Miscellaneous bug fixes
divide by zero, inaccurate discount and totals, reflection of user input git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@273 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
rogan.dawes
@ -0,0 +1,261 @@
|
||||
package org.owasp.webgoat.lessons.DBCrossSiteScripting;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import org.apache.ecs.ElementContainer;
|
||||
import org.owasp.webgoat.lessons.Category;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.EditProfile;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.Login;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.ViewProfile;
|
||||
import org.owasp.webgoat.session.ParameterNotFoundException;
|
||||
import org.owasp.webgoat.session.UnauthenticatedException;
|
||||
import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.ValidationException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
/**
|
||||
/*******************************************************************************
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 2007 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at code.google.com, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* For details, please see http://code.google.com/p/webgoat/
|
||||
*
|
||||
*/
|
||||
public class DBCrossSiteScripting extends GoatHillsFinancial
|
||||
{
|
||||
private final static Integer DEFAULT_RANKING = new Integer(100);
|
||||
|
||||
public final static String STAGE1 = "Stored XSS";
|
||||
|
||||
public final static String STAGE2 = "Block Stored XSS using DB Input Validation";
|
||||
|
||||
protected void registerActions(String className)
|
||||
{
|
||||
registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
|
||||
registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
|
||||
registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
|
||||
registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
|
||||
registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
|
||||
|
||||
// These actions are special in that they chain to other actions.
|
||||
registerAction(new Login(this, className, LOGIN_ACTION,
|
||||
getAction(LISTSTAFF_ACTION)));
|
||||
registerAction(new Logout(this, className, LOGOUT_ACTION,
|
||||
getAction(LOGIN_ACTION)));
|
||||
registerAction(new FindProfile(this, className, FINDPROFILE_ACTION,
|
||||
getAction(VIEWPROFILE_ACTION)));
|
||||
registerAction(new UpdateProfile(this, className,
|
||||
UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
|
||||
registerAction(new DeleteProfile(this, className,
|
||||
DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the category attribute of the CrossSiteScripting object
|
||||
*
|
||||
* @return The category value
|
||||
*/
|
||||
public Category getDefaultCategory()
|
||||
{
|
||||
return Category.XSS;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the hints attribute of the DirectoryScreen object
|
||||
*
|
||||
* @return The hints value
|
||||
*/
|
||||
protected List<String> getHints(WebSession s)
|
||||
{
|
||||
List<String> hints = new ArrayList<String>();
|
||||
|
||||
// Stage 1
|
||||
hints.add("You can put HTML tags in form input fields.");
|
||||
hints
|
||||
.add("Bury a SCRIPT tag in the field to attack anyone who reads it.");
|
||||
hints
|
||||
.add("Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in message fields.");
|
||||
hints
|
||||
.add("Enter this: <script>alert(\"document.cookie\");</script> in message fields.");
|
||||
|
||||
// Stage 2
|
||||
hints
|
||||
.add("Many scripts rely on the use of special characters such as: <");
|
||||
hints
|
||||
.add("Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering).");
|
||||
hints
|
||||
.add("Oracle 10 supports a regular expression matching function : REGEXP_LIKE(text, pattern).");
|
||||
|
||||
return hints;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Gets the instructions attribute of the ParameterInjection object
|
||||
*
|
||||
* @return The instructions value
|
||||
*/
|
||||
public String getInstructions(WebSession s)
|
||||
{
|
||||
String instructions = "";
|
||||
|
||||
if (!getLessonTracker(s).getCompleted())
|
||||
{
|
||||
String stage = getStage(s);
|
||||
if (STAGE1.equals(stage))
|
||||
{
|
||||
instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.<br>"
|
||||
+ "As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page. "
|
||||
+ "Verify that 'Jerry' is affected by the attack. "
|
||||
+ "A sample JavaScript snippet you can use is: <SCRIPT>alert('bang!');</SCRIPT>.";
|
||||
}
|
||||
else if (STAGE2.equals(stage))
|
||||
{
|
||||
instructions = "Stage 2: Block Stored XSS using Input Validation.<br>"
|
||||
+ "Implement a fix in the stored procedure to prevent the stored XSS from being written to the database. ";
|
||||
if (getWebgoatContext().getDatabaseDriver().contains("jtds"))
|
||||
instructions += "Use the provided user-defined function RegexMatch to test the data against a pattern. ";
|
||||
instructions += "A sample regular expression pattern: ^[a-zA-Z0-9,\\. ]{0,80}$ "
|
||||
+ "Repeat stage 1 as 'Eric' with 'David' as the manager. Verify that 'David' is not affected by the attack.";
|
||||
}
|
||||
}
|
||||
|
||||
return instructions;
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
public String[] getStages() {
|
||||
if (getWebgoatContext().isCodingExercises())
|
||||
return new String[] {STAGE1, STAGE2};
|
||||
return new String[] {STAGE1};
|
||||
}
|
||||
|
||||
public void handleRequest(WebSession s)
|
||||
{
|
||||
if (s.getLessonSession(this) == null)
|
||||
s.openLessonSession(this);
|
||||
|
||||
String requestedActionName = null;
|
||||
try
|
||||
{
|
||||
requestedActionName = s.getParser().getStringParameter("action");
|
||||
}
|
||||
catch (ParameterNotFoundException pnfe)
|
||||
{
|
||||
// Let them eat login page.
