Miscellaneous bug fixes

Fixes a divide by zero, inaccurate discount and total calculations, and reflection of user input.


git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@273 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
rogan.dawes
2008-01-14 14:02:11 +00:00
commit b0b94c4688
917 changed files with 73689 additions and 0 deletions


@ -0,0 +1,55 @@
package org.owasp.webgoat.session;
import java.util.Hashtable;
import java.util.Map;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class Authorization
{
Map<Integer, Integer> permissions = new Hashtable<Integer, Integer>();
public Authorization()
{}
public void setPermission(int userId, int functionId)
{
permissions.put(new Integer(userId), new Integer(functionId));
}
public boolean isAllowed(int userId, int functionId)
{
return (permissions.get(new Integer(userId)) != null);
}
}
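Review bot: isAllowed() never reads its functionId argument; it returns true whenever the user has any entry in permissions at all, so a user granted a single function is allowed every function. Because permissions is a Map<Integer, Integer>, setPermission() also overwrites any earlier grant for the same user rather than accumulating grants. If this looseness is deliberate for a lesson, a class comment saying so would stop it being copied as a reference implementation; otherwise keep a set of function ids per user and check membership, as below (java.util.Set and java.util.HashSet would need importing).
```java
Map<Integer, Set<Integer>> permissions = new Hashtable<Integer, Set<Integer>>();

public void setPermission(int userId, int functionId)
{
    Set<Integer> granted = permissions.get(userId);
    if (granted == null)
    {
        granted = new HashSet<Integer>();
        permissions.put(userId, granted);
    }
    granted.add(functionId);
}

public boolean isAllowed(int userId, int functionId)
{
    Set<Integer> granted = permissions.get(userId);
    return granted != null && granted.contains(functionId);
}
```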


@ -0,0 +1,443 @@
package org.owasp.webgoat.session;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.Vector;
import java.util.LinkedList;
import javax.servlet.ServletContext;
import org.owasp.webgoat.HammerHead;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class Course
{
private List<AbstractLesson> lessons = new LinkedList<AbstractLesson>();
private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath;
private WebgoatProperties properties = null;
private List<String> files = new LinkedList<String>();
private WebgoatContext webgoatContext;
public Course()
{
try
{
properties = new WebgoatProperties(PROPERTIES_FILENAME);
}
catch (IOException e)
{
System.out.println("Error loading WebGoat properties");
e.printStackTrace();
}
}
/**
* Take an absolute file and return the filename.
*
* Ex. /etc/password becomes password
*
* @param s
* @return the file name
*/
private static String getFileName(String s)
{
String fileName = new File(s).getName();
if(fileName.indexOf("/") != -1)
{
fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length());
}
if(fileName.indexOf(".") != -1)
{
fileName = fileName.substring(0, fileName.indexOf("."));
}
return fileName;
}
/**
* Take a class name and return the equivalent file name
*
* Ex. org.owasp.webgoat becomes org/owasp/webgoat.java
*
* @param className
* @return
*/
private static String getSourceFile(String className)
{
StringBuffer sb = new StringBuffer();
sb.append(className.replace(".", "/"));
sb.append(".java");
return sb.toString();
}
/**
* Takes a file name and builds the class file name
*
* @param fileName Description of the Parameter
* @param path Description of the Parameter
* @return Description of the Return Value
*/
private static String getClassFile(String fileName, String path)
{
String ext = ".class";
fileName = fileName.trim();
/**
* We do not handle directories.
* We do not handle files with different extensions
*/
if(fileName.endsWith("/") || !fileName.endsWith(ext))
{
return null;
}
// if the file is in /WEB-INF/classes strip the dir info off
int index = fileName.indexOf("/WEB-INF/classes/");
if (index != -1)
{
fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length());
fileName = fileName.replace('/', '.');
fileName = fileName.replace('\\', '.');
}
else
{
// Strip off the leading path info
fileName = fileName.substring(path.length(), fileName.length() - ext.length());
}
return fileName;
}
/**
* Gets the categories attribute of the Course object
*
* @return The categories value
*/
public List getCategories()
{
List<Category> categories = new ArrayList<Category>();
Iterator iter = lessons.iterator();
while (iter.hasNext())
{
AbstractLesson lesson = (AbstractLesson) iter.next();
if (!categories.contains(lesson.getCategory()))
{
categories.add(lesson.getCategory());
}
}
Collections.sort(categories);
return categories;
}
/**
* Gets the firstLesson attribute of the Course object
*
* @return The firstLesson value
*/
public AbstractLesson getFirstLesson()
{
List<String> roles = new ArrayList<String>();
roles.add(AbstractLesson.USER_ROLE);
// Category 0 is the admin function. We want the first real category
// to be returned. This is noramally the General category and the Http Basics lesson
return ((AbstractLesson) getLessons((Category) getCategories().get(1),
roles).get(0));
}
/**
* Gets the lesson attribute of the Course object
*
* @param lessonId Description of the Parameter
* @param role Description of the Parameter
* @return The lesson value
*/
public AbstractLesson getLesson(WebSession s, int lessonId, List<String> roles)
{
if (s.isHackedAdmin())
{
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
//System.out.println("getLesson() with roles: " + roles);
Iterator<AbstractLesson> iter = lessons.iterator();
while (iter.hasNext())
{
AbstractLesson lesson = iter.next();
//System.out.println("getLesson() at role: " + lesson.getRole());
if (lesson.getScreenId() == lessonId
&& roles.contains(lesson.getRole()))
{
return lesson;
}
}
return null;
}
public AbstractLesson getLesson(WebSession s, int lessonId, String role)
{
List<String> roles = new Vector<String>();
roles.add(role);
return getLesson(s, lessonId, roles);
}
public List getLessons(WebSession s, String role)
{
List<String> roles = new Vector<String>();
roles.add(role);
return getLessons(s, roles);
}
/**
* Gets the lessons attribute of the Course object
*
* @param role Description of the Parameter
* @return The lessons value
*/
public List<AbstractLesson> getLessons(WebSession s, List<String> roles)
{
if (s.isHackedAdmin())
{
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>();
Iterator categoryIter = getCategories().iterator();
while (categoryIter.hasNext())
{
lessonList.addAll(getLessons(s, (Category) categoryIter.next(),
roles));
}
return lessonList;
}
/**
* Gets the lessons attribute of the Course object
*
* @param category Description of the Parameter
* @param role Description of the Parameter
* @return The lessons value
*/
private List<AbstractLesson> getLessons(Category category, List roles)
{
List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>();
Iterator iter = lessons.iterator();
while (iter.hasNext())
{
AbstractLesson lesson = (AbstractLesson) iter.next();
if (lesson.getCategory().equals(category)
&& roles.contains(lesson.getRole()))
{
lessonList.add(lesson);
}
}
Collections.sort(lessonList);
// System.out.println(java.util.Arrays.asList(lessonList));
return lessonList;
}
public List getLessons(WebSession s, Category category, String role)
{
List<String> roles = new Vector<String>();
roles.add(role);
return getLessons(s, category, roles);
}
public List<AbstractLesson> getLessons(WebSession s, Category category, List<String> roles)
{
if (s.isHackedAdmin())
{
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
return getLessons(category, roles);
}
/**
* Load all of the filenames into a temporary cache
*
* @param context
* @param path
*/
private void loadFiles(ServletContext context, String path)
{
Set resourcePaths = context.getResourcePaths(path);
Iterator itr = resourcePaths.iterator();
while(itr.hasNext())
{
String file = (String)itr.next();
if(file.length() != 1 && file.endsWith("/"))
{
loadFiles(context, file);
}
else
{
files.add(file);
}
}
}
/**
* Instantiate all the lesson objects into a cache
*
* @param path
*/
private void loadLessons(String path)
{
Iterator itr = files.iterator();
while(itr.hasNext())
{
String file = (String)itr.next();
String className = getClassFile(file, path);
if(className != null && !className.endsWith("_i"))
{
try
{
Class c = Class.forName(className);
Object o = c.newInstance();
if(o instanceof AbstractLesson)
{
AbstractLesson lesson = (AbstractLesson)o;
lesson.setWebgoatContext(webgoatContext);
lesson.update(properties);
if(lesson.getHidden() == false)
{
lessons.add(lesson);
}
}
}
catch (Exception e)
{
//System.out.println("Warning: " + e.getMessage());
}
}
}
}
/**
* For each lesson, set the source file and lesson file
*/
private void loadResources()
{
Iterator lessonItr = lessons.iterator();
while(lessonItr.hasNext())
{
AbstractLesson lesson = (AbstractLesson)lessonItr.next();
String className = lesson.getClass().getName();
String classFile = getSourceFile(className);
Iterator fileItr = files.iterator();
while(fileItr.hasNext())
{
String absoluteFile = (String)fileItr.next();
String fileName = getFileName(absoluteFile);
//System.out.println("Course: looking at file: " + absoluteFile);
if(absoluteFile.endsWith(classFile))
{
//System.out.println("Set source file for " + classFile);
lesson.setSourceFileName(absoluteFile);
}
if(absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html") && className.endsWith(fileName))
{
//System.out.println("DEBUG: setting lesson plan file " + absoluteFile + " for lesson " + lesson.getClass().getName());
//System.out.println("fileName: " + fileName + " == className: " + className );
lesson.setLessonPlanFileName(absoluteFile);
}
if(absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") && className.endsWith(fileName))
{
//System.out.println("DEBUG: setting lesson solution file " + absoluteFile + " for lesson " + lesson.getClass().getName());
//System.out.println("fileName: " + fileName + " == className: " + className );
lesson.setLessonSolutionFileName(absoluteFile);
}
}
}
}
/**
* Description of the Method
*
* @param path Description of the Parameter
* @param context Description of the Parameter
*/
public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path)
{
this.webgoatContext = webgoatContext;
loadFiles(context, path);
loadLessons(path);
loadResources();
}
}
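Review bot: loadLessons() calls c.newInstance() on every class file found under the webapp before it checks instanceof AbstractLesson, so any class with a public no-arg constructor is instantiated as a side effect of course loading, and the empty catch (Exception e) that follows then discards whatever goes wrong, including a lesson that genuinely failed to load. Test assignability before instantiating and report the failure: `Class c = Class.forName(className);` / `if (!AbstractLesson.class.isAssignableFrom(c)) continue;` / `AbstractLesson lesson = (AbstractLesson) c.newInstance();`, with the catch at least printing className together with the exception. Separately, getFirstLesson() indexes getCategories().get(1) and the resulting list's .get(0) unguarded, so with fewer than two categories or no USER_ROLE lessons loaded it throws IndexOutOfBoundsException instead of returning null as the other lookups do. The getLesson/getLessons overloads taking a List<String> also add HACKED_ADMIN_ROLE to the caller's own list, which is a surprising mutation for a lookup method; copying the list first would avoid it.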


@ -0,0 +1,788 @@
package org.owasp.webgoat.session;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import org.owasp.webgoat.lessons.AbstractLesson;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/
public class CreateDB
{
/**
* Description of the Method
*
* @param connection Description of the Parameter
*
* @exception SQLException Description of the Exception
*/
private void createMessageTable(Connection connection) throws SQLException
{
Statement statement = connection.createStatement();
// Drop admin user table
try
{
String dropTable = "DROP TABLE messages";
statement.executeUpdate(dropTable);
}
catch (SQLException e)
{
System.out.println("Error dropping message database");
}
// Create the new table
try
{
String createTableStatement = "CREATE TABLE messages ("
+ "num int not null," + "title varchar(50),"
+ "message varchar(200),"
+ "user_name varchar(50) not null " + ")";
statement.executeUpdate(createTableStatement);
}
catch (SQLException e)
{
System.out.println("Error creating message database");
e.printStackTrace();
}
}
/**
* Description of the Method
*
* @param connection Description of the Parameter
*
* @exception SQLException Description of the Exception
*/
private void createProductTable(Connection connection) throws SQLException
{
Statement statement = connection.createStatement();
// Drop admin user table
try
{
String dropTable = "DROP TABLE product_system_data";
statement.executeUpdate(dropTable);
}
catch (SQLException e)
{
System.out.println("Error dropping product database");
}
// Create the new table
try
{
String createTableStatement = "CREATE TABLE product_system_data ("
+ "productid varchar(6) not null primary key,"
+ "product_name varchar(20)," + "price varchar(10)" + ")";
statement.executeUpdate(createTableStatement);
}
catch (SQLException e)
{
System.out.println("Error creating product database");
e.printStackTrace();
}
// Populate
String insertData1 = "INSERT INTO product_system_data VALUES ('32226','Dog Bone','$1.99')";
String insertData2 = "INSERT INTO product_system_data VALUES ('35632','DVD Player','$214.99')";
String insertData3 = "INSERT INTO product_system_data VALUES ('24569','60 GB Hard Drive','$149.99')";
String insertData4 = "INSERT INTO product_system_data VALUES ('56970','80 GB Hard Drive','$179.99')";
String insertData5 = "INSERT INTO product_system_data VALUES ('14365','56 inch HDTV','$6999.99')";
statement.executeUpdate(insertData1);
statement.executeUpdate(insertData2);
statement.executeUpdate(insertData3);
statement.executeUpdate(insertData4);
statement.executeUpdate(insertData5);
}
/**
* Description of the Method
*
* @param connection Description of the Parameter
*
* @exception SQLException Description of the Exception
*/
private void createUserAdminTable(Connection connection)
throws SQLException
{
Statement statement = connection.createStatement();
// Drop admin user table
try
{
String dropTable = "DROP TABLE user_system_data";
statement.executeUpdate(dropTable);
}
catch (SQLException e)
{
System.out.println("Error dropping user admin database");
}
// Create the new table
try
{
String createTableStatement = "CREATE TABLE user_system_data ("
+ "userid varchar(5) not null primary key,"
+ "user_name varchar(12)," + "password varchar(10),"
+ "cookie varchar(30)" + ")";
statement.executeUpdate(createTableStatement);
}
catch (SQLException e)
{
System.out.println("Error creating user admin database");
e.printStackTrace();
}
// Populate
String insertData1 = "INSERT INTO user_system_data VALUES ('101','jsnow','passwd1', '')";
String insertData2 = "INSERT INTO user_system_data VALUES ('102','jdoe','passwd2', '')";
String insertData3 = "INSERT INTO user_system_data VALUES ('103','jplane','passwd3', '')";
String insertData4 = "INSERT INTO user_system_data VALUES ('104','jeff','jeff', '')";
String insertData5 = "INSERT INTO user_system_data VALUES ('105','dave','dave', '')";
statement.executeUpdate(insertData1);
statement.executeUpdate(insertData2);
statement.executeUpdate(insertData3);
statement.executeUpdate(insertData4);
statement.executeUpdate(insertData5);
}
/**
* Description of the Method
*
* @param connection Description of the Parameter
*
* @exception SQLException Description of the Exception
*/
private void createUserDataTable(Connection connection) throws SQLException
{
Statement statement = connection.createStatement();
// Delete table if there is one
try
{
String dropTable = "DROP TABLE user_data";
statement.executeUpdate(dropTable);
}
catch (SQLException e)
{
System.out.println("Error dropping user database");
}
// Create the new table
try
{
String createTableStatement = "CREATE TABLE user_data ("
+ "userid int not null," + "first_name varchar(20),"
+ "last_name varchar(20)," + "cc_number varchar(30),"
+ "cc_type varchar(10)," + "cookie varchar(20),"
+ "login_count int" + ")";
statement.executeUpdate(createTableStatement);
}
catch (SQLException e)
{
System.out.println("Error creating user database");
e.printStackTrace();
}
// Populate it
String insertData1 = "INSERT INTO user_data VALUES (101,'Joe','Snow','987654321','VISA',' ',0)";
String insertData2 = "INSERT INTO user_data VALUES (101,'Joe','Snow','2234200065411','MC',' ',0)";
String insertData3 = "INSERT INTO user_data VALUES (102,'John','Smith','2435600002222','MC',' ',0)";
String insertData4 = "INSERT INTO user_data VALUES (102,'John','Smith','4352209902222','AMEX',' ',0)";
String insertData5 = "INSERT INTO user_data VALUES (103,'Jane','Plane','123456789','MC',' ',0)";
String insertData6 = "INSERT INTO user_data VALUES (103,'Jane','Plane','333498703333','AMEX',' ',0)";
String insertData7 = "INSERT INTO user_data VALUES (10312,'Jolly','Hershey','176896789','MC',' ',0)";
String insertData8 = "INSERT INTO user_data VALUES (10312,'Jolly','Hershey','333300003333','AMEX',' ',0)";
String insertData9 = "INSERT INTO user_data VALUES (10323,'Grumpy','White','673834489','MC',' ',0)";
String insertData10 = "INSERT INTO user_data VALUES (10323,'Grumpy','White','33413003333','AMEX',' ',0)";
String insertData11 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','123609789','MC',' ',0)";
String insertData12 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','338893453333','AMEX',' ',0)";
String insertData13 = "INSERT INTO user_data VALUES (15613,'Joesph','Something','33843453533','AMEX',' ',0)";
statement.executeUpdate(insertData1);
statement.executeUpdate(insertData2);
statement.executeUpdate(insertData3);
statement.executeUpdate(insertData4);
statement.executeUpdate(insertData5);
statement.executeUpdate(insertData6);
statement.executeUpdate(insertData7);
statement.executeUpdate(insertData8);
statement.executeUpdate(insertData9);
statement.executeUpdate(insertData10);
statement.executeUpdate(insertData11);
statement.executeUpdate(insertData12);
statement.executeUpdate(insertData13);
}
private void createLoginTable(Connection connection) throws SQLException
{
Statement statement = connection.createStatement();
// Delete table if there is one
try
{
String dropTable = "DROP TABLE user_login";
statement.executeUpdate(dropTable);
}
catch (SQLException e)
{
System.out.println("Error dropping user_login table");
}
// Create the new table
try
{
String createTableStatement = "CREATE TABLE user_login ("
+ "userid varchar(5)," + "webgoat_user varchar(20)" + ")";
statement.executeUpdate(createTableStatement);
}
catch (SQLException e)
{
System.out.println("Error creating user database");
e.printStackTrace();
}
}
/**
* Description of the Method
*
* @param connection Description of the Parameter
*
* @exception SQLException Description of the Exception
*/
private void createWeatherDataTable(Connection connection)
throws SQLException
{
Statement statement = connection.createStatement();
// Delete table if there is one
try
{
String dropTable = "DROP TABLE weather_data";
statement.executeUpdate(dropTable);
}
catch (SQLException e)
{
System.out.println("Error dropping weather database");
}
// Create the new table
try
{
String createTableStatement = "CREATE TABLE weather_data ("
+ "station int not null," + "name varchar(20) not null,"
+ "state char(2) not null," + "min_temp int not null,"
+ "max_temp int not null" + ")";
statement.executeUpdate(createTableStatement);
}
catch (SQLException e)
{
System.out.println("Error creating weather database");
e.printStackTrace();
}
// Populate it
String insertData1 = "INSERT INTO weather_data VALUES (101,'Columbia','MD',-10,102)";
String insertData2 = "INSERT INTO weather_data VALUES (102,'Seattle','WA',-15,90)";
String insertData3 = "INSERT INTO weather_data VALUES (103,'New York','NY',-10,110)";
String insertData4 = "INSERT INTO weather_data VALUES (104,'Houston','TX',20,120)";
String insertData5 = "INSERT INTO weather_data VALUES (10001,'Camp David','MD',-10,100)";
String insertData6 = "INSERT INTO weather_data VALUES (11001,'Ice Station Zebra','NA',-60,30)";
statement.executeUpdate(insertData1);
statement.executeUpdate(insertData2);
statement.executeUpdate(insertData3);
statement.executeUpdate(insertData4);
statement.executeUpdate(insertData5);
statement.executeUpdate(insertData6);
}
//--------------------------------------------------------------------------
//--------------------------------------------------------------------------
//
// The tables below are for WebGoat Financials
//
// DO NOT MODIFY THESE TABLES - unless you change the org chart
// and access control matrix documents
//
//--------------------------------------------------------------------------
//--------------------------------------------------------------------------
private void createEmployeeTable(Connection connection) throws SQLException
{
Statement statement = connection.createStatement();
try
{
String dropTable = "DROP TABLE employee";
statement.executeUpdate(dropTable);
}
catch (SQLException e)
{
System.out.println("Error: unable to drop employee table");
}
// Create Table
try
{
String createTable = "CREATE TABLE employee ("
//+ "userid INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,"
+ "userid INT NOT NULL PRIMARY KEY,"
+ "first_name VARCHAR(20)," + "last_name VARCHAR(20),"
+ "ssn VARCHAR(12)," + "password VARCHAR(10),"
+ "title VARCHAR(20)," + "phone VARCHAR(13),"
+ "address1 VARCHAR(80)," + "address2 VARCHAR(80),"
+ "manager INT," + "start_date CHAR(8)," + "salary INT,"
+ "ccn VARCHAR(30)," + "ccn_limit INT,"
+ "email VARCHAR(30)," // reason for the recent write-up
+ "disciplined_date CHAR(8)," // date of write up, NA otherwise
+ "disciplined_notes VARCHAR(60)," // reason for the recent write-up
+ "personal_description VARCHAR(60)" // We can be rude here
//+ ",CONSTRAINT fl UNIQUE NONCLUSTERED (first_name, last_name)"
+ ")";
statement.executeUpdate(createTable);
}
catch (SQLException e)
{
System.out.println("Error: unable to create employee table");
}
String insertData1 = "INSERT INTO employee VALUES (101, 'Larry', 'Stooge', '386-09-5451', 'larry',"
+ "'Technician','443-689-0192','9175 Guilford Rd','New York, NY', 102, 01012000,55000,'2578546969853547',"
+ "5000,'larry@stooges.com',010106,'Constantly harassing coworkers','Does not work well with others')";
String insertData2 = "INSERT INTO employee VALUES (102, 'Moe', 'Stooge', '936-18-4524','moe',"
+ "'CSO','443-938-5301', '3013 AMD Ave', 'New York, NY', 112, 03082003, 140000, 'NA', 0, 'moe@stooges.com', 0101013, "
+ "'Hit Curly over head', 'Very dominating over Larry and Curly')";
String insertData3 = "INSERT INTO employee VALUES (103, 'Curly', 'Stooge', '961-08-0047','curly',"
+ "'Technician','410-667-6654', '1112 Crusoe Lane', 'New York, NY', 102, 02122001, 50000, 'NA', 0, 'curly@stooges.com', 0101014, "
+ "'Hit Moe back', 'Owes three-thousand to company for fradulent purchases')";
String insertData4 = "INSERT INTO employee VALUES (104, 'Eric', 'Walker', '445-66-5565','eric',"
+ "'Engineer','410-887-1193', '1160 Prescott Rd', 'New York, NY', 107, 12152005, 13000, 'NA', 0, 'eric@modelsrus.com',0101013, "
+ "'Bothering Larry about webgoat problems', 'Late. Always needs help. Too intern-ish.')";
String insertData5 = "INSERT INTO employee VALUES (105, 'Tom', 'Cat', '792-14-6364','tom',"
+ "'Engineer','443-599-0762', '2211 HyperThread Rd.', 'New York, NY', 106, 01011999, 80000, '5481360857968521', 30000, 'tom@wb.com', 0, "
+ "'NA', 'Co-Owner.')";
String insertData6 = "INSERT INTO employee VALUES (106, 'Jerry', 'Mouse', '858-55-4452','jerry',"
+ "'Human Resources','443-699-3366', '3011 Unix Drive', 'New York, NY', 102, 01011999, 70000, '6981754825013564', 20000, 'jerry@wb.com', 0, "
+ "'NA', 'Co-Owner.')";
String insertData7 = "INSERT INTO employee VALUES (107, 'David', 'Giambi', '439-20-9405','david',"
+ "'Human Resources','610-521-8413', '5132 DIMM Avenue', 'New York, NY', 102, 05011999, 100000, '6981754825018101', 10000, 'david@modelsrus.com', 061402, "
+ "'Hacked into accounting server. Modified personal pay.', 'Strong work habbit. Questionable ethics.')";
String insertData8 = "INSERT INTO employee VALUES (108, 'Bruce', 'McGuirre', '707-95-9482','bruce',"
+ "'Engineer','610-282-1103', '8899 FreeBSD Drive<script>alert(document.cookie)</script> ', 'New York, NY', 107, 03012000, 110000, '6981754825854136', 30000, 'bruce@modelsrus.com', 061502, "
+ "'Tortuous Boot Camp workout at 5am. Employees felt sick.', 'Enjoys watching others struggle in exercises.')";
String insertData9 = "INSERT INTO employee VALUES (109, 'Sean', 'Livingston', '136-55-1046','sean',"
+ "'Engineer','610-878-9549', '6422 dFlyBSD Road', 'New York, NY', 107, 06012003, 130000, '6981754825014510', 5000, 'sean@modelsrus.com', 072804, "
+ "'Late to work 30 days in row due to excessive Halo 2', 'Has some fascination with Steelers. Go Ravens.')";
String insertData10 = "INSERT INTO employee VALUES (110, 'Joanne', 'McDougal', '789-54-2413','joanne',"
+ "'Human Resources','610-213-6341', '5567 Broadband Lane', 'New York, NY', 106, 01012001, 90000, '6981754825081054', 300, 'joanne@modelsrus.com', 112005, "
+ "'Used company cc to purchase new car. Limit adjusted.', 'Finds it necessary to leave early every day.')";
String insertData11 = "INSERT INTO employee VALUES (111, 'John', 'Wayne', '129-69-4572', 'john',"
+ "'CTO','610-213-1134', '129 Third St', 'New York, NY', 112, 01012001, 200000, '4437334565679921', 300, 'john@guns.com', 112005, "
+ "'', '')";
String insertData12 = "INSERT INTO employee VALUES (112, 'Neville', 'Bartholomew', '111-111-1111', 'socks',"
+ "'CEO','408-587-0024', '1 Corporate Headquarters', 'San Jose, CA', 112, 03012000, 450000, '4803389267684109', 300000, 'neville@modelsrus.com', 112005, "
+ "'', '')";
statement.executeUpdate(insertData1);
statement.executeUpdate(insertData2);
statement.executeUpdate(insertData3);
statement.executeUpdate(insertData4);
statement.executeUpdate(insertData5);
statement.executeUpdate(insertData6);
statement.executeUpdate(insertData7);
statement.executeUpdate(insertData8);
statement.executeUpdate(insertData9);
statement.executeUpdate(insertData10);
statement.executeUpdate(insertData11);
statement.executeUpdate(insertData12);
}
private void createRolesTable(Connection connection) throws SQLException
{
Statement statement = connection.createStatement();
try
{
String dropTable = "DROP TABLE roles";
statement.executeUpdate(dropTable);
}
catch (SQLException e)
{
System.out.println("Error: unable to drop roles");
}
try
{
String createTable = "CREATE TABLE roles ("
+ "userid INT NOT NULL," + "role VARCHAR(10) NOT NULL,"
+ "PRIMARY KEY (userid, role)" + ")";
statement.executeUpdate(createTable);
}
catch (SQLException e)
{
System.out.println("Error: Unable to create role table");
}
String insertData1 = "INSERT INTO roles VALUES (101, 'employee')";
String insertData2 = "INSERT INTO roles VALUES (102, 'manager')";
String insertData3 = "INSERT INTO roles VALUES (103, 'employee')";
String insertData4 = "INSERT INTO roles VALUES (104, 'employee')";
String insertData5 = "INSERT INTO roles VALUES (105, 'employee')";
String insertData6 = "INSERT INTO roles VALUES (106, 'hr')";
String insertData7 = "INSERT INTO roles VALUES (107, 'manager')";
String insertData8 = "INSERT INTO roles VALUES (108, 'employee')";
String insertData9 = "INSERT INTO roles VALUES (109, 'employee')";
String insertData10 = "INSERT INTO roles VALUES (110, 'hr')";
String insertData11 = "INSERT INTO roles VALUES (111, 'admin')";
String insertData12 = "INSERT INTO roles VALUES (112, 'admin')";
statement.executeUpdate(insertData1);
statement.executeUpdate(insertData2);
statement.executeUpdate(insertData3);
statement.executeUpdate(insertData4);
statement.executeUpdate(insertData5);
statement.executeUpdate(insertData6);
statement.executeUpdate(insertData7);
statement.executeUpdate(insertData8);
statement.executeUpdate(insertData9);
statement.executeUpdate(insertData10);
statement.executeUpdate(insertData11);
statement.executeUpdate(insertData12);
}
private void createAuthTable(Connection connection) throws SQLException
{
Statement statement = connection.createStatement();
try
{
String dropTable = "DROP TABLE auth";
statement.executeUpdate(dropTable);
}
catch (SQLException e)
{
System.out.println("Error: unable to drop auth");
}
try
{
String createTable = "CREATE TABLE auth ("
+ "role VARCHAR(10) NOT NULL,"
+ "functionid VARCHAR(20) NOT NULL,"
+ "PRIMARY KEY (role, functionid)" + ")";
statement.executeUpdate(createTable);
}
catch (SQLException e)
{
System.out.println("Error: unable to create auth table");
}
String insertData1 = "INSERT INTO auth VALUES('employee', 'Logout')";
String insertData2 = "INSERT INTO auth VALUES('employee', 'ListStaff')";
String insertData3 = "INSERT INTO auth VALUES('employee', 'ViewProfile')";
String insertData4 = "INSERT INTO auth VALUES('employee', 'EditProfile')";
String insertData4_1 = "INSERT INTO auth VALUES('employee', 'SearchStaff')";
String insertData4_2 = "INSERT INTO auth VALUES('employee', 'FindProfile')";
String insertData5 = "INSERT INTO auth VALUES('manager', 'Logout')";
String insertData6 = "INSERT INTO auth VALUES('manager', 'ListStaff')";
String insertData7 = "INSERT INTO auth VALUES('manager', 'ViewProfile')";
String insertData7_1 = "INSERT INTO auth VALUES('manager', 'SearchStaff')";
String insertData7_2 = "INSERT INTO auth VALUES('manager', 'FindProfile')";
// String insertData8 = "INSERT INTO auth VALUES('manager', 'EditProfile')";
// String insertData9 = "INSERT INTO auth VALUES('manager', 'CreateProfile')";
// String insertData10 = "INSERT INTO auth VALUES('manager', 'DeleteProfile')";
// String insertData11 = "INSERT INTO auth VALUES('manager', 'UpdateProfile')";
String insertData12 = "INSERT INTO auth VALUES('hr', 'Logout')";
String insertData13 = "INSERT INTO auth VALUES('hr', 'ListStaff')";
String insertData14 = "INSERT INTO auth VALUES('hr', 'ViewProfile')";
String insertData15 = "INSERT INTO auth VALUES('hr', 'EditProfile')";
String insertData16 = "INSERT INTO auth VALUES('hr', 'CreateProfile')";
String insertData17 = "INSERT INTO auth VALUES('hr', 'DeleteProfile')";
String insertData18 = "INSERT INTO auth VALUES('hr', 'UpdateProfile')";
String insertData18_1 = "INSERT INTO auth VALUES('hr', 'SearchStaff')";
String insertData18_2 = "INSERT INTO auth VALUES('hr', 'FindProfile')";
String insertData19 = "INSERT INTO auth VALUES('admin', 'Logout')";
String insertData20 = "INSERT INTO auth VALUES('admin', 'ListStaff')";
String insertData21 = "INSERT INTO auth VALUES('admin', 'ViewProfile')";
String insertData22 = "INSERT INTO auth VALUES('admin', 'EditProfile')";
String insertData23 = "INSERT INTO auth VALUES('admin', 'CreateProfile')";
String insertData24 = "INSERT INTO auth VALUES('admin', 'DeleteProfile')";
String insertData25 = "INSERT INTO auth VALUES('admin', 'UpdateProfile')";
String insertData25_1 = "INSERT INTO auth VALUES('admin', 'SearchStaff')";
String insertData25_2 = "INSERT INTO auth VALUES('admin', 'FindProfile')";
// Add a permission for the webgoat role to see the source.
// The challenge(s) will change the default role to "challenge"
String insertData26 = "INSERT INTO auth VALUES('"
+ AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOURCE
+ "')";
String insertData27 = "INSERT INTO auth VALUES('"
+ AbstractLesson.USER_ROLE + "','" + WebSession.SHOWHINTS
+ "')";
// Add a permission for the webgoat role to see the solution.
// The challenge(s) will change the default role to "challenge"
String insertData28 = "INSERT INTO auth VALUES('"
+ AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOLUTION
+ "')";
statement.executeUpdate(insertData1);
statement.executeUpdate(insertData2);
statement.executeUpdate(insertData3);
statement.executeUpdate(insertData4);
statement.executeUpdate(insertData4_1);
statement.executeUpdate(insertData4_2);
statement.executeUpdate(insertData5);
statement.executeUpdate(insertData6);
statement.executeUpdate(insertData7);
statement.executeUpdate(insertData7_1);
statement.executeUpdate(insertData7_2);
// statement.executeUpdate(insertData8);
// statement.executeUpdate(insertData9);
// statement.executeUpdate(insertData10);
// statement.executeUpdate(insertData11);
statement.executeUpdate(insertData12);
statement.executeUpdate(insertData13);
statement.executeUpdate(insertData14);
statement.executeUpdate(insertData15);
statement.executeUpdate(insertData16);
statement.executeUpdate(insertData17);
statement.executeUpdate(insertData18);
statement.executeUpdate(insertData18_1);
statement.executeUpdate(insertData18_2);
statement.executeUpdate(insertData19);
statement.executeUpdate(insertData20);
statement.executeUpdate(insertData21);
statement.executeUpdate(insertData22);
statement.executeUpdate(insertData23);
statement.executeUpdate(insertData24);
statement.executeUpdate(insertData25);
statement.executeUpdate(insertData25_1);
statement.executeUpdate(insertData25_2);
statement.executeUpdate(insertData26);
statement.executeUpdate(insertData27);
statement.executeUpdate(insertData28);
}
private void createOwnershipTable(Connection connection)
throws SQLException
{
Statement statement = connection.createStatement();
try
{
String dropTable = "DROP TABLE ownership";
statement.executeUpdate(dropTable);
}
catch (SQLException e)
{
System.out.println("Error: unable to drop ownership");
}
try
{
String createTable = "CREATE TABLE ownership ("
+ "employer_id INT NOT NULL," + "employee_id INT NOT NULL,"
+ "PRIMARY KEY (employee_id, employer_id)" + ")";
statement.executeUpdate(createTable);
}
catch (SQLException e)
{
System.out.println("Error: unable to create ownership table");
}
String inputData = "INSERT INTO ownership VALUES (112, 101)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (112, 102)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (112, 103)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (112, 104)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (112, 105)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (112, 106)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (112, 107)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (112, 108)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (112, 109)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (112, 110)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (112, 111)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (112, 112)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (102, 101)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (102, 102)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (102, 103)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (102, 104)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (102, 105)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (102, 106)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (102, 107)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (102, 108)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (102, 109)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (102, 110)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (102, 111)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (111, 101)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (111, 102)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (111, 103)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (111, 104)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (111, 105)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (111, 106)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (111, 107)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (111, 108)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (111, 109)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (111, 110)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (111, 111)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (106, 105)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (106, 106)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (106, 110)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (101, 101)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (103, 103)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (107, 104)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (107, 108)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (107, 109)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (107, 107)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (105, 105)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (110, 110)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (104, 104)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (108, 108)";
statement.executeUpdate(inputData);
inputData = "INSERT INTO ownership VALUES (109, 109)";
statement.executeUpdate(inputData);
}
//--------------------------------------------------------------------------
//
// End of WebGoat Financials
//
//--------------------------------------------------------------------------
/**
* Description of the Method
*
* @param connection Description of the Parameter
*
* @exception SQLException Description of the Exception
*/
public void makeDB(Connection connection) throws SQLException
{
System.out.println("Successful connection to database");
createUserDataTable(connection);
createLoginTable(connection);
createUserAdminTable(connection);
createProductTable(connection);
createMessageTable(connection);
createEmployeeTable(connection);
createRolesTable(connection);
createAuthTable(connection);
createOwnershipTable(connection);
createWeatherDataTable(connection);
System.out.println("Success: creating tables.");
}
}


@ -0,0 +1,171 @@
package org.owasp.webgoat.session;
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
import org.apache.ecs.MultiPartElement;
import org.apache.ecs.html.B;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/
public class DatabaseUtilities
{
private static Map<String, Connection> connections = new HashMap<String, Connection>();
private static Map<String, Boolean> dbBuilt = new HashMap<String, Boolean>();
public static Connection getConnection(WebSession s)
throws ClassNotFoundException, SQLException
{
return getConnection(s.getUserName(), s.getWebgoatContext());
}
public static synchronized Connection getConnection(String user, WebgoatContext context)
throws ClassNotFoundException, SQLException
{
Connection conn = connections.get(user);
if (conn != null && !conn.isClosed())
return conn;
conn = makeConnection(user, context);
connections.put(user, conn);
if (dbBuilt.get(user) == null) {
new CreateDB().makeDB(conn);
dbBuilt.put(user, Boolean.TRUE);
}
return conn;
}
public static synchronized void returnConnection(String user)
{
try
{
Connection connection = connections.get(user);
if (connection == null || connection.isClosed())
return;
if (connection.getMetaData().getDatabaseProductName().toLowerCase().contains("oracle"))
connection.close();
}
catch (SQLException sqle)
{
sqle.printStackTrace();
}
}
private static Connection makeConnection(String user, WebgoatContext context)
throws ClassNotFoundException, SQLException
{
Class.forName(context.getDatabaseDriver());
if (context.getDatabaseConnectionString().contains("hsqldb"))
return getHsqldbConnection(user, context);
String userPrefix = context.getDatabaseUser();
String password = context.getDatabasePassword();
String url = context.getDatabaseConnectionString();
return DriverManager.getConnection(url, userPrefix + "_" + user, password);
}
private static Connection getHsqldbConnection(String user, WebgoatContext context)
throws ClassNotFoundException, SQLException
{
String url = context.getDatabaseConnectionString().replaceAll("\\$\\{USER\\}", user);
return DriverManager.getConnection(url, "sa", "");
}
/**
* Description of the Method
*
* @param results Description of the Parameter
* @param resultsMetaData Description of the Parameter
*
* @return Description of the Return Value
*
* @exception IOException Description of the Exception
* @exception SQLException Description of the Exception
*/
public static MultiPartElement writeTable(ResultSet results,
ResultSetMetaData resultsMetaData) throws IOException, SQLException
{
int numColumns = resultsMetaData.getColumnCount();
results.beforeFirst();
if (results.next())
{
Table t = new Table(1); // 1 = with border
t.setCellPadding(1);
TR tr = new TR();
for (int i = 1; i < (numColumns + 1); i++)
{
tr.addElement(new TD(new B(resultsMetaData.getColumnName(i))));
}
t.addElement(tr);
results.beforeFirst();
while (results.next())
{
TR row = new TR();
for (int i = 1; i < (numColumns + 1); i++)
{
String str = results.getString(i);
if (str == null)
str = "";
row.addElement(new TD(str.replaceAll(" ", "&nbsp;")));
}
t.addElement(row);
}
return (t);
}
else
{
return (new B(
"Query Successful; however no data was returned from this query."));
}
}
}
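Review bot: In getHsqldbConnection the session user name is spliced into the JDBC URL with `replaceAll("\\$\\{USER\\}", user)`, which treats `user` as a regex replacement string — a name containing `$` or `\` will throw or be rewritten, and any `;` or path separator is passed through into the HSQLDB URL, so a file-based URL could be redirected to another path. Whether user names are constrained before they reach WebSession.getUserName() is not visible in this file, so the check belongs in this method. I would replace the URL line with `if (!user.matches("[A-Za-z0-9_]+")) throw new SQLException("Invalid database user name: " + user);` followed by `String url = context.getDatabaseConnectionString().replace("${USER}", user);`. The same unchecked name also becomes the JDBC login in makeConnection (`userPrefix + "_" + user`), so the guard should run before that branch as well. Separately, writeTable emits `results.getString(i)` into each TD with only spaces replaced, so any HTML stored in a column is rendered unescaped.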


@ -0,0 +1,715 @@
package org.owasp.webgoat.session;
import java.util.Iterator;
import java.util.List;
import java.util.StringTokenizer;
import java.util.Vector;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.H3;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.Label;
import org.apache.ecs.html.Option;
import org.apache.ecs.html.P;
import org.apache.ecs.html.Select;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.U;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams (jeff.williams@aspectsecurity.com)
* @created October 29, 2003
*/
public class ECSFactory
{
/**
* Description of the Field
*/
public final static String ON = "On";
/**
* Description of the Field
*/
public final static String PASSWORD = "Password";
/**
* Don't let anyone instantiate this class
*/
private ECSFactory()
{}
/**
* Description of the Method
*
* @param name Description of the Parameter
* @param value Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeBox(String name, String value)
{
Input i = new Input(Input.CHECKBOX, name, ON);
i.setChecked(value.equals(ON));
return (i);
}
/**
* Description of the Method
*
* @param text Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeButton(String text)
{
Input b = new Input();
b.setType(Input.SUBMIT);
b.setValue(text);
b.setName(Input.SUBMIT);
return (b);
}
public static Element makeButton(String text, String onClickFunction)
{
Input b = (Input)makeButton(text);
b.setOnClick(onClickFunction);
return (b);
}
/**
* Description of the Method
*
* @param labeltext Description of the Parameter
* @param value Description of the Parameter
* @param e Description of the Parameter
* @return Description of the Return Value
*/
public static TR makeField(String labeltext, String value, Element e)
{
TD left = new TD().setAlign("right");
Label label = new Label().addElement(labeltext);
left.addElement(label);
TD right = new TD().setAlign("left");
right.addElement(e);
TR row = new TR();
row.addElement(left);
row.addElement(right);
return (row);
}
/**
* Description of the Method
*
* @param labeltext Description of the Parameter
* @param name Description of the Parameter
* @param value Description of the Parameter
* @param size Description of the Parameter
* @return Description of the Return Value
*/
public static TR makeField(String labeltext, String name, String value,
int size)
{
Input field = new Input().setName(name).setValue(value).setSize(size)
.setMaxlength(size);
// double check in case someone means to make a * starred out password field
if (name.equals(PASSWORD))
{
field.setType(Input.PASSWORD);
}
return (makeField(labeltext, value, field));
}
/**
* Description of the Method
*
* @param label Description of the Parameter
* @param type Description of the Parameter
* @param name Description of the Parameter
* @param value Description of the Parameter
* @param alignment Description of the Parameter
* @param selected Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeInput(String label, String type, String name,
boolean value, boolean selected, String alignment)
{
return makeInput(label, type, name, new Boolean(value).toString(),
selected, alignment);
}
/**
* Description of the Method
*
* @param label Description of the Parameter
* @param type Description of the Parameter
* @param name Description of the Parameter
* @param value Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeInput(String label, String type, String name,
String value)
{
return makeInput(label, type, name, value, new Boolean(value)
.booleanValue(), "RIGHT");
}
/**
* Description of the Method
*
* @param label Description of the Parameter
* @param type Description of the Parameter
* @param name Description of the Parameter
* @param value Description of the Parameter
* @param alignment Description of the Parameter
* @param selected Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeInput(String label, String type, String name,
String value, boolean selected, String alignment)
{
ElementContainer ec = new ElementContainer();
if (!alignment.equalsIgnoreCase("LEFT"))
{
ec.addElement(new StringElement(label));
}
Input input = new Input(type, name, value);
ec.addElement(input);
if (alignment.equalsIgnoreCase("LEFT"))
{
ec.addElement(new StringElement(label));
}
if (type.equalsIgnoreCase("CHECKBOX"))
{
input.setChecked(selected);
}
return (ec);
}
/**
* Description of the Method
*
* @param text Description of the Parameter
* @param name Description of the Parameter
* @param value Description of the Parameter
* @return Description of the Return Value
*/
public static A makeLink(String text, String name, String value)
{
String href = "attack?" + name;
if (value.length() > 0)
{
href = href + "=" + value;
}
A a = new A(href);
a.addElement(new U().addElement(text));
a.addAttribute("style", "cursor:hand");
return (a);
}
/**
* Description of the Method
*
* @param text Description of the Parameter
* @param name Description of the Parameter
* @param value Description of the Parameter
* @return Description of the Return Value
*/
public static A makeLink(String text, String name, int value)
{
return (makeLink(text, name, Integer.toString(value)));
}
/**
* Description of the Method
*
* @param text Description of the Parameter
* @param name Description of the Parameter
* @param value Description of the Parameter
* @return Description of the Return Value
*/
public static A makeLink(String text, String name, boolean value)
{
return (makeLink(text, name, new Boolean(value).toString()));
}
/**
* Description of the Method
*
* @param text Description of the Parameter
* @param clickAction Description of the Parameter
* @param type Description of the Parameter
* @return Description of the Return Value
*/
public static Input makeOnClickInput(String text, String clickAction,
String type)
{
Input b = new Input();
b.setType(type);
b.setValue(text);
b.setOnClick(clickAction);
return (b);
}
/**
* Description of the Method
*
* @param labeltext Description of the Parameter
* @param value Description of the Parameter
* @param e Description of the Parameter
* @return Description of the Return Value
*/
public static TR makeOption(String labeltext, String value, Element e)
{
TD left = new TD().setAlign("left").setWidth("10%");
left.addElement(e);
TD right = new TD().setAlign("right");
Label label = new Label().addElement(labeltext);
right.addElement(label);
TR row = new TR();
row.addElement(right);
row.addElement(left);
return (row);
}
/**
* Description of the Method
*
* @param label Description of the Parameter
* @param value Description of the Parameter
* @return Description of the Return Value
*/
public static Option makeOption(String label, boolean value)
{
Option option = new Option(label, new Boolean(value).toString());
option.setSelected(value);
return option;
}
/**
* Description of the Method
*
* @param line Description of the Parameter
* @return Description of the Return Value
*/
private static org.apache.ecs.html.Option makeOption(String line)
{
StringTokenizer st = new StringTokenizer(line, "|");
org.apache.ecs.html.Option o = new org.apache.ecs.html.Option();
String token = "";
if (st.hasMoreTokens())
{
token = st.nextToken();
}
o.addElement(token);
return (o);
}
/**
* Description of the Method
*
* @param name Description of the Parameter
* @param options Description of the Parameter
* @return Description of the Return Value
*/
public static Element makePulldown(String name, List<String> options)
{
Select s = new Select(name);
s.addElement(options.toArray(new String[options.size()]));
return (s);
}
/**
* Description of the Method
*
* @param results Description of the Parameter
* @return Description of the Return Value
*/
public static Element makePulldown(String name, String results)
{
Select select = new Select(name);
StringTokenizer st = new StringTokenizer(results, "\n");
if (!st.hasMoreTokens())
{
return (new StringElement(""));
}
while (st.hasMoreTokens())
{
String line = st.nextToken();
select.addElement(makeOption(line));
}
select.addElement("-------------------------");
return (select);
}
/**
* Description of the Method
*
* @param name Description of the Parameter
* @param list Description of the Parameter
* @param selected Description of the Parameter
* @param rowsShowing Description of the Parameter
* @return Description of the Return Value
*/
public static Select makePulldown(String name, Object[] list,
String selected, int rowsShowing)
{
Select select = new Select(name);
for (int loop = 0; loop < list.length; loop++)
{
String value = list[loop].toString();
org.apache.ecs.html.Option o = new org.apache.ecs.html.Option(
value, value, value);
if (value.equals(selected))
{
o.setSelected(true);
}
select.addElement(o);
}
select.setSize(rowsShowing);
return select;
}
/**
* Default size of 1 for rows showing in select box.
*
* @param diffNames Description of the Parameter
* @param select Description of the Parameter
* @param name Description of the Parameter
* @param options Description of the Parameter
* @param list Description of the Parameter
* @param selected Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeSelect(boolean diffNames, Select select,
String name, Vector<Option> options, String[] list, String selected)
{
return makeSelect(diffNames, select, name, options, list, selected, 1);
}
/**
* Description of the Method
*
* @param diffNames Description of the Parameter
* @param select Description of the Parameter
* @param name Description of the Parameter
* @param options Description of the Parameter
* @param list Description of the Parameter
* @param selected Description of the Parameter
* @param rowsShowing Description of the Parameter
* @return Description of the Return Value
*/
public static Select makeSelect(boolean diffNames, Select select,
String name, Vector<Option> options, String[] list, String selected,
int rowsShowing)
{
if (select == null)
{
select = new Select(name);
if (diffNames)
{
for (int loop = 0; loop < list.length; loop += 2)
{
String value = list[loop];
String label = list[loop + 1];
Option o = new Option(value);
if (loop == 0)
{
o.setSelected(true);
}
options.addElement(o);// add to Vector containing all options
select.addElement(o);
select.addElement(label);
}
}
else
{
for (int loop = 0; loop < list.length; loop++)
{
String value = list[loop];
org.apache.ecs.html.Option o = new org.apache.ecs.html.Option(
value);
if (loop == 0)
{
o.setSelected(true);
}
options.addElement(o);// add to Vector containing all options
select.addElement(o);
select.addElement(value);
}
}
}
// find selected option and set selected
Iterator i = options.iterator();
while (i.hasNext())
{
org.apache.ecs.html.Option o = (org.apache.ecs.html.Option) i
.next();
if (selected.equalsIgnoreCase(o.getAttribute("value")))
{
o.setSelected(true);
}
}
select.setSize(rowsShowing);
return (select);
}
/**
* Description of the Method
*
* @param title Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeTallHeader(String title)
{
StringBuffer buff = new StringBuffer();
for (int i = 0; i < title.length(); i++)
{
buff.append(title.charAt(i));
buff.append("<BR>");
}
return new TH(buff.toString());
}
/**
* Description of the Method
*
* @param title Description of the Parameter
* @param text Description of the Parameter
* @return Description of the Return Value
*/
public static Element makeTextArea(String title, String text)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new BR());
ec.addElement(new H3().addElement(title));
ec.addElement(new P());
ec.addElement("<CENTER><TEXTAREA ROWS=10 COLS=90 READONLY>" + text
+ "</TEXTAREA></CENTER>");
ec.addElement(new BR());
ec.addElement(new BR());
return (ec);
}
}
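Review bot: makeTextArea concatenates `text` straight into `"<CENTER><TEXTAREA ROWS=10 COLS=90 READONLY>" + text + "</TEXTAREA></CENTER>"`, so a value containing `</TEXTAREA>` closes the element and everything after it is rendered as markup; makeTallHeader does the same with `title` via the StringBuffer. The callers are not in this hunk, but if either helper ever receives request- or database-derived strings this is a reflected/stored HTML injection path. I would escape before concatenating, `String safe = text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");`, and use `safe` in the string (and the same for `title`). makeLink likewise builds `"attack?" + name + "=" + value` with no URL-encoding of `value`, which only holds for fixed constants and should be documented as such or encoded. In makeSelect the `diffNames` branch reads `list[loop + 1]`, which throws ArrayIndexOutOfBoundsException on an odd-length list; a precondition comment or a length check before the loop would make that contract explicit.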


@ -0,0 +1,271 @@
package org.owasp.webgoat.session;
import java.io.Serializable;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class Employee implements Serializable
{
/**
*
*/
private static final long serialVersionUID = -1901957360367218399L;
public final static String EMPLOYEE_ROLE = "employee";
public final static String MANAGER_ROLE = "manager";
public final static String HR_ROLE = "hr";
private int id;
private String firstName;
private String lastName;
private String title;
private String ssn;
private String phone;
private String address1;
private String address2;
private int manager;
private String startDate;
private int salary;
private String ccn;
private int ccnLimit;
private String disciplinaryActionDate;
private String disciplinaryActionNotes;
private String personalDescription;
// FIXME: To be deleted
public Employee()
{}
public Employee(int id, String firstName, String lastName, String ssn,
String title, String phone, String address1, String address2,
int manager, String startDate, int salary, String ccn,
int ccnLimit, String disciplinaryActionDate,
String disciplinaryActionNotes, String personalDescription)
{
this.id = id;
this.firstName = firstName;
this.lastName = lastName;
this.ssn = ssn;
this.title = title;
this.phone = phone;
this.address1 = address1;
this.address2 = address2;
this.manager = manager;
this.startDate = startDate;
this.salary = salary;
this.ccn = ccn;
this.ccnLimit = ccnLimit;
this.disciplinaryActionDate = disciplinaryActionDate;
this.disciplinaryActionNotes = disciplinaryActionNotes;
this.personalDescription = personalDescription;
}
public String getAddress1()
{
return address1;
}
public void setAddress1(String address1)
{
this.address1 = address1;
}
public String getAddress2()
{
return address2;
}
public void setAddress2(String address2)
{
this.address2 = address2;
}
public String getCcn()
{
return ccn;
}
public void setCcn(String ccn)
{
this.ccn = ccn;
}
public int getCcnLimit()
{
return ccnLimit;
}
public void setCcnLimit(int ccnLimit)
{
this.ccnLimit = ccnLimit;
}
public String getFirstName()
{
return firstName;
}
public void setFirstName(String firstName)
{
this.firstName = firstName;
}
public String getLastName()
{
return lastName;
}
public void setLastName(String lastName)
{
this.lastName = lastName;
}
public String getPhoneNumber()
{
return phone;
}
public void setPhoneNumber(String phone)
{
this.phone = phone;
}
public int getSalary()
{
return salary;
}
public void setSalary(int salary)
{
this.salary = salary;
}
public String getSsn()
{
return ssn;
}
public void setSsn(String ssn)
{
this.ssn = ssn;
}
public String getStartDate()
{
return startDate;
}
public void setStartDate(String startDate)
{
this.startDate = startDate;
}
public int getId()
{
return id;
}
public void setId(int id)
{
this.id = id;
}
public String getTitle()
{
return this.title;
}
public int getManager()
{
return this.manager;
}
public String getDisciplinaryActionDate()
{
return this.disciplinaryActionDate;
}
public String getDisciplinaryActionNotes()
{
return this.disciplinaryActionNotes;
}
public String getPersonalDescription()
{
return this.personalDescription;
}
}
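Review bot: The class carries SSN, credit-card number and limit, salary and disciplinary notes as plain fields with public getters, and it is Serializable, yet nothing in the file says how that data may be handled before the object reaches a view or a log. I would add a class Javadoc above `public class Employee implements Serializable` along the lines of: `/** Employee record loaded from the employee table. Holds PII (ssn, ccn, salary, disciplinary notes): do not log or render these fields without the caller applying the same role/ownership checks that guard the database row. */`. The no-arg constructor tagged `// FIXME: To be deleted` leaves every String field null and every int 0, so `getSsn()` and friends return null on such an instance; if it must stay for now, naming the caller that still depends on it in the comment would make the FIXME actionable.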


@ -0,0 +1,88 @@
package org.owasp.webgoat.session;
import java.io.Serializable;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class EmployeeStub implements Serializable
{
/**
*
*/
private static final long serialVersionUID = -7109162877797765632L;
private int id;
private String firstName;
private String lastName;
private String role;
public EmployeeStub(int id, String firstName, String lastName)
{
this(id, firstName, lastName, Employee.EMPLOYEE_ROLE);
}
public EmployeeStub(int id, String firstName, String lastName, String role)
{
this.id = id;
this.firstName = firstName;
this.lastName = lastName;
this.role = role;
}
public String getFirstName()
{
return firstName;
}
public int getId()
{
return id;
}
public String getLastName()
{
return lastName;
}
public String getRole()
{
return role;
}
}
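Review bot: The four fields of EmployeeStub are assigned only in the constructors and have no setters, yet none is declared `final`, so the class is `Serializable` but not actually immutable and a subclass can change `role` after construction; `private final int id; private final String firstName; private final String lastName; private final String role;` costs nothing here. The class also has no Javadoc explaining why it exists beside `Employee`: it carries only id, name and role, and presumably is meant to omit the sensitive columns `Employee` holds (ssn, salary, ccn, disciplinary notes) when a list view is rendered — if that is the intent, say so, since a future field added "for convenience" would silently widen what reaches the page. Suggested class comment: `/** Read-only summary of an Employee (id, name, role) for list views; deliberately omits the sensitive fields held by Employee — do not add them here. */`. Nothing rejects a null `role`; whether callers compare roles with `equals` is not visible in this commit.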


@ -0,0 +1,278 @@
package org.owasp.webgoat.session;
import java.io.ByteArrayOutputStream;
import java.io.PrintWriter;
import java.util.StringTokenizer;
import javax.servlet.ServletException;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Div;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.H2;
import org.apache.ecs.html.Small;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created November 4, 2003
*/
public class ErrorScreen extends Screen
{
/**
* Description of the Field
*/
protected Throwable error;
/**
* Description of the Field
*/
protected String message;
/**
* Constructor for the ErrorScreen object
*
* @param s Description of the Parameter
* @param t Description of the Parameter
*/
public ErrorScreen( WebSession s, Throwable t )
{
this.error = t;
fixCurrentScreen( s );
setup( s );
}
/**
* Constructor for the ErrorScreen object
*
* @param s Description of the Parameter
* @param msg Description of the Parameter
*/
public ErrorScreen( WebSession s, String msg )
{
this.message = msg;
fixCurrentScreen( s );
setup( s );
}
public void fixCurrentScreen( WebSession s )
{
// So the user can't get stuck on the error screen, reset the
// current screen to something known
if ( s!= null )
{
try
{
s.setCurrentScreen( s.getCourse().getFirstLesson().getScreenId() );
}
catch ( Throwable t )
{
s.setCurrentScreen( WebSession.WELCOME );
}
}
}
public void setup( WebSession s )
{
// call createContent first so messages will go somewhere
Form form = new Form( "attack", Form.POST ).setName( "form" ).setEncType( "" );
form.addElement( wrapForm( s ) );
TD lowerright = new TD().setHeight( "100%" ).setVAlign( "top" ).setAlign( "left" ).addElement( form );
TR row = new TR().addElement( lowerright );
Table layout = new Table().setBgColor( HtmlColor.WHITE ).setCellSpacing( 0 ).setCellPadding( 0 ).setBorder( 0 );
layout.addElement( row );
setContent(layout);
}
protected Element wrapForm( WebSession s )
{
if ( s == null )
{
return new StringElement( "Invalid Session" );
}
Table container = new Table().setWidth( "100%" ).setCellSpacing( 10 ).setCellPadding( 0 ).setBorder( 0 );
// CreateContent can generate error messages so you MUST call it before makeMessages()
Element content = createContent( s );
container.addElement( new TR().addElement( new TD().setColSpan( 2 ).setVAlign( "TOP" ).addElement(
makeMessages( s ) ) ) );
container.addElement( new TR().addElement( new TD().setColSpan( 2 ).addElement( content ) ) );
container.addElement( new TR() );
return ( container );
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent( WebSession s )
{
System.out.println( "errorscreen createContent Error:" + this.error + " message:" + this.message );
Element content;
if ( this.error != null )
{
content = createContent( this.error );
}
else if ( this.message != null )
{
content = createContent( this.message );
}
else
{
content = new StringElement( "An unknown error occurred." );
}
return content;
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent( String s )
{
StringElement list = new StringElement( s );
return ( list );
}
/**
* Description of the Method
*
* @param t Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent( Throwable t )
{
StringElement list = new StringElement();
list.addElement( new H2().addElement( new StringElement( "Error Message: " + t.getMessage() ) ) );
list.addElement( formatStackTrace( t ) );
if ( t instanceof ServletException )
{
Throwable root = ( (ServletException) t ).getRootCause();
if ( root != null )
{
list.addElement( new H2().addElement( new StringElement( "Root Message: " + root.getMessage() ) ) );
list.addElement( formatStackTrace( root ) );
}
}
return ( new Small().addElement( list ) );
}
public Element getCredits()
{
return new ElementContainer();
}
/**
* Description of the Method
*
* @param t Description of the Parameter
* @return Description of the Return Value
*/
public static Element formatStackTrace( Throwable t )
{
String trace = getStackTrace( t );
StringElement list = new StringElement();
StringTokenizer st = new StringTokenizer( trace, "\r\n\t" );
while ( st.hasMoreTokens() )
{
String line = st.nextToken();
list.addElement( new Div( line ) );
}
return ( list );
}
/**
* Gets the stackTrace attribute of the ErrorScreen class
*
* @param t Description of the Parameter
* @return The stackTrace value
*/
public static String getStackTrace( Throwable t )
{
ByteArrayOutputStream bytes = new ByteArrayOutputStream();
PrintWriter writer = new PrintWriter( bytes, true );
t.printStackTrace( writer );
return ( bytes.toString() );
}
/**
* Gets the title attribute of the ErrorScreen object
*
* @return The title value
*/
public String getTitle()
{
return ( "Error" );
}
public String getRole() {
return AbstractLesson.USER_ROLE;
}
}
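Review bot: `createContent(Throwable)` and `createContent(String)` insert the exception message, the root-cause message and every stack-trace line (`new Div(line)` in `formatStackTrace`) into the page as raw markup, so any user-supplied text that ends up in an exception message — a `NumberFormatException` quotes its input, for example — is reflected unescaped, and the full server stack trace is disclosed to the browser. The escaping helper already exists on the superclass, so the minimal fix is `new StringElement("Error Message: " + convertMetachars(String.valueOf(t.getMessage())))`, the same for the root message, and `list.addElement(new Div(convertMetachars(line)));` in `formatStackTrace`; `String.valueOf` also covers `getMessage()` returning null, which would otherwise make `convertMetachars` throw. If showing the raw trace is intentional for a training deployment, state that in the class Javadoc so nobody copies this screen into a real application, and consider a switch that replaces the trace with a generic message otherwise. The `System.out.println` in `createContent(WebSession)` belongs on the servlet log rather than stdout.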


@ -0,0 +1,69 @@
package org.owasp.webgoat.session;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* Represents a virtual session for a lesson. Lesson-specific session data may
* be stored here.
*
* @author David Anderson <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created January 19, 2006
*/
public class LessonSession
{
private boolean isAuthenticated = false;
private String currentLessonScreen;
public void setAuthenticated(boolean isAuthenticated)
{
this.isAuthenticated = isAuthenticated;
}
public boolean isAuthenticated()
{
return this.isAuthenticated;
}
public void setCurrentLessonScreen(String currentLessonScreen)
{
this.currentLessonScreen = currentLessonScreen;
}
public String getCurrentLessonScreen()
{
return this.currentLessonScreen;
}
}
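Review bot: `setAuthenticated` / `isAuthenticated` carry no documentation, and the name invites confusion with the container login that protects WebGoat itself; the class comment says this is a virtual session for one lesson, so the flag presumably records a login to the lesson's simulated application, which is worth stating explicitly. Suggested Javadoc on `isAuthenticated()`: `/** True once the user has "logged in" to this lesson's simulated application; unrelated to the servlet-container login that protects WebGoat itself. */`, with a matching note on the setter that it is meant to be called by the lesson code only. Whether any lesson uses this flag as an authorization decision is not visible in this commit.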


@ -0,0 +1,445 @@
package org.owasp.webgoat.session;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.util.Properties;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 29, 2003
*/
public class LessonTracker
{
private boolean completed = false;
private int maxHintLevel = 0;
private int numVisits = 0;
private boolean viewedCookies = false;
private boolean viewedHtml = false;
private boolean viewedLessonPlan = false;
private boolean viewedParameters = false;
private boolean viewedSource = false;
private boolean viewedSolution = false;
Properties lessonProperties = new Properties();
/**
* Gets the completed attribute of the LessonTracker object
*
* @return The completed value
*/
public boolean getCompleted()
{
return completed;
}
/**
* Gets the maxHintLevel attribute of the LessonTracker object
*
* @return The maxHintLevel value
*/
public int getMaxHintLevel()
{
return maxHintLevel;
}
/**
* Gets the numVisits attribute of the LessonTracker object
*
* @return The numVisits value
*/
public int getNumVisits()
{
return numVisits;
}
/**
* Gets the viewedCookies attribute of the LessonTracker object
*
* @return The viewedCookies value
*/
public boolean getViewedCookies()
{
return viewedCookies;
}
/**
* Gets the viewedHtml attribute of the LessonTracker object
*
* @return The viewedHtml value
*/
public boolean getViewedHtml()
{
return viewedHtml;
}
/**
* Gets the viewedLessonPlan attribute of the LessonTracker object
*
* @return The viewedLessonPlan value
*/
public boolean getViewedLessonPlan()
{
return viewedLessonPlan;
}
/**
* Gets the viewedParameters attribute of the LessonTracker object
*
* @return The viewedParameters value
*/
public boolean getViewedParameters()
{
return viewedParameters;
}
/**
* Gets the viewedSource attribute of the LessonTracker object
*
* @return The viewedSource value
*/
public boolean getViewedSource()
{
return viewedSource;
}
public boolean getViewedSolution()
{
return viewedSource;
}
/**
* Description of the Method
*/
public void incrementNumVisits()
{
numVisits++;
}
/**
* Sets the properties attribute of the LessonTracker object
*
* @param props The new properties value
*/
protected void setProperties(Properties props, Screen screen)
{
completed = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".completed"))
.booleanValue();
maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle()
+ ".maxHintLevel"));
numVisits = Integer.parseInt(props.getProperty(screen.getTitle()
+ ".numVisits"));
viewedCookies = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".viewedCookies"))
.booleanValue();
viewedHtml = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".viewedHtml"))
.booleanValue();
viewedLessonPlan = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".viewedLessonPlan"))
.booleanValue();
viewedParameters = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".viewedParameters"))
.booleanValue();
viewedSource = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".viewedSource"))
.booleanValue();
}
public static String getUserDir(WebSession s)
{
return s.getContext().getRealPath("users") + "/";
}
private static String getTrackerFile(WebSession s, String user,
Screen screen)
{
return getUserDir(s) + user + "." + screen.getClass().getName()
+ ".props";
}
/**
* Description of the Method
*
* @param screen Description of the Parameter
* @param s Description of the Parameter
* @return Description of the Return Value
*/
public static LessonTracker load(WebSession s, String user, Screen screen)
{
FileInputStream in = null;
try
{
String fileName = getTrackerFile(s, user, screen);
if (fileName != null)
{
Properties tempProps = new Properties();
//System.out.println("Loading lesson state from: " + fileName);
in = new FileInputStream(fileName);
tempProps.load(in);
// allow the screen to use any custom properties it may have set
LessonTracker tempLessonTracker = screen
.createLessonTracker(tempProps);
tempLessonTracker.setProperties(tempProps, screen);
return tempLessonTracker;
}
}
catch (FileNotFoundException e)
{
// Normal if the lesson has not been accessed yet.
}
catch (Exception e)
{
System.out.println("Failed to load lesson state for " + screen);
e.printStackTrace();
}
finally
{
try
{
in.close();
}
catch (Exception e)
{}
}
return screen.createLessonTracker();
}
/**
* Sets the completed attribute of the LessonTracker object
*
* @param completed The new completed value
*/
public void setCompleted(boolean completed)
{
this.completed = completed;
}
/**
* Sets the maxHintLevel attribute of the LessonTracker object
*
* @param maxHintLevel The new maxHintLevel value
*/
public void setMaxHintLevel(int maxHintLevel)
{
this.maxHintLevel = Math.max(this.maxHintLevel, maxHintLevel);
}
/**
* Sets the viewedCookies attribute of the LessonTracker object
*
* @param viewedCookies The new viewedCookies value
*/
public void setViewedCookies(boolean viewedCookies)
{
this.viewedCookies = viewedCookies;
}
/**
* Sets the viewedHtml attribute of the LessonTracker object
*
* @param viewedHtml The new viewedHtml value
*/
public void setViewedHtml(boolean viewedHtml)
{
this.viewedHtml = viewedHtml;
}
/**
* Sets the viewedLessonPlan attribute of the LessonTracker object
*
* @param viewedLessonPlan The new viewedLessonPlan value
*/
public void setViewedLessonPlan(boolean viewedLessonPlan)
{
this.viewedLessonPlan = viewedLessonPlan;
}
/**
* Sets the viewedParameters attribute of the LessonTracker object
*
* @param viewedParameters The new viewedParameters value
*/
public void setViewedParameters(boolean viewedParameters)
{
this.viewedParameters = viewedParameters;
}
/**
* Sets the viewedSource attribute of the LessonTracker object
*
* @param viewedSource The new viewedSource value
*/
public void setViewedSource(boolean viewedSource)
{
this.viewedSource = viewedSource;
}
/**
* Sets the viewedSource attribute of the LessonTracker object
*
* @param viewedSource The new viewedSource value
*/
public void setViewedSolution(boolean viewedSolution)
{
this.viewedSolution = viewedSolution;
}
/**
* Allows the storing of properties for the logged in and a screen.
*
* @param s Description of the Parameter
*/
public void store(WebSession s, Screen screen)
{
store(s, screen, s.getUserName());
}
/**
* Allows the storing of properties for a user and a screen.
*
* @param s Description of the Parameter
*/
public void store(WebSession s, Screen screen, String user)
{
FileOutputStream out = null;
String fileName = getTrackerFile(s, user, screen);
//System.out.println( "Storing data to" + fileName );
lessonProperties.setProperty(screen.getTitle() + ".completed", Boolean
.toString(completed));
lessonProperties.setProperty(screen.getTitle() + ".maxHintLevel",
Integer.toString(maxHintLevel));
lessonProperties.setProperty(screen.getTitle() + ".numVisits", Integer
.toString(numVisits));
lessonProperties.setProperty(screen.getTitle() + ".viewedCookies",
Boolean.toString(viewedCookies));
lessonProperties.setProperty(screen.getTitle() + ".viewedHtml", Boolean
.toString(viewedHtml));
lessonProperties.setProperty(screen.getTitle() + ".viewedLessonPlan",
Boolean.toString(viewedLessonPlan));
lessonProperties.setProperty(screen.getTitle() + ".viewedParameters",
Boolean.toString(viewedParameters));
lessonProperties.setProperty(screen.getTitle() + ".viewedSource",
Boolean.toString(viewedSource));
try
{
out = new FileOutputStream(fileName);
lessonProperties.store(out, s.getUserName());
}
catch (Exception e)
{
// what do we want to do, I think nothing.
System.out.println("Warning User data for " + s.getUserName()
+ " will not persist");
}
finally
{
try
{
out.close();
}
catch (Exception e)
{}
}
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public String toString()
{
StringBuffer buff = new StringBuffer();
buff.append("LessonTracker:" + "\n");
buff.append(" - completed:.......... " + completed + "\n");
buff.append(" - maxHintLevel:....... " + maxHintLevel + "\n");
buff.append(" - numVisits:.......... " + numVisits + "\n");
buff.append(" - viewedCookies:...... " + viewedCookies + "\n");
buff.append(" - viewedHtml:......... " + viewedHtml + "\n");
buff.append(" - viewedLessonPlan:... " + viewedLessonPlan + "\n");
buff.append(" - viewedParameters:... " + viewedParameters + "\n");
buff.append(" - viewedSource:....... " + viewedSource + "\n" + "\n");
return buff.toString();
}
/**
* @return Returns the lessonProperties.
*/
public Properties getLessonProperties()
{
return lessonProperties;
}
/**
* @param lessonProperties The lessonProperties to set.
*/
public void setLessonProperties(Properties lessonProperties)
{
this.lessonProperties = lessonProperties;
}
}
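Review bot: `getTrackerFile` builds the on-disk path as `getUserDir(s) + user + "." + screen.getClass().getName() + ".props"`, and both `load(WebSession, String, Screen)` and `store(WebSession, Screen, String)` take that `user` string from the caller, so a user name containing a path separator or `..` would read or write a properties file outside the `users` directory; whether names are validated before they reach here is not visible in this commit. Rejecting anything that is not a bare file name closes it in two lines: `String file = user + "." + screen.getClass().getName() + ".props"; if (!new File(file).getName().equals(file)) throw new IllegalArgumentException("invalid user name: " + user);` followed by `return getUserDir(s) + file;` (needs `java.io.File`). Separately, `getViewedSolution` returns `viewedSource` instead of `viewedSolution`, and `viewedSolution` is neither read in `setProperties` nor written in `store`, so that flag is lost on every save. `setProperties` also calls `Integer.parseInt` on the `maxHintLevel` and `numVisits` properties with no null check, and the resulting `NumberFormatException` makes `load` discard the whole file and hand back a fresh tracker.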


@ -0,0 +1,90 @@
package org.owasp.webgoat.session;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class Parameter implements Comparable
{
String name;
String value;
public Parameter(String name, String value)
{
this.name = name;
this.value = value;
}
public String getName()
{
return name;
}
public String getValue()
{
return value;
}
//@Override
public boolean equals(Object obj)
{
if (obj instanceof Parameter)
{
Parameter other = (Parameter) obj;
return (name.equals(other.getName()) && value.equals(other
.getValue()));
}
return false;
}
//@Override
public int hashCode()
{
return toString().hashCode();
}
//@Override
public String toString()
{
return (name + "=" + value);
}
public int compareTo(Object o)
{
return toString().compareTo(o.toString());
}
}
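Review bot: `equals` dereferences `name` and `value` without a null check while the constructor accepts either as null, so a `Parameter` built from an absent request value would throw `NullPointerException` from `equals`, `hashCode` or `compareTo` as soon as it is put in a set or sorted; whether callers ever pass null is not visible here, so either reject null in the constructor with `IllegalArgumentException` or guard the comparisons. `compareTo(Object)` also orders by `toString()` against any object, so it never throws `ClassCastException` for a non-Parameter and can return 0 where `equals` returns false; `public class Parameter implements Comparable<Parameter>` with `public int compareTo(Parameter o) { return toString().compareTo(o.toString()); }` makes the two consistent (the file already uses generics, so Java 5 is available). The commented-out `//@Override` markers can simply be restored — all three methods override `Object`, which Java 5 accepts.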


@ -0,0 +1,62 @@
package org.owasp.webgoat.session;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/
public class ParameterNotFoundException extends Exception
{
/**
*
*/
private static final long serialVersionUID = 3286112913299408382L;
/**
* Constructs a new ParameterNotFoundException with no detail message.
*/
public ParameterNotFoundException()
{
super();
}
/**
* Constructs a new ParameterNotFoundException with the specified detail
* message.
*
*@param s the detail message
*/
public ParameterNotFoundException(String s)
{
super(s);
}
}



@ -0,0 +1,90 @@
package org.owasp.webgoat.session;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
public class RandomLessonTracker extends LessonTracker {
private String[] stages;
private String stage;
private Map<String, Boolean> completed = new HashMap<String, Boolean>();
public RandomLessonTracker(String[] stages) {
if (stages == null)
stages = new String[0];
this.stages = stages;
}
public void setStage(String stage) {
this.stage = stage;
}
public String getStage() {
if (this.stage == null && stages.length > 0)
return stages[0];
return this.stage;
}
public void setStageComplete(String stage, boolean complete) {
completed.put(stage, Boolean.valueOf(complete));
for (int i=0; i<stages.length-1; i++)
if (stages[i].equals(stage))
setStage(stages[i+1]);
}
public boolean hasCompleted(String stage) {
Boolean complete = completed.get(stage);
return complete == null ? false : complete.booleanValue();
}
@Override
public boolean getCompleted() {
for (int i=0; i<stages.length; i++)
if (!hasCompleted(stages[i]))
return false;
return true;
}
@Override
public void setCompleted(boolean complete) {
if (complete == true)
throw new UnsupportedOperationException("Use individual stage completion instead");
for (int i=0;i<stages.length; i++)
setStageComplete(stages[i], false);
setStage(stages[0]);
}
protected void setProperties(Properties props, Screen screen) {
super.setProperties(props, screen);
for (int i=0; i<stages.length; i++) {
String p = props.getProperty(screen.getTitle() + "." + stages[i] + ".completed");
if (p != null) {
setStageComplete(stages[i], Boolean.valueOf(p));
}
}
setStage(props.getProperty(screen.getTitle() + ".stage"));
}
public void store(WebSession s, Screen screen, String user) {
for (int i=0; i<stages.length; i++) {
if (hasCompleted(stages[i]))
lessonProperties.setProperty(screen.getTitle() + "." + stages[i] + ".completed", Boolean.TRUE.toString());
}
lessonProperties.setProperty(screen.getTitle() + ".stage", getStage());
super.store(s, screen, user);
}
public String toString() {
StringBuffer buff = new StringBuffer();
buff.append(super.toString());
for (int i=0; i<stages.length; i++) {
buff.append(" - completed " + stages[i] + " :....... " + hasCompleted(stages[i]) + "\n");
}
buff.append(" - currentStage:....... " + getStage() + "\n");
return buff.toString();
}
}
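Review bot: `store` writes a stage's `.completed` property only when `hasCompleted` is true and never clears it, so after `setCompleted(false)` empties the in-memory map the stale `true` entries still sitting in `lessonProperties` (a field on `LessonTracker` that nothing resets) are persisted again and every stage comes back as completed on the next `load`. Writing the flag unconditionally fixes it: `lessonProperties.setProperty(screen.getTitle() + "." + stages[i] + ".completed", Boolean.toString(hasCompleted(stages[i])));`. `setCompleted(false)` also ends with `setStage(stages[0])`, which throws `ArrayIndexOutOfBoundsException` for the empty array the constructor explicitly allows; `if (stages.length > 0) setStage(stages[0]);` covers it. And `setStageComplete` advances to the next stage even when `complete` is false, which looks unintended — wrapping the advance loop in `if (complete)` leaves the reset path in `setCompleted` unchanged since that re-sets the stage afterwards.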


@ -0,0 +1,336 @@
package org.owasp.webgoat.session;
import java.io.PrintWriter;
import java.util.Properties;
import org.apache.ecs.Element;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A;
import org.apache.ecs.html.Font;
import org.apache.ecs.html.IMG;
import org.owasp.webgoat.lessons.AbstractLesson;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created October 28, 2003
*/
public abstract class Screen
{
/**
* Description of the Field
*/
public static int MAIN_SIZE = 375;
//private Head head;
private Element content;
final static IMG logo = new IMG("images/aspectlogo-horizontal-small.jpg")
.setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0);
/**
* Constructor for the Screen object
*/
public Screen()
{}
// FIXME: Each lesson should have a role assigned to it. Each user/student
// should also have a role(s) assigned. The user would only be allowed
// to see lessons that correspond to their role. Eventually these roles
// will be stored in the internal database. The user will be able to hack
// into the database and change their role. This will allow the user to
// see the admin screens, once they figure out how to turn the admin switch on.
public abstract String getRole();
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected abstract Element createContent(WebSession s);
/**
* Gets the credits attribute of the Screen object
*
* @return The credits value
*/
public abstract Element getCredits();
/**
* Creates a new lessonTracker object.
*
* @param props The properties file that was used to persist the user data.
* @return Description of the Return Value
*/
public LessonTracker createLessonTracker(Properties props)
{
// If the lesson had any specialized properties in the user persisted properties,
// now would be the time to pull them out.
return createLessonTracker();
}
/**
* This allows the screens to provide a custom LessonTracker object if needed.
*
* @return Description of the Return Value
*/
public LessonTracker createLessonTracker()
{
return new LessonTracker();
}
/**
* Gets the lessonTracker attribute of the AbstractLesson object
*
* @param userName Description of the Parameter
* @return The lessonTracker value
*/
public LessonTracker getLessonTracker(WebSession s)
{
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, this);
}
public LessonTracker getLessonTracker(WebSession s, String userNameOverride)
{
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, userNameOverride, this);
}
public LessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
{
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, lesson);
}
/**
* Fill in a descriptive title for this lesson
*
* @return The title value
*/
public abstract String getTitle();
protected void setContent(Element content)
{
this.content = content;
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
protected Element makeLogo()
{
return new A("http://www.aspectsecurity.com/webgoat.html", logo);
}
public String getSponsor()
{
return "Aspect Security";
}
public String getSponsorLogoResource()
{
return "images/aspectlogo-horizontal-small.jpg";
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeMessages(WebSession s)
{
if (s == null)
{
return (new StringElement(""));
}
Font f = new Font().setColor(HtmlColor.RED);
String message = s.getMessage();
f.addElement(message);
return (f);
}
/**
* Returns the content length of the the html.
*
*/
public int getContentLength()
{
return content.toString().length();
}
/**
* Description of the Method
*
* @param out Description of the Parameter
*/
public void output(PrintWriter out)
{
// format output -- then send to printwriter
// otherwise we're doing way too much SSL encryption work
out.print(content.toString());
}
public String getContent()
{
return (content == null) ? "" : content.toString();
}
/**
* Description of the Method
*
* @param x Description of the Parameter
* @return Description of the Return Value
*/
protected static String pad(int x)
{
StringBuffer sb = new StringBuffer();
if (x < 10)
{
sb.append(" ");
}
if (x < 100)
{
sb.append(" ");
}
sb.append(x);
return (sb.toString());
}
/**
* Description of the Method
*
* @param token Description of the Parameter
* @return Description of the Return Value
*/
protected static String convertMetachars(String token)
{
int mci = 0;
/*
* meta char array
*
* FIXME: Removed the conversion of whitespace " " to "&nbsp" in order for the
* html to be automatically wrapped in client browser. It is better to add line
* length checking and only do "&nbsp" conversion in lines that won't exceed
* screen size, say less than 80 characters.
*/
String[] metaChar = { "&", "<", ">", "\"", "\t",
System.getProperty("line.separator") };
String[] htmlCode = { "&amp;", "&lt;", "&gt;", "&quot;", " ", "<br>" };
String replacedString = token;
for (; mci < metaChar.length; mci += 1)
{
replacedString = replacedString.replaceAll(metaChar[mci],
htmlCode[mci]);
}
return (replacedString);
}
/**
* Description of the Method
*
* @param token Description of the Parameter
* @return Description of the Return Value
*/
protected static String convertMetacharsJavaCode(String token)
{
return (convertMetachars(token).replaceAll(" ", "&nbsp;"));
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
//protected abstract Element wrapForm( WebSession s );
}


@ -0,0 +1,39 @@
package org.owasp.webgoat.session;
import java.util.Properties;
public class SequentialLessonTracker extends LessonTracker {
private int currentStage = 1;
public int getStage()
{
return currentStage;
}
public void setStage(int stage)
{
currentStage = stage;
}
protected void setProperties(Properties props, Screen screen)
{
super.setProperties(props, screen);
currentStage = Integer.parseInt(props.getProperty(screen.getTitle()
+ ".currentStage"));
}
public void store(WebSession s, Screen screen, String user)
{
lessonProperties.setProperty(screen.getTitle() + ".currentStage",
Integer.toString(currentStage));
super.store(s, screen, user);
}
public String toString() {
return super.toString() + " - currentStage:....... " + currentStage + "\n";
}
}
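Review bot: setProperties feeds props.getProperty(screen.getTitle() + ".currentStage") straight into Integer.parseInt, so a properties file that lacks that key makes the lookup return null and parseInt throw NumberFormatException, aborting the whole load instead of leaving currentStage at its default of 1. Guard the lookup first: `String stage = props.getProperty(screen.getTitle() + ".currentStage");` then `if (stage != null) currentStage = Integer.parseInt(stage);`. A malformed (non-numeric) value would still propagate; whether that should fall back to stage 1 or surface depends on how LessonTracker.load handles exceptions, which is outside this section.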


@ -0,0 +1,40 @@
package org.owasp.webgoat.session;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class UnauthenticatedException extends Exception
{
/**
*
*/
private static final long serialVersionUID = 97865025446819061L;
}
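Review bot: UnauthenticatedException declares no constructors, so a throw site can never attach a message or cause, and the same applies to UnauthorizedException in the next file section; ValidationException later in this commit does provide a `(String message)` constructor, so the three are inconsistent. Adding `public UnauthenticatedException(String message) { super(message); }` (and the matching constructor in UnauthorizedException) lets the check that failed be recorded without affecting any existing no-argument throw. The empty Javadoc block above serialVersionUID should either say something or be dropped.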


@ -0,0 +1,40 @@
package org.owasp.webgoat.session;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class UnauthorizedException extends Exception
{
/**
*
*/
private static final long serialVersionUID = 5245519486798464814L;
}


@ -0,0 +1,273 @@
package org.owasp.webgoat.session;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.apache.catalina.Role;
import org.apache.catalina.User;
import org.apache.catalina.users.MemoryUserDatabase;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 29, 2003
*/
public class UserTracker
{
private static UserTracker instance;
// FIXME: persist this somehow!
private static HashMap<String, HashMap<String, LessonTracker>> storage = new HashMap<String, HashMap<String, LessonTracker>>();
private static MemoryUserDatabase usersDB = new MemoryUserDatabase();
/**
* Constructor for the UserTracker object
*/
private UserTracker()
{}
/**
* Gets the completed attribute of the UserTracker object
*
* @param userName Description of the Parameter
* @return The completed value
*/
public int getCompleted(String userName)
{
HashMap usermap = getUserMap(userName);
Iterator i = usermap.entrySet().iterator();
int count = 0;
while (i.hasNext())
{
Map.Entry entry = (Map.Entry) i.next();
int value = ((Integer) entry.getValue()).intValue();
if (value > 5)
{
count++;
}
}
return count;
}
/**
* Gets the users attribute of the UserTracker object
*
* @return The users value
*/
public Collection getUsers()
{
return storage.keySet();
}
public Collection<String> getAllUsers(String roleName)
{
synchronized (usersDB)
{
Collection<String> allUsers = new ArrayList<String>();
try
{
usersDB.open();
Iterator users = usersDB.getUsers();
while (users.hasNext())
{
User user = (User) users.next();
Iterator roles = user.getRoles();
while (roles.hasNext())
{
Role role = (Role) roles.next();
if (role.getRolename().trim().equals(roleName))
{
allUsers.add(user.getUsername());
}
}
}
usersDB.close();
}
catch (Exception e)
{}
return allUsers;
}
}
public void deleteUser(String user)
{
synchronized (usersDB)
{
try
{
usersDB.open();
Iterator users = usersDB.getUsers();
while (users.hasNext())
{
User tomcatUser = (User) users.next();
if (tomcatUser.getUsername().equals(user))
{
usersDB.removeUser(tomcatUser);
// FIXME: delete all the lesson tracking property files
break;
}
}
usersDB.close();
}
catch (Exception e)
{}
}
}
/**
* Gets the lessonTracker attribute of the UserTracker object
*
* @param screen Description of the Parameter
* @param userName Description of the Parameter
* @return The lessonTracker value
*/
public LessonTracker getLessonTracker(WebSession s, Screen screen)
{
return getLessonTracker(s, s.getUserName(), screen);
}
public LessonTracker getLessonTracker(WebSession s, String user,
Screen screen)
{
HashMap<String, LessonTracker> usermap = getUserMap(user);
LessonTracker tracker = (LessonTracker) usermap.get(screen.getTitle());
if (tracker == null)
{
// Creates a new lesson tracker, if one does not exist on disk.
tracker = LessonTracker.load(s, user, screen);
usermap.put(screen.getTitle(), tracker);
}
//System.out.println( "User: [" + userName + "] UserTracker:getLessonTracker() LTH " + tracker.hashCode() + " for " + screen );
return tracker;
}
/**
* Gets the status attribute of the UserTracker object
*
* @param screen Description of the Parameter
* @param userName Description of the Parameter
* @return The status value
*/
public String getStatus(WebSession s, Screen screen)
{
return ("User [" + s.getUserName() + "] has accessed " + screen
+ " UserTracker:getStatus()LTH = " + getLessonTracker(s, screen)
.hashCode());
}
/**
* Gets the userMap attribute of the UserTracker object
*
* @param userName Description of the Parameter
* @return The userMap value
*/
private HashMap<String, LessonTracker> getUserMap(String userName)
{
HashMap<String, LessonTracker> usermap = storage.get(userName);
if (usermap == null)
{
usermap = new HashMap<String, LessonTracker>();
storage.put(userName, usermap);
}
return (usermap);
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public static synchronized UserTracker instance()
{
if (instance == null)
{
instance = new UserTracker();
}
return instance;
}
/**
* Description of the Method
*
* @param screen Description of the Parameter
* @param s Description of the Parameter
*/
public void update(WebSession s, Screen screen)
{
LessonTracker tracker = getLessonTracker(s, screen);
//System.out.println( "User [" + s.getUserName() + "] TRACKER: updating " + screen + " LTH " + tracker.hashCode() );
tracker.store(s, screen);
HashMap<String, LessonTracker> usermap = getUserMap(s.getUserName());
usermap.put(screen.getTitle(), tracker);
}
}
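Review bot: getCompleted casts each value of the user map to Integer, but getUserMap returns HashMap&lt;String, LessonTracker&gt; and getLessonTracker/update only ever store LessonTracker instances, so `((Integer) entry.getValue()).intValue()` throws ClassCastException for any user whose map holds at least one tracker; the raw `HashMap usermap` local is what hides this from the compiler. The count has to be derived from the LessonTracker itself (its completion accessor is not visible in this section), and the local should be typed `HashMap<String, LessonTracker>` like its siblings. Separately, getAllUsers and deleteUser call usersDB.close() inside the try and then swallow every exception with `catch (Exception e) {}`, so a failure mid-iteration leaves the database open and unreported; move close() into a finally and at least log the exception. deleteUser also leaves the user's entry in the static storage map, so the in-memory trackers of a deleted user survive until restart.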


@ -0,0 +1,51 @@
package org.owasp.webgoat.session;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class ValidationException extends Exception
{
/**
*
*/
private static final long serialVersionUID = -8358754606830400708L;
public ValidationException()
{
super();
}
public ValidationException(String message)
{
super(message);
}
}



@ -0,0 +1,198 @@
package org.owasp.webgoat.session;
import java.util.Iterator;
import javax.servlet.http.HttpServlet;
public class WebgoatContext {
public final static String DATABASE_CONNECTION_STRING = "DatabaseConnectionString";
public final static String DATABASE_DRIVER = "DatabaseDriver";
public final static String DATABASE_USER = "DatabaseUser";
public final static String DATABASE_PASSWORD = "DatabasePassword";
public final static String ENTERPRISE = "Enterprise";
public final static String CODING_EXERCISES = "CodingExercises";
public final static String SHOWCOOKIES = "ShowCookies";
public final static String SHOWPARAMS = "ShowParams";
public final static String SHOWREQUEST = "ShowRequest";
public final static String SHOWSOURCE = "ShowSource";
public final static String SHOWSOLUTION = "ShowSolution";
public final static String SHOWHINTS = "ShowHints";
public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands";
public final static String FEEDBACK_ADDRESS = "FeedbackAddress";
public final static String DEBUG = "debug";
private String databaseConnectionString;
private String realConnectionString = null;
private String databaseDriver;
private String databaseUser;
private String databasePassword;
private boolean showCookies = false;
private boolean showParams = false;
private boolean showRequest = false;
private boolean showSource = false;
private boolean showSolution = false;
private boolean defuseOSCommands = false;
private boolean enterprise = false;
private boolean codingExercises = false;
private String feedbackAddress = "<A HREF=mailto:webgoat@owasp.org>webgoat@owasp.org</A>";
private boolean isDebug = false;
private String servletName;
private HttpServlet servlet;
public WebgoatContext(HttpServlet servlet) {
this.servlet = servlet;
databaseConnectionString = getParameter(servlet, DATABASE_CONNECTION_STRING);
databaseDriver = getParameter(servlet, DATABASE_DRIVER);
databaseUser = getParameter(servlet, DATABASE_USER);
databasePassword = getParameter(servlet, DATABASE_PASSWORD);
// initialize from web.xml
showParams = "true".equals( getParameter(servlet, SHOWPARAMS ) );
showCookies = "true".equals( getParameter(servlet, SHOWCOOKIES ) );
showSource = "true".equals( getParameter(servlet, SHOWSOURCE ) );
showSolution = "true".equals( getParameter( servlet, SHOWSOLUTION ) );
defuseOSCommands = "true".equals( getParameter(servlet, DEFUSEOSCOMMANDS ) );
enterprise = "true".equals( getParameter(servlet, ENTERPRISE ) );
codingExercises = "true".equals( getParameter(servlet, CODING_EXERCISES ) );
feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS ) != null ?
getParameter(servlet, FEEDBACK_ADDRESS ) : feedbackAddress;
showRequest = "true".equals( getParameter(servlet, SHOWREQUEST ) );
isDebug = "true".equals( getParameter(servlet, DEBUG ) );
servletName = servlet.getServletName();
}
private String getParameter(HttpServlet servlet, String key) {
String value = System.getenv().get(key);
if (value == null)
value = servlet.getInitParameter(key);
return value;
}
/**
* returns the connection string with the real path to the database
* directory inserted at the word PATH
*
* @return The databaseConnectionString value
*/
public String getDatabaseConnectionString() {
if (realConnectionString == null)
try {
String path = servlet.getServletContext().getRealPath(
"/database").replace('\\', '/');
System.out.println("PATH: " + path);
realConnectionString = databaseConnectionString.replaceAll(
"PATH", path);
System.out.println("Database Connection String: "
+ realConnectionString);
} catch (Exception e) {
System.out
.println("Couldn't open database: check web.xml database parameters");
e.printStackTrace();
}
return realConnectionString;
}
/**
* Gets the databaseDriver attribute of the WebSession object
*
* @return The databaseDriver value
*/
public String getDatabaseDriver() {
return (databaseDriver);
}
/**
* Gets the databaseUser attribute of the WebSession object
*
* @return The databaseUser value
*/
public String getDatabaseUser() {
return (databaseUser);
}
/**
* Gets the databasePassword attribute of the WebSession object
*
* @return The databasePassword value
*/
public String getDatabasePassword() {
return (databasePassword);
}
public boolean isDefuseOSCommands() {
return defuseOSCommands;
}
public boolean isEnterprise() {
return enterprise;
}
public boolean isCodingExercises() {
return codingExercises;
}
public String getFeedbackAddress() {
return feedbackAddress;
}
public boolean isDebug() {
return isDebug;
}
public String getServletName() {
return servletName;
}
public boolean isShowCookies() {
return showCookies;
}
public boolean isShowParams() {
return showParams;
}
public boolean isShowRequest() {
return showRequest;
}
public boolean isShowSource() {
return showSource;
}
public boolean isShowSolution() {
return showSolution;
}
}
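Review bot: getDatabaseConnectionString substitutes the real path with `replaceAll("PATH", path)`, which treats path as a regex replacement string, so a deployment directory containing `$` throws IllegalArgumentException that the surrounding catch then swallows; use the literal form `realConnectionString = databaseConnectionString.replace("PATH", path);`. The same method prints the resolved connection string to stdout, which would expose credentials if the configured string embeds them, and uses printStackTrace instead of the servlet log; on any failure (including a null databaseConnectionString or a null getRealPath result, which the servlet API permits) it returns null to the caller with no indication. getParameter also lets a process environment variable silently override the web.xml init parameter of the same name, which deserves a comment on the method such as `// environment takes precedence over web.xml init parameters`.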


@ -0,0 +1,133 @@
package org.owasp.webgoat.session;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.Properties;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class WebgoatProperties extends Properties
{
/**
*
*/
private static final long serialVersionUID = 4351681705558227918L;
public WebgoatProperties(String propertiesFileName) throws IOException
{
try
{
FileInputStream in = new FileInputStream(propertiesFileName);
load(in);
}
catch (IOException e)
{
System.out
.println("Warning: Unable to open webgoat.properties file");
}
}
public int getIntProperty(String key, int defaultValue)
{
int value = defaultValue;
String s = getProperty(key);
if (s != null)
{
value = Integer.parseInt(s);
}
return value;
}
public boolean getBooleanProperty(String key, boolean defaultValue)
{
boolean value = defaultValue;
key = this.trimLesson(key);
String s = getProperty(key);
if (s != null)
{
if (s.equalsIgnoreCase("true"))
value = true;
else if (s.equalsIgnoreCase("yes"))
value = true;
else if (s.equalsIgnoreCase("on"))
value = true;
else if (s.equalsIgnoreCase("false"))
value = false;
else if (s.equalsIgnoreCase("no"))
value = false;
else if (s.equalsIgnoreCase("off"))
value = false;
}
return value;
}
private String trimLesson(String lesson)
{
String result = "";
if (lesson.startsWith("org.owasp.webgoat.lessons."))
{
result = lesson.substring("org.owasp.webgoat.lessons.".length(),
lesson.length());
}
else
{
result = lesson;
}
return result;
}
public static void main(String[] args)
{
WebgoatProperties properties = null;
try
{
properties = new WebgoatProperties("C:\\webgoat.properties");
}
catch (IOException e)
{
System.out.println("Error loading properties");
e.printStackTrace();
}
System.out.println(properties.getProperty("CommandInjection.category"));
}
}
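Review bot: The FileInputStream opened in the constructor is never closed, so every WebgoatProperties instance leaks a file handle; wrap the load as `try { load(in); } finally { in.close(); }`. The catch inside the constructor also absorbs every IOException the body can raise (FileNotFoundException included), so the declared `throws IOException` is never exercised and callers, including the catch in main, silently get an empty Properties when the file is missing. getIntProperty passes a non-numeric value straight to Integer.parseInt; if a bad entry should fall back to defaultValue rather than propagate NumberFormatException, catch it there. The hard-coded `C:\\webgoat.properties` in main is a developer-machine path and should not ship in the class.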