Reformat of Java source. Added JavaStyle format definitions.

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@287 4033779f-a91e-0410-96ef-6bf7bf53c507
mayhew64
2008-02-27 00:29:19 +00:00
parent cbdff41aa8
commit a8db8989c8
126 changed files with 20713 additions and 22183 deletions


@ -1,55 +1,53 @@
package org.owasp.webgoat.session;
import java.util.Hashtable;
import java.util.Map;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class Authorization
{
Map<Integer, Integer> permissions = new Hashtable<Integer, Integer>();
Map<Integer, Integer> permissions = new Hashtable<Integer, Integer>();
public Authorization()
{
}
public Authorization()
{}
public void setPermission(int userId, int functionId)
{
permissions.put(new Integer(userId), new Integer(functionId));
}
public void setPermission(int userId, int functionId)
{
permissions.put(new Integer(userId), new Integer(functionId));
}
public boolean isAllowed(int userId, int functionId)
{
return (permissions.get(new Integer(userId)) != null);
}
public boolean isAllowed(int userId, int functionId)
{
return (permissions.get(new Integer(userId)) != null);
}
}
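Review bot: `isAllowed` at the end of the hunk never reads `functionId`; it returns true for any user that has an entry in `permissions`, so a user granted one function passes the check for every function. Since `setPermission` stores a single function id per user, the check should compare it: `Integer allowed = permissions.get(Integer.valueOf(userId));` followed by `return allowed != null && allowed.intValue() == functionId;`. The `permissions` field is also package-visible and non-final; `private final Map<Integer, Integer> permissions = ...` would keep other classes in the package from replacing or editing the map. If the lax check is intentional for a lesson, a comment on the method saying so would stop the next reader from silently changing it.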


@ -1,3 +1,4 @@
package org.owasp.webgoat.session;
import java.io.File;
@ -9,435 +10,425 @@ import java.util.List;
import java.util.Set;
import java.util.Vector;
import java.util.LinkedList;
import javax.servlet.ServletContext;
import org.owasp.webgoat.HammerHead;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class Course
{
private List<AbstractLesson> lessons = new LinkedList<AbstractLesson>();
private List<AbstractLesson> lessons = new LinkedList<AbstractLesson>();
private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath;
private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath;
private WebgoatProperties properties = null;
private List<String> files = new LinkedList<String>();
private WebgoatProperties properties = null;
private WebgoatContext webgoatContext;
private List<String> files = new LinkedList<String>();
public Course()
{
private WebgoatContext webgoatContext;
public Course()
{
try
{
properties = new WebgoatProperties(PROPERTIES_FILENAME);
}
catch (IOException e)
properties = new WebgoatProperties(PROPERTIES_FILENAME);
} catch (IOException e)
{
System.out.println("Error loading WebGoat properties");
e.printStackTrace();
System.out.println("Error loading WebGoat properties");
e.printStackTrace();
}
}
/**
* Take an absolute file and return the filename.
*
* Ex. /etc/password becomes password
*
* @param s
* @return the file name
*/
private static String getFileName(String s)
{
String fileName = new File(s).getName();
if(fileName.indexOf("/") != -1)
}
/**
* Take an absolute file and return the filename.
*
* Ex. /etc/password becomes password
*
* @param s
* @return the file name
*/
private static String getFileName(String s)
{
String fileName = new File(s).getName();
if (fileName.indexOf("/") != -1)
{
fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length());
}
if(fileName.indexOf(".") != -1)
if (fileName.indexOf(".") != -1)
{
fileName = fileName.substring(0, fileName.indexOf("."));
}
return fileName;
}
/**
* Take a class name and return the equivalent file name
*
* Ex. org.owasp.webgoat becomes org/owasp/webgoat.java
*
* @param className
* @return
*/
private static String getSourceFile(String className)
{
StringBuffer sb = new StringBuffer();
sb.append(className.replace(".", "/"));
sb.append(".java");
return sb.toString();
}
}
/**
* Take a class name and return the equivalent file name
*
* Ex. org.owasp.webgoat becomes org/owasp/webgoat.java
*
* @param className
* @return
*/
private static String getSourceFile(String className)
{
StringBuffer sb = new StringBuffer();
/**
* Takes a file name and builds the class file name
*
* @param fileName Description of the Parameter
* @param path Description of the Parameter
* @return Description of the Return Value
*/
private static String getClassFile(String fileName, String path)
{
String ext = ".class";
sb.append(className.replace(".", "/"));
sb.append(".java");
return sb.toString();
}
/**
* Takes a file name and builds the class file name
*
* @param fileName
* Description of the Parameter
* @param path
* Description of the Parameter
* @return Description of the Return Value
*/
private static String getClassFile(String fileName, String path)
{
String ext = ".class";
fileName = fileName.trim();
/**
* We do not handle directories.
* We do not handle files with different extensions
* We do not handle directories. We do not handle files with different extensions
*/
if(fileName.endsWith("/") || !fileName.endsWith(ext))
{
return null;
}
if (fileName.endsWith("/") || !fileName.endsWith(ext)) { return null; }
// if the file is in /WEB-INF/classes strip the dir info off
int index = fileName.indexOf("/WEB-INF/classes/");
if (index != -1)
{
fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length());
fileName = fileName.replace('/', '.');
fileName = fileName.replace('\\', '.');
fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length());
fileName = fileName.replace('/', '.');
fileName = fileName.replace('\\', '.');
}
else
{
// Strip off the leading path info
fileName = fileName.substring(path.length(), fileName.length() - ext.length());
// Strip off the leading path info
fileName = fileName.substring(path.length(), fileName.length() - ext.length());
}
return fileName;
}
/**
* Gets the categories attribute of the Course object
*
* @return The categories value
*/
public List getCategories()
{
List<Category> categories = new ArrayList<Category>();
Iterator iter = lessons.iterator();
while (iter.hasNext())
{
AbstractLesson lesson = (AbstractLesson) iter.next();
if (!categories.contains(lesson.getCategory()))
{
categories.add(lesson.getCategory());
}
}
Collections.sort(categories);
return categories;
}
/**
* Gets the firstLesson attribute of the Course object
*
* @return The firstLesson value
*/
public AbstractLesson getFirstLesson()
{
List<String> roles = new ArrayList<String>();
roles.add(AbstractLesson.USER_ROLE);
// Category 0 is the admin function. We want the first real category
// to be returned. This is noramally the General category and the Http Basics lesson
return ((AbstractLesson) getLessons((Category) getCategories().get(1),
roles).get(0));
}
/**
* Gets the lesson attribute of the Course object
*
* @param lessonId Description of the Parameter
* @param role Description of the Parameter
* @return The lesson value
*/
public AbstractLesson getLesson(WebSession s, int lessonId, List<String> roles)
{
if (s.isHackedAdmin())
/**
* Gets the categories attribute of the Course object
*
* @return The categories value
*/
public List getCategories()
{
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
//System.out.println("getLesson() with roles: " + roles);
Iterator<AbstractLesson> iter = lessons.iterator();
List<Category> categories = new ArrayList<Category>();
Iterator iter = lessons.iterator();
while (iter.hasNext())
{
AbstractLesson lesson = iter.next();
while (iter.hasNext())
{
AbstractLesson lesson = (AbstractLesson) iter.next();
//System.out.println("getLesson() at role: " + lesson.getRole());
if (lesson.getScreenId() == lessonId
&& roles.contains(lesson.getRole()))
{
return lesson;
}
if (!categories.contains(lesson.getCategory()))
{
categories.add(lesson.getCategory());
}
}
Collections.sort(categories);
return categories;
}
return null;
}
public AbstractLesson getLesson(WebSession s, int lessonId, String role)
{
List<String> roles = new Vector<String>();
roles.add(role);
return getLesson(s, lessonId, roles);
}
public List getLessons(WebSession s, String role)
{
List<String> roles = new Vector<String>();
roles.add(role);
return getLessons(s, roles);
}
/**
* Gets the lessons attribute of the Course object
*
* @param role Description of the Parameter
* @return The lessons value
*/
public List<AbstractLesson> getLessons(WebSession s, List<String> roles)
{
if (s.isHackedAdmin())
/**
* Gets the firstLesson attribute of the Course object
*
* @return The firstLesson value
*/
public AbstractLesson getFirstLesson()
{
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>();
Iterator categoryIter = getCategories().iterator();
while (categoryIter.hasNext())
{
lessonList.addAll(getLessons(s, (Category) categoryIter.next(),
roles));
}
return lessonList;
}
/**
* Gets the lessons attribute of the Course object
*
* @param category Description of the Parameter
* @param role Description of the Parameter
* @return The lessons value
*/
private List<AbstractLesson> getLessons(Category category, List roles)
{
List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>();
Iterator iter = lessons.iterator();
while (iter.hasNext())
{
AbstractLesson lesson = (AbstractLesson) iter.next();
if (lesson.getCategory().equals(category)
&& roles.contains(lesson.getRole()))
{
lessonList.add(lesson);
}
List<String> roles = new ArrayList<String>();
roles.add(AbstractLesson.USER_ROLE);
// Category 0 is the admin function. We want the first real category
// to be returned. This is noramally the General category and the Http Basics lesson
return ((AbstractLesson) getLessons((Category) getCategories().get(1), roles).get(0));
}
Collections.sort(lessonList);
// System.out.println(java.util.Arrays.asList(lessonList));
return lessonList;
}
public List getLessons(WebSession s, Category category, String role)
{
List<String> roles = new Vector<String>();
roles.add(role);
return getLessons(s, category, roles);
}
public List<AbstractLesson> getLessons(WebSession s, Category category, List<String> roles)
{
if (s.isHackedAdmin())
/**
* Gets the lesson attribute of the Course object
*
* @param lessonId
* Description of the Parameter
* @param role
* Description of the Parameter
* @return The lesson value
*/
public AbstractLesson getLesson(WebSession s, int lessonId, List<String> roles)
{
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
return getLessons(category, roles);
}
/**
* Load all of the filenames into a temporary cache
*
* @param context
* @param path
*/
private void loadFiles(ServletContext context, String path)
{
Set resourcePaths = context.getResourcePaths(path);
Iterator itr = resourcePaths.iterator();
while(itr.hasNext())
{
String file = (String)itr.next();
if(file.length() != 1 && file.endsWith("/"))
{
loadFiles(context, file);
}
else
{
files.add(file);
}
}
}
/**
* Instantiate all the lesson objects into a cache
*
* @param path
*/
private void loadLessons(String path)
{
Iterator itr = files.iterator();
while(itr.hasNext())
{
String file = (String)itr.next();
String className = getClassFile(file, path);
if(className != null && !className.endsWith("_i"))
{
try
{
Class c = Class.forName(className);
Object o = c.newInstance();
if(o instanceof AbstractLesson)
{
AbstractLesson lesson = (AbstractLesson)o;
lesson.setWebgoatContext(webgoatContext);
lesson.update(properties);
if(lesson.getHidden() == false)
{
lessons.add(lesson);
}
}
}
catch (Exception e)
{
//System.out.println("Warning: " + e.getMessage());
}
}
}
}
/**
* For each lesson, set the source file and lesson file
*/
private void loadResources()
{
Iterator lessonItr = lessons.iterator();
while(lessonItr.hasNext())
{
AbstractLesson lesson = (AbstractLesson)lessonItr.next();
String className = lesson.getClass().getName();
String classFile = getSourceFile(className);
Iterator fileItr = files.iterator();
while(fileItr.hasNext())
{
String absoluteFile = (String)fileItr.next();
String fileName = getFileName(absoluteFile);
//System.out.println("Course: looking at file: " + absoluteFile);
if(absoluteFile.endsWith(classFile))
{
//System.out.println("Set source file for " + classFile);
lesson.setSourceFileName(absoluteFile);
}
if(absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html") && className.endsWith(fileName))
{
//System.out.println("DEBUG: setting lesson plan file " + absoluteFile + " for lesson " + lesson.getClass().getName());
//System.out.println("fileName: " + fileName + " == className: " + className );
lesson.setLessonPlanFileName(absoluteFile);
}
if(absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") && className.endsWith(fileName))
{
//System.out.println("DEBUG: setting lesson solution file " + absoluteFile + " for lesson " + lesson.getClass().getName());
//System.out.println("fileName: " + fileName + " == className: " + className );
lesson.setLessonSolutionFileName(absoluteFile);
}
}
}
}
if (s.isHackedAdmin())
{
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
// System.out.println("getLesson() with roles: " + roles);
Iterator<AbstractLesson> iter = lessons.iterator();
/**
* Description of the Method
*
* @param path Description of the Parameter
* @param context Description of the Parameter
*/
public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path)
{
this.webgoatContext = webgoatContext;
loadFiles(context, path);
loadLessons(path);
loadResources();
}
while (iter.hasNext())
{
AbstractLesson lesson = iter.next();
// System.out.println("getLesson() at role: " + lesson.getRole());
if (lesson.getScreenId() == lessonId && roles.contains(lesson.getRole())) { return lesson; }
}
return null;
}
public AbstractLesson getLesson(WebSession s, int lessonId, String role)
{
List<String> roles = new Vector<String>();
roles.add(role);
return getLesson(s, lessonId, roles);
}
public List getLessons(WebSession s, String role)
{
List<String> roles = new Vector<String>();
roles.add(role);
return getLessons(s, roles);
}
/**
* Gets the lessons attribute of the Course object
*
* @param role
* Description of the Parameter
* @return The lessons value
*/
public List<AbstractLesson> getLessons(WebSession s, List<String> roles)
{
if (s.isHackedAdmin())
{
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>();
Iterator categoryIter = getCategories().iterator();
while (categoryIter.hasNext())
{
lessonList.addAll(getLessons(s, (Category) categoryIter.next(), roles));
}
return lessonList;
}
/**
* Gets the lessons attribute of the Course object
*
* @param category
* Description of the Parameter
* @param role
* Description of the Parameter
* @return The lessons value
*/
private List<AbstractLesson> getLessons(Category category, List roles)
{
List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>();
Iterator iter = lessons.iterator();
while (iter.hasNext())
{
AbstractLesson lesson = (AbstractLesson) iter.next();
if (lesson.getCategory().equals(category) && roles.contains(lesson.getRole()))
{
lessonList.add(lesson);
}
}
Collections.sort(lessonList);
// System.out.println(java.util.Arrays.asList(lessonList));
return lessonList;
}
public List getLessons(WebSession s, Category category, String role)
{
List<String> roles = new Vector<String>();
roles.add(role);
return getLessons(s, category, roles);
}
public List<AbstractLesson> getLessons(WebSession s, Category category, List<String> roles)
{
if (s.isHackedAdmin())
{
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
return getLessons(category, roles);
}
/**
* Load all of the filenames into a temporary cache
*
* @param context
* @param path
*/
private void loadFiles(ServletContext context, String path)
{
Set resourcePaths = context.getResourcePaths(path);
Iterator itr = resourcePaths.iterator();
while (itr.hasNext())
{
String file = (String) itr.next();
if (file.length() != 1 && file.endsWith("/"))
{
loadFiles(context, file);
}
else
{
files.add(file);
}
}
}
/**
* Instantiate all the lesson objects into a cache
*
* @param path
*/
private void loadLessons(String path)
{
Iterator itr = files.iterator();
while (itr.hasNext())
{
String file = (String) itr.next();
String className = getClassFile(file, path);
if (className != null && !className.endsWith("_i"))
{
try
{
Class c = Class.forName(className);
Object o = c.newInstance();
if (o instanceof AbstractLesson)
{
AbstractLesson lesson = (AbstractLesson) o;
lesson.setWebgoatContext(webgoatContext);
lesson.update(properties);
if (lesson.getHidden() == false)
{
lessons.add(lesson);
}
}
} catch (Exception e)
{
// System.out.println("Warning: " + e.getMessage());
}
}
}
}
/**
* For each lesson, set the source file and lesson file
*/
private void loadResources()
{
Iterator lessonItr = lessons.iterator();
while (lessonItr.hasNext())
{
AbstractLesson lesson = (AbstractLesson) lessonItr.next();
String className = lesson.getClass().getName();
String classFile = getSourceFile(className);
Iterator fileItr = files.iterator();
while (fileItr.hasNext())
{
String absoluteFile = (String) fileItr.next();
String fileName = getFileName(absoluteFile);
// System.out.println("Course: looking at file: " + absoluteFile);
if (absoluteFile.endsWith(classFile))
{
// System.out.println("Set source file for " + classFile);
lesson.setSourceFileName(absoluteFile);
}
if (absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html")
&& className.endsWith(fileName))
{
// System.out.println("DEBUG: setting lesson plan file " + absoluteFile + " for
// lesson " +
// lesson.getClass().getName());
// System.out.println("fileName: " + fileName + " == className: " + className );
lesson.setLessonPlanFileName(absoluteFile);
}
if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html")
&& className.endsWith(fileName))
{
// System.out.println("DEBUG: setting lesson solution file " + absoluteFile + "
// for lesson " +
// lesson.getClass().getName());
// System.out.println("fileName: " + fileName + " == className: " + className );
lesson.setLessonSolutionFileName(absoluteFile);
}
}
}
}
/**
* Description of the Method
*
* @param path
* Description of the Parameter
* @param context
* Description of the Parameter
*/
public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path)
{
this.webgoatContext = webgoatContext;
loadFiles(context, path);
loadLessons(path);
loadResources();
}
}
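Review bot: The `catch (Exception e)` in `loadLessons` (second hunk, after the `Class.forName`/`newInstance` block) discards every failure, so a lesson that cannot be loaded simply disappears; the commit keeps the commented-out println instead of reporting it. At minimum report the class name and exception, e.g. `System.err.println("Could not load lesson " + className + ": " + e);`, matching how the constructor reports the properties error. Separately, `getLesson(WebSession, int, List<String>)` and both `getLessons(WebSession, ..., List<String>)` overloads add `AbstractLesson.HACKED_ADMIN_ROLE` to the caller's `roles` list, so a list passed in by the caller is mutated as a side effect; copying it first (`roles = new ArrayList<String>(roles);`) would keep that addition local to the call.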



@ -1,3 +1,4 @@
package org.owasp.webgoat.session;
import java.io.IOException;
@ -8,42 +9,40 @@ import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
import org.apache.ecs.MultiPartElement;
import org.apache.ecs.html.B;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/
public class DatabaseUtilities
@ -51,121 +50,119 @@ public class DatabaseUtilities
private static Map<String, Connection> connections = new HashMap<String, Connection>();
private static Map<String, Boolean> dbBuilt = new HashMap<String, Boolean>();
public static Connection getConnection(WebSession s)
throws ClassNotFoundException, SQLException
public static Connection getConnection(WebSession s) throws ClassNotFoundException, SQLException
{
return getConnection(s.getUserName(), s.getWebgoatContext());
}
public static synchronized Connection getConnection(String user, WebgoatContext context)
throws ClassNotFoundException, SQLException
public static synchronized Connection getConnection(String user, WebgoatContext context)
throws ClassNotFoundException, SQLException
{
Connection conn = connections.get(user);
if (conn != null && !conn.isClosed())
return conn;
if (conn != null && !conn.isClosed()) return conn;
conn = makeConnection(user, context);
connections.put(user, conn);
if (dbBuilt.get(user) == null) {
if (dbBuilt.get(user) == null)
{
new CreateDB().makeDB(conn);
dbBuilt.put(user, Boolean.TRUE);
}
return conn;
}
public static synchronized void returnConnection(String user)
{
try
{
Connection connection = connections.get(user);
if (connection == null || connection.isClosed())
return;
if (connection.getMetaData().getDatabaseProductName().toLowerCase().contains("oracle"))
connection.close();
}
catch (SQLException sqle)
Connection connection = connections.get(user);
if (connection == null || connection.isClosed()) return;
if (connection.getMetaData().getDatabaseProductName().toLowerCase().contains("oracle")) connection.close();
} catch (SQLException sqle)
{
sqle.printStackTrace();
}
}
private static Connection makeConnection(String user, WebgoatContext context)
throws ClassNotFoundException, SQLException
{
private static Connection makeConnection(String user, WebgoatContext context) throws ClassNotFoundException,
SQLException
{
Class.forName(context.getDatabaseDriver());
if (context.getDatabaseConnectionString().contains("hsqldb"))
return getHsqldbConnection(user, context);
if (context.getDatabaseConnectionString().contains("hsqldb")) return getHsqldbConnection(user, context);
String userPrefix = context.getDatabaseUser();
String password = context.getDatabasePassword();
String url = context.getDatabaseConnectionString();
return DriverManager.getConnection(url, userPrefix + "_" + user, password);
}
}
private static Connection getHsqldbConnection(String user, WebgoatContext context)
throws ClassNotFoundException, SQLException
private static Connection getHsqldbConnection(String user, WebgoatContext context) throws ClassNotFoundException,
SQLException
{
String url = context.getDatabaseConnectionString().replaceAll("\\$\\{USER\\}", user);
return DriverManager.getConnection(url, "sa", "");
}
/**
* Description of the Method
*
* @param results Description of the Parameter
* @param resultsMetaData Description of the Parameter
*
* @return Description of the Return Value
*
* @exception IOException Description of the Exception
* @exception SQLException Description of the Exception
*/
public static MultiPartElement writeTable(ResultSet results,
ResultSetMetaData resultsMetaData) throws IOException, SQLException
{
int numColumns = resultsMetaData.getColumnCount();
results.beforeFirst();
if (results.next())
/**
* Description of the Method
*
* @param results
* Description of the Parameter
* @param resultsMetaData
* Description of the Parameter
*
* @return Description of the Return Value
*
* @exception IOException
* Description of the Exception
* @exception SQLException
* Description of the Exception
*/
public static MultiPartElement writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException,
SQLException
{
Table t = new Table(1); // 1 = with border
t.setCellPadding(1);
int numColumns = resultsMetaData.getColumnCount();
results.beforeFirst();
TR tr = new TR();
for (int i = 1; i < (numColumns + 1); i++)
{
tr.addElement(new TD(new B(resultsMetaData.getColumnName(i))));
}
t.addElement(tr);
results.beforeFirst();
while (results.next())
{
TR row = new TR();
for (int i = 1; i < (numColumns + 1); i++)
if (results.next())
{
String str = results.getString(i);
if (str == null)
str = "";
row.addElement(new TD(str.replaceAll(" ", "&nbsp;")));
Table t = new Table(1); // 1 = with border
t.setCellPadding(1);
TR tr = new TR();
for (int i = 1; i < (numColumns + 1); i++)
{
tr.addElement(new TD(new B(resultsMetaData.getColumnName(i))));
}
t.addElement(tr);
results.beforeFirst();
while (results.next())
{
TR row = new TR();
for (int i = 1; i < (numColumns + 1); i++)
{
String str = results.getString(i);
if (str == null) str = "";
row.addElement(new TD(str.replaceAll(" ", "&nbsp;")));
}
t.addElement(row);
}
return (t);
}
else
{
return (new B("Query Successful; however no data was returned from this query."));
}
t.addElement(row);
}
return (t);
}
else
{
return (new B(
"Query Successful; however no data was returned from this query."));
}
}
}
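Review bot: `writeTable` (last hunk) writes each column value into a `TD` after only replacing spaces with `&nbsp;`, so `<`, `>` and `&` in the result set reach the page unescaped unless the ecs `TD` element applies its own filter, which I cannot confirm from this hunk. If the output is meant to be safe, HTML-escape `str` before the `&nbsp;` substitution; if raw output is deliberate for a lesson, a comment on that line saying so would help. `getHsqldbConnection` also hard-codes the `sa` account with an empty password rather than reading credentials from `WebgoatContext` as `makeConnection` does for the other drivers; a comment explaining why hsqldb is special-cased would be useful either way.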


@ -1,271 +1,241 @@
package org.owasp.webgoat.session;
import java.io.Serializable;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class Employee implements Serializable
{
/**
/**
*
*/
private static final long serialVersionUID = -1901957360367218399L;
public final static String EMPLOYEE_ROLE = "employee";
public final static String MANAGER_ROLE = "manager";
public final static String MANAGER_ROLE = "manager";
public final static String HR_ROLE = "hr";
public final static String HR_ROLE = "hr";
private int id;
private int id;
private String firstName;
private String firstName;
private String lastName;
private String lastName;
private String title;
private String title;
private String ssn;
private String ssn;
private String phone;
private String phone;
private String address1;
private String address1;
private String address2;
private String address2;
private int manager;
private int manager;
private String startDate;
private String startDate;
private int salary;
private int salary;
private String ccn;
private String ccn;
private int ccnLimit;
private int ccnLimit;
private String disciplinaryActionDate;
private String disciplinaryActionDate;
private String disciplinaryActionNotes;
private String disciplinaryActionNotes;
private String personalDescription;
private String personalDescription;
// FIXME: To be deleted
public Employee()
{
}
// FIXME: To be deleted
public Employee()
{}
public Employee(int id, String firstName, String lastName, String ssn, String title, String phone, String address1,
String address2, int manager, String startDate, int salary, String ccn, int ccnLimit,
String disciplinaryActionDate, String disciplinaryActionNotes, String personalDescription)
{
this.id = id;
this.firstName = firstName;
this.lastName = lastName;
this.ssn = ssn;
this.title = title;
this.phone = phone;
this.address1 = address1;
this.address2 = address2;
this.manager = manager;
this.startDate = startDate;
this.salary = salary;
this.ccn = ccn;
this.ccnLimit = ccnLimit;
this.disciplinaryActionDate = disciplinaryActionDate;
this.disciplinaryActionNotes = disciplinaryActionNotes;
this.personalDescription = personalDescription;
}
public Employee(int id, String firstName, String lastName, String ssn,
String title, String phone, String address1, String address2,
int manager, String startDate, int salary, String ccn,
int ccnLimit, String disciplinaryActionDate,
String disciplinaryActionNotes, String personalDescription)
{
this.id = id;
this.firstName = firstName;
this.lastName = lastName;
this.ssn = ssn;
this.title = title;
this.phone = phone;
this.address1 = address1;
this.address2 = address2;
this.manager = manager;
this.startDate = startDate;
this.salary = salary;
this.ccn = ccn;
this.ccnLimit = ccnLimit;
this.disciplinaryActionDate = disciplinaryActionDate;
this.disciplinaryActionNotes = disciplinaryActionNotes;
this.personalDescription = personalDescription;
}
public String getAddress1()
{
return address1;
}
public void setAddress1(String address1)
{
this.address1 = address1;
}
public String getAddress2()
{
return address2;
}
public void setAddress2(String address2)
{
this.address2 = address2;
}
public String getCcn()
{
return ccn;
}
public void setCcn(String ccn)
{
this.ccn = ccn;
}
public int getCcnLimit()
{
return ccnLimit;
}
public void setCcnLimit(int ccnLimit)
{
this.ccnLimit = ccnLimit;
}
public String getFirstName()
{
return firstName;
}
public void setFirstName(String firstName)
{
this.firstName = firstName;
}
public String getLastName()
{
return lastName;
}
public void setLastName(String lastName)
{
this.lastName = lastName;
}
public String getPhoneNumber()
{
return phone;
}
public void setPhoneNumber(String phone)
{
this.phone = phone;
}
public int getSalary()
{
return salary;
}
public void setSalary(int salary)
{
this.salary = salary;
}
public String getSsn()
{
return ssn;
}
public void setSsn(String ssn)
{
this.ssn = ssn;
}
public String getStartDate()
{
return startDate;
}
public void setStartDate(String startDate)
{
this.startDate = startDate;
}
public int getId()
{
return id;
}
public void setId(int id)
{
this.id = id;
}
public String getTitle()
{
return this.title;
}
public int getManager()
{
return this.manager;
}
public String getDisciplinaryActionDate()
{
return this.disciplinaryActionDate;
}
public String getDisciplinaryActionNotes()
{
return this.disciplinaryActionNotes;
}
public String getPersonalDescription()
{
return this.personalDescription;
}
public String getAddress1()
{
return address1;
}
public void setAddress1(String address1)
{
this.address1 = address1;
}
public String getAddress2()
{
return address2;
}
public void setAddress2(String address2)
{
this.address2 = address2;
}
public String getCcn()
{
return ccn;
}
public void setCcn(String ccn)
{
this.ccn = ccn;
}
public int getCcnLimit()
{
return ccnLimit;
}
public void setCcnLimit(int ccnLimit)
{
this.ccnLimit = ccnLimit;
}
public String getFirstName()
{
return firstName;
}
public void setFirstName(String firstName)
{
this.firstName = firstName;
}
public String getLastName()
{
return lastName;
}
public void setLastName(String lastName)
{
this.lastName = lastName;
}
public String getPhoneNumber()
{
return phone;
}
public void setPhoneNumber(String phone)
{
this.phone = phone;
}
public int getSalary()
{
return salary;
}
public void setSalary(int salary)
{
this.salary = salary;
}
public String getSsn()
{
return ssn;
}
public void setSsn(String ssn)
{
this.ssn = ssn;
}
public String getStartDate()
{
return startDate;
}
public void setStartDate(String startDate)
{
this.startDate = startDate;
}
public int getId()
{
return id;
}
public void setId(int id)
{
this.id = id;
}
public String getTitle()
{
return this.title;
}
public int getManager()
{
return this.manager;
}
public String getDisciplinaryActionDate()
{
return this.disciplinaryActionDate;
}
public String getDisciplinaryActionNotes()
{
return this.disciplinaryActionNotes;
}
public String getPersonalDescription()
{
return this.personalDescription;
}
}


@ -1,88 +1,82 @@
package org.owasp.webgoat.session;
import java.io.Serializable;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class EmployeeStub implements Serializable
{
/**
/**
*
*/
private static final long serialVersionUID = -7109162877797765632L;
private int id;
private String firstName;
private String firstName;
private String lastName;
private String lastName;
private String role;
private String role;
public EmployeeStub(int id, String firstName, String lastName)
{
this(id, firstName, lastName, Employee.EMPLOYEE_ROLE);
}
public EmployeeStub(int id, String firstName, String lastName)
{
this(id, firstName, lastName, Employee.EMPLOYEE_ROLE);
}
public EmployeeStub(int id, String firstName, String lastName, String role)
{
this.id = id;
this.firstName = firstName;
this.lastName = lastName;
this.role = role;
}
public String getFirstName()
{
return firstName;
}
public EmployeeStub(int id, String firstName, String lastName, String role)
{
this.id = id;
this.firstName = firstName;
this.lastName = lastName;
this.role = role;
}
public int getId()
{
return id;
}
public String getLastName()
{
return lastName;
}
public String getFirstName()
{
return firstName;
}
public int getId()
{
return id;
}
public String getLastName()
{
return lastName;
}
public String getRole()
{
return role;
}
public String getRole()
{
return role;
}
}


@ -1,12 +1,11 @@
package org.owasp.webgoat.session;
import java.io.ByteArrayOutputStream;
import java.io.PrintWriter;
import java.util.StringTokenizer;
import javax.servlet.ServletException;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor;
@ -20,201 +19,194 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created November 4, 2003
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created November 4, 2003
*/
public class ErrorScreen extends Screen
{
/**
* Description of the Field
* Description of the Field
*/
protected Throwable error;
/**
* Description of the Field
* Description of the Field
*/
protected String message;
/**
* Constructor for the ErrorScreen object
*
* @param s Description of the Parameter
* @param t Description of the Parameter
* Constructor for the ErrorScreen object
*
* @param s
* Description of the Parameter
* @param t
* Description of the Parameter
*/
public ErrorScreen( WebSession s, Throwable t )
public ErrorScreen(WebSession s, Throwable t)
{
this.error = t;
fixCurrentScreen( s );
setup( s );
fixCurrentScreen(s);
setup(s);
}
/**
* Constructor for the ErrorScreen object
*
* @param s Description of the Parameter
* @param msg Description of the Parameter
* Constructor for the ErrorScreen object
*
* @param s
* Description of the Parameter
* @param msg
* Description of the Parameter
*/
public ErrorScreen( WebSession s, String msg )
public ErrorScreen(WebSession s, String msg)
{
this.message = msg;
fixCurrentScreen( s );
setup( s );
fixCurrentScreen(s);
setup(s);
}
public void fixCurrentScreen( WebSession s )
public void fixCurrentScreen(WebSession s)
{
// So the user can't get stuck on the error screen, reset the
// current screen to something known
if ( s!= null )
{
try
if (s != null)
{
try
{
s.setCurrentScreen( s.getCourse().getFirstLesson().getScreenId() );
}
catch ( Throwable t )
s.setCurrentScreen(s.getCourse().getFirstLesson().getScreenId());
} catch (Throwable t)
{
s.setCurrentScreen( WebSession.WELCOME );
s.setCurrentScreen(WebSession.WELCOME);
}
}
}
public void setup( WebSession s )
public void setup(WebSession s)
{
// call createContent first so messages will go somewhere
Form form = new Form( "attack", Form.POST ).setName( "form" ).setEncType( "" );
Form form = new Form("attack", Form.POST).setName("form").setEncType("");
form.addElement( wrapForm( s ) );
form.addElement(wrapForm(s));
TD lowerright = new TD().setHeight( "100%" ).setVAlign( "top" ).setAlign( "left" ).addElement( form );
TR row = new TR().addElement( lowerright );
Table layout = new Table().setBgColor( HtmlColor.WHITE ).setCellSpacing( 0 ).setCellPadding( 0 ).setBorder( 0 );
TD lowerright = new TD().setHeight("100%").setVAlign("top").setAlign("left").addElement(form);
TR row = new TR().addElement(lowerright);
Table layout = new Table().setBgColor(HtmlColor.WHITE).setCellSpacing(0).setCellPadding(0).setBorder(0);
layout.addElement( row );
setContent(layout);
layout.addElement(row);
setContent(layout);
}
protected Element wrapForm( WebSession s )
protected Element wrapForm(WebSession s)
{
if ( s == null )
{
return new StringElement( "Invalid Session" );
}
if (s == null) { return new StringElement("Invalid Session"); }
Table container = new Table().setWidth("100%").setCellSpacing(10).setCellPadding(0).setBorder(0);
Table container = new Table().setWidth( "100%" ).setCellSpacing( 10 ).setCellPadding( 0 ).setBorder( 0 );
// CreateContent can generate error messages so you MUST call it before makeMessages()
Element content = createContent( s );
container.addElement( new TR().addElement( new TD().setColSpan( 2 ).setVAlign( "TOP" ).addElement(
makeMessages( s ) ) ) );
container.addElement( new TR().addElement( new TD().setColSpan( 2 ).addElement( content ) ) );
container.addElement( new TR() );
Element content = createContent(s);
container.addElement(new TR().addElement(new TD().setColSpan(2).setVAlign("TOP").addElement(makeMessages(s))));
container.addElement(new TR().addElement(new TD().setColSpan(2).addElement(content)));
container.addElement(new TR());
return ( container );
return (container);
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent( WebSession s )
protected Element createContent(WebSession s)
{
System.out.println( "errorscreen createContent Error:" + this.error + " message:" + this.message );
System.out.println("errorscreen createContent Error:" + this.error + " message:" + this.message);
Element content;
if ( this.error != null )
if (this.error != null)
{
content = createContent( this.error );
content = createContent(this.error);
}
else if ( this.message != null )
else if (this.message != null)
{
content = createContent( this.message );
content = createContent(this.message);
}
else
{
content = new StringElement( "An unknown error occurred." );
content = new StringElement("An unknown error occurred.");
}
return content;
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent( String s )
protected Element createContent(String s)
{
StringElement list = new StringElement( s );
StringElement list = new StringElement(s);
return ( list );
return (list);
}
/**
* Description of the Method
*
* @param t Description of the Parameter
* @return Description of the Return Value
* Description of the Method
*
* @param t
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent( Throwable t )
protected Element createContent(Throwable t)
{
StringElement list = new StringElement();
list.addElement( new H2().addElement( new StringElement( "Error Message: " + t.getMessage() ) ) );
list.addElement( formatStackTrace( t ) );
list.addElement(new H2().addElement(new StringElement("Error Message: " + t.getMessage())));
list.addElement(formatStackTrace(t));
if ( t instanceof ServletException )
if (t instanceof ServletException)
{
Throwable root = ( (ServletException) t ).getRootCause();
Throwable root = ((ServletException) t).getRootCause();
if ( root != null )
if (root != null)
{
list.addElement( new H2().addElement( new StringElement( "Root Message: " + root.getMessage() ) ) );
list.addElement( formatStackTrace( root ) );
list.addElement(new H2().addElement(new StringElement("Root Message: " + root.getMessage())));
list.addElement(formatStackTrace(root));
}
}
return ( new Small().addElement( list ) );
return (new Small().addElement(list));
}
public Element getCredits()
@ -222,57 +214,56 @@ public class ErrorScreen extends Screen
return new ElementContainer();
}
/**
* Description of the Method
*
* @param t Description of the Parameter
* @return Description of the Return Value
* Description of the Method
*
* @param t
* Description of the Parameter
* @return Description of the Return Value
*/
public static Element formatStackTrace( Throwable t )
public static Element formatStackTrace(Throwable t)
{
String trace = getStackTrace( t );
String trace = getStackTrace(t);
StringElement list = new StringElement();
StringTokenizer st = new StringTokenizer( trace, "\r\n\t" );
StringTokenizer st = new StringTokenizer(trace, "\r\n\t");
while ( st.hasMoreTokens() )
while (st.hasMoreTokens())
{
String line = st.nextToken();
list.addElement( new Div( line ) );
list.addElement(new Div(line));
}
return ( list );
return (list);
}
/**
* Gets the stackTrace attribute of the ErrorScreen class
*
* @param t Description of the Parameter
* @return The stackTrace value
* Gets the stackTrace attribute of the ErrorScreen class
*
* @param t
* Description of the Parameter
* @return The stackTrace value
*/
public static String getStackTrace( Throwable t )
public static String getStackTrace(Throwable t)
{
ByteArrayOutputStream bytes = new ByteArrayOutputStream();
PrintWriter writer = new PrintWriter( bytes, true );
t.printStackTrace( writer );
PrintWriter writer = new PrintWriter(bytes, true);
t.printStackTrace(writer);
return ( bytes.toString() );
return (bytes.toString());
}
/**
* Gets the title attribute of the ErrorScreen object
*
* @return The title value
* Gets the title attribute of the ErrorScreen object
*
* @return The title value
*/
public String getTitle()
{
return ( "Error" );
return ("Error");
}
public String getRole() {
public String getRole()
{
return AbstractLesson.USER_ROLE;
}
}
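Review bot: createContent(Throwable) still puts t.getMessage() and the full output of formatStackTrace(t) into the page as raw HTML via StringElement/Div with no entity encoding, so the browser receives internal class names, file names and line numbers, and any request-derived text that lands in an exception message is reflected unescaped; the same applies to the root-cause branch for ServletException. Since WebGoat is a deliberately vulnerable training app this may be intended, but if ErrorScreen is meant to be a safe fallback the trace belongs in the server log only and the page should show a generic message, e.g. `System.out.println(getStackTrace(t));` followed by `list.addElement(new H2().addElement(new StringElement("An internal error occurred.")));` in place of the two addElement calls that expose the message and trace. The unconditional `System.out.println(...)` in createContent(WebSession) also writes this.message, which may contain user-supplied text, straight to stdout; consider routing it through the application's logging instead. The file's remaining methods (getCredits) are cut by the hunk boundaries, so this only covers what is visible here.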


@ -1,36 +1,34 @@
package org.owasp.webgoat.session;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* Represents a virtual session for a lesson. Lesson-specific session data may
* be stored here.
*
* Represents a virtual session for a lesson. Lesson-specific session data may be stored here.
*
* @author David Anderson <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created January 19, 2006
@ -38,32 +36,28 @@ package org.owasp.webgoat.session;
public class LessonSession
{
private boolean isAuthenticated = false;
private boolean isAuthenticated = false;
private String currentLessonScreen;
private String currentLessonScreen;
public void setAuthenticated(boolean isAuthenticated)
{
this.isAuthenticated = isAuthenticated;
}
public void setAuthenticated(boolean isAuthenticated)
{
this.isAuthenticated = isAuthenticated;
}
public boolean isAuthenticated()
{
return this.isAuthenticated;
}
public void setCurrentLessonScreen(String currentLessonScreen)
{
this.currentLessonScreen = currentLessonScreen;
}
public boolean isAuthenticated()
{
return this.isAuthenticated;
}
public void setCurrentLessonScreen(String currentLessonScreen)
{
this.currentLessonScreen = currentLessonScreen;
}
public String getCurrentLessonScreen()
{
return this.currentLessonScreen;
}
public String getCurrentLessonScreen()
{
return this.currentLessonScreen;
}
}


@ -1,3 +1,4 @@
package org.owasp.webgoat.session;
import java.io.FileInputStream;
@ -5,441 +6,399 @@ import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.util.Properties;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 29, 2003
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 29, 2003
*/
public class LessonTracker
{
private boolean completed = false;
private boolean completed = false;
private int maxHintLevel = 0;
private int maxHintLevel = 0;
private int numVisits = 0;
private int numVisits = 0;
private boolean viewedCookies = false;
private boolean viewedCookies = false;
private boolean viewedHtml = false;
private boolean viewedHtml = false;
private boolean viewedLessonPlan = false;
private boolean viewedLessonPlan = false;
private boolean viewedParameters = false;
private boolean viewedParameters = false;
private boolean viewedSource = false;
private boolean viewedSource = false;
private boolean viewedSolution = false;
private boolean viewedSolution = false;
Properties lessonProperties = new Properties();
Properties lessonProperties = new Properties();
/**
* Gets the completed attribute of the LessonTracker object
*
* @return The completed value
*/
public boolean getCompleted()
{
return completed;
}
/**
* Gets the maxHintLevel attribute of the LessonTracker object
*
* @return The maxHintLevel value
*/
public int getMaxHintLevel()
{
return maxHintLevel;
}
/**
* Gets the numVisits attribute of the LessonTracker object
*
* @return The numVisits value
*/
public int getNumVisits()
{
return numVisits;
}
/**
* Gets the viewedCookies attribute of the LessonTracker object
*
* @return The viewedCookies value
*/
public boolean getViewedCookies()
{
return viewedCookies;
}
/**
* Gets the viewedHtml attribute of the LessonTracker object
*
* @return The viewedHtml value
*/
public boolean getViewedHtml()
{
return viewedHtml;
}
/**
* Gets the viewedLessonPlan attribute of the LessonTracker object
*
* @return The viewedLessonPlan value
*/
public boolean getViewedLessonPlan()
{
return viewedLessonPlan;
}
/**
* Gets the viewedParameters attribute of the LessonTracker object
*
* @return The viewedParameters value
*/
public boolean getViewedParameters()
{
return viewedParameters;
}
/**
* Gets the viewedSource attribute of the LessonTracker object
*
* @return The viewedSource value
*/
public boolean getViewedSource()
{
return viewedSource;
}
public boolean getViewedSolution()
{
return viewedSource;
}
/**
* Description of the Method
*/
public void incrementNumVisits()
{
numVisits++;
}
/**
* Sets the properties attribute of the LessonTracker object
*
* @param props The new properties value
*/
protected void setProperties(Properties props, Screen screen)
{
completed = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".completed"))
.booleanValue();
maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle()
+ ".maxHintLevel"));
numVisits = Integer.parseInt(props.getProperty(screen.getTitle()
+ ".numVisits"));
viewedCookies = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".viewedCookies"))
.booleanValue();
viewedHtml = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".viewedHtml"))
.booleanValue();
viewedLessonPlan = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".viewedLessonPlan"))
.booleanValue();
viewedParameters = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".viewedParameters"))
.booleanValue();
viewedSource = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".viewedSource"))
.booleanValue();
}
public static String getUserDir(WebSession s)
{
return s.getContext().getRealPath("users") + "/";
}
private static String getTrackerFile(WebSession s, String user,
Screen screen)
{
return getUserDir(s) + user + "." + screen.getClass().getName()
+ ".props";
}
/**
* Description of the Method
*
* @param screen Description of the Parameter
* @param s Description of the Parameter
* @return Description of the Return Value
*/
public static LessonTracker load(WebSession s, String user, Screen screen)
{
FileInputStream in = null;
try
/**
* Gets the completed attribute of the LessonTracker object
*
* @return The completed value
*/
public boolean getCompleted()
{
String fileName = getTrackerFile(s, user, screen);
if (fileName != null)
{
Properties tempProps = new Properties();
//System.out.println("Loading lesson state from: " + fileName);
in = new FileInputStream(fileName);
tempProps.load(in);
// allow the screen to use any custom properties it may have set
LessonTracker tempLessonTracker = screen
.createLessonTracker(tempProps);
tempLessonTracker.setProperties(tempProps, screen);
return tempLessonTracker;
}
}
catch (FileNotFoundException e)
{
// Normal if the lesson has not been accessed yet.
}
catch (Exception e)
{
System.out.println("Failed to load lesson state for " + screen);
e.printStackTrace();
}
finally
{
try
{
in.close();
}
catch (Exception e)
{}
return completed;
}
return screen.createLessonTracker();
}
/**
* Sets the completed attribute of the LessonTracker object
*
* @param completed The new completed value
*/
public void setCompleted(boolean completed)
{
this.completed = completed;
}
/**
* Sets the maxHintLevel attribute of the LessonTracker object
*
* @param maxHintLevel The new maxHintLevel value
*/
public void setMaxHintLevel(int maxHintLevel)
{
this.maxHintLevel = Math.max(this.maxHintLevel, maxHintLevel);
}
/**
* Sets the viewedCookies attribute of the LessonTracker object
*
* @param viewedCookies The new viewedCookies value
*/
public void setViewedCookies(boolean viewedCookies)
{
this.viewedCookies = viewedCookies;
}
/**
* Sets the viewedHtml attribute of the LessonTracker object
*
* @param viewedHtml The new viewedHtml value
*/
public void setViewedHtml(boolean viewedHtml)
{
this.viewedHtml = viewedHtml;
}
/**
* Sets the viewedLessonPlan attribute of the LessonTracker object
*
* @param viewedLessonPlan The new viewedLessonPlan value
*/
public void setViewedLessonPlan(boolean viewedLessonPlan)
{
this.viewedLessonPlan = viewedLessonPlan;
}
/**
* Sets the viewedParameters attribute of the LessonTracker object
*
* @param viewedParameters The new viewedParameters value
*/
public void setViewedParameters(boolean viewedParameters)
{
this.viewedParameters = viewedParameters;
}
/**
* Sets the viewedSource attribute of the LessonTracker object
*
* @param viewedSource The new viewedSource value
*/
public void setViewedSource(boolean viewedSource)
{
this.viewedSource = viewedSource;
}
/**
* Sets the viewedSource attribute of the LessonTracker object
*
* @param viewedSource The new viewedSource value
*/
public void setViewedSolution(boolean viewedSolution)
{
this.viewedSolution = viewedSolution;
}
/**
* Allows the storing of properties for the logged in and a screen.
*
* @param s Description of the Parameter
*/
public void store(WebSession s, Screen screen)
{
store(s, screen, s.getUserName());
}
/**
* Allows the storing of properties for a user and a screen.
*
* @param s Description of the Parameter
*/
public void store(WebSession s, Screen screen, String user)
{
FileOutputStream out = null;
String fileName = getTrackerFile(s, user, screen);
//System.out.println( "Storing data to" + fileName );
lessonProperties.setProperty(screen.getTitle() + ".completed", Boolean
.toString(completed));
lessonProperties.setProperty(screen.getTitle() + ".maxHintLevel",
Integer.toString(maxHintLevel));
lessonProperties.setProperty(screen.getTitle() + ".numVisits", Integer
.toString(numVisits));
lessonProperties.setProperty(screen.getTitle() + ".viewedCookies",
Boolean.toString(viewedCookies));
lessonProperties.setProperty(screen.getTitle() + ".viewedHtml", Boolean
.toString(viewedHtml));
lessonProperties.setProperty(screen.getTitle() + ".viewedLessonPlan",
Boolean.toString(viewedLessonPlan));
lessonProperties.setProperty(screen.getTitle() + ".viewedParameters",
Boolean.toString(viewedParameters));
lessonProperties.setProperty(screen.getTitle() + ".viewedSource",
Boolean.toString(viewedSource));
try
/**
* Gets the maxHintLevel attribute of the LessonTracker object
*
* @return The maxHintLevel value
*/
public int getMaxHintLevel()
{
out = new FileOutputStream(fileName);
lessonProperties.store(out, s.getUserName());
}
catch (Exception e)
{
// what do we want to do, I think nothing.
System.out.println("Warning User data for " + s.getUserName()
+ " will not persist");
}
finally
{
try
{
out.close();
}
catch (Exception e)
{}
return maxHintLevel;
}
}
/**
* Gets the numVisits attribute of the LessonTracker object
*
* @return The numVisits value
*/
public int getNumVisits()
{
return numVisits;
}
/**
* Gets the viewedCookies attribute of the LessonTracker object
*
* @return The viewedCookies value
*/
public boolean getViewedCookies()
{
return viewedCookies;
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public String toString()
{
StringBuffer buff = new StringBuffer();
buff.append("LessonTracker:" + "\n");
buff.append(" - completed:.......... " + completed + "\n");
buff.append(" - maxHintLevel:....... " + maxHintLevel + "\n");
buff.append(" - numVisits:.......... " + numVisits + "\n");
buff.append(" - viewedCookies:...... " + viewedCookies + "\n");
buff.append(" - viewedHtml:......... " + viewedHtml + "\n");
buff.append(" - viewedLessonPlan:... " + viewedLessonPlan + "\n");
buff.append(" - viewedParameters:... " + viewedParameters + "\n");
buff.append(" - viewedSource:....... " + viewedSource + "\n" + "\n");
return buff.toString();
}
/**
* Gets the viewedHtml attribute of the LessonTracker object
*
* @return The viewedHtml value
*/
public boolean getViewedHtml()
{
return viewedHtml;
}
/**
* Gets the viewedLessonPlan attribute of the LessonTracker object
*
* @return The viewedLessonPlan value
*/
public boolean getViewedLessonPlan()
{
return viewedLessonPlan;
}
/**
* @return Returns the lessonProperties.
*/
public Properties getLessonProperties()
{
return lessonProperties;
}
/**
* Gets the viewedParameters attribute of the LessonTracker object
*
* @return The viewedParameters value
*/
public boolean getViewedParameters()
{
return viewedParameters;
}
/**
* Gets the viewedSource attribute of the LessonTracker object
*
* @return The viewedSource value
*/
public boolean getViewedSource()
{
return viewedSource;
}
/**
* @param lessonProperties The lessonProperties to set.
*/
public void setLessonProperties(Properties lessonProperties)
{
this.lessonProperties = lessonProperties;
}
public boolean getViewedSolution()
{
return viewedSource;
}
/**
* Description of the Method
*/
public void incrementNumVisits()
{
numVisits++;
}
/**
* Sets the properties attribute of the LessonTracker object
*
* @param props
* The new properties value
*/
protected void setProperties(Properties props, Screen screen)
{
completed = Boolean.valueOf(props.getProperty(screen.getTitle() + ".completed")).booleanValue();
maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle() + ".maxHintLevel"));
numVisits = Integer.parseInt(props.getProperty(screen.getTitle() + ".numVisits"));
viewedCookies = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedCookies")).booleanValue();
viewedHtml = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedHtml")).booleanValue();
viewedLessonPlan = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedLessonPlan")).booleanValue();
viewedParameters = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedParameters")).booleanValue();
viewedSource = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedSource")).booleanValue();
}
public static String getUserDir(WebSession s)
{
return s.getContext().getRealPath("users") + "/";
}
private static String getTrackerFile(WebSession s, String user, Screen screen)
{
return getUserDir(s) + user + "." + screen.getClass().getName() + ".props";
}
/**
* Description of the Method
*
* @param screen
* Description of the Parameter
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
public static LessonTracker load(WebSession s, String user, Screen screen)
{
FileInputStream in = null;
try
{
String fileName = getTrackerFile(s, user, screen);
if (fileName != null)
{
Properties tempProps = new Properties();
// System.out.println("Loading lesson state from: " + fileName);
in = new FileInputStream(fileName);
tempProps.load(in);
// allow the screen to use any custom properties it may have set
LessonTracker tempLessonTracker = screen.createLessonTracker(tempProps);
tempLessonTracker.setProperties(tempProps, screen);
return tempLessonTracker;
}
} catch (FileNotFoundException e)
{
// Normal if the lesson has not been accessed yet.
} catch (Exception e)
{
System.out.println("Failed to load lesson state for " + screen);
e.printStackTrace();
} finally
{
try
{
in.close();
} catch (Exception e)
{
}
}
return screen.createLessonTracker();
}
/**
* Sets the completed attribute of the LessonTracker object
*
* @param completed
* The new completed value
*/
public void setCompleted(boolean completed)
{
this.completed = completed;
}
/**
* Sets the maxHintLevel attribute of the LessonTracker object
*
* @param maxHintLevel
* The new maxHintLevel value
*/
public void setMaxHintLevel(int maxHintLevel)
{
this.maxHintLevel = Math.max(this.maxHintLevel, maxHintLevel);
}
/**
* Sets the viewedCookies attribute of the LessonTracker object
*
* @param viewedCookies
* The new viewedCookies value
*/
public void setViewedCookies(boolean viewedCookies)
{
this.viewedCookies = viewedCookies;
}
/**
* Sets the viewedHtml attribute of the LessonTracker object
*
* @param viewedHtml
* The new viewedHtml value
*/
public void setViewedHtml(boolean viewedHtml)
{
this.viewedHtml = viewedHtml;
}
/**
* Sets the viewedLessonPlan attribute of the LessonTracker object
*
* @param viewedLessonPlan
* The new viewedLessonPlan value
*/
public void setViewedLessonPlan(boolean viewedLessonPlan)
{
this.viewedLessonPlan = viewedLessonPlan;
}
/**
* Sets the viewedParameters attribute of the LessonTracker object
*
* @param viewedParameters
* The new viewedParameters value
*/
public void setViewedParameters(boolean viewedParameters)
{
this.viewedParameters = viewedParameters;
}
/**
* Sets the viewedSource attribute of the LessonTracker object
*
* @param viewedSource
* The new viewedSource value
*/
public void setViewedSource(boolean viewedSource)
{
this.viewedSource = viewedSource;
}
/**
* Sets the viewedSource attribute of the LessonTracker object
*
* @param viewedSource
* The new viewedSource value
*/
public void setViewedSolution(boolean viewedSolution)
{
this.viewedSolution = viewedSolution;
}
/**
* Allows the storing of properties for the logged in and a screen.
*
* @param s
* Description of the Parameter
*/
public void store(WebSession s, Screen screen)
{
store(s, screen, s.getUserName());
}
/**
* Allows the storing of properties for a user and a screen.
*
* @param s
* Description of the Parameter
*/
public void store(WebSession s, Screen screen, String user)
{
FileOutputStream out = null;
String fileName = getTrackerFile(s, user, screen);
// System.out.println( "Storing data to" + fileName );
lessonProperties.setProperty(screen.getTitle() + ".completed", Boolean.toString(completed));
lessonProperties.setProperty(screen.getTitle() + ".maxHintLevel", Integer.toString(maxHintLevel));
lessonProperties.setProperty(screen.getTitle() + ".numVisits", Integer.toString(numVisits));
lessonProperties.setProperty(screen.getTitle() + ".viewedCookies", Boolean.toString(viewedCookies));
lessonProperties.setProperty(screen.getTitle() + ".viewedHtml", Boolean.toString(viewedHtml));
lessonProperties.setProperty(screen.getTitle() + ".viewedLessonPlan", Boolean.toString(viewedLessonPlan));
lessonProperties.setProperty(screen.getTitle() + ".viewedParameters", Boolean.toString(viewedParameters));
lessonProperties.setProperty(screen.getTitle() + ".viewedSource", Boolean.toString(viewedSource));
try
{
out = new FileOutputStream(fileName);
lessonProperties.store(out, s.getUserName());
} catch (Exception e)
{
// what do we want to do, I think nothing.
System.out.println("Warning User data for " + s.getUserName() + " will not persist");
} finally
{
try
{
out.close();
} catch (Exception e)
{
}
}
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public String toString()
{
StringBuffer buff = new StringBuffer();
buff.append("LessonTracker:" + "\n");
buff.append(" - completed:.......... " + completed + "\n");
buff.append(" - maxHintLevel:....... " + maxHintLevel + "\n");
buff.append(" - numVisits:.......... " + numVisits + "\n");
buff.append(" - viewedCookies:...... " + viewedCookies + "\n");
buff.append(" - viewedHtml:......... " + viewedHtml + "\n");
buff.append(" - viewedLessonPlan:... " + viewedLessonPlan + "\n");
buff.append(" - viewedParameters:... " + viewedParameters + "\n");
buff.append(" - viewedSource:....... " + viewedSource + "\n" + "\n");
return buff.toString();
}
/**
* @return Returns the lessonProperties.
*/
public Properties getLessonProperties()
{
return lessonProperties;
}
/**
* @param lessonProperties
* The lessonProperties to set.
*/
public void setLessonProperties(Properties lessonProperties)
{
this.lessonProperties = lessonProperties;
}
}


@ -1,90 +1,81 @@
package org.owasp.webgoat.session;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class Parameter implements Comparable
{
String name;
String name;
String value;
String value;
public Parameter(String name, String value)
{
this.name = name;
this.value = value;
}
public String getName()
{
return name;
}
public String getValue()
{
return value;
}
//@Override
public boolean equals(Object obj)
{
if (obj instanceof Parameter)
public Parameter(String name, String value)
{
Parameter other = (Parameter) obj;
return (name.equals(other.getName()) && value.equals(other
.getValue()));
this.name = name;
this.value = value;
}
return false;
}
public String getName()
{
return name;
}
//@Override
public int hashCode()
{
return toString().hashCode();
}
public String getValue()
{
return value;
}
// @Override
public boolean equals(Object obj)
{
if (obj instanceof Parameter)
{
Parameter other = (Parameter) obj;
return (name.equals(other.getName()) && value.equals(other.getValue()));
}
return false;
}
//@Override
public String toString()
{
return (name + "=" + value);
}
// @Override
public int hashCode()
{
return toString().hashCode();
}
// @Override
public String toString()
{
return (name + "=" + value);
}
public int compareTo(Object o)
{
return toString().compareTo(o.toString());
}
public int compareTo(Object o)
{
return toString().compareTo(o.toString());
}
}
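Review bot: `compareTo` on the new side (the last method of this section) is inconsistent with `equals`: it orders by the `toString()` text, so two parameters with different fields but the same `name=value` rendering (name `a=b` / value `c` versus name `a` / value `b=c`) compare as 0 while `equals` returns false, and a `null` or non-`Parameter` argument yields an NPE or a meaningless ordering rather than the `ClassCastException` the `Comparable` contract calls for. Because these objects carry request parameter names and values straight from the client, sorted collections and lookups should key on the two fields themselves, not on a concatenated string. This predates the reformat, but the rewritten method is the one that will be maintained; the rewrite below assumes non-null `name`/`value`, which the constructor currently does not enforce, so a `Objects.requireNonNull`-style check there would pair with it. While here, `name` and `value` could become `private final`, since nothing in the class mutates them.
```java
public int compareTo(Object o)
{
    Parameter other = (Parameter) o; // ClassCastException for non-Parameter, per Comparable
    int byName = name.compareTo(other.name);
    return byName != 0 ? byName : value.compareTo(other.value);
}
```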


@ -1,62 +1,59 @@
package org.owasp.webgoat.session;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/
public class ParameterNotFoundException extends Exception
{
/**
/**
*
*/
private static final long serialVersionUID = 3286112913299408382L;
/**
* Constructs a new ParameterNotFoundException with no detail message.
*/
public ParameterNotFoundException()
{
super();
}
/**
* Constructs a new ParameterNotFoundException with no detail message.
*/
public ParameterNotFoundException()
{
super();
}
/**
* Constructs a new ParameterNotFoundException with the specified detail
* message.
*
*@param s the detail message
*/
public ParameterNotFoundException(String s)
{
super(s);
}
* Constructs a new ParameterNotFoundException with the specified detail message.
*
* @param s
* the detail message
*/
public ParameterNotFoundException(String s)
{
super(s);
}
}


@ -1,40 +1,38 @@
package org.owasp.webgoat.session;
import java.util.Enumeration;
import java.util.StringTokenizer;
import java.util.Vector;
import java.util.regex.Pattern;
import javax.servlet.ServletRequest;
import org.owasp.webgoat.util.HtmlEncoder;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
@ -44,15 +42,14 @@ public class ParameterParser
{
private final static String ALLOWED_CHARACTERS = "$()-?.@!,:;=//+"; // Don't
// allow
// #&
// specifically
// allow
// #&
// specifically
private ServletRequest request;
/**
* Constructs a new ParameterParser to handle the parameters of the given
* request.
* Constructs a new ParameterParser to handle the parameters of the given request.
*
* @param request
* the servlet request
@ -80,7 +77,8 @@ public class ParameterParser
if (Character.isLetterOrDigit(c) || Character.isWhitespace(c) || (ALLOWED_CHARACTERS.indexOf(c) != -1))
{
clean.append(c);
} else
}
else
{
clean.append('.');
}
@ -104,8 +102,8 @@ public class ParameterParser
}
/**
* Gets the named parameter value as a boolean, with a default. Returns the
* default value if the parameter is not found.
* Gets the named parameter value as a boolean, with a default. Returns the default value if the
* parameter is not found.
*
* @param name
* the parameter name
@ -118,8 +116,7 @@ public class ParameterParser
try
{
return getBooleanParameter(name);
}
catch (Exception e)
} catch (Exception e)
{
return def;
}
@ -141,8 +138,7 @@ public class ParameterParser
try
{
return new Boolean(getSubParameter(first, next)).booleanValue();
}
catch (Exception e)
} catch (Exception e)
{
return def;
}
@ -165,9 +161,8 @@ public class ParameterParser
}
/**
* Gets the named parameter value as a byte, with a default. Returns the
* default value if the parameter is not found or cannot be converted to a
* byte.
* Gets the named parameter value as a byte, with a default. Returns the default value if the
* parameter is not found or cannot be converted to a byte.
*
* @param name
* the parameter name
@ -180,8 +175,7 @@ public class ParameterParser
try
{
return getByteParameter(name);
}
catch (Exception e)
} catch (Exception e)
{
return def;
}
@ -203,15 +197,16 @@ public class ParameterParser
if (param.length() == 0)
{
throw new ParameterNotFoundException(name + " is empty string");
} else
}
else
{
return (param.charAt(0));
}
}
/**
* Gets the named parameter value as a char, with a default. Returns the
* default value if the parameter is not found.
* Gets the named parameter value as a char, with a default. Returns the default value if the
* parameter is not found.
*
* @param name
* the parameter name
@ -224,8 +219,7 @@ public class ParameterParser
try
{
return getCharParameter(name);
}
catch (Exception e)
} catch (Exception e)
{
return def;
}
@ -262,8 +256,7 @@ public class ParameterParser
try
{
return getClassNameParameter(name);
}
catch (Exception e)
} catch (Exception e)
{
return def;
}
@ -286,8 +279,8 @@ public class ParameterParser
}
/**
* Gets the named parameter value as a double, with a default. Returns the
* default value if the parameter is not found.
* Gets the named parameter value as a double, with a default. Returns the default value if the
* parameter is not found.
*
* @param name
* the parameter name
@ -300,8 +293,7 @@ public class ParameterParser
try
{
return getDoubleParameter(name);
}
catch (Exception e)
} catch (Exception e)
{
return def;
}
@ -324,8 +316,8 @@ public class ParameterParser
}
/**
* Gets the named parameter value as a float, with a default. Returns the
* default value if the parameter is not found.
* Gets the named parameter value as a float, with a default. Returns the default value if the
* parameter is not found.
*
* @param name
* the parameter name
@ -338,16 +330,15 @@ public class ParameterParser
try
{
return getFloatParameter(name);
}
catch (Exception e)
} catch (Exception e)
{
return def;
}
}
/**
* Gets the named parameter value as an IP String, with a default. Returns
* the default value if the parameter is not found or is the empty string.
* Gets the named parameter value as an IP String, with a default. Returns the default value if
* the parameter is not found or is the empty string.
*
* @param name
* the parameter name
@ -360,8 +351,7 @@ public class ParameterParser
try
{
return getIPParameter(name);
}
catch (Exception e)
} catch (Exception e)
{
return def;
}
@ -372,8 +362,7 @@ public class ParameterParser
*
* @param name
* the parameter name
* @return the parameter value as a valid IP String or an Empty string if
* invalid
* @return the parameter value as a valid IP String or an Empty string if invalid
* @exception ParameterNotFoundException
* if the parameter was not found or was the empty string
*/
@ -386,10 +375,12 @@ public class ParameterParser
if (values == null)
{
throw new ParameterNotFoundException(name + " not found");
} else if (values[0].length() == 0)
}
else if (values[0].length() == 0)
{
throw new ParameterNotFoundException(name + " was empty");
} else
}
else
{
// trim illegal characters
value = clean(values[0].trim());
@ -430,15 +421,15 @@ public class ParameterParser
{
valid = false;
}
}
catch (Exception e)
} catch (Exception e)
{
valid = false;
}
octetCount++;
}
} else
}
else
{
// Not a valid IP
valid = false;
@ -472,8 +463,8 @@ public class ParameterParser
}
/**
* Gets the named parameter value as a int, with a default. Returns the
* default value if the parameter is not found.
* Gets the named parameter value as a int, with a default. Returns the default value if the
* parameter is not found.
*
* @param name
* the parameter name
@ -486,8 +477,7 @@ public class ParameterParser
try
{
return getIntParameter(name);
}
catch (Exception e)
} catch (Exception e)
{
return def;
}
@ -510,8 +500,8 @@ public class ParameterParser
}
/**
* Gets the named parameter value as a long, with a default. Returns the
* default value if the parameter is not found.
* Gets the named parameter value as a long, with a default. Returns the default value if the
* parameter is not found.
*
* @param name
* the parameter name
@ -524,16 +514,15 @@ public class ParameterParser
try
{
return getLongParameter(name);
}
catch (Exception e)
} catch (Exception e)
{
return def;
}
}
/**
* Determines which of the required parameters were missing from the
* request. Returns null if all the parameters are present.
* Determines which of the required parameters were missing from the request. Returns null if
* all the parameters are present.
*
* @param requestuired
* Description of the Parameter
@ -556,7 +545,8 @@ public class ParameterParser
if (missing.size() == 0)
{
return null;
} else
}
else
{
String[] ret = new String[missing.size()];
missing.copyInto(ret);
@ -572,10 +562,7 @@ public class ParameterParser
*/
public Enumeration getParameterNames()
{
if (request == null)
{
return (null);
}
if (request == null) { return (null); }
return request.getParameterNames();
}
@ -589,10 +576,7 @@ public class ParameterParser
*/
public String[] getParameterValues(String name)
{
if (request == null)
{
return (null);
}
if (request == null) { return (null); }
return request.getParameterValues(name);
}
@ -611,8 +595,7 @@ public class ParameterParser
try
{
return getRawParameter(name);
}
catch (Exception e)
} catch (Exception e)
{
return def;
}
@ -634,10 +617,8 @@ public class ParameterParser
if (values == null)
{
throw new ParameterNotFoundException(name + " not found");
} else if (values[0].length() == 0)
{
throw new ParameterNotFoundException(name + " was empty");
}
else if (values[0].length() == 0) { throw new ParameterNotFoundException(name + " was empty"); }
return (values[0]);
}
@ -659,8 +640,8 @@ public class ParameterParser
}
/**
* Gets the named parameter value as a short, with a default. Returns the
* default value if the parameter is not found.
* Gets the named parameter value as a short, with a default. Returns the default value if the
* parameter is not found.
*
* @param name
* the parameter name
@ -673,8 +654,7 @@ public class ParameterParser
try
{
return getShortParameter(name);
}
catch (Exception e)
} catch (Exception e)
{
return def;
}
@ -697,10 +677,12 @@ public class ParameterParser
if (values == null)
{
throw new ParameterNotFoundException(name + " not found");
} else if (values[0].length() == 0)
}
else if (values[0].length() == 0)
{
throw new ParameterNotFoundException(name + " was empty");
} else
}
else
{
// trim illegal characters
value = clean(values[0].trim());
@ -716,8 +698,8 @@ public class ParameterParser
}
/**
* Gets the named parameter value as a String, with a default. Returns the
* default value if the parameter is not found or is the empty string.
* Gets the named parameter value as a String, with a default. Returns the default value if the
* parameter is not found or is the empty string.
*
* @param name
* the parameter name
@ -730,8 +712,7 @@ public class ParameterParser
try
{
return getStringParameter(name);
}
catch (Exception e)
} catch (Exception e)
{
return def;
}
@ -753,16 +734,15 @@ public class ParameterParser
try
{
return getSubParameter(first, next);
}
catch (Exception e)
} catch (Exception e)
{
return def;
}
}
/**
* Gets the parameter named 'next' following the parameter 'first'. Presumes
* the structure: first=firstvalue&next=nextValue
* Gets the parameter named 'next' following the parameter 'first'. Presumes the structure:
* first=firstvalue&next=nextValue
*
* @param first
* Description of the Parameter
@ -780,20 +760,19 @@ public class ParameterParser
if (values == null)
{
throw new ParameterNotFoundException(first + " not found");
} else if (values[0].length() == 0)
}
else if (values[0].length() == 0)
{
throw new ParameterNotFoundException(first + " was empty");
} else
}
else
{
value = clean(values[0].trim());
int idx = value.indexOf("&") + 1;
// index of first char of first sub-param name
if (idx == 0)
{
throw new ParameterNotFoundException("No subparameter key");
}
if (idx == 0) { throw new ParameterNotFoundException("No subparameter key"); }
value = value.substring(idx);
@ -803,17 +782,15 @@ public class ParameterParser
// System.out.println("= = = = = =Parameter parser nextValueIndex =
// " + nextValueIndex );
if (nextValueIndex < 0)
{
throw new ParameterNotFoundException("No subparameter value");
}
if (nextValueIndex < 0) { throw new ParameterNotFoundException("No subparameter value"); }
nextValueIndex += (next.length() + 1);
if (nextValueIndex >= 0)
{
value = value.substring(nextValueIndex);
} else
}
else
{
throw new ParameterNotFoundException(next + " not found");
}
@ -861,35 +838,30 @@ public class ParameterParser
try
{
return getWordParameter(name);
}
catch (Exception e)
} catch (Exception e)
{
return def;
}
}
/**
* Gets the specified parameter from the request and validates it against
* the provided regular expression. If the regular expression check fails,
* the default value is returned instead.
* Gets the specified parameter from the request and validates it against the provided regular
* expression. If the regular expression check fails, the default value is returned instead.
*
* @param name
* The name of the parameter to retrieve from the request.
* @param def
* The default value of the parameter.
* @param regexpattern
* The precompiled regular expression to be used to validate the
* parameter.
* @return The validated parameter value, or the default value if validation
* failed.
* The precompiled regular expression to be used to validate the parameter.
* @return The validated parameter value, or the default value if validation failed.
*/
private String getRegexParameter(String name, String def, Pattern regexpattern) throws ValidationException
{
try
{
return getRegexParameter(name, regexpattern);
}
catch (Exception e)
} catch (Exception e)
{
// System.out.println("Exception occured in defined pattern match");
// e.printStackTrace();
@ -898,29 +870,27 @@ public class ParameterParser
}
/**
* Gets the specified parameter from the request and validates it against
* the provided regular expression. If the regular expression check fails,
* the default value is returned instead.
* Gets the specified parameter from the request and validates it against the provided regular
* expression. If the regular expression check fails, the default value is returned instead.
*
* @param name
* The name of the parameter to retrieve from the request.
* @param def
* The default value of the parameter.
* @param regexpattern
* The precompiled regular expression to be used to validate the
* parameter.
* @return The validated parameter value, or the default value if validation
* failed.
* The precompiled regular expression to be used to validate the parameter.
* @return The validated parameter value, or the default value if validation failed.
*/
private String getRegexParameter(String name, Pattern regexpattern) throws ParameterNotFoundException,
ValidationException
ValidationException
{
String param = getStringParameter(name);
if (regexpattern.matcher(param).matches())
{
return param;
} else
}
else
{
// System.out.println(param + " didn't match defined pattern.");
throw new ValidationException(name + " contained an invalid value");
@ -928,7 +898,7 @@ public class ParameterParser
}
public String getStrictAlphaParameter(String name, int maxLength) throws ParameterNotFoundException,
ValidationException
ValidationException
{
String alphaRegEx = "^[a-zA-Z\\s]{0," + maxLength + "}$";
Pattern alphaPattern = Pattern.compile(alphaRegEx);
@ -937,7 +907,7 @@ public class ParameterParser
}
public String getStrictNumericParameter(String name, int maxLength) throws ParameterNotFoundException,
ValidationException
ValidationException
{
String numericRegEx = "^\\d{0," + maxLength + "}$";
Pattern numericPattern = Pattern.compile(numericRegEx);
@ -1025,8 +995,7 @@ public class ParameterParser
return getRegexParameter(name, def, datepattern);
}
private static final String URLREGEX =
"^(((https?)://)([-()_.!~*';/?:@&=+$,A-Za-z0-9])+)([).!';/?:,][[:blank:]])?$";
private static final String URLREGEX = "^(((https?)://)([-()_.!~*';/?:@&=+$,A-Za-z0-9])+)([).!';/?:,][[:blank:]])?$";
private static final Pattern URLpattern = Pattern.compile(URLREGEX);

@ -1,90 +1,103 @@
package org.owasp.webgoat.session;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
public class RandomLessonTracker extends LessonTracker {
public class RandomLessonTracker extends LessonTracker
{
private String[] stages;
private String stage;
private Map<String, Boolean> completed = new HashMap<String, Boolean>();
public RandomLessonTracker(String[] stages) {
if (stages == null)
stages = new String[0];
public RandomLessonTracker(String[] stages)
{
if (stages == null) stages = new String[0];
this.stages = stages;
}
public void setStage(String stage) {
public void setStage(String stage)
{
this.stage = stage;
}
public String getStage() {
if (this.stage == null && stages.length > 0)
return stages[0];
public String getStage()
{
if (this.stage == null && stages.length > 0) return stages[0];
return this.stage;
}
public void setStageComplete(String stage, boolean complete) {
public void setStageComplete(String stage, boolean complete)
{
completed.put(stage, Boolean.valueOf(complete));
for (int i=0; i<stages.length-1; i++)
if (stages[i].equals(stage))
setStage(stages[i+1]);
for (int i = 0; i < stages.length - 1; i++)
if (stages[i].equals(stage)) setStage(stages[i + 1]);
}
public boolean hasCompleted(String stage) {
public boolean hasCompleted(String stage)
{
Boolean complete = completed.get(stage);
return complete == null ? false : complete.booleanValue();
}
@Override
public boolean getCompleted() {
for (int i=0; i<stages.length; i++)
if (!hasCompleted(stages[i]))
return false;
public boolean getCompleted()
{
for (int i = 0; i < stages.length; i++)
if (!hasCompleted(stages[i])) return false;
return true;
}
@Override
public void setCompleted(boolean complete) {
if (complete == true)
throw new UnsupportedOperationException("Use individual stage completion instead");
for (int i=0;i<stages.length; i++)
public void setCompleted(boolean complete)
{
if (complete == true) throw new UnsupportedOperationException("Use individual stage completion instead");
for (int i = 0; i < stages.length; i++)
setStageComplete(stages[i], false);
setStage(stages[0]);
}
protected void setProperties(Properties props, Screen screen) {
super.setProperties(props, screen);
for (int i=0; i<stages.length; i++) {
String p = props.getProperty(screen.getTitle() + "." + stages[i] + ".completed");
if (p != null) {
setStageComplete(stages[i], Boolean.valueOf(p));
}
}
setStage(props.getProperty(screen.getTitle() + ".stage"));
}
public void store(WebSession s, Screen screen, String user) {
for (int i=0; i<stages.length; i++) {
if (hasCompleted(stages[i]))
lessonProperties.setProperty(screen.getTitle() + "." + stages[i] + ".completed", Boolean.TRUE.toString());
}
protected void setProperties(Properties props, Screen screen)
{
super.setProperties(props, screen);
for (int i = 0; i < stages.length; i++)
{
String p = props.getProperty(screen.getTitle() + "." + stages[i] + ".completed");
if (p != null)
{
setStageComplete(stages[i], Boolean.valueOf(p));
}
}
setStage(props.getProperty(screen.getTitle() + ".stage"));
}
public void store(WebSession s, Screen screen, String user)
{
for (int i = 0; i < stages.length; i++)
{
if (hasCompleted(stages[i]))
lessonProperties.setProperty(screen.getTitle() + "." + stages[i] + ".completed", Boolean.TRUE
.toString());
}
lessonProperties.setProperty(screen.getTitle() + ".stage", getStage());
super.store(s, screen, user);
}
public String toString() {
StringBuffer buff = new StringBuffer();
buff.append(super.toString());
for (int i=0; i<stages.length; i++) {
buff.append(" - completed " + stages[i] + " :....... " + hasCompleted(stages[i]) + "\n");
}
buff.append(" - currentStage:....... " + getStage() + "\n");
return buff.toString();
}
}
public String toString()
{
StringBuffer buff = new StringBuffer();
buff.append(super.toString());
for (int i = 0; i < stages.length; i++)
{
buff.append(" - completed " + stages[i] + " :....... " + hasCompleted(stages[i]) + "\n");
}
buff.append(" - currentStage:....... " + getStage() + "\n");
return buff.toString();
}
}
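Review bot: `setCompleted(false)` ends with `setStage(stages[0])`, which throws ArrayIndexOutOfBoundsException when the tracker holds no stages — a reachable state, since the constructor deliberately normalizes a null array to `new String[0]` and every other method guards on `stages.length`. Replacing the last line with `setStage(stages.length > 0 ? stages[0] : null);` keeps the reset consistent with `getStage()`, which already treats a null stage as "first stage". Separately, the loop in `setStageComplete` keeps scanning after a match, so a stage name that appears twice in `stages` advances the tracker to the last occurrence; if duplicates are not meant to occur, a `break` after `setStage(stages[i + 1])` makes that explicit. `toString` could use `StringBuilder` rather than the synchronized `StringBuffer`, as nothing here is shared across threads as far as this file shows.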

@ -1,8 +1,8 @@
package org.owasp.webgoat.session;
import java.io.PrintWriter;
import java.util.Properties;
import org.apache.ecs.Element;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement;
@ -11,326 +11,309 @@ import org.apache.ecs.html.Font;
import org.apache.ecs.html.IMG;
import org.owasp.webgoat.lessons.AbstractLesson;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created October 28, 2003
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created October 28, 2003
*/
public abstract class Screen
{
/**
* Description of the Field
*/
public static int MAIN_SIZE = 375;
//private Head head;
private Element content;
final static IMG logo = new IMG("images/aspectlogo-horizontal-small.jpg")
.setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0);
/**
* Constructor for the Screen object
*/
public Screen()
{}
// FIXME: Each lesson should have a role assigned to it. Each user/student
// should also have a role(s) assigned. The user would only be allowed
// to see lessons that correspond to their role. Eventually these roles
// will be stored in the internal database. The user will be able to hack
// into the database and change their role. This will allow the user to
// see the admin screens, once they figure out how to turn the admin switch on.
public abstract String getRole();
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected abstract Element createContent(WebSession s);
/**
* Gets the credits attribute of the Screen object
*
* @return The credits value
*/
public abstract Element getCredits();
/**
* Creates a new lessonTracker object.
*
* @param props The properties file that was used to persist the user data.
* @return Description of the Return Value
*/
public LessonTracker createLessonTracker(Properties props)
{
// If the lesson had any specialized properties in the user persisted properties,
// now would be the time to pull them out.
return createLessonTracker();
}
/**
* This allows the screens to provide a custom LessonTracker object if needed.
*
* @return Description of the Return Value
*/
public LessonTracker createLessonTracker()
{
return new LessonTracker();
}
/**
* Gets the lessonTracker attribute of the AbstractLesson object
*
* @param userName Description of the Parameter
* @return The lessonTracker value
*/
public LessonTracker getLessonTracker(WebSession s)
{
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, this);
}
public LessonTracker getLessonTracker(WebSession s, String userNameOverride)
{
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, userNameOverride, this);
}
public LessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
{
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, lesson);
}
/**
* Fill in a descriptive title for this lesson
*
* @return The title value
*/
public abstract String getTitle();
protected void setContent(Element content)
{
this.content = content;
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
protected Element makeLogo()
{
return new A("http://www.aspectsecurity.com/webgoat.html", logo);
}
public String getSponsor()
{
return "Aspect Security";
}
public String getSponsorLogoResource()
{
return "images/aspectlogo-horizontal-small.jpg";
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeMessages(WebSession s)
{
if (s == null)
{
return (new StringElement(""));
}
Font f = new Font().setColor(HtmlColor.RED);
String message = s.getMessage();
f.addElement(message);
return (f);
}
/**
* Returns the content length of the the html.
*
*/
public int getContentLength()
{
return content.toString().length();
}
/**
* Description of the Method
*
* @param out Description of the Parameter
*/
public void output(PrintWriter out)
{
// format output -- then send to printwriter
// otherwise we're doing way too much SSL encryption work
out.print(content.toString());
}
public String getContent()
{
return (content == null) ? "" : content.toString();
}
/**
* Description of the Method
*
* @param x Description of the Parameter
* @return Description of the Return Value
*/
protected static String pad(int x)
{
StringBuffer sb = new StringBuffer();
if (x < 10)
{
sb.append(" ");
}
if (x < 100)
{
sb.append(" ");
}
sb.append(x);
return (sb.toString());
}
/**
* Description of the Method
*
* @param token Description of the Parameter
* @return Description of the Return Value
*/
protected static String convertMetachars(String token)
{
int mci = 0;
/*
* meta char array
*
* FIXME: Removed the conversion of whitespace " " to "&nbsp" in order for the
* html to be automatically wrapped in client browser. It is better to add line
* length checking and only do "&nbsp" conversion in lines that won't exceed
* screen size, say less than 80 characters.
/**
* Description of the Field
*/
String[] metaChar = { "&", "<", ">", "\"", "\t",
System.getProperty("line.separator") };
public static int MAIN_SIZE = 375;
String[] htmlCode = { "&amp;", "&lt;", "&gt;", "&quot;", " ", "<br>" };
// private Head head;
private Element content;
String replacedString = token;
for (; mci < metaChar.length; mci += 1)
final static IMG logo = new IMG("images/aspectlogo-horizontal-small.jpg").setAlt("Aspect Security").setBorder(0)
.setHspace(0).setVspace(0);
/**
* Constructor for the Screen object
*/
public Screen()
{
replacedString = replacedString.replaceAll(metaChar[mci],
htmlCode[mci]);
}
return (replacedString);
}
// FIXME: Each lesson should have a role assigned to it. Each user/student
// should also have a role(s) assigned. The user would only be allowed
// to see lessons that correspond to their role. Eventually these roles
// will be stored in the internal database. The user will be able to hack
// into the database and change their role. This will allow the user to
// see the admin screens, once they figure out how to turn the admin switch on.
public abstract String getRole();
/**
* Description of the Method
*
* @param token Description of the Parameter
* @return Description of the Return Value
*/
protected static String convertMetacharsJavaCode(String token)
{
return (convertMetachars(token).replaceAll(" ", "&nbsp;"));
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected abstract Element createContent(WebSession s);
//protected abstract Element wrapForm( WebSession s );
/**
* Gets the credits attribute of the Screen object
*
* @return The credits value
*/
public abstract Element getCredits();
/**
* Creates a new lessonTracker object.
*
* @param props
* The properties file that was used to persist the user data.
* @return Description of the Return Value
*/
public LessonTracker createLessonTracker(Properties props)
{
// If the lesson had any specialized properties in the user persisted properties,
// now would be the time to pull them out.
return createLessonTracker();
}
/**
* This allows the screens to provide a custom LessonTracker object if needed.
*
* @return Description of the Return Value
*/
public LessonTracker createLessonTracker()
{
return new LessonTracker();
}
/**
* Gets the lessonTracker attribute of the AbstractLesson object
*
* @param userName
* Description of the Parameter
* @return The lessonTracker value
*/
public LessonTracker getLessonTracker(WebSession s)
{
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, this);
}
public LessonTracker getLessonTracker(WebSession s, String userNameOverride)
{
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, userNameOverride, this);
}
public LessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
{
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, lesson);
}
/**
* Fill in a descriptive title for this lesson
*
* @return The title value
*/
public abstract String getTitle();
protected void setContent(Element content)
{
this.content = content;
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
protected Element makeLogo()
{
return new A("http://www.aspectsecurity.com/webgoat.html", logo);
}
public String getSponsor()
{
return "Aspect Security";
}
public String getSponsorLogoResource()
{
return "images/aspectlogo-horizontal-small.jpg";
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeMessages(WebSession s)
{
if (s == null) {
return (new StringElement("")); }
Font f = new Font().setColor(HtmlColor.RED);
String message = s.getMessage();
f.addElement(message);
return (f);
}
/**
* Returns the content length of the the html.
*
*/
public int getContentLength()
{
return content.toString().length();
}
/**
* Description of the Method
*
* @param out
* Description of the Parameter
*/
public void output(PrintWriter out)
{
// format output -- then send to printwriter
// otherwise we're doing way too much SSL encryption work
out.print(content.toString());
}
public String getContent()
{
return (content == null) ? "" : content.toString();
}
/**
* Description of the Method
*
* @param x
* Description of the Parameter
* @return Description of the Return Value
*/
protected static String pad(int x)
{
StringBuffer sb = new StringBuffer();
if (x < 10)
{
sb.append(" ");
}
if (x < 100)
{
sb.append(" ");
}
sb.append(x);
return (sb.toString());
}
/**
* Description of the Method
*
* @param token
* Description of the Parameter
* @return Description of the Return Value
*/
protected static String convertMetachars(String token)
{
int mci = 0;
/*
* meta char array FIXME: Removed the conversion of whitespace " " to "&nbsp" in order for
* the html to be automatically wrapped in client browser. It is better to add line length
* checking and only do "&nbsp" conversion in lines that won't exceed screen size, say less
* than 80 characters.
*/
String[] metaChar = { "&", "<", ">", "\"", "\t", System.getProperty("line.separator") };
String[] htmlCode = { "&amp;", "&lt;", "&gt;", "&quot;", " ", "<br>" };
String replacedString = token;
for (; mci < metaChar.length; mci += 1)
{
replacedString = replacedString.replaceAll(metaChar[mci], htmlCode[mci]);
}
return (replacedString);
}
/**
* Description of the Method
*
* @param token
* Description of the Parameter
* @return Description of the Return Value
*/
protected static String convertMetacharsJavaCode(String token)
{
return (convertMetachars(token).replaceAll(" ", "&nbsp;"));
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
// protected abstract Element wrapForm( WebSession s );
}
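Review bot: `getContentLength()` and `output(PrintWriter)` dereference `content` unconditionally while `getContent()` guards against null, so a Screen whose content was never set throws NullPointerException from two of its three accessors; `return getContent().length();` and `out.print(getContent());` make all three agree. `convertMetachars` is this class's HTML encoder and calls `replaceAll`, which compiles each entry of `metaChar` as a regular expression on every call; `String.replace(CharSequence, CharSequence)` does the intended literal replacement without that cost. That encoder also maps `&`, `<`, `>`, `"`, tab and newline but not `'`, so its output is only safe in element content and double-quoted attributes — worth stating in its Javadoc, e.g. `Does not encode the apostrophe; do not use for single-quoted attribute values.` `public static int MAIN_SIZE` is a mutable public static and should be `final` unless something outside this file assigns it. The Javadoc block that closes the class documents only the commented-out `wrapForm` declaration beneath it and should be removed together with that dead code.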

@ -1,39 +1,38 @@
package org.owasp.webgoat.session;
import java.util.Properties;
public class SequentialLessonTracker extends LessonTracker {
private int currentStage = 1;
public class SequentialLessonTracker extends LessonTracker
{
private int currentStage = 1;
public int getStage()
{
return currentStage;
}
public int getStage()
{
return currentStage;
}
public void setStage(int stage)
{
currentStage = stage;
}
protected void setProperties(Properties props, Screen screen)
{
super.setProperties(props, screen);
currentStage = Integer.parseInt(props.getProperty(screen.getTitle() + ".currentStage"));
}
public void setStage(int stage)
{
currentStage = stage;
}
public void store(WebSession s, Screen screen, String user)
{
lessonProperties.setProperty(screen.getTitle() + ".currentStage", Integer.toString(currentStage));
super.store(s, screen, user);
}
protected void setProperties(Properties props, Screen screen)
{
super.setProperties(props, screen);
currentStage = Integer.parseInt(props.getProperty(screen.getTitle()
+ ".currentStage"));
}
public void store(WebSession s, Screen screen, String user)
{
lessonProperties.setProperty(screen.getTitle() + ".currentStage",
Integer.toString(currentStage));
super.store(s, screen, user);
}
public String toString() {
return super.toString() + " - currentStage:....... " + currentStage + "\n";
}
public String toString()
{
return super.toString() + " - currentStage:....... " + currentStage + "\n";
}
}
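Review bot: `setProperties` passes `props.getProperty(screen.getTitle() + ".currentStage")` straight to `Integer.parseInt`, which throws NumberFormatException when the key is absent (`parseInt(null)` throws it too) or not numeric, so a missing or hand-edited entry aborts loading of the whole tracker. The sibling `RandomLessonTracker.setProperties` null-checks its property before use, and this class should do the same: `String p = props.getProperty(screen.getTitle() + ".currentStage");` followed by `if (p != null) currentStage = Integer.parseInt(p);`. Whether a malformed value should additionally fall back to the default of 1 rather than propagate depends on how the properties file is sourced, which is not visible here. `toString` also lacks the `@Override` annotation used elsewhere in this commit.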

@ -1,31 +1,30 @@
package org.owasp.webgoat.session;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/

@ -1,31 +1,30 @@
package org.owasp.webgoat.session;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/

@ -1,3 +1,4 @@
package org.owasp.webgoat.session;
import java.util.ArrayList;
@ -5,269 +6,269 @@ import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.apache.catalina.Role;
import org.apache.catalina.User;
import org.apache.catalina.users.MemoryUserDatabase;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 29, 2003
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 29, 2003
*/
public class UserTracker
{
private static UserTracker instance;
private static UserTracker instance;
// FIXME: persist this somehow!
// FIXME: persist this somehow!
private static HashMap<String, HashMap<String, LessonTracker>> storage = new HashMap<String, HashMap<String, LessonTracker>>();
private static HashMap<String, HashMap<String, LessonTracker>> storage = new HashMap<String, HashMap<String, LessonTracker>>();
private static MemoryUserDatabase usersDB = new MemoryUserDatabase();
private static MemoryUserDatabase usersDB = new MemoryUserDatabase();
/**
* Constructor for the UserTracker object
*/
private UserTracker()
{}
/**
* Gets the completed attribute of the UserTracker object
*
* @param userName Description of the Parameter
* @return The completed value
*/
public int getCompleted(String userName)
{
HashMap usermap = getUserMap(userName);
Iterator i = usermap.entrySet().iterator();
int count = 0;
while (i.hasNext())
/**
* Constructor for the UserTracker object
*/
private UserTracker()
{
Map.Entry entry = (Map.Entry) i.next();
int value = ((Integer) entry.getValue()).intValue();
if (value > 5)
{
count++;
}
}
return count;
}
/**
* Gets the users attribute of the UserTracker object
*
* @return The users value
*/
public Collection getUsers()
{
return storage.keySet();
}
public Collection<String> getAllUsers(String roleName)
{
synchronized (usersDB)
/**
* Gets the completed attribute of the UserTracker object
*
* @param userName
* Description of the Parameter
* @return The completed value
*/
public int getCompleted(String userName)
{
Collection<String> allUsers = new ArrayList<String>();
try
{
usersDB.open();
Iterator users = usersDB.getUsers();
while (users.hasNext())
HashMap usermap = getUserMap(userName);
Iterator i = usermap.entrySet().iterator();
int count = 0;
while (i.hasNext())
{
User user = (User) users.next();
Iterator roles = user.getRoles();
while (roles.hasNext())
{
Role role = (Role) roles.next();
if (role.getRolename().trim().equals(roleName))
Map.Entry entry = (Map.Entry) i.next();
int value = ((Integer) entry.getValue()).intValue();
if (value > 5)
{
allUsers.add(user.getUsername());
count++;
}
}
}
usersDB.close();
}
catch (Exception e)
{}
return allUsers;
return count;
}
}
public void deleteUser(String user)
{
synchronized (usersDB)
/**
* Gets the users attribute of the UserTracker object
*
* @return The users value
*/
public Collection getUsers()
{
try
{
usersDB.open();
Iterator users = usersDB.getUsers();
while (users.hasNext())
return storage.keySet();
}
public Collection<String> getAllUsers(String roleName)
{
synchronized (usersDB)
{
User tomcatUser = (User) users.next();
if (tomcatUser.getUsername().equals(user))
{
usersDB.removeUser(tomcatUser);
// FIXME: delete all the lesson tracking property files
break;
}
Collection<String> allUsers = new ArrayList<String>();
try
{
usersDB.open();
Iterator users = usersDB.getUsers();
while (users.hasNext())
{
User user = (User) users.next();
Iterator roles = user.getRoles();
while (roles.hasNext())
{
Role role = (Role) roles.next();
if (role.getRolename().trim().equals(roleName))
{
allUsers.add(user.getUsername());
}
}
}
usersDB.close();
} catch (Exception e)
{
}
return allUsers;
}
usersDB.close();
}
catch (Exception e)
{}
}
}
/**
* Gets the lessonTracker attribute of the UserTracker object
*
* @param screen Description of the Parameter
* @param userName Description of the Parameter
* @return The lessonTracker value
*/
public LessonTracker getLessonTracker(WebSession s, Screen screen)
{
return getLessonTracker(s, s.getUserName(), screen);
}
public LessonTracker getLessonTracker(WebSession s, String user,
Screen screen)
{
HashMap<String, LessonTracker> usermap = getUserMap(user);
LessonTracker tracker = (LessonTracker) usermap.get(screen.getTitle());
if (tracker == null)
public void deleteUser(String user)
{
// Creates a new lesson tracker, if one does not exist on disk.
tracker = LessonTracker.load(s, user, screen);
usermap.put(screen.getTitle(), tracker);
synchronized (usersDB)
{
try
{
usersDB.open();
Iterator users = usersDB.getUsers();
while (users.hasNext())
{
User tomcatUser = (User) users.next();
if (tomcatUser.getUsername().equals(user))
{
usersDB.removeUser(tomcatUser);
// FIXME: delete all the lesson tracking property files
break;
}
}
usersDB.close();
} catch (Exception e)
{
}
}
}
//System.out.println( "User: [" + userName + "] UserTracker:getLessonTracker() LTH " + tracker.hashCode() + " for " + screen );
return tracker;
}
/**
* Gets the lessonTracker attribute of the UserTracker object
*
* @param screen
* Description of the Parameter
* @param userName
* Description of the Parameter
* @return The lessonTracker value
*/
public LessonTracker getLessonTracker(WebSession s, Screen screen)
{
return getLessonTracker(s, s.getUserName(), screen);
}
/**
* Gets the status attribute of the UserTracker object
*
* @param screen Description of the Parameter
* @param userName Description of the Parameter
* @return The status value
*/
public String getStatus(WebSession s, Screen screen)
{
return ("User [" + s.getUserName() + "] has accessed " + screen
+ " UserTracker:getStatus()LTH = " + getLessonTracker(s, screen)
.hashCode());
}
public LessonTracker getLessonTracker(WebSession s, String user, Screen screen)
{
HashMap<String, LessonTracker> usermap = getUserMap(user);
LessonTracker tracker = (LessonTracker) usermap.get(screen.getTitle());
if (tracker == null)
{
// Creates a new lesson tracker, if one does not exist on disk.
tracker = LessonTracker.load(s, user, screen);
usermap.put(screen.getTitle(), tracker);
}
// System.out.println( "User: [" + userName + "] UserTracker:getLessonTracker() LTH " +
// tracker.hashCode() + "
// for " + screen );
return tracker;
}
/**
* Gets the status attribute of the UserTracker object
*
* @param screen
* Description of the Parameter
* @param userName
* Description of the Parameter
* @return The status value
*/
public String getStatus(WebSession s, Screen screen)
{
return ("User [" + s.getUserName() + "] has accessed " + screen + " UserTracker:getStatus()LTH = " + getLessonTracker(
s,
screen)
.hashCode());
}
/**
* Gets the userMap attribute of the UserTracker object
*
* @param userName Description of the Parameter
* @return The userMap value
*/
private HashMap<String, LessonTracker> getUserMap(String userName)
{
HashMap<String, LessonTracker> usermap = storage.get(userName);
if (usermap == null)
/**
* Gets the userMap attribute of the UserTracker object
*
* @param userName
* Description of the Parameter
* @return The userMap value
*/
private HashMap<String, LessonTracker> getUserMap(String userName)
{
usermap = new HashMap<String, LessonTracker>();
HashMap<String, LessonTracker> usermap = storage.get(userName);
storage.put(userName, usermap);
if (usermap == null)
{
usermap = new HashMap<String, LessonTracker>();
storage.put(userName, usermap);
}
return (usermap);
}
return (usermap);
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public static synchronized UserTracker instance()
{
if (instance == null)
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public static synchronized UserTracker instance()
{
instance = new UserTracker();
if (instance == null)
{
instance = new UserTracker();
}
return instance;
}
return instance;
}
/**
* Description of the Method
*
* @param screen
* Description of the Parameter
* @param s
* Description of the Parameter
*/
public void update(WebSession s, Screen screen)
{
LessonTracker tracker = getLessonTracker(s, screen);
/**
* Description of the Method
*
* @param screen Description of the Parameter
* @param s Description of the Parameter
*/
public void update(WebSession s, Screen screen)
{
// System.out.println( "User [" + s.getUserName() + "] TRACKER: updating " + screen + " LTH
// " +
// tracker.hashCode() );
tracker.store(s, screen);
LessonTracker tracker = getLessonTracker(s, screen);
HashMap<String, LessonTracker> usermap = getUserMap(s.getUserName());
usermap.put(screen.getTitle(), tracker);
//System.out.println( "User [" + s.getUserName() + "] TRACKER: updating " + screen + " LTH " + tracker.hashCode() );
tracker.store(s, screen);
HashMap<String, LessonTracker> usermap = getUserMap(s.getUserName());
usermap.put(screen.getTitle(), tracker);
}
}
}


@ -1,51 +1,48 @@
package org.owasp.webgoat.session;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class ValidationException extends Exception
{
/**
/**
*
*/
private static final long serialVersionUID = -8358754606830400708L;
public ValidationException()
{
super();
}
{
super();
}
public ValidationException(String message)
{
super(message);
}
public ValidationException(String message)
{
super(message);
}
}


@ -1,10 +1,12 @@
package org.owasp.webgoat.session;
import java.util.Iterator;
import javax.servlet.http.HttpServlet;
public class WebgoatContext {
public class WebgoatContext
{
public final static String DATABASE_CONNECTION_STRING = "DatabaseConnectionString";
@ -17,7 +19,7 @@ public class WebgoatContext {
public final static String ENTERPRISE = "Enterprise";
public final static String CODING_EXERCISES = "CodingExercises";
public final static String SHOWCOOKIES = "ShowCookies";
public final static String SHOWPARAMS = "ShowParams";
@ -25,9 +27,9 @@ public class WebgoatContext {
public final static String SHOWREQUEST = "ShowRequest";
public final static String SHOWSOURCE = "ShowSource";
public final static String SHOWSOLUTION = "ShowSolution";
public final static String SHOWHINTS = "ShowHints";
public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands";
@ -61,7 +63,7 @@ public class WebgoatContext {
private boolean enterprise = false;
private boolean codingExercises = false;
private String feedbackAddress = "<A HREF=mailto:webgoat@owasp.org>webgoat@owasp.org</A>";
private boolean isDebug = false;
@ -70,57 +72,56 @@ public class WebgoatContext {
private HttpServlet servlet;
public WebgoatContext(HttpServlet servlet) {
public WebgoatContext(HttpServlet servlet)
{
this.servlet = servlet;
databaseConnectionString = getParameter(servlet, DATABASE_CONNECTION_STRING);
databaseDriver = getParameter(servlet, DATABASE_DRIVER);
databaseUser = getParameter(servlet, DATABASE_USER);
databasePassword = getParameter(servlet, DATABASE_PASSWORD);
// initialize from web.xml
showParams = "true".equals( getParameter(servlet, SHOWPARAMS ) );
showCookies = "true".equals( getParameter(servlet, SHOWCOOKIES ) );
showSource = "true".equals( getParameter(servlet, SHOWSOURCE ) );
showSolution = "true".equals( getParameter( servlet, SHOWSOLUTION ) );
defuseOSCommands = "true".equals( getParameter(servlet, DEFUSEOSCOMMANDS ) );
enterprise = "true".equals( getParameter(servlet, ENTERPRISE ) );
codingExercises = "true".equals( getParameter(servlet, CODING_EXERCISES ) );
feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS ) != null ?
getParameter(servlet, FEEDBACK_ADDRESS ) : feedbackAddress;
showRequest = "true".equals( getParameter(servlet, SHOWREQUEST ) );
isDebug = "true".equals( getParameter(servlet, DEBUG ) );
showParams = "true".equals(getParameter(servlet, SHOWPARAMS));
showCookies = "true".equals(getParameter(servlet, SHOWCOOKIES));
showSource = "true".equals(getParameter(servlet, SHOWSOURCE));
showSolution = "true".equals(getParameter(servlet, SHOWSOLUTION));
defuseOSCommands = "true".equals(getParameter(servlet, DEFUSEOSCOMMANDS));
enterprise = "true".equals(getParameter(servlet, ENTERPRISE));
codingExercises = "true".equals(getParameter(servlet, CODING_EXERCISES));
feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS) != null ? getParameter(servlet, FEEDBACK_ADDRESS)
: feedbackAddress;
showRequest = "true".equals(getParameter(servlet, SHOWREQUEST));
isDebug = "true".equals(getParameter(servlet, DEBUG));
servletName = servlet.getServletName();
}
private String getParameter(HttpServlet servlet, String key) {
private String getParameter(HttpServlet servlet, String key)
{
String value = System.getenv().get(key);
if (value == null)
value = servlet.getInitParameter(key);
if (value == null) value = servlet.getInitParameter(key);
return value;
}
/**
* returns the connection string with the real path to the database
* directory inserted at the word PATH
* returns the connection string with the real path to the database directory inserted at the
* word PATH
*
* @return The databaseConnectionString value
*/
public String getDatabaseConnectionString() {
if (realConnectionString == null)
try {
String path = servlet.getServletContext().getRealPath(
"/database").replace('\\', '/');
System.out.println("PATH: " + path);
realConnectionString = databaseConnectionString.replaceAll(
"PATH", path);
System.out.println("Database Connection String: "
+ realConnectionString);
} catch (Exception e) {
System.out
.println("Couldn't open database: check web.xml database parameters");
e.printStackTrace();
}
public String getDatabaseConnectionString()
{
if (realConnectionString == null) try
{
String path = servlet.getServletContext().getRealPath("/database").replace('\\', '/');
System.out.println("PATH: " + path);
realConnectionString = databaseConnectionString.replaceAll("PATH", path);
System.out.println("Database Connection String: " + realConnectionString);
} catch (Exception e)
{
System.out.println("Couldn't open database: check web.xml database parameters");
e.printStackTrace();
}
return realConnectionString;
}
@ -129,7 +130,8 @@ public class WebgoatContext {
*
* @return The databaseDriver value
*/
public String getDatabaseDriver() {
public String getDatabaseDriver()
{
return (databaseDriver);
}
@ -138,7 +140,8 @@ public class WebgoatContext {
*
* @return The databaseUser value
*/
public String getDatabaseUser() {
public String getDatabaseUser()
{
return (databaseUser);
}
@ -147,51 +150,63 @@ public class WebgoatContext {
*
* @return The databasePassword value
*/
public String getDatabasePassword() {
public String getDatabasePassword()
{
return (databasePassword);
}
public boolean isDefuseOSCommands() {
public boolean isDefuseOSCommands()
{
return defuseOSCommands;
}
public boolean isEnterprise() {
public boolean isEnterprise()
{
return enterprise;
}
public boolean isCodingExercises() {
public boolean isCodingExercises()
{
return codingExercises;
}
public String getFeedbackAddress() {
public String getFeedbackAddress()
{
return feedbackAddress;
}
public boolean isDebug() {
public boolean isDebug()
{
return isDebug;
}
public String getServletName() {
public String getServletName()
{
return servletName;
}
public boolean isShowCookies() {
public boolean isShowCookies()
{
return showCookies;
}
public boolean isShowParams() {
public boolean isShowParams()
{
return showParams;
}
public boolean isShowRequest() {
public boolean isShowRequest()
{
return showRequest;
}
public boolean isShowSource() {
public boolean isShowSource()
{
return showSource;
}
public boolean isShowSolution() {
public boolean isShowSolution()
{
return showSolution;
}
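Review bot: The reformat left `if (realConnectionString == null) try` collapsed onto one line in `getDatabaseConnectionString()` and `if (value == null) value = servlet.getInitParameter(key);` on one line in `getParameter`; both compile, but the unbraced `if` wrapping a whole try/catch hides the control flow and invites a mis-edit when a statement is later added before the `try`. I would brace them: `if (realConnectionString == null)` / `{` / `try { ... } catch (Exception e) { ... }` / `}`. Separately, `System.out.println("Database Connection String: " + realConnectionString);` writes the resolved connection string to the server's stdout; credentials are read from separate init parameters here, but if an operator ever embeds them in `DatabaseConnectionString` they will end up in the container log, so a comment such as `// NOTE: logged verbatim; keep credentials out of the connection string` would be worth adding. The broad `catch (Exception e)` with `e.printStackTrace()` is pre-existing and unchanged by this commit.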


@ -1,133 +1,123 @@
package org.owasp.webgoat.session;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.Properties;
/*******************************************************************************
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class WebgoatProperties extends Properties
{
/**
/**
*
*/
private static final long serialVersionUID = 4351681705558227918L;
public WebgoatProperties(String propertiesFileName) throws IOException
{
try
{
FileInputStream in = new FileInputStream(propertiesFileName);
load(in);
}
catch (IOException e)
{
System.out
.println("Warning: Unable to open webgoat.properties file");
}
}
public int getIntProperty(String key, int defaultValue)
{
int value = defaultValue;
String s = getProperty(key);
if (s != null)
{
value = Integer.parseInt(s);
try
{
FileInputStream in = new FileInputStream(propertiesFileName);
load(in);
} catch (IOException e)
{
System.out.println("Warning: Unable to open webgoat.properties file");
}
}
return value;
}
public boolean getBooleanProperty(String key, boolean defaultValue)
{
boolean value = defaultValue;
key = this.trimLesson(key);
String s = getProperty(key);
if (s != null)
public int getIntProperty(String key, int defaultValue)
{
if (s.equalsIgnoreCase("true"))
value = true;
else if (s.equalsIgnoreCase("yes"))
value = true;
else if (s.equalsIgnoreCase("on"))
value = true;
else if (s.equalsIgnoreCase("false"))
value = false;
else if (s.equalsIgnoreCase("no"))
value = false;
else if (s.equalsIgnoreCase("off"))
value = false;
int value = defaultValue;
String s = getProperty(key);
if (s != null)
{
value = Integer.parseInt(s);
}
return value;
}
return value;
}
private String trimLesson(String lesson)
{
String result = "";
if (lesson.startsWith("org.owasp.webgoat.lessons."))
public boolean getBooleanProperty(String key, boolean defaultValue)
{
result = lesson.substring("org.owasp.webgoat.lessons.".length(),
lesson.length());
}
else
{
result = lesson;
boolean value = defaultValue;
key = this.trimLesson(key);
String s = getProperty(key);
if (s != null)
{
if (s.equalsIgnoreCase("true"))
value = true;
else if (s.equalsIgnoreCase("yes"))
value = true;
else if (s.equalsIgnoreCase("on"))
value = true;
else if (s.equalsIgnoreCase("false"))
value = false;
else if (s.equalsIgnoreCase("no"))
value = false;
else if (s.equalsIgnoreCase("off")) value = false;
}
return value;
}
return result;
}
public static void main(String[] args)
{
WebgoatProperties properties = null;
try
private String trimLesson(String lesson)
{
properties = new WebgoatProperties("C:\\webgoat.properties");
String result = "";
if (lesson.startsWith("org.owasp.webgoat.lessons."))
{
result = lesson.substring("org.owasp.webgoat.lessons.".length(), lesson.length());
}
else
{
result = lesson;
}
return result;
}
catch (IOException e)
public static void main(String[] args)
{
System.out.println("Error loading properties");
e.printStackTrace();
WebgoatProperties properties = null;
try
{
properties = new WebgoatProperties("C:\\webgoat.properties");
} catch (IOException e)
{
System.out.println("Error loading properties");
e.printStackTrace();
}
System.out.println(properties.getProperty("CommandInjection.category"));
}
System.out.println(properties.getProperty("CommandInjection.category"));
}
}
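Review bot: The `FileInputStream` opened in the `WebgoatProperties(String)` constructor is never closed, on either the success path or the `IOException` path, so every construction leaks a file handle; the reformat preserved this. The stream should be closed in a `finally` block as shown below (try-with-resources is not available to this code base's Java level, as far as the visible source suggests). Note also that the constructor declares `throws IOException` but swallows the exception and prints a warning, so the `catch (IOException e)` in `main` is unreachable and callers cannot distinguish a missing file from an empty one; consider rethrowing or documenting that with `/** Loads {@code propertiesFileName}; a missing or unreadable file yields an empty property set. */`. Finally, `getIntProperty` lets `Integer.parseInt` throw `NumberFormatException` for a malformed value instead of falling back to `defaultValue`, which is probably unintended.

```java
public WebgoatProperties(String propertiesFileName) throws IOException
{
    FileInputStream in = null;
    try
    {
        in = new FileInputStream(propertiesFileName);
        load(in);
    } catch (IOException e)
    {
        System.out.println("Warning: Unable to open webgoat.properties file");
    } finally
    {
        // release the file handle on both the success and the failure path
        if (in != null)
        {
            try
            {
                in.close();
            } catch (IOException ignored)
            {
                // nothing useful to do if closing fails after the load
            }
        }
    }
}
// … unchanged: getIntProperty, getBooleanProperty, trimLesson, main …
```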