|
||||
requestedActionName = LOGIN_ACTION;
|
||||
}
|
||||
|
||||
if (requestedActionName != null)
|
||||
{
|
||||
try
|
||||
{
|
||||
LessonAction action = getAction(requestedActionName);
|
||||
|
||||
if (action != null)
|
||||
{
|
||||
if (!action.requiresAuthentication()
|
||||
|| action.isAuthenticated(s))
|
||||
{
|
||||
action.handleRequest(s);
|
||||
//setCurrentAction(s, action.getNextPage(s));
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
}
|
||||
catch (ParameterNotFoundException pnfe)
|
||||
{
|
||||
System.out.println("Missing parameter");
|
||||
pnfe.printStackTrace();
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
catch (ValidationException ve)
|
||||
{
|
||||
System.out.println("Validation failed");
|
||||
ve.printStackTrace();
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
catch (UnauthenticatedException ue)
|
||||
{
|
||||
s.setMessage("Login failed");
|
||||
System.out.println("Authentication failure");
|
||||
ue.printStackTrace();
|
||||
}
|
||||
catch (UnauthorizedException ue2)
|
||||
{
|
||||
s.setMessage("You are not authorized to perform this function");
|
||||
System.out.println("Authorization failure");
|
||||
ue2.printStackTrace();
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
// All other errors send the user to the generic error page
|
||||
System.out.println("handleRequest() error");
|
||||
e.printStackTrace();
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
}
|
||||
|
||||
// All this does for this lesson is ensure that a non-null content exists.
|
||||
setContent(new ElementContainer());
|
||||
}
|
||||
|
||||
protected Integer getDefaultRanking()
|
||||
{
|
||||
return DEFAULT_RANKING;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Gets the title attribute of the CrossSiteScripting object
|
||||
*
|
||||
* @return The title value
|
||||
*/
|
||||
public String getTitle()
|
||||
{
|
||||
return "LAB: DB Cross Site Scripting (XSS)";
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean getDefaultHidden() {
|
||||
String driver = getWebgoatContext().getDatabaseDriver();
|
||||
boolean hidden = ! (driver.contains("oracle") || driver.contains("jtds"));
|
||||
return hidden;
|
||||
}
|
||||
|
||||
}
|
||||
@ -0,0 +1,268 @@
|
||||
package org.owasp.webgoat.lessons.DBCrossSiteScripting;
|
||||
|
||||
import java.sql.CallableStatement;
|
||||
import java.sql.PreparedStatement;
|
||||
import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
|
||||
import org.owasp.webgoat.session.Employee;
|
||||
import org.owasp.webgoat.session.ParameterNotFoundException;
|
||||
import org.owasp.webgoat.session.UnauthenticatedException;
|
||||
import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.ValidationException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
/*******************************************************************************
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 2007 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at code.google.com, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* For details, please see http://code.google.com/p/webgoat/
|
||||
*/
|
||||
public class UpdateProfile extends DefaultLessonAction
|
||||
{
|
||||
|
||||
private LessonAction chainedAction;
|
||||
|
||||
|
||||
public UpdateProfile(GoatHillsFinancial lesson, String lessonName,
|
||||
String actionName, LessonAction chainedAction)
|
||||
{
|
||||
super(lesson, lessonName, actionName);
|
||||
this.chainedAction = chainedAction;
|
||||
}
|
||||
|
||||
|
||||
public void handleRequest(WebSession s) throws ParameterNotFoundException,
|
||||
UnauthenticatedException, UnauthorizedException,
|
||||
ValidationException
|
||||
{
|
||||
if (isAuthenticated(s))
|
||||
{
|
||||
int userId = getIntSessionAttribute(s, getLessonName() + "."
