Miscellaneous bug fixes

divide by zero, inaccurate discount and totals, reflection of user input


git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@273 4033779f-a91e-0410-96ef-6bf7bf53c507

main/project/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java

@@ -0,0 +1,286 @@
+package org.owasp.webgoat.lessons;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.regex.Pattern;
+
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.html.BR;
+import org.apache.ecs.html.Center;
+import org.apache.ecs.html.H1;
+import org.apache.ecs.html.HR;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.TD;
+import org.apache.ecs.html.TH;
+import org.apache.ecs.html.TR;
+import org.apache.ecs.html.Table;
+import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.util.HtmlEncoder;
+
+/*******************************************************************************
+ * 
+ * 
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ * 
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ * 
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ * 
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ * 
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * 
+ * Getting Source ==============
+ * 
+ * Source for this application is maintained at code.google.com, a repository
+ * for free software projects.
+ * 
+ * For details, please see http://code.google.com/p/webgoat/
+ *
+ * @author     Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
+ * @created    October 28, 2003
+ */
+
+public class TraceXSS extends LessonAdapter
+{
+
+    /**
+     *  Description of the Method
+     *
+     * @param  s  Description of the Parameter
+     * @return    Description of the Return Value
+     */
+
+    protected Element createContent(WebSession s)
+    {
+
+	ElementContainer ec = new ElementContainer();
+	String regex1 = "^[0-9]{3}$";// any three digits
+	Pattern pattern1 = Pattern.compile(regex1);
+
+	try
+	{
+	    String param1 = s.getParser().getRawParameter("field1", "111");
+	    String param2 = HtmlEncoder.encode(s.getParser().getRawParameter(
+		    "field2", "4128 3214 0002 1999"));
+	    float quantity = 1.0f;
+	    float total = 0.0f;
+	    float runningTotal = 0.0f;
+
+	    // test input field1
+	    if (!pattern1.matcher(param1).matches())
+	    {
+		if (param1.toLowerCase().indexOf("script") != -1
+			&& param1.toLowerCase().indexOf("trace") != -1)
+		{
+		    makeSuccess(s);
+		}
+
+		s
+			.setMessage("Whoops! You entered "
+				+ param1
+				+ " instead of your three digit code.  Please try again.");
+	    }
+
+	    // FIXME: encode output of field2, then s.setMessage( field2 );
+
+	    ec.addElement(new HR().setWidth("90%"));
+	    ec.addElement(new Center().addElement(new H1()
+		    .addElement("Shopping Cart ")));
+	    Table t = new Table().setCellSpacing(0).setCellPadding(2)
+		    .setBorder(1).setWidth("90%").setAlign("center");
+
+	    if (s.isColor())
+	    {
+		t.setBorder(1);
+	    }
+
+	    TR tr = new TR();
+	    tr.addElement(new TH().addElement(
+		    "Shopping Cart Items -- To Buy Now").setWidth("80%"));
+	    tr.addElement(new TH().addElement("Price").setWidth("10%"));
+	    tr.addElement(new TH().addElement("Quantity").setWidth("3%"));
+	    tr.addElement(new TH().addElement("Total").setWidth("7%"));
+	    t.addElement(tr);
+
+	    tr = new TR();
+	    tr
+		    .addElement(new TD()
+			    .addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry "));
+	    tr.addElement(new TD().addElement("69.99").setAlign("right"));
+	    tr.addElement(new TD().addElement(
+		    new Input(Input.TEXT, "QTY1", s.getParser()
+			    .getStringParameter("QTY1", "1")))
+		    .setAlign("right"));
+	    quantity = s.getParser().getFloatParameter("QTY1", 1.0f);
+	    total = quantity * 69.99f;
+	    runningTotal += total;
+	    tr.addElement(new TD().addElement("$" + total));
+	    t.addElement(tr);
+	    tr = new TR();
+	    tr.addElement(new TD()
+		    .addElement("Dynex - Traditional Notebook Case"));
+	    tr.addElement(new TD().addElement("27.99").setAlign("right"));
+	    tr.addElement(new TD().addElement(
+		    new Input(Input.TEXT, "QTY2", s.getParser()
+			    .getStringParameter("QTY2", "1")))
+		    .setAlign("right"));
+	    quantity = s.getParser().getFloatParameter("QTY2", 1.0f);
+	    total = quantity * 27.99f;
+	    runningTotal += total;
+	    tr.addElement(new TD().addElement("$" + total));
+	    t.addElement(tr);
+	    tr = new TR();
+	    tr
+		    .addElement(new TD()
