Miscellaneous bug fixes

divide by zero, inaccurate discount and totals, reflection of user input


git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@273 4033779f-a91e-0410-96ef-6bf7bf53c507

main/project/WebContent/lessons/Ajax/clientSideFiltering.jsp

@@ -0,0 +1,114 @@
+
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+    pageEncoding="ISO-8859-1"%>
+    
+<%@ page import="java.io.*, javax.xml.xpath.*, org.xml.sax.InputSource,org.w3c.dom.*,org.apache.ecs.html.* " %>  
+    
+<% 
+
+	String userId = request.getParameter("userID");
+
+
+	NodeList nodes = null;
+	
+	
+
+	File d = new File(this.getServletContext().getRealPath("lessons/Ajax/employees.xml"));
+	
+	if(d.exists()){
+		System.out.print("File does exist");
+	}
+	else{
+		System.out.print("File DOES NOT exist");
+	}
+	
+	System.out.println(d.getAbsolutePath());
+	XPathFactory factory = XPathFactory.newInstance();
+	XPath xPath = factory.newXPath();
+	InputSource inputSource = new InputSource(new FileInputStream(d));
+
+
+
+
+
+	
+	StringBuffer sb = new StringBuffer();
+	
+	sb.append("/Employees/Employee/UserID | ");
+	sb.append("/Employees/Employee/FirstName | ");
+	sb.append("/Employees/Employee/LastName | ");
+	sb.append("/Employees/Employee/SSN | ");
+	sb.append("/Employees/Employee/Salary ");
+	
+	String expression = sb.toString();
+	
+	
+	System.out.print("expression:" + expression);
+
+
+
+	nodes = (NodeList) xPath.evaluate(expression, inputSource,
+	XPathConstants.NODESET);
+	int nodesLength = nodes.getLength();
+
+	
+	System.out.println("nodesLength:" + nodesLength);
+
+	TR tr;
+	
+	int COLUMNS = 5;
+	
+	Table t2 = null;
+    if (nodesLength > 0)
+    {
+		t2 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(
+			1).setWidth("90%").setAlign("center");
+		tr = new TR();	
+		tr.addElement(new TD().addElement("UserID"));
+		tr.addElement(new TD().addElement("First Name"));
+		tr.addElement(new TD().addElement("Last Name"));
+		tr.addElement(new TD().addElement("SSN"));
+		tr.addElement(new TD().addElement("Salary"));
+		t2.addElement(tr);
+    }
+    
+
+    
+    tr = new TR();
+    
+    for (int i = 0; i < nodesLength; i++)
+    {
+		Node node = nodes.item(i);
+		
+		if(i%COLUMNS==0){
+			tr = new TR();
+			tr.setID(node.getTextContent());
+			//tr.setStyle("display: none");
+		}
+		
+		tr.addElement(new TD().addElement(node.getTextContent()));
+		
+		if(i%COLUMNS==(COLUMNS-1)){
+			t2.addElement(tr);		
+		}
+    }
+    
+    if(t2 != null){
+   	 	out.println(t2.toString());
+    }
+    else{
+    	out.println("No Results");
+    }
+    
+    
+
+    
+	
+	
+	
+	
+	
+
+
+%>
+    

