Reformat of Java source. Added JavaStyle format definitions.
git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@287 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
mayhew64
@ -1,9 +1,9 @@
|
||||
|
||||
package org.owasp.webgoat.lessons;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import org.apache.ecs.Element;
|
||||
import org.apache.ecs.ElementContainer;
|
||||
import org.apache.ecs.html.BR;
|
||||
@ -19,276 +19,248 @@ import org.owasp.webgoat.session.ECSFactory;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.owasp.webgoat.util.HtmlEncoder;
|
||||
|
||||
/*******************************************************************************
|
||||
|
||||
/***************************************************************************************************
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
||||
* please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 2007 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
||||
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
* You should have received a copy of the GNU General Public License along with this program; if
|
||||
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
||||
* 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at code.google.com, a repository
|
||||
* for free software projects.
|
||||
* Source for this application is maintained at code.google.com, a repository for free software
|
||||
* projects.
|
||||
*
|
||||
* For details, please see http://code.google.com/p/webgoat/
|
||||
*
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
|
||||
public class ReflectedXSS extends LessonAdapter
|
||||
{
|
||||
/**
|
||||
* Description of the Method
|
||||
*
|
||||
* @param s Description of the Parameter
|
||||
* @return Description of the Return Value
|
||||
*/
|
||||
/**
|
||||
* Description of the Method
|
||||
*
|
||||
* @param s
|
||||
* Description of the Parameter
|
||||
* @return Description of the Return Value
|
||||
*/
|
||||
|
||||
protected Element createContent(WebSession s)
|
||||
{
|
||||
|
||||
ElementContainer ec = new ElementContainer();
|
||||
String regex1 = "^[0-9]{3}$";// any three digits
|
||||
Pattern pattern1 = Pattern.compile(regex1);
|
||||
|
||||
try
|
||||
protected Element createContent(WebSession s)
|
||||
{
|
||||
String param1 = s.getParser().getRawParameter("field1", "111");
|
||||
String param2 = HtmlEncoder.encode(s.getParser().getRawParameter(
|
||||
"field2", "4128 3214 0002 1999"));
|
||||
float quantity = 1.0f;
|
||||
float total = 0.0f;
|
||||
float runningTotal = 0.0f;
|
||||
|
||||
// test input field1
|
||||
if (!pattern1.matcher(param1).matches())
|
||||
{
|
||||
if (param1.toLowerCase().indexOf("script") != -1)
|
||||
ElementContainer ec = new ElementContainer();
|
||||
String regex1 = "^[0-9]{3}$";// any three digits
|
||||
Pattern pattern1 = Pattern.compile(regex1);
|
||||
|
||||
try
|
||||
{
|
||||
makeSuccess(s);
|
||||
String param1 = s.getParser().getRawParameter("field1", "111");
|
||||
String param2 = HtmlEncoder.encode(s.getParser().getRawParameter("field2", "4128 3214 0002 1999"));
|
||||
float quantity = 1.0f;
|
||||
float total = 0.0f;
|
||||
float runningTotal = 0.0f;
|
||||
|
||||
// test input field1
|
||||
if (!pattern1.matcher(param1).matches())
|
||||
{
|
||||
if (param1.toLowerCase().indexOf("script") != -1)
|
||||
{
|
||||
makeSuccess(s);
|
||||
}
|
||||
|
||||
s.setMessage("Whoops! You entered " + param1 + " instead of your three digit code. Please try again.");
|
||||
}
|
||||
|
||||
// FIXME: encode output of field2, then s.setMessage( field2 );
|
||||
|
||||
ec.addElement(new HR().setWidth("90%"));
|
||||
ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart ")));
|
||||
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
|
||||
|
||||
if (s.isColor())
|
||||
{
|
||||
t.setBorder(1);
|
||||
}
|
||||
|
||||
TR tr = new TR();
|
||||
tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%"));
|
||||
tr.addElement(new TH().addElement("Price").setWidth("10%"));
|
||||
tr.addElement(new TH().addElement("Quantity").setWidth("3%"));
|
||||
tr.addElement(new TH().addElement("Total").setWidth("7%"));
|
||||
t.addElement(tr);
|
||||
|
||||
tr = new TR();
|
||||
tr.addElement(new TD().addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry "));