+			    .addElement("Hewlett-Packard - Pavilion Notebook with Intel<65> Centrino<6E>"));
+	    tr.addElement(new TD().addElement("1599.99").setAlign("right"));
+	    tr.addElement(new TD().addElement(
+		    new Input(Input.TEXT, "QTY3", s.getParser()
+			    .getStringParameter("QTY3", "1")))
+		    .setAlign("right"));
+	    quantity = s.getParser().getFloatParameter("QTY3", 1.0f);
+	    total = quantity * 1599.99f;
+	    runningTotal += total;
+	    tr.addElement(new TD().addElement("$" + total));
+	    t.addElement(tr);
+	    tr = new TR();
+	    tr
+		    .addElement(new TD()
+			    .addElement("3 - Year Performance Service Plan $1000 and Over "));
+	    tr.addElement(new TD().addElement("299.99").setAlign("right"));
+
+	    tr.addElement(new TD().addElement(
+		    new Input(Input.TEXT, "QTY4", s.getParser()
+			    .getStringParameter("QTY4", "1")))
+		    .setAlign("right"));
+	    quantity = s.getParser().getFloatParameter("QTY4", 1.0f);
+	    total = quantity * 299.99f;
+	    runningTotal += total;
+	    tr.addElement(new TD().addElement("$" + total));
+	    t.addElement(tr);
+
+	    ec.addElement(t);
+
+	    t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0)
+		    .setWidth("90%").setAlign("center");
+
+	    if (s.isColor())
+	    {
+		t.setBorder(1);
+	    }
+
+	    ec.addElement(new BR());
+
+	    tr = new TR();
+	    tr.addElement(new TD()
+		    .addElement("The total charged to your credit card:"));
+	    tr.addElement(new TD().addElement("$" + runningTotal));
+	    tr.addElement(new TD().addElement(ECSFactory
+		    .makeButton("Update Cart")));
+	    t.addElement(tr);
+	    tr = new TR();
+	    tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
+	    t.addElement(tr);
+	    tr = new TR();
+	    tr
+		    .addElement(new TD()
+			    .addElement("Enter your credit card number:"));
+	    tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2",
+		    param2)));
+	    t.addElement(tr);
+	    tr = new TR();
+	    tr.addElement(new TD()
+		    .addElement("Enter your three digit access code:"));
+	    tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1",
+		    param1)));
+	    t.addElement(tr);
+
+	    Element b = ECSFactory.makeButton("Purchase");
+	    tr = new TR();
+	    tr.addElement(new TD().addElement(b).setColSpan(2).setAlign(
+		    "center"));
+	    t.addElement(tr);
+
+	    ec.addElement(t);
+	    ec.addElement(new BR());
+	    ec.addElement(new HR().setWidth("90%"));
+	}
+	catch (Exception e)
+	{
+	    s.setMessage("Error generating " + this.getClass().getName());
+	    e.printStackTrace();
+	}
+	return (ec);
+    }
+
+
+    /**
+     *  DOCUMENT ME!
+     *
+     * @return    DOCUMENT ME!
+     */
+    protected Category getDefaultCategory()
+    {
+	return Category.XSS;
+    }
+
+
+    /**
+     *  Gets the hints attribute of the AccessControlScreen object
+     *
+     * @return    The hints value
+     */
+    protected List<String> getHints(WebSession s)
+    {
+	List<String> hints = new ArrayList<String>();
+	hints
+		.add("Most web servers support GET/POST.  Many default installations also support TRACE");
+	hints
+		.add("JavaScript has the ability to post a URL:<br>"
+			+ "&lt;script type=\"text/javascript\"&gt;if ( navigator.appName.indexOf(\"Microsoft\") !=-1)"
+			+ " {var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"GET\", \"./\", false);"
+			+ " xmlHttp.send();str1=xmlHttp.responseText;  "
+			+ "document.write(str1);&lt;/script&gt;");
+	hints.add("Try changing the HTTP GET to a HTTP TRACE");
+	hints
+		.add("Try a cross site trace (XST) Command:<br>"
+			+ "&lt;script type=\"text/javascript\"&gt;if ( navigator.appName.indexOf(\"Microsoft\") !=-1)"
+			+ " {var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false);"
+			+ " xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"&lt;br&gt;\"); "
+			+ "document.write(str1);}&lt;/script&gt;");
+	return hints;
+    }
+
+    //	<script type="text/javascript">if ( navigator.appName.indexOf("Microsoft") !=-1) {var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false); xmlHttp.send();str1=xmlHttp.responseText;document.write(str1);}</script>
+
+    private final static Integer DEFAULT_RANKING = new Integer(130);
+
+
+    protected Integer getDefaultRanking()
+    {
+	return DEFAULT_RANKING;
+    }
+
+
+    /**
+     *  Gets the title attribute of the AccessControlScreen object
+     *
+     * @return    The title value
+     */
+    public String getTitle()
+    {
+	return ("Cross Site Tracing (XST) Attacks");
+    }
+}