main/project/WebContent/lessons/Ajax/clientSideFiltering_backup.jsp

@@ -0,0 +1,114 @@
+
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+    pageEncoding="ISO-8859-1"%>
+    
+<%@ page import="java.io.*, javax.xml.xpath.*, org.xml.sax.InputSource,org.w3c.dom.*,org.apache.ecs.html.* " %>  
+    
+<% 
+
+	String userId = request.getParameter("userID");
+
+
+	NodeList nodes = null;
+	
+	
+
+	File d = new File(this.getServletContext().getRealPath("lessons/Ajax/employees.xml"));
+	
+	if(d.exists()){
+		System.out.print("File does exist");
+	}
+	else{
+		System.out.print("File DOES NOT exist");
+	}
+	
+	System.out.println(d.getAbsolutePath());
+	XPathFactory factory = XPathFactory.newInstance();
+	XPath xPath = factory.newXPath();
+	InputSource inputSource = new InputSource(new FileInputStream(d));
+
+
+
+
+
+	
+	StringBuffer sb = new StringBuffer();
+	
+	sb.append("/Employees/Employee/UserID | ");
+	sb.append("/Employees/Employee/FirstName | ");
+	sb.append("/Employees/Employee/LastName | ");
+	sb.append("/Employees/Employee/SSN | ");
+	sb.append("/Employees/Employee/Salary ");
+	
+	String expression = sb.toString();
+	
+	
+	System.out.print("expression:" + expression);
+
+
+
+	nodes = (NodeList) xPath.evaluate(expression, inputSource,
+	XPathConstants.NODESET);
+	int nodesLength = nodes.getLength();
+
+	
+	System.out.println("nodesLength:" + nodesLength);
+
+	TR tr;
+	
+	int COLUMNS = 5;
+	
+	Table t2 = null;
+    if (nodesLength > 0)
+    {
+		t2 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(
+			1).setWidth("90%").setAlign("center");
+		tr = new TR();	
+		tr.addElement(new TD().addElement("UserID"));
+		tr.addElement(new TD().addElement("First Name"));
+		tr.addElement(new TD().addElement("Last Name"));
+		tr.addElement(new TD().addElement("SSN"));
+		tr.addElement(new TD().addElement("Salary"));
+		t2.addElement(tr);
+    }
+    
+
+    
+    tr = new TR();
+    
+    for (int i = 0; i < nodesLength; i++)
+    {
+		Node node = nodes.item(i);
+		
+		if(i%COLUMNS==0){
+			tr = new TR();
+			tr.setID(node.getTextContent());
+			//tr.setStyle("display: none");
+		}
+		
+		tr.addElement(new TD().addElement(node.getTextContent()));
+		
+		if(i%COLUMNS==(COLUMNS-1)){
+			t2.addElement(tr);		
+		}
+    }
+    
+    if(t2 != null){
+   	 	out.println(t2.toString());
+    }
+    else{
+    	out.println("No Results");
+    }
+    
+    
+
+    
+	
+	
+	
+	
+	
+
+
+%>
+    

main/project/WebContent/lessons/Ajax/clientSideValidation.jsp

@@ -0,0 +1,30 @@
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+    pageEncoding="ISO-8859-1"%>
+    
+    
+    
+<% String coupon = request.getParameter("coupon");
+
+if (coupon.equalsIgnoreCase("PLATINUM")){
+	out.print(".25");
+}
+else if (coupon.equalsIgnoreCase("GOLD")){
+	out.print(".5");
+}
+else if (coupon.equalsIgnoreCase("SILVER")){
+	out.print(".75");
+}
+else if (coupon.equalsIgnoreCase("BRONZE")){
+	out.print(".8");
+}
+else if (coupon.equalsIgnoreCase("PRESSONE")){
+	out.print(".9");
+}
+else if (coupon.equalsIgnoreCase("PRESSTWO")){
+	out.print(".95");
+}
+
+
+
+%>    
+    