|
||||
tr.addElement(new TD().addElement("69.99").setAlign("right"));
|
||||
tr.addElement(new TD().addElement(
|
||||
new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1",
|
||||
"1")))
|
||||
.setAlign("right"));
|
||||
quantity = s.getParser().getFloatParameter("QTY1", 0.0f);
|
||||
total = quantity * 69.99f;
|
||||
runningTotal += total;
|
||||
tr.addElement(new TD().addElement("$" + total));
|
||||
t.addElement(tr);
|
||||
tr = new TR();
|
||||
tr.addElement(new TD().addElement("Dynex - Traditional Notebook Case"));
|
||||
tr.addElement(new TD().addElement("27.99").setAlign("right"));
|
||||
tr.addElement(new TD().addElement(
|
||||
new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2",
|
||||
"1")))
|
||||
.setAlign("right"));
|
||||
quantity = s.getParser().getFloatParameter("QTY2", 0.0f);
|
||||
total = quantity * 27.99f;
|
||||
runningTotal += total;
|
||||
tr.addElement(new TD().addElement("$" + total));
|
||||
t.addElement(tr);
|
||||
tr = new TR();
|
||||
tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel Centrino"));
|
||||
tr.addElement(new TD().addElement("1599.99").setAlign("right"));
|
||||
tr.addElement(new TD().addElement(
|
||||
new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3",
|
||||
"1")))
|
||||
.setAlign("right"));
|
||||
quantity = s.getParser().getFloatParameter("QTY3", 0.0f);
|
||||
total = quantity * 1599.99f;
|
||||
runningTotal += total;
|
||||
tr.addElement(new TD().addElement("$" + total));
|
||||
t.addElement(tr);
|
||||
tr = new TR();
|
||||
tr.addElement(new TD().addElement("3 - Year Performance Service Plan $1000 and Over "));
|
||||
tr.addElement(new TD().addElement("299.99").setAlign("right"));
|
||||
|
||||
tr.addElement(new TD().addElement(
|
||||
new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4",
|
||||
"1")))
|
||||
.setAlign("right"));
|
||||
quantity = s.getParser().getFloatParameter("QTY4", 0.0f);
|
||||
total = quantity * 299.99f;
|
||||
runningTotal += total;
|
||||
tr.addElement(new TD().addElement("$" + total));
|
||||
t.addElement(tr);
|
||||
|
||||
ec.addElement(t);
|
||||
|
||||
t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
|
||||
|
||||
if (s.isColor())
|
||||
{
|
||||
t.setBorder(1);
|
||||
}
|
||||
|
||||
ec.addElement(new BR());
|
||||
|
||||
tr = new TR();
|
||||
tr.addElement(new TD().addElement("The total charged to your credit card:"));
|
||||
tr.addElement(new TD().addElement("$" + runningTotal));
|
||||
tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart")));
|
||||
t.addElement(tr);
|
||||
tr = new TR();
|
||||
tr.addElement(new TD().addElement(" ").setColSpan(2));
|
||||
t.addElement(tr);
|
||||
tr = new TR();
|
||||
tr.addElement(new TD().addElement("Enter your credit card number:"));
|
||||
tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2", param2)));
|
||||
t.addElement(tr);
|
||||
tr = new TR();
|
||||
tr.addElement(new TD().addElement("Enter your three digit access code:"));
|
||||
tr.addElement(new TD().addElement("<input name='field1' type='TEXT' value='" + param1 + "'>"));
|
||||
// tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1",param1)));
|
||||
t.addElement(tr);
|
||||
|
||||
Element b = ECSFactory.makeButton("Purchase");
|
||||
tr = new TR();
|
||||
tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("center"));
|
||||
t.addElement(tr);
|
||||
|
||||
ec.addElement(t);
|
||||
ec.addElement(new BR());
|
||||
ec.addElement(new HR().setWidth("90%"));
|
||||
} catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error generating " + this.getClass().getName());
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
s
|
||||
.setMessage("Whoops! You entered "
|
||||
+ param1
|
||||
+ " instead of your three digit code. Please try again.");
|
||||
}
|
||||
|
||||
// FIXME: encode output of field2, then s.setMessage( field2 );
|
||||
|
||||
ec.addElement(new HR().setWidth("90%"));
|
||||
ec.addElement(new Center().addElement(new H1()
|
||||
.addElement("Shopping Cart ")));
|
||||
Table t = new Table().setCellSpacing(0).setCellPadding(2)
|
||||
.setBorder(1).setWidth("90%").setAlign("center");
|
||||
|
||||
if (s.isColor())
|
||||
{
|
||||
t.setBorder(1);
|
||||
}
|
||||
|
||||
TR tr = new TR();
|
||||
tr.addElement(new TH().addElement(