|
||||
+ RoleBasedAccessControl.USER_ID);
|
||||
|
||||
HttpServletRequest request = s.getRequest();
|
||||
int subjectId = Integer.parseInt(request.getParameter(DBCrossSiteScripting.EMPLOYEE_ID));
|
||||
String firstName = request.getParameter(DBCrossSiteScripting.FIRST_NAME);
|
||||
String lastName = request.getParameter(DBCrossSiteScripting.LAST_NAME);
|
||||
String ssn = request.getParameter(DBCrossSiteScripting.SSN);
|
||||
String title = request.getParameter(DBCrossSiteScripting.TITLE);
|
||||
String phone = request.getParameter(DBCrossSiteScripting.PHONE_NUMBER);
|
||||
String address1 = request.getParameter(DBCrossSiteScripting.ADDRESS1);
|
||||
String address2 = request.getParameter(DBCrossSiteScripting.ADDRESS2);
|
||||
int manager = Integer.parseInt(request
|
||||
.getParameter(DBCrossSiteScripting.MANAGER));
|
||||
String startDate = request.getParameter(DBCrossSiteScripting.START_DATE);
|
||||
int salary = Integer.parseInt(request
|
||||
.getParameter(DBCrossSiteScripting.SALARY));
|
||||
String ccn = request.getParameter(DBCrossSiteScripting.CCN);
|
||||
int ccnLimit = Integer.parseInt(request
|
||||
.getParameter(DBCrossSiteScripting.CCN_LIMIT));
|
||||
String disciplinaryActionDate = request
|
||||
.getParameter(DBCrossSiteScripting.DISCIPLINARY_DATE);
|
||||
String disciplinaryActionNotes = request
|
||||
.getParameter(DBCrossSiteScripting.DISCIPLINARY_NOTES);
|
||||
String personalDescription = request
|
||||
.getParameter(DBCrossSiteScripting.DESCRIPTION);
|
||||
|
||||
Employee employee = new Employee(subjectId, firstName, lastName, ssn,
|
||||
title, phone, address1, address2, manager, startDate, salary,
|
||||
ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
|
||||
personalDescription);
|
||||
|
||||
try
|
||||
{
|
||||
if (subjectId > 0)
|
||||
{
|
||||
this.changeEmployeeProfile(s, userId, subjectId, employee);
|
||||
setRequestAttribute(s, getLessonName() + "."
|
||||
+ DBCrossSiteScripting.EMPLOYEE_ID, Integer
|
||||
.toString(subjectId));
|
||||
if (DBCrossSiteScripting.STAGE1.equals(getStage(s)))
|
||||
{
|
||||
address1 = address1.toLowerCase();
|
||||
boolean pass = address1.contains("<script>");
|
||||
pass &= address1.contains("alert");
|
||||
pass &= address1.contains("</script>");
|
||||
if (pass)
|
||||
{
|
||||
setStageComplete(s, DBCrossSiteScripting.STAGE1);
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
this.createEmployeeProfile(s, userId, employee);
|
||||
}
|
||||
catch (SQLException e)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
e.printStackTrace();
|
||||
if (DBCrossSiteScripting.STAGE2.equals(getStage(s)) &&
|
||||
(e.getMessage().contains("ORA-06512") || e.getMessage().contains("Illegal characters")) &&
|
||||
!employee.getAddress1().matches("^[a-zA-Z0-9,\\. ]{0,80}$"))
|
||||
{
|
||||
setStageComplete(s, DBCrossSiteScripting.STAGE2);
|
||||
}
|
||||
|
||||
}
|
||||
catch (ClassNotFoundException e)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
try
|
||||
{
|
||||
chainedAction.handleRequest(s);
|
||||
}
|
||||
catch (UnauthenticatedException ue1)
|
||||
{
|
||||
System.out.println("Internal server error");
|
||||
ue1.printStackTrace();
|
||||
}
|
||||
catch (UnauthorizedException ue2)
|
||||
{
|
||||
System.out.println("Internal server error");
|
||||
ue2.printStackTrace();
|
||||
}
|
||||
}
|
||||
else
|
||||
throw new UnauthenticatedException();
|
||||
}
|
||||
|
||||
