
<DisciplinaryDate>0</DisciplinaryDate>
|
<DisciplinaryDate>0</DisciplinaryDate>
|
||||||
<Managers>
|
<Managers>
|
||||||
<Manager>102</Manager>
|
<Manager>106</Manager>
|
||||||
|
<Manager>102</Manager>
|
||||||
|
<Manager>111</Manager>
|
||||||
|
<Manager>112</Manager>
|
||||||
</Managers>
|
</Managers>
|
||||||
</Employee>
|
</Employee>
|
||||||
<Employee>
|
<Employee>
|
||||||
@ -111,8 +121,10 @@
|
|||||||
<DisciplinaryExplanation>NA</DisciplinaryExplanation>
|
<DisciplinaryExplanation>NA</DisciplinaryExplanation>
|
||||||
<DisciplinaryDate>0</DisciplinaryDate>
|
<DisciplinaryDate>0</DisciplinaryDate>
|
||||||
<Managers>
|
<Managers>
|
||||||
<Manager>102</Manager>
|
<Manager>102</Manager>
|
||||||
</Managers>
|
<Manager>111</Manager>
|
||||||
|
<Manager>112</Manager>
|
||||||
|
</Managers>
|
||||||
</Employee>
|
</Employee>
|
||||||
<Employee>
|
<Employee>
|
||||||
<UserID>107</UserID>
|
<UserID>107</UserID>
|
||||||
@ -130,7 +142,9 @@
|
|||||||
<DisciplinaryExplanation>Hacked into accounting server. Modified personal pay.</DisciplinaryExplanation>
|
<DisciplinaryExplanation>Hacked into accounting server. Modified personal pay.</DisciplinaryExplanation>
|
||||||
<DisciplinaryDate>61402</DisciplinaryDate>
|
<DisciplinaryDate>61402</DisciplinaryDate>
|
||||||
<Managers>
|
<Managers>
|
||||||
<Manager>102</Manager>
|
<Manager>102</Manager>
|
||||||
|
<Manager>111</Manager>
|
||||||
|
<Manager>112</Manager>
|
||||||
</Managers>
|
</Managers>
|
||||||
</Employee>
|
</Employee>
|
||||||
<Employee>
|
<Employee>
|
||||||
@ -149,8 +163,11 @@
|
|||||||
<DisciplinaryExplanation>Tortuous Boot Camp workout at 5am. Employees felt sick.</DisciplinaryExplanation>
|
<DisciplinaryExplanation>Tortuous Boot Camp workout at 5am. Employees felt sick.</DisciplinaryExplanation>
|
||||||
<DisciplinaryDate>61502</DisciplinaryDate>
|
<DisciplinaryDate>61502</DisciplinaryDate>
|
||||||
<Managers>
|
<Managers>
|
||||||
<Manager>102</Manager>
|
<Manager>107</Manager>
|
||||||
</Managers>
|
<Manager>102</Manager>
|
||||||
|
<Manager>111</Manager>
|
||||||
|
<Manager>112</Manager>
|
||||||
|
</Managers>
|
||||||
</Employee>
|
</Employee>
|
||||||
<Employee>
|
<Employee>
|
||||||
<UserID>109</UserID>
|
<UserID>109</UserID>
|
||||||
@ -168,8 +185,11 @@
|
|||||||
<DisciplinaryExplanation>Late to work 30 days in row due to excessive Halo 2</DisciplinaryExplanation>
|
<DisciplinaryExplanation>Late to work 30 days in row due to excessive Halo 2</DisciplinaryExplanation>
|
||||||
<DisciplinaryDate>72804</DisciplinaryDate>
|
<DisciplinaryDate>72804</DisciplinaryDate>
|
||||||
<Managers>
|
<Managers>
|
||||||
<Manager>102</Manager>
|
<Manager>107</Manager>
|
||||||
</Managers>
|
<Manager>102</Manager>
|
||||||
|
<Manager>111</Manager>
|
||||||
|
<Manager>112</Manager>
|
||||||
|
</Managers>
|
||||||
</Employee>
|
</Employee>
|
||||||
<Employee>
|
<Employee>
|
||||||
<UserID>110</UserID>
|
<UserID>110</UserID>
|
||||||
@ -187,7 +207,10 @@
|
|||||||
<DisciplinaryExplanation>Used company cc to purchase new car. Limit adjusted.</DisciplinaryExplanation>
|
<DisciplinaryExplanation>Used company cc to purchase new car. Limit adjusted.</DisciplinaryExplanation>
|
||||||
<DisciplinaryDate>112005</DisciplinaryDate>
|
<DisciplinaryDate>112005</DisciplinaryDate>
|
||||||
<Managers>
|
<Managers>
|
||||||
<Manager>102</Manager>
|
<Manager>106</Manager>
|
||||||
|
<Manager>102</Manager>
|
||||||
|
<Manager>111</Manager>
|
||||||
|
<Manager>112</Manager>
|
||||||
</Managers>
|
</Managers>
|
||||||
</Employee>
|
</Employee>
|
||||||
<Employee>
|
<Employee>
|
||||||
@ -206,8 +229,8 @@
|
|||||||
<DisciplinaryExplanation></DisciplinaryExplanation>
|
<DisciplinaryExplanation></DisciplinaryExplanation>
|
||||||
<DisciplinaryDate>112005</DisciplinaryDate>
|
<DisciplinaryDate>112005</DisciplinaryDate>
|
||||||
<Managers>
|
<Managers>
|
||||||
<Manager>102</Manager>
|
<Manager>112</Manager>
|
||||||
</Managers>
|
</Managers>
|
||||||
</Employee>
|
</Employee>
|
||||||
<Employee>
|
<Employee>
|
||||||
<UserID>112</UserID>
|
<UserID>112</UserID>
|
||||||
|