|
||||
"Shopping Cart Items -- To Buy Now").setWidth("80%"));
|
||||
tr.addElement(new TH().addElement("Price").setWidth("10%"));
|
||||
tr.addElement(new TH().addElement("Quantity").setWidth("3%"));
|
||||
tr.addElement(new TH().addElement("Total").setWidth("7%"));
|
||||
t.addElement(tr);
|
||||
|
||||
tr = new TR();
|
||||
tr
|
||||
.addElement(new TD()
|
||||
.addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry "));
|
||||
tr.addElement(new TD().addElement("69.99").setAlign("right"));
|
||||
tr.addElement(new TD().addElement(
|
||||
new Input(Input.TEXT, "QTY1", s.getParser()
|
||||
.getStringParameter("QTY1", "1")))
|
||||
.setAlign("right"));
|
||||
quantity = s.getParser().getFloatParameter("QTY1", 0.0f);
|
||||
total = quantity * 69.99f;
|
||||
runningTotal += total;
|
||||
tr.addElement(new TD().addElement("$" + total));
|
||||
t.addElement(tr);
|
||||
tr = new TR();
|
||||
tr.addElement(new TD()
|
||||
.addElement("Dynex - Traditional Notebook Case"));
|
||||
tr.addElement(new TD().addElement("27.99").setAlign("right"));
|
||||
tr.addElement(new TD().addElement(
|
||||
new Input(Input.TEXT, "QTY2", s.getParser()
|
||||
.getStringParameter("QTY2", "1")))
|
||||
.setAlign("right"));
|
||||
quantity = s.getParser().getFloatParameter("QTY2", 0.0f);
|
||||
total = quantity * 27.99f;
|
||||
runningTotal += total;
|
||||
tr.addElement(new TD().addElement("$" + total));
|
||||
t.addElement(tr);
|
||||
tr = new TR();
|
||||
tr
|
||||
.addElement(new TD()
|
||||
.addElement("Hewlett-Packard - Pavilion Notebook with Intel Centrino"));
|
||||
tr.addElement(new TD().addElement("1599.99").setAlign("right"));
|
||||
tr.addElement(new TD().addElement(
|
||||
new Input(Input.TEXT, "QTY3", s.getParser()
|
||||
.getStringParameter("QTY3", "1")))
|
||||
.setAlign("right"));
|
||||
quantity = s.getParser().getFloatParameter("QTY3", 0.0f);
|
||||
total = quantity * 1599.99f;
|
||||
runningTotal += total;
|
||||
tr.addElement(new TD().addElement("$" + total));
|
||||
t.addElement(tr);
|
||||
tr = new TR();
|
||||
tr
|
||||
.addElement(new TD()
|
||||
.addElement("3 - Year Performance Service Plan $1000 and Over "));
|
||||
tr.addElement(new TD().addElement("299.99").setAlign("right"));
|
||||
|
||||
tr.addElement(new TD().addElement(
|
||||
new Input(Input.TEXT, "QTY4", s.getParser()
|
||||
.getStringParameter("QTY4", "1")))
|
||||
.setAlign("right"));
|
||||
quantity = s.getParser().getFloatParameter("QTY4", 0.0f);
|
||||
total = quantity * 299.99f;
|
||||
runningTotal += total;
|
||||
tr.addElement(new TD().addElement("$" + total));
|
||||
t.addElement(tr);
|
||||
|
||||
ec.addElement(t);
|
||||
|
||||
t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0)
|
||||
.setWidth("90%").setAlign("center");
|
||||
|
||||
if (s.isColor())
|
||||
{
|
||||
t.setBorder(1);
|
||||
}
|
||||
|
||||
ec.addElement(new BR());
|
||||
|
||||
tr = new TR();
|
||||
tr.addElement(new TD()
|
||||
.addElement("The total charged to your credit card:"));
|
||||
tr.addElement(new TD().addElement("$" + runningTotal));
|
||||
tr.addElement(new TD().addElement(ECSFactory
|
||||
.makeButton("Update Cart")));
|
||||
t.addElement(tr);
|
||||
tr = new TR();
|
||||
tr.addElement(new TD().addElement(" ").setColSpan(2));
|
||||
t.addElement(tr);
|
||||
tr = new TR();
|
||||
tr
|
||||
.addElement(new TD()
|
||||
.addElement("Enter your credit card number:"));
|
||||
tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2",
|
||||
param2)));
|
||||
t.addElement(tr);
|
||||
tr = new TR();
|
||||
tr.addElement(new TD()
|
||||
.addElement("Enter your three digit access code:"));
|
||||
tr.addElement(new TD().addElement("<input name='field1' type='TEXT' value='" + param1 + "'>"));
|
||||
//tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1",param1)));
|
||||
t.addElement(tr);
|
||||
|
||||
Element b = ECSFactory.makeButton("Purchase");
|
||||
tr = new TR();
|
||||
tr.addElement(new TD().addElement(b).setColSpan(2).setAlign(
|
||||
"center"));
|
||||
t.addElement(tr);
|
||||
|
||||
ec.addElement(t);
|
||||
ec.addElement(new BR());
|
||||
ec.addElement(new HR().setWidth("90%"));
|
||||
return (ec);
|
||||
}
|
||||
catch (Exception e)
|
||||
|
||||
/**
|
||||
* DOCUMENT ME!
|
||||
*
|
||||
* @return DOCUMENT ME!