main/project/WebContent/lessons/Ajax/employees.xml

@@ -0,0 +1,251 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Employees>
+    <Employee >
+        <UserID>101</UserID>
+        <FirstName>Larry</FirstName>
+        <LastName>Stooge</LastName>
+        <Street>9175 Guilford Rd</Street>
+        <CS>New York, NY</CS>
+        <Phone>443-689-0192</Phone>
+        <StartDate>1012000</StartDate>
+        <SSN>386-09-5451</SSN>
+        <Salary>55000</Salary>
+        <CreditCard>2578546969853547</CreditCard>
+        <Limit>5000</Limit>
+        <Comments>Does not work well with others</Comments>
+        <DisciplinaryExplanation>Constantly harassing coworkers</DisciplinaryExplanation>
+        <DisciplinaryDate>10106</DisciplinaryDate>
+        <Managers>
+            <Manager>102</Manager>
+            <Manager>111</Manager>
+            <Manager>112</Manager>
+        </Managers> 
+    </Employee>
+    <Employee>
+        <UserID>102</UserID>
+        <FirstName>Moe</FirstName>
+        <LastName>Stooge</LastName>
+        <Street>3013 AMD Ave</Street>
+        <CS>New York, NY</CS>
+        <Phone>443-938-5301</Phone>
+        <StartDate>3082003</StartDate>
+        <SSN>936-18-4524</SSN>
+        <Salary>140000</Salary>
+        <CreditCard>NA</CreditCard>
+        <Limit>0</Limit>
+        <Comments>Very dominating over Larry and Curly</Comments>
+        <DisciplinaryExplanation>Hit Curly over head</DisciplinaryExplanation>
+        <DisciplinaryDate>101013</DisciplinaryDate>
+        <Managers>
+			<Manager>112</Manager>
+		</Managers> 
+    </Employee>
+    <Employee>
+        <UserID>103</UserID>
+        <FirstName>Curly</FirstName>
+        <LastName>Stooge</LastName>
+        <Street>1112 Crusoe Lane</Street>
+        <CS>New York, NY</CS>
+        <Phone>410-667-6654</Phone>
+        <StartDate>2122001</StartDate>
+        <SSN>961-08-0047</SSN>
+        <Salary>50000</Salary>
+        <CreditCard>NA</CreditCard>
+        <Limit>0</Limit>
+        <Comments>Owes three-thousand to company for fradulent purchases</Comments>
+        <DisciplinaryExplanation>Hit Moe back</DisciplinaryExplanation>
+        <DisciplinaryDate>101014</DisciplinaryDate>
+        <Managers>
+            <Manager>102</Manager>
+            <Manager>111</Manager>
+            <Manager>112</Manager>
+        </Managers>  
+    </Employee>
+    <Employee>
+        <UserID>104</UserID>
+        <FirstName>Eric</FirstName>
+        <LastName>Walker</LastName>
+        <Street>1160 Prescott Rd</Street>
+        <CS>New York, NY</CS>
+        <Phone>410-887-1193</Phone>
+        <StartDate>12152005</StartDate>
+        <SSN>445-66-5565</SSN>
+        <Salary>13000</Salary>
+        <CreditCard>NA</CreditCard>
+        <Limit>0</Limit>
+        <Comments>Late. Always needs help. Too intern-ish.</Comments>
+        <DisciplinaryExplanation>Bothering Larry about webgoat problems</DisciplinaryExplanation>
+        <DisciplinaryDate>101013</DisciplinaryDate>
+        <Managers>
+            <Manager>107</Manager>
+            <Manager>102</Manager>
+            <Manager>111</Manager>
+            <Manager>112</Manager>
+        </Managers> 
+    </Employee>
+    <Employee>
+        <UserID>105</UserID>
+        <FirstName>Tom</FirstName>
+        <LastName>Cat</LastName>
+        <Street>2211 HyperThread Rd.</Street>
+        <CS>New York, NY</CS>
+        <Phone>443-599-0762</Phone>
+        <StartDate>1011999</StartDate>
+        <SSN>792-14-6364</SSN>
+        <Salary>80000</Salary>
+        <CreditCard>5481360857968521</CreditCard>
+        <Limit>30000</Limit>
+        <Comments>Co-Owner.</Comments>
+        <DisciplinaryExplanation>NA</DisciplinaryExplanation>
+        <DisciplinaryDate>0</DisciplinaryDate>
+        <Managers>
+            <Manager>106</Manager>
+            <Manager>102</Manager>
+            <Manager>111</Manager>
+            <Manager>112</Manager>
+        </Managers> 
+    </Employee>
+    <Employee>
+        <UserID>106</UserID>
+        <FirstName>Jerry</FirstName>
+        <LastName>Mouse</LastName>
+        <Street>3011 Unix Drive</Street>
+        <CS>New York, NY</CS>
+        <Phone>443-699-3366</Phone>
+        <StartDate>1011999</StartDate>
+        <SSN>858-55-4452</SSN>
+        <Salary>70000</Salary>
+        <CreditCard>6981754825013564</CreditCard>
+        <Limit>20000</Limit>
+        <Comments>Co-Owner.</Comments>
+        <DisciplinaryExplanation>NA</DisciplinaryExplanation>
+        <DisciplinaryDate>0</DisciplinaryDate>
+        <Managers>
+            <Manager>102</Manager>
+            <Manager>111</Manager>
+            <Manager>112</Manager>
+        </Managers>  
+    </Employee>
+    <Employee>
+        <UserID>107</UserID>