public String getNextPage(WebSession s)
|
||||
{
|
||||
return DBCrossSiteScripting.VIEWPROFILE_ACTION;
|
||||
}
|
||||
|
||||
|
||||
public void changeEmployeeProfile(WebSession s, int userId, int subjectId,
|
||||
Employee employee) throws SQLException, ClassNotFoundException
|
||||
{
|
||||
try
|
||||
{
|
||||
String update = " { CALL UPDATE_EMPLOYEE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) }";
|
||||
CallableStatement call = WebSession.getConnection(s).prepareCall(update);
|
||||
// Note: The password field is ONLY set by ChangePassword
|
||||
call.setInt(1, userId);
|
||||
call.setString(2, employee.getFirstName());
|
||||
call.setString(3, employee.getLastName());
|
||||
call.setString(4, employee.getSsn());
|
||||
call.setString(5, employee.getTitle());
|
||||
call.setString(6, employee.getPhoneNumber());
|
||||
call.setString(7, employee.getAddress1());
|
||||
call.setString(8, employee.getAddress2());
|
||||
call.setInt(9, employee.getManager());
|
||||
call.setString(10, employee.getStartDate());
|
||||
call.setInt(11, employee.getSalary());
|
||||
call.setString(12, employee.getCcn());
|
||||
call.setInt(13, employee.getCcnLimit());
|
||||
call.setString(14, employee.getDisciplinaryActionDate());
|
||||
call.setString(15, employee.getDisciplinaryActionNotes());
|
||||
call.setString(16, employee.getPersonalDescription());
|
||||
call.executeUpdate();
|
||||
}
|
||||
catch (ClassNotFoundException e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void createEmployeeProfile(WebSession s, int userId,
|
||||
Employee employee) throws UnauthorizedException
|
||||
{
|
||||
try
|
||||
{
|
||||
int nextId = getNextUID(s);
|
||||
String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)";
|
||||
|
||||
try
|
||||
{
|
||||
PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query);
|
||||
|
||||
ps.setString(1, employee.getFirstName().toLowerCase());
|
||||
ps.setString(2, employee.getLastName());
|
||||
ps.setString(3, employee.getSsn());
|
||||
ps.setString(4, employee.getTitle());
|
||||
ps.setString(5, employee.getPhoneNumber());
|
||||
ps.setString(6, employee.getAddress1());
|
||||
ps.setString(7, employee.getAddress2());
|
||||
ps.setInt(8, employee.getManager());
|
||||
ps.setString(9, employee.getStartDate());
|
||||
ps.setString(10, employee.getCcn());
|
||||
ps.setInt(11, employee.getCcnLimit());
|
||||
ps.setString(12, employee.getDisciplinaryActionDate());
|
||||
ps.setString(13, employee.getDisciplinaryActionNotes());
|
||||
ps.setString(14, employee.getPersonalDescription());
|
||||
|
||||
ps.execute();
|
||||
}
|
||||
catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
private int getNextUID(WebSession s)
|
||||
{
|
||||
int uid = -1;
|
||||
try
|
||||
{
|
||||
Statement statement = WebSession.getConnection(s).createStatement(
|
||||
ResultSet.TYPE_SCROLL_INSENSITIVE,
|
||||
ResultSet.CONCUR_READ_ONLY);
|
||||
ResultSet results = statement
|
||||
.executeQuery("select max(userid) as uid from employee");
|
||||
results.first();
|
||||
uid = results.getInt("uid");
|
||||
}
|
||||
catch (SQLException sqle)
|
||||
{
|
||||
sqle.printStackTrace();
|
||||
s.setMessage("Error updating employee profile");
|
||||
}
|
||||
catch (ClassNotFoundException e)
|
||||
{
|
||||
// TODO Auto-generated catch block
|
||||
e.printStackTrace();
|
||||
}
|
||||
return uid + 1;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user