|
||||
*/
|
||||
protected Category getDefaultCategory()
|
||||
{
|
||||
s.setMessage("Error generating " + this.getClass().getName());
|
||||
e.printStackTrace();
|
||||
return Category.XSS;
|
||||
}
|
||||
return (ec);
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the hints attribute of the AccessControlScreen object
|
||||
*
|
||||
* @return The hints value
|
||||
*/
|
||||
protected List<String> getHints(WebSession s)
|
||||
{
|
||||
List<String> hints = new ArrayList<String>();
|
||||
hints.add("A simple script is <SCRIPT>alert('bang!');</SCRIPT>.");
|
||||
hints.add("Can you get the script to disclose the JSESSIONID cookie?");
|
||||
hints.add("You can use <SCRIPT>alert(document.cookie);</SCRIPT> to access the session id cookie");
|
||||
hints.add("Can you get the script to access the credit card form field?");
|
||||
hints
|
||||
.add("Try a cross site trace (XST) Command:<br>"
|
||||
+ "<script type=\"text/javascript\">if ( navigator.appName.indexOf(\"Microsoft\") !=-1)"
|
||||
+ " {var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false);"
|
||||
+ " xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"<br>\"); "
|
||||
+ "document.write(str1);}</script>");
|
||||
return hints;
|
||||
}
|
||||
|
||||
/**
|
||||
* DOCUMENT ME!
|
||||
*
|
||||
* @return DOCUMENT ME!
|
||||
*/
|
||||
protected Category getDefaultCategory()
|
||||
{
|
||||
return Category.XSS;
|
||||
}
|
||||
// <script type="text/javascript">if ( navigator.appName.indexOf("Microsoft") !=-1) {var xmlHttp
|
||||
// = new
|
||||
// ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false);
|
||||
// xmlHttp.send();str1=xmlHttp.responseText;document.write(str1);}</script>
|
||||
/**
|
||||
* Gets the instructions attribute of the WeakAccessControl object
|
||||
*
|
||||
* @return The instructions value
|
||||
*/
|
||||
public String getInstructions(WebSession s)
|
||||
{
|
||||
String instructions = "For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script and do something bad.";
|
||||
return (instructions);
|
||||
}
|
||||
|
||||
private final static Integer DEFAULT_RANKING = new Integer(120);
|
||||
|
||||
/**
|
||||
* Gets the hints attribute of the AccessControlScreen object
|
||||
*
|
||||
* @return The hints value
|
||||
*/
|
||||
protected List<String> getHints(WebSession s)
|
||||
{
|
||||
List<String> hints = new ArrayList<String>();
|
||||
hints
|
||||
.add("A simple script is <SCRIPT>alert('bang!');</SCRIPT>.");
|
||||
hints.add("Can you get the script to disclose the JSESSIONID cookie?");
|
||||
hints
|
||||
.add("You can use <SCRIPT>alert(document.cookie);</SCRIPT> to access the session id cookie");
|
||||
hints
|
||||
.add("Can you get the script to access the credit card form field?");
|
||||
hints
|
||||
.add("Try a cross site trace (XST) Command:<br>"
|
||||
+ "<script type=\"text/javascript\">if ( navigator.appName.indexOf(\"Microsoft\") !=-1)"
|
||||
+ " {var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false);"
|
||||
+ " xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"<br>\"); "
|
||||
+ "document.write(str1);}</script>");
|
||||
return hints;
|
||||
}
|
||||
protected Integer getDefaultRanking()
|
||||
{
|
||||
return DEFAULT_RANKING;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the title attribute of the AccessControlScreen object
|
||||
*
|
||||
* @return The title value
|
||||
*/
|
||||
public String getTitle()
|
||||
{
|
||||
return "Reflected XSS Attacks";
|
||||
}
|
||||
|
||||
// <script type="text/javascript">if ( navigator.appName.indexOf("Microsoft") !=-1) {var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false); xmlHttp.send();str1=xmlHttp.responseText;document.write(str1);}</script>
|
||||
/**
|
||||
* Gets the instructions attribute of the WeakAccessControl object
|
||||
*
|
||||
* @return The instructions value
|
||||
*/
|
||||
public String getInstructions(WebSession s)
|
||||
{
|
||||
String instructions = "For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script and do something bad.";
|
||||
return (instructions);
|
||||
}
|
||||
|
||||
private final static Integer DEFAULT_RANKING = new Integer(120);
|
||||
|
||||
|
||||
protected Integer getDefaultRanking()
|
||||
{
|
||||
return DEFAULT_RANKING;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Gets the title attribute of the AccessControlScreen object
|
||||
*
|
||||
* @return The title value
|
||||
*/
|
||||
public String getTitle()
|
||||
{
|
||||
return "Reflected XSS Attacks";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user