+        <FirstName>David</FirstName>
+        <LastName>Giambi</LastName>
+        <Street>5132 DIMM Avenue</Street>
+        <CS>New York, NY</CS>
+        <Phone>610-521-8413</Phone>
+        <StartDate>5011999</StartDate>
+        <SSN>439-20-9405</SSN>
+        <Salary>100000</Salary>
+        <CreditCard>6981754825018101</CreditCard>
+        <Limit>10000</Limit>
+        <Comments>Strong work habbit. Questionable ethics.</Comments>
+        <DisciplinaryExplanation>Hacked into accounting server. Modified personal pay.</DisciplinaryExplanation>
+        <DisciplinaryDate>61402</DisciplinaryDate>
+        <Managers>
+            <Manager>102</Manager>
+            <Manager>111</Manager>
+            <Manager>112</Manager>
+        </Managers>         
+    </Employee>
+    <Employee>
+        <UserID>108</UserID>
+        <FirstName>Bruce</FirstName>
+        <LastName>McGuirre</LastName>
+        <Street>8899 FreeBSD Drive&lt;script&gt;alert(document.cookie)&lt;/script&gt; </Street>
+        <CS>New York, NY</CS>
+        <Phone>610-282-1103</Phone>
+        <StartDate>3012000</StartDate>
+        <SSN>707-95-9482</SSN>
+        <Salary>110000</Salary>
+        <CreditCard>6981754825854136</CreditCard>
+        <Limit>30000</Limit>
+        <Comments>Enjoys watching others struggle in exercises.</Comments>
+        <DisciplinaryExplanation>Tortuous Boot Camp workout at 5am. Employees felt sick.</DisciplinaryExplanation>
+        <DisciplinaryDate>61502</DisciplinaryDate>
+        <Managers>
+            <Manager>107</Manager>
+            <Manager>102</Manager>
+            <Manager>111</Manager>
+            <Manager>112</Manager>
+        </Managers>        
+    </Employee>
+    <Employee>
+        <UserID>109</UserID>
+        <FirstName>Sean</FirstName>
+        <LastName>Livingston</LastName>
+        <Street>6422 dFlyBSD Road</Street>
+        <CS>New York, NY</CS>
+        <Phone>610-878-9549</Phone>
+        <StartDate>6012003</StartDate>
+        <SSN>136-55-1046</SSN>
+        <Salary>130000</Salary>
+        <CreditCard>6981754825014510</CreditCard>
+        <Limit>5000</Limit>
+        <Comments>Has some fascination with Steelers. Go Ravens.</Comments>
+        <DisciplinaryExplanation>Late to work 30 days in row due to excessive Halo 2</DisciplinaryExplanation>
+        <DisciplinaryDate>72804</DisciplinaryDate>
+        <Managers>
+            <Manager>107</Manager>
+            <Manager>102</Manager>
+            <Manager>111</Manager>
+            <Manager>112</Manager>
+        </Managers>        
+    </Employee>
+    <Employee>
+        <UserID>110</UserID>
+        <FirstName>Joanne</FirstName>
+        <LastName>McDougal</LastName>
+        <Street>5567 Broadband Lane</Street>
+        <CS>New York, NY</CS>
+        <Phone>610-213-6341</Phone>
+        <StartDate>1012001</StartDate>
+        <SSN>789-54-2413</SSN>
+        <Salary>90000</Salary>
+        <CreditCard>6981754825081054</CreditCard>
+        <Limit>300</Limit>
+        <Comments>Finds it necessary to leave early every day.</Comments>
+        <DisciplinaryExplanation>Used company cc to purchase new car. Limit adjusted.</DisciplinaryExplanation>
+        <DisciplinaryDate>112005</DisciplinaryDate>
+        <Managers>
+            <Manager>106</Manager>
+            <Manager>102</Manager>
+            <Manager>111</Manager>
+            <Manager>112</Manager>
+        </Managers> 
+    </Employee>
+    <Employee>
+        <UserID>111</UserID>
+        <FirstName>John</FirstName>
+        <LastName>Wayne</LastName>
+        <Street>129 Third St</Street>
+        <CS>New York, NY</CS>
+        <Phone>610-213-1134</Phone>
+        <StartDate>1012001</StartDate>
+        <SSN>129-69-4572</SSN>
+        <Salary>200000</Salary>
+        <CreditCard>4437334565679921</CreditCard>
+        <Limit>300</Limit>
+        <Comments></Comments>
+        <DisciplinaryExplanation></DisciplinaryExplanation>
+        <DisciplinaryDate>112005</DisciplinaryDate>
+        <Managers>
+            <Manager>112</Manager>
+        </Managers>   
+    </Employee>
+    <Employee>
+        <UserID>112</UserID>
+        <FirstName>Neville</FirstName>
+        <LastName>Bartholomew</LastName>
+        <Street>1 Corporate Headquarters</Street>
+        <CS>San Jose, CA</CS>
+        <Phone>408-587-0024</Phone>
+        <StartDate>3012000</StartDate>
+        <SSN>111-111-1111</SSN>
+        <Salary>450000</Salary>
+        <CreditCard>4803389267684109</CreditCard>
+        <Limit>300</Limit>
+        <Comments></Comments>
+        <DisciplinaryExplanation></DisciplinaryExplanation>
+        <DisciplinaryDate>112005</DisciplinaryDate>        
+    </Employee>
+</Employees>

main/project/WebContent/lessons/Ajax/eval.jsp

@@ -0,0 +1,37 @@
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1" import="java.util.regex.*" import="org.owasp.webgoat.lessons.DangerousEval"
+    pageEncoding="ISO-8859-1"%>
+<%
+String action = request.getParameter("action");
+String field1 = request.getParameter("field1");
+String field2 = request.getParameter("field2");
+String regex1 = "^[0-9]{3}$";// any three digits
+Pattern pattern1 = Pattern.compile(regex1);
+
+if(action == null) action = "Purchase";
+if(field1 == null) field1 = "123";
+if(field2 == null) field2 = "-1";
+
+/** For security reasons, we remove all '<' and '>' characters to prevent XSS **/
+field1.replaceAll("<", "");
+field1.replaceAll(">", "");
+field2.replaceAll("<", "");
+field2.replaceAll(">", "");
+
+if("Purchase".equals(action))
+{
+	if(!pattern1.matcher(field1).matches())
+	{
+		/** If they supplied the right attack, pass them **/
+		if(field1.indexOf("');") != -1 && field1.indexOf("alert") != -1 && field1.indexOf("document.cookie") != -1)
+		{
+			session.setAttribute(DangerousEval.PASSED, "true");
+		}
+		
+		out.write("alert('Whoops: You entered an incorrect access code of \"" + field1 + "\"');");
+	}
+	else
+	{
+		out.write("alert('Purchase completed successfully with credit card \"" + field2 + "\" and access code \"" + field1 + "\"');");
+	}
+}
+%>

main/project/WebContent/lessons/Ajax/instructor/clientSideFiltering_i.jsp

@@ -0,0 +1,111 @@
+
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+    pageEncoding="ISO-8859-1"%>
+    
+<%@ page import="java.io.*, javax.xml.xpath.*, org.xml.sax.InputSource,org.w3c.dom.*,org.apache.ecs.html.* " %>  
+    
+<% 
+
+String userId = request.getParameter("userId");
+
+
+	NodeList nodes = null;
+	
+	
+
+	File d = new File(this.getServletContext().getRealPath("lessons/Ajax/employees.xml"));
+	
+	if(d.exists()){
+		System.out.print("File does exist");
+	}
+	else{
+		System.out.print("File DOES NOT exist");
+	}
+	
+	System.out.println(d.getAbsolutePath());
+	XPathFactory factory = XPathFactory.newInstance();
+	XPath xPath = factory.newXPath();
+	InputSource inputSource = new InputSource(new FileInputStream(d));
+
+
+	StringBuffer sb = new StringBuffer();
+	
+	sb.append("/Employees/Employee [Managers/Manager/text()='" + userId + "']/UserID | ");
+	sb.append("/Employees/Employee [Managers/Manager/text()='" + userId + "']/FirstName | ");
+	sb.append("/Employees/Employee [Managers/Manager/text()='" + userId + "']/LastName | ");
+	sb.append("/Employees/Employee [Managers/Manager/text()='" + userId + "']/SSN | ");
+	sb.append("/Employees/Employee [Managers/Manager/text()='" + userId + "']/Salary ");
+	
+	String expression = sb.toString();
+	
+	System.out.print("expression:" + expression);
+
+
+
+
+
+	nodes = (NodeList) xPath.evaluate(expression, inputSource,
+	XPathConstants.NODESET);
+	int nodesLength = nodes.getLength();
+
+	
+	System.out.println("nodesLength:" + nodesLength);
+
+	TR tr;
+	
+	int COLUMNS = 5;
+	
+	Table t2 = null;
+    if (nodesLength > 0)
+    {
+		t2 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(
+			1).setWidth("90%").setAlign("center");
+		tr = new TR();	
+		tr.addElement(new TD().addElement("UserID"));
+		tr.addElement(new TD().addElement("First Name"));
+		tr.addElement(new TD().addElement("Last Name"));
+		tr.addElement(new TD().addElement("SSN"));
+		tr.addElement(new TD().addElement("Salary"));
+		t2.addElement(tr);
+    }
+    
+
+    
+    tr = new TR();
+    
+    for (int i = 0; i < nodesLength; i++)
+    {
+		Node node = nodes.item(i);
+		
+		if(i%COLUMNS==0){
+			tr = new TR();
+			tr.setID(node.getTextContent());
+			//tr.setStyle("display: none");
+		}
+		
+		tr.addElement(new TD().addElement(node.getTextContent()));
+		
+		if(i%COLUMNS==(COLUMNS-1)){
+			t2.addElement(tr);		
+		}
+    }
+    
+    if(t2 != null){
+   	 	out.println(t2.toString());
+    }
+    else{
+    	out.println("No Results");
+    }
+    
+    
+
+    
+	
+	
+	
+	
+	
+
+
+%>
+    

main/project/WebContent/lessons/Ajax/sameOrigin.jsp

@@ -0,0 +1 @@
+Good Response