Menu cleanup for Lab stages. Shortened menu names for most lessons. Changed category naming to be more meaningful.

git-svn-id: http://webgoat.googlecode.com/svn/trunk@214 4033779f-a91e-0410-96ef-6bf7bf53c507
mayhew64 2008-01-02 13:48:19 +00:00
parent ee0bc82bec
commit c1f55215a8
48 changed files with 788 additions and 806 deletions


@ -499,7 +499,7 @@ public abstract class AbstractLesson extends Screen implements Comparable
}
public String getHtml(WebSession s)
public String getHtml_DELETE_ME(WebSession s)
{
String html = null;
@ -561,7 +561,6 @@ public abstract class AbstractLesson extends Screen implements Comparable
public String getSolution(WebSession s)
{
String source = null;
String src = null;
try
@ -587,8 +586,6 @@ public abstract class AbstractLesson extends Screen implements Comparable
html.addElement(head);
html.addElement(body);
source = html.toString();
return src;
}
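Review bot: Renaming the public `getHtml` to `getHtml_DELETE_ME` leaves dead code in an abstract base class under a name that reads like a TODO; if the method is being retired, mark it `@Deprecated` with a Javadoc `@deprecated` note naming the replacement, or remove it in this commit. In `getSolution`, the hunk drops the `String src = null;` declaration while a `return src;` line is still shown; which of those survives on the new side is not recoverable from this rendering, but if `return src;` remains the method will not compile, and if `source` is the value meant to be returned, the `return` should read `return source;`. Both `getHtml_DELETE_ME` and `getSolution` continue outside the hunks.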


@ -126,7 +126,7 @@ public class AccessControlMatrix extends LessonAdapter
protected Category getDefaultCategory()
{
return Category.A2;
return Category.ACCESS_CONTROL;
}


@ -268,7 +268,7 @@ public class BackDoors extends SequentialLessonAdapter
protected Category getDefaultCategory()
{
return Category.A6;
return Category.INJECTION;
}
protected Integer getDefaultRanking()
@ -278,6 +278,6 @@ public class BackDoors extends SequentialLessonAdapter
public String getTitle()
{
return ("How to Use Database Backdoors ");
return ("Database Backdoors ");
}
}


@ -205,12 +205,11 @@ public class BasicAuthentication extends SequentialLessonAdapter
getLessonTracker(s, BASIC).store(s, this, BASIC);
}
s
.setMessage("Congratulations, you have figured out the mechanics of basic authentication.");
s
.setMessage("  - Now you must try to make WebGoat reauthenticate you as: ");
s.setMessage("Congratulations, you have figured out the mechanics of basic authentication.");
s.setMessage("  - Now you must try to make WebGoat reauthenticate you as: ");
s.setMessage("    - username: basic");
s.setMessage("    - password: basic");
s.setMessage("Use the Basic Authentication Menu to start at login page.");
// If the auth header is different but still the original user - tell the user
// that the original cookie was posted bak and basic auth uses the cookie before the
@ -261,7 +260,7 @@ public class BasicAuthentication extends SequentialLessonAdapter
protected Category getDefaultCategory()
{
return Category.A3;
return Category.AUTHENTICATION;
}


@ -145,7 +145,7 @@ public class BlindSqlInjection extends LessonAdapter
*/
protected Category getDefaultCategory()
{
return Category.A6;
return Category.INJECTION;
}
/**
@ -298,7 +298,7 @@ public class BlindSqlInjection extends LessonAdapter
*/
public String getTitle()
{
return ("How to Perform Blind SQL Injection");
return ("Blind SQL Injection");
}
/**


@ -64,7 +64,7 @@ public class BufferOverflow extends LessonAdapter
protected Category getDefaultCategory()
{
return Category.A5;
return Category.BUFFER_OVERFLOW;
}


@ -278,7 +278,7 @@ public class CSRF extends LessonAdapter {
@Override
protected Category getDefaultCategory() {
return Category.A2;
return Category.ACCESS_CONTROL;
}
private final static Integer DEFAULT_RANKING = new Integer(120);
@ -308,7 +308,7 @@ public class CSRF extends LessonAdapter {
*/
public String getTitle()
{
return ( "How to Perform Cross Site Request Forgery (CSRF)" );
return ( "Cross Site Request Forgery (CSRF)" );
}
private static String getNameroot( String name )


@ -33,144 +33,129 @@ import java.util.List;
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class Category implements Comparable
{
public final static Category A1 = new Category("Unvalidated Parameters",
new Integer(110));
public final static Category UNVALIDATED_PARAMETERS = new Category("Unvalidated Parameters", new Integer(110));
public final static Category A2 = new Category("Broken Access Control",
new Integer(210));
public final static Category ACCESS_CONTROL = new Category("Access Control Flaws", new Integer(210));
public final static Category A3 = new Category(
"Broken Authentication and Session Management", new Integer(310));
public final static Category AUTHENTICATION = new Category("Authentication Flaws", new Integer(310));
public final static Category A4 = new Category(
"Cross-Site Scripting (XSS)", new Integer(410));
public final static Category SESSION_MANAGEMENT = new Category("Session Management Flaws", new Integer(320));
public final static Category A5 = new Category("Buffer Overflows",
new Integer(510));
public final static Category XSS = new Category("Cross-Site Scripting (XSS)", new Integer(410));
public final static Category A6 = new Category("Injection Flaws",
new Integer(610));
public final static Category BUFFER_OVERFLOW = new Category("Buffer Overflows", new Integer(510));
public final static Category A7 = new Category("Improper Error Handling",
new Integer(710));
public final static Category INJECTION = new Category("Injection Flaws", new Integer(610));
public final static Category A8 = new Category("Insecure Storage",
new Integer(810));
public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(710));
public final static Category A9 = new Category("Denial of Service",
new Integer(910));
public final static Category INSECURE_STORAGE = new Category("Insecure Storage", new Integer(810));
public final static Category A10 = new Category(
"Insecure Configuration Management", new Integer(1010));
public final static Category DOS = new Category("Denial of Service", new Integer(910));
public final static Category WEB_SERVICES = new Category("Web Services",
new Integer(1110));
public final static Category INSECURE_CONFIGURATION = new Category("Insecure Configuration", new Integer(1010));
public final static Category AJAX_SECURITY = new Category("AJAX Security",
new Integer(1150));
public final static Category WEB_SERVICES = new Category("Web Services", new Integer(1110));
public final static Category ADMIN_FUNCTIONS = new Category(
"Admin Functions", new Integer(10));
public final static Category AJAX_SECURITY = new Category("AJAX Security", new Integer(1150));
public final static Category GENERAL = new Category("General", new Integer(
50));
public final static Category ADMIN_FUNCTIONS = new Category("Admin Functions", new Integer(10));
public final static Category CODE_QUALITY = new Category("Code Quality",
new Integer(70));
public final static Category GENERAL = new Category("General", new Integer(50));
public final static Category CHALLENGE = new Category("Challenge",
new Integer(2000));
public final static Category CODE_QUALITY = new Category("Code Quality", new Integer(70));
private static final List<Category> categories = new ArrayList<Category>();
public final static Category CHALLENGE = new Category("Challenge", new Integer(2000));
private String category;
private static final List<Category> categories = new ArrayList<Category>();
private Integer ranking;
private String category;
static {
categories.add(A1);
categories.add(A2);
categories.add(A3);
categories.add(A4);
categories.add(A5);
categories.add(A6);
categories.add(A7);
categories.add(A8);
categories.add(A9);
categories.add(A10);
private Integer ranking;
static
{
categories.add(UNVALIDATED_PARAMETERS);
categories.add(ACCESS_CONTROL);
categories.add(AUTHENTICATION);
categories.add(SESSION_MANAGEMENT);
categories.add(XSS);
categories.add(BUFFER_OVERFLOW);
categories.add(INJECTION);
categories.add(ERROR_HANDLING);
categories.add(INSECURE_STORAGE);
categories.add(DOS);
categories.add(INSECURE_CONFIGURATION);
categories.add(WEB_SERVICES);
categories.add(AJAX_SECURITY);
categories.add(ADMIN_FUNCTIONS);
categories.add(GENERAL);
categories.add(CODE_QUALITY);
categories.add(CHALLENGE);
}
public static synchronized void addCategory(Category c) {
categories.add(c);
}
public static synchronized Category getCategory(String name) {
Iterator<Category> it = categories.iterator();
while (it.hasNext()) {
Category c = it.next();
if (c.getName().equals(name))
return c;
}
return null;
}
public Category(String category, Integer ranking)
{
this.category = category;
this.ranking = ranking;
}
public int compareTo(Object obj)
{
int value = 1;
if (obj instanceof Category)
{
value = this.getRanking().compareTo(((Category) obj).getRanking());
}
return value;
}
public static synchronized void addCategory(Category c)
{
categories.add(c);
}
public static synchronized Category getCategory(String name)
{
Iterator<Category> it = categories.iterator();
while (it.hasNext())
{
Category c = it.next();
if (c.getName().equals(name)) return c;
}
return null;
}
public Integer getRanking()
{
return ranking;
}
public Category(String category, Integer ranking)
{
this.category = category;
this.ranking = ranking;
}
public int compareTo(Object obj)
{
int value = 1;
public Integer setRanking(Integer ranking)
{
return this.ranking = ranking;
}
if (obj instanceof Category)
{
value = this.getRanking().compareTo(((Category) obj).getRanking());
}
return value;
}
public String getName()
{
return category;
}
public Integer getRanking()
{
return ranking;
}
public Integer setRanking(Integer ranking)
{
return this.ranking = ranking;
}
public boolean equals(Object obj)
{
return (obj instanceof Category) && getName().equals(((Category) obj).getName());
}
public String getName()
{
return category;
}
public boolean equals(Object obj)
{
return (obj instanceof Category) && getName().equals(((Category) obj).getName());
}
public String toString()
{
return getName();
}
public String toString()
{
return getName();
}
}
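Review bot: `equals` is overridden to compare `getName()` but no `hashCode` override appears anywhere in the class, so two `Category` instances that are equal by name can land in different buckets of a `HashMap`/`HashSet`; add `public int hashCode() { return getName().hashCode(); }` beside `equals`. `compareTo` orders by ranking while `equals` compares by name, so ordering is inconsistent with equality; either document that on the class or compare by ranking and then by name. Since `setRanking` is public and the constants (including the new `SESSION_MANAGEMENT`) are shared static singletons registered in the static block, any caller can reorder the menu for every session, which should at least be stated in a comment on `setRanking` if it is intended. `compareTo(Object)` also uses raw `Comparable`; `implements Comparable<Category>` would remove the `instanceof` and cast.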


@ -294,7 +294,7 @@ public class CommandInjection extends LessonAdapter
*/
protected Category getDefaultCategory()
{
return Category.A6;
return Category.INJECTION;
}
@ -348,6 +348,6 @@ public class CommandInjection extends LessonAdapter
*/
public String getTitle()
{
return "How to Perform Command Injection";
return "Command Injection";
}
}


@ -94,7 +94,7 @@ public class CrossSiteScripting extends GoatHillsFinancial
*/
public Category getDefaultCategory()
{
return Category.A4;
return Category.XSS;
}
/**


@ -88,7 +88,7 @@ public class DBCrossSiteScripting extends GoatHillsFinancial
*/
public Category getDefaultCategory()
{
return Category.A4;
return Category.XSS;
}
/**


@ -89,7 +89,7 @@ public class DBSQLInjection extends GoatHillsFinancial
*/
public Category getDefaultCategory()
{
return Category.A6;
return Category.INJECTION;
}
/**


@ -190,7 +190,7 @@ public class DOS_Login extends LessonAdapter
*/
protected Category getDefaultCategory()
{
return Category.A9;
return Category.DOS;
}


@ -405,7 +405,7 @@ public class Encoding extends LessonAdapter
protected Category getDefaultCategory()
{
return Category.A8;
return Category.INSECURE_STORAGE;
}


@ -133,7 +133,7 @@ public class FailOpenAuthentication extends WeakAuthenticationCookie
*/
public Category getDefaultCategory()
{
return Category.A7;
return Category.ERROR_HANDLING;
}
@ -183,7 +183,7 @@ public class FailOpenAuthentication extends WeakAuthenticationCookie
*/
public String getTitle()
{
return ("How to Bypass a Fail Open Authentication Scheme");
return ("Fail Open Authentication Scheme");
}
public Element getCredits()


@ -107,7 +107,7 @@ public class ForcedBrowsing extends LessonAdapter
*/
protected Category getDefaultCategory()
{
return Category.A10;
return Category.INSECURE_CONFIGURATION;
}


@ -290,7 +290,7 @@ public class ForgotPassword extends LessonAdapter
protected Category getDefaultCategory()
{
return Category.A3;
return Category.AUTHENTICATION;
}


@ -176,7 +176,7 @@ public class HiddenFieldTampering extends LessonAdapter
*/
protected Category getDefaultCategory()
{
return Category.A1;
return Category.UNVALIDATED_PARAMETERS;
}
@ -228,7 +228,7 @@ public class HiddenFieldTampering extends LessonAdapter
*/
public String getTitle()
{
return ("How to Exploit Hidden Fields");
return ("Exploit Hidden Fields");
}
public Element getCredits()


@ -250,7 +250,7 @@ public class HtmlClues extends LessonAdapter
*/
public String getTitle()
{
return ("How to Discover Clues in the HTML");
return ("Discover Clues in the HTML");
}
public Element getCredits()


@ -99,6 +99,7 @@ public class HttpBasics extends LessonAdapter
hints.add("Type in your name and press 'go'");
hints.add("Turn on Show Parameters or other features");
hints.add("Press the Show Lesson Plan button to view a lesson summary");
hints.add("Press the Show Solution button to view a lesson solution");
return hints;
}


@ -149,7 +149,7 @@ public class HttpOnly extends LessonAdapter {
*/
protected Category getDefaultCategory()
{
return Category.A4;
return Category.XSS;
}


@ -100,7 +100,7 @@ public class JSONInjection extends LessonAdapter
Form form = new Form(getFormAction(), Form.POST).setName("form")
.setEncType("");
form.setOnSubmit("check();");
form.setOnSubmit("return check();");
form.addElement(createContent(s));
@ -127,13 +127,13 @@ public class JSONInjection extends LessonAdapter
+ TRAVEL_FROM
+ "');"
+ lineSep
+ "if (fromField.value.length < 3 ) { return; }"
+ "if (fromField.value.length < 3 || fromField.value!='BOS') { return; }"
+ lineSep
+ "var toField = document.getElementById('"
+ TRAVEL_TO
+ "');"
+ lineSep
+ "if (toField.value.length < 3 ) { return; }"
+ "if (toField.value.length < 3 || toField.value!='SEA') { return; }"
+ lineSep
+ "var url = '" + getLink()
+ "&from=ajax&"
@ -183,7 +183,7 @@ public class JSONInjection extends LessonAdapter
+ lineSep
+ " var node = card.flights[i];"
+ lineSep
+ " strHTML = strHTML + '<tr><td><input name=\"radio' + i +'\" type=\"radio\"></td><td>';"
+ " strHTML = strHTML + '<tr><td><input name=\"radio'+i+'\" type=\"radio\" id=\"radio'+i+'\"></td><td>';"
+ lineSep
+ " strHTML = strHTML + card.flights[i].stops + '</td><td>';"
+ lineSep
@ -205,13 +205,13 @@ public class JSONInjection extends LessonAdapter
+ lineSep
+ " if ( document.getElementById('radio0').checked )"
+ lineSep
+ " { document.getElementById('price2Submit').value = document.getElementById('priceID0').innerText; }"
+ " { document.getElementById('price2Submit').value = document.getElementById('priceID0').innerHTML; return true;}"
+ lineSep
+ " else if ( document.getElementById('radio1').checked )"
+ lineSep
+ " { document.getElementById('price2Submit').value = document.getElementById('priceID1').innerText; }"
+ " { document.getElementById('price2Submit').value = document.getElementById('priceID1').innerHTML; return true;}"
+ lineSep + " else " + lineSep
+ " { alert('Please choose one flight'); }" + lineSep + "}"
+ " { alert('Please choose one flight'); return false;}" + lineSep + "}"
+ lineSep + "</script>" + lineSep;
ec.addElement(new StringElement(script));
Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0)
@ -222,6 +222,7 @@ public class JSONInjection extends LessonAdapter
tr.addElement(new TD("From: "));
Input in = new Input(Input.TEXT, TRAVEL_FROM, "");
in.addAttribute("onkeyup", "getFlights();");
in.addAttribute("id", TRAVEL_FROM);
tr.addElement(new TD(in));
t1.addElement(tr);
@ -230,6 +231,7 @@ public class JSONInjection extends LessonAdapter
tr.addElement(new TD("To: "));
in = new Input(Input.TEXT, TRAVEL_TO, "");
in.addAttribute("onkeyup", "getFlights();");
in.addAttribute("id", TRAVEL_TO);
tr.addElement(new TD(in));
t1.addElement(tr);
@ -251,12 +253,13 @@ public class JSONInjection extends LessonAdapter
Input price2Submit = new Input();
price2Submit.setType(Input.HIDDEN);
price2Submit.setName("price2Submit");
price2Submit.setValue("");
price2Submit.addAttribute("id", "price2Submit");
ec.addElement(price2Submit);
if (s.getParser().getRawParameter("radio0", "").equals("on"))
{
String price = s.getParser().getRawParameter("price2Submit", "");
price = price.replace("$", "");
if (Integer.parseInt(price) < 600)
{
makeSuccess(s);
@ -272,7 +275,7 @@ public class JSONInjection extends LessonAdapter
public Element getCredits()
{
return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO);
return super.getCustomCredits("Created by Sherif Koussa", MAC_LOGO);
}
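Review bot: `Integer.parseInt(price)` in the `radio0` branch runs on the raw `price2Submit` request parameter after only stripping `$`, so an empty string, whitespace or a decimal point throws `NumberFormatException` out of `createContent` instead of producing a lesson message; guard it, e.g. `if (price.trim().matches("\\d+") && Integer.parseInt(price.trim()) < 600)`, or catch `NumberFormatException` and call `s.setMessage` with a short explanation. Populating the hidden field from `innerHTML` on the client is what this lesson exercises, so that trust is intentional, but the server side should still fail cleanly on malformed input. `createContent` starts before this hunk and the `if` block continues past it.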
protected Category getDefaultCategory()


@ -270,7 +270,7 @@ public class JavaScriptValidation extends LessonAdapter
*/
protected Category getDefaultCategory()
{
return Category.A1;
return Category.UNVALIDATED_PARAMETERS;
}
@ -323,7 +323,7 @@ public class JavaScriptValidation extends LessonAdapter
*/
public String getTitle()
{
return ("How to Bypass Client Side JavaScript Validation");
return ("Bypass Client Side JavaScript Validation");
}
public Element getCredits()


@ -156,14 +156,14 @@ public class LogSpoofing extends LessonAdapter
@Override
public String getTitle()
{
return "How to Perform Log Spoofing";
return "Log Spoofing";
}
@Override
protected Category getDefaultCategory()
{
return Category.A6;
return Category.INJECTION;
}


@ -79,7 +79,7 @@ public class NewLesson extends LessonAdapter
*/
public String getTitle()
{
return ("How to add a new WebGoat lesson");
return ("Create a WebGoat Lesson");
}
public Element getCredits()


@ -47,257 +47,235 @@ import org.owasp.webgoat.session.WebSession;
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class PathBasedAccessControl extends LessonAdapter
{
private final static String FILE = "File";
private final static String FILE = "File";
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
String dir = s.getContext().getRealPath("/lesson_plans");
File d = new File(dir);
Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth(
"90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
String[] list = d.list();
String listing = " <p><B>Current Directory is:</B> "
+ Encoding.urlDecode(dir)
+ "<br><br> Choose the file to view:</p>";
TR tr = new TR();
tr.addElement(new TD().setColSpan(2).addElement(
new StringElement(listing)));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().setWidth("35%").addElement(
ECSFactory.makePulldown(FILE, list, "", 15)));
tr.addElement(new TD().addElement(ECSFactory
.makeButton("View File")));
t.addElement(tr);
ec.addElement(t);
// FIXME: would be cool to allow encodings here -- hex, percent, url, etc...
String file = s.getParser().getRawParameter(FILE, "");
// defuse file searching
boolean illegalCommand = getWebgoatContext().isDefuseOSCommands();
if (getWebgoatContext().isDefuseOSCommands())
{
// allow them to look at any file in the webgoat hierachy. Don't allow them
// to look about the webgoat root, except to see the LICENSE file
if (upDirCount(file) == 3 && !file.endsWith("LICENSE"))
{
s.setMessage("Access denied");
s
.setMessage("It appears that you are on the right track. "
+ "Commands that may compromise the operating system have been disabled. "
+ "You are only allowed to see one file in this directory. ");;
}
else if (upDirCount(file) > 3)
{
s.setMessage("Access denied");
s
.setMessage("It appears that you are on the right track. "
+ "Commands that may compromise the operating system have been disabled. "
+ "You are only allowed to see files in the webgoat directory. ");
}
else
{
illegalCommand = false;
}
}
// Using the URI supports encoding of the data.
// We could force the user to use encoded '/'s == %2f to make the lesson more difficult.
// We url Encode our dir name to avoid problems with special characters in our own path.
//File f = new File( new URI("file:///" + Encoding.urlEncode(dir).replaceAll("\\\\","/") + "/" + file.replaceAll("\\\\","/")) );
File f = new File((dir + "\\" + file).replaceAll("\\\\", "/"));
if (s.isDebug())
{
s.setMessage("File: " + file);
s.setMessage("Dir: " + dir);
//s.setMessage("File URI: " + "file:///" + (Encoding.urlEncode(dir) + "\\" + Encoding.urlEncode(file)).replaceAll("\\\\","/"));
s.setMessage(" - isFile(): " + f.isFile());
s.setMessage(" - exists(): " + f.exists());
}
if (!illegalCommand)
{
if (f.isFile() && f.exists())
{
// Don't set completion if they are listing files in the
// directory listing we gave them.
if (upDirCount(file) >= 1)
{
s.setMessage("Congratulations! Access to file allowed");
s.setMessage(" ==> "
+ Encoding.urlDecode(f.getCanonicalPath()));
makeSuccess(s);
}
else
{
s
.setMessage("File is already in allowed directory - try again!");
s.setMessage(" ==> "
+ Encoding.urlDecode(f.getCanonicalPath()));
}
}
else if (file != null && file.length() != 0)
{
s.setMessage("Access to file/directory \""
+ Encoding.urlDecode(f.getCanonicalPath())
+ "\" denied");
}
else
{
// do nothing, probably entry screen
}
ElementContainer ec = new ElementContainer();
try
{
// Show them the file
// Strip out some of the extra html from the "help" file
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(new HR().setWidth("100%"));
ec.addElement("Viewing file: " + f.getCanonicalPath());
ec.addElement(new HR().setWidth("100%"));
if (f.length() > 80000)
{
throw new Exception("File is too large");
}
String fileData = getFileText(new BufferedReader(
new FileReader(f)), false);
if (fileData.indexOf(0x00) != -1)
{
throw new Exception("File is binary");
}
ec.addElement(new StringElement(fileData.replaceAll(
System.getProperty("line.separator"), "<br>")
.replaceAll("(?s)<!DOCTYPE.*/head>", "")
.replaceAll("<br><br>", "<br>").replaceAll(
"<br>\\s<br>", "<br>").replaceAll("<\\?",
"&lt;").replaceAll("<(r|u|t)", "&lt;$1")));
String dir = s.getContext().getRealPath("/lesson_plans");
File d = new File(dir);
Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
String[] list = d.list();
String listing = " <p><B>Current Directory is:</B> " + Encoding.urlDecode(dir)
+ "<br><br> Choose the file to view:</p>";
TR tr = new TR();
tr.addElement(new TD().setColSpan(2).addElement(new StringElement(listing)));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().setWidth("35%").addElement(ECSFactory.makePulldown(FILE, list, "", 15)));
tr.addElement(new TD().addElement(ECSFactory.makeButton("View File")));
t.addElement(tr);
ec.addElement(t);
// FIXME: would be cool to allow encodings here -- hex, percent,
// url, etc...
String file = s.getParser().getRawParameter(FILE, "");
// defuse file searching
boolean illegalCommand = getWebgoatContext().isDefuseOSCommands();
if (getWebgoatContext().isDefuseOSCommands())
{
// allow them to look at any file in the webgoat hierachy. Don't
// allow them
// to look about the webgoat root, except to see the LICENSE
// file
if (upDirCount(file) == 3 && !file.endsWith("LICENSE"))
{
s.setMessage("Access denied");
s.setMessage("It appears that you are on the right track. "
+ "Commands that may compromise the operating system have been disabled. "
+ "You are only allowed to see one file in this directory. ");
} else if (upDirCount(file) > 3)
{
s.setMessage("Access denied");
s.setMessage("It appears that you are on the right track. "
+ "Commands that may compromise the operating system have been disabled. "
+ "You are only allowed to see files in the webgoat directory. ");
} else
{
illegalCommand = false;
}
}
// Using the URI supports encoding of the data.
// We could force the user to use encoded '/'s == %2f to make the lesson more difficult.
// We url Encode our dir name to avoid problems with special characters in our own path.
// File f = new File( new URI("file:///" +
// Encoding.urlEncode(dir).replaceAll("\\\\","/") + "/" +
// file.replaceAll("\\\\","/")) );
File f = new File((dir + "\\" + file).replaceAll("\\\\", "/"));
if (s.isDebug())
{
s.setMessage("File: " + file);
s.setMessage("Dir: " + dir);
// s.setMessage("File URI: " + "file:///" +
// (Encoding.urlEncode(dir) + "\\" +
// Encoding.urlEncode(file)).replaceAll("\\\\","/"));
s.setMessage(" - isFile(): " + f.isFile());
s.setMessage(" - exists(): " + f.exists());
}
if (!illegalCommand)
{
if (f.isFile() && f.exists())
{
// Don't set completion if they are listing files in the
// directory listing we gave them.
if (upDirCount(file) >= 1)
{
s.setMessage("Congratulations! Access to file allowed");
s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath()));
makeSuccess(s);
} else
{
s.setMessage("File is already in allowed directory - try again!");
s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath()));
}
} else if (file != null && file.length() != 0)
{
s.setMessage("Access to file/directory \"" + Encoding.urlDecode(f.getCanonicalPath())
+ "\" denied");
} else
{
// do nothing, probably entry screen
}
try
{
// Show them the file
// Strip out some of the extra html from the "help" file
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(new HR().setWidth("100%"));
ec.addElement("Viewing file: " + f.getCanonicalPath());
ec.addElement(new HR().setWidth("100%"));
if (f.length() > 80000)
{
throw new Exception("File is too large");
}
String fileData = getFileText(new BufferedReader(new FileReader(f)), false);
if (fileData.indexOf(0x00) != -1)
{
throw new Exception("File is binary");
}
ec
.addElement(new StringElement(fileData.replaceAll(System.getProperty("line.separator"),
"<br>").replaceAll("(?s)<!DOCTYPE.*/head>", "").replaceAll("<br><br>", "<br>")
.replaceAll("<br>\\s<br>", "<br>").replaceAll("<\\?", "&lt;").replaceAll(
"<(r|u|t)", "&lt;$1")));
}
catch (Exception e)
{
ec.addElement(new BR());
ec.addElement("The following error occurred while accessing the file: <");
ec.addElement(e.getMessage());
}
}
}
catch (Exception e)
{
ec.addElement(new BR());
ec
.addElement("The following error occurred while accessing the file: <");
ec.addElement(e.getMessage());
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
}
return (ec);
}
catch (Exception e)
private int upDirCount(String fileName)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
int count = 0;
int startIndex = fileName.indexOf("..");
while (startIndex != -1)
{
count++;
startIndex = fileName.indexOf("..", startIndex + 1);
}
return count;
}
return (ec);
}
private int upDirCount(String fileName)
{
int count = 0;
int startIndex = fileName.indexOf("..");
while (startIndex != -1)
/**
* DOCUMENT ME!
*
* @return DOCUMENT ME!
*/
protected Category getDefaultCategory()
{
count++;
startIndex = fileName.indexOf("..", startIndex + 1);
return Category.ACCESS_CONTROL;
}
return count;
}
/**
* Gets the hints attribute of the AccessControlScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Most operating systems allow special characters in the path.");
hints.add("Use a file explorer to find the tomcat\\webapps\\WebGoat\\lesson_plans directory");
hints.add("Try .. in the path");
hints.add("Try ..\\..\\..\\LICENSE");
/**
* DOCUMENT ME!
*
* @return DOCUMENT ME!
*/
protected Category getDefaultCategory()
{
return Category.A2;
}
return hints;
}
/**
* Gets the instructions attribute of the WeakAccessControl object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "The '" + s.getUserName() + "' user has access to all the files in the "
+ "lesson_plans directory. Try to break the access control mechanism and access a "
+ "resource that is not in the listed directory. After selecting a file to view, WebGoat "
+ "will report if access to the file was granted. An interesting file to try and obtain might "
+ "be a file like tomcat/conf/tomcat-users.xml";
/**
* Gets the hints attribute of the AccessControlScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints
.add("Most operating systems allow special characters in the path.");
hints
.add("Use a file explorer to find the tomcat\\webapps\\WebGoat\\lesson_plans directory");
hints.add("Try .. in the path");
hints.add("Try ..\\..\\..\\LICENSE");
return (instructions);
}
return hints;
}
private final static Integer DEFAULT_RANKING = new Integer(115);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the instructions attribute of the WeakAccessControl object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "The '"
+ s.getUserName()
+ "' user has access to all the files in the "
+ "lesson_plans directory. Try to break the access control mechanism and access a "
+ "resource that is not in the listed directory. After selecting a file to view, WebGoat "
+ "will report if access to the file was granted. An interesting file to try and obtain might "
+ "be a file like tomcat/conf/tomcat-users.xml";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(115);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the AccessControlScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("How to Bypass a Path Based Access Control Scheme");
}
/**
* Gets the title attribute of the AccessControlScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Bypass a Path Based Access Control Scheme");
}
}
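Review bot: The `new BufferedReader(new FileReader(f))` handed to `getFileText` in `createContent` is never closed in this method, so each viewed file leaks a descriptor unless `getFileText` closes its argument (not visible here); hold the reader in a local and close it in `finally` as below. `FileReader` also decodes with the platform default charset, so lesson files with non-ASCII content can render differently per host; `new InputStreamReader(new FileInputStream(f), "UTF-8")` pins it. The `file != null` test in the `else if` looks dead if the second argument of `getRawParameter(FILE, "")` is the default value, in which case `file.length() != 0` alone states the intent.
```java
// … unchanged: "File is too large" check …
BufferedReader reader = new BufferedReader(new FileReader(f));
String fileData;
try
{
    fileData = getFileText(reader, false);
}
finally
{
    reader.close();
}
// … unchanged: binary check and HTML stripping …
```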


@ -265,7 +265,7 @@ public class Phishing extends LessonAdapter
*/
protected Category getDefaultCategory()
{
return Category.A4;
return Category.XSS;
}


@ -231,7 +231,7 @@ public class ReflectedXSS extends LessonAdapter
*/
protected Category getDefaultCategory()
{
return Category.A4;
return Category.XSS;
}
@ -288,7 +288,7 @@ public class ReflectedXSS extends LessonAdapter
*/
public String getTitle()
{
return "How to Perform Reflected Cross Site Scripting (XSS) Attacks";
return "Reflected XSS Attacks";
}
}


@ -73,7 +73,7 @@ public class RemoteAdminFlaw extends LessonAdapter
*/
protected Category getDefaultCategory()
{
return Category.A2;
return Category.ACCESS_CONTROL;
}


@ -87,7 +87,7 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
*/
public Category getDefaultCategory()
{
return Category.A2;
return Category.ACCESS_CONTROL;
}
/**


@ -91,7 +91,7 @@ public class SQLInjection extends GoatHillsFinancial
*/
public Category getDefaultCategory()
{
return Category.A6;
return Category.INJECTION;
}
/**


@ -161,7 +161,7 @@ public class SilentTransactions extends LessonAdapter
+ lineSep
+ "}"
+ lineSep
+ " var balanceValue = document.getElementById('balanceID').innerText;"
+ " var balanceValue = document.getElementById('balanceID').innerHTML;"
+ lineSep
+ " balanceValue = balanceValue.replace( new RegExp('$') , '');"
+ lineSep
@ -183,7 +183,7 @@ public class SilentTransactions extends LessonAdapter
+ lineSep
+ "balanceValue = balanceValue.toFixed(2);"
+ lineSep
+ "document.getElementById('balanceID').innerText = balanceValue + '$';"
+ "document.getElementById('balanceID').innerHTML = balanceValue + '$';"
+ lineSep
+ "}"
+ lineSep
@ -225,6 +225,7 @@ public class SilentTransactions extends LessonAdapter
tr = new TR();
tr.addElement(new TD(new StringElement("Transfer to Account:")));
Input newAccount = new Input();
newAccount.addAttribute("id", "newAccount");
newAccount.setType(Input.TEXT);
newAccount.setName("newAccount");
newAccount.setValue("");
@ -234,6 +235,7 @@ public class SilentTransactions extends LessonAdapter
tr = new TR();
tr.addElement(new TD(new StringElement("Transfer Amount:")));
Input amount = new Input();
amount.addAttribute("id", "amount");
amount.setType(Input.TEXT);
amount.setName("amount");
amount.setValue(0);
@ -248,6 +250,7 @@ public class SilentTransactions extends LessonAdapter
Input b = new Input();
b.setType(Input.BUTTON);
b.setName("confirm");
b.addAttribute("id", "confirm");
b.setValue("Confirm");
b.setOnClick("processData();");
ec.addElement(b);
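Review bot: Reading the balance through `innerHTML` (the replacement for `innerText` in the `balanceValue` assignment) returns markup rather than text, so an entity such as `&amp;` or a nested tag inside the balance cell would reach the arithmetic unchanged; `textContent` with an `innerText` fallback for older browsers reads the plain text the parse step expects. The write-back `document.getElementById('balanceID').innerHTML = balanceValue + '$';` is only safe because `toFixed(2)` has reduced the value to digits by then, and a comment there, `// balanceValue is numeric after toFixed(2), so innerHTML cannot introduce markup`, would record that assumption. The unchanged context line `balanceValue.replace( new RegExp('$') , '')` uses `$` as an end-of-string anchor, so it removes nothing; a literal dollar sign needs the escaped form `\$` in the regex (doubled again inside the Java string literal). The JavaScript is assembled inside a Java method that starts and ends outside the hunks.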


@ -173,7 +173,7 @@ public class SoapRequest extends SequentialLessonAdapter
public String getTitle()
{
return "How to Create a SOAP Request";
return "Create a SOAP Request";
}


@ -333,7 +333,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
*/
protected Category getDefaultCategory()
{
return Category.A6;
return Category.INJECTION;
}
@ -374,7 +374,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
*/
public String getTitle()
{
return ("How to Perform Numeric SQL Injection");
return ("Numeric SQL Injection");
}


@ -249,7 +249,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
*/
protected Category getDefaultCategory()
{
return Category.A6;
return Category.INJECTION;
}
@ -290,7 +290,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
*/
public String getTitle()
{
return ("How to Perform String SQL Injection");
return ("String SQL Injection");
}


@ -151,7 +151,7 @@ public class StoredXss extends LessonAdapter
*/
protected Category getDefaultCategory()
{
return Category.A4;
return Category.XSS;
}
@ -190,7 +190,7 @@ public class StoredXss extends LessonAdapter
*/
public String getTitle()
{
return ("How to Perform Stored Cross Site Scripting (XSS)");
return ("Stored XSS Attacks");
}


@ -191,7 +191,7 @@ public class ThreadSafetyProblem extends LessonAdapter
*/
public String getTitle()
{
return ("How to Exploit Thread Safety Problems");
return ("Thread Safety Problems");
}


@ -233,7 +233,7 @@ public class TraceXSS extends LessonAdapter
*/
protected Category getDefaultCategory()
{
return Category.A4;
return Category.XSS;
}
@ -281,6 +281,6 @@ public class TraceXSS extends LessonAdapter
*/
public String getTitle()
{
return ("How to Perform Cross Site Tracing (XST) Attacks");
return ("Cross Site Tracing (XST) Attacks");
}
}


@ -204,7 +204,7 @@ public class UncheckedEmail extends LessonAdapter
*/
protected Category getDefaultCategory()
{
return Category.A1;
return Category.UNVALIDATED_PARAMETERS;
}
@ -257,7 +257,7 @@ public class UncheckedEmail extends LessonAdapter
*/
public String getTitle()
{
return ("How to Exploit Unchecked Email");
return ("Exploit Unchecked Email");
}
}


@ -47,346 +47,337 @@ import org.owasp.webgoat.session.*;
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created October 28, 2003
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created October 28, 2003
*/
public class WeakAuthenticationCookie extends LessonAdapter
{
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(
new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
/**
* Description of the Field
*/
protected final static String AUTHCOOKIE = "AuthCookie";
/**
* Description of the Field
*/
protected final static String AUTHCOOKIE = "AuthCookie";
/**
* Description of the Field
*/
protected final static String LOGOUT = "WACLogout";
/**
* Description of the Field
*/
protected final static String LOGOUT = "WACLogout";
/**
* Description of the Field
*/
protected final static String PASSWORD = "Password";
/**
* Description of the Field
*/
protected final static String PASSWORD = "Password";
/**
* Description of the Field
*/
protected final static String USERNAME = "Username";
/**
* Description of the Field
*/
protected final static String USERNAME = "Username";
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
* @exception Exception Description of the Exception
*/
protected String checkCookie(WebSession s) throws Exception
{
String cookie = getCookie(s);
if (cookie != null)
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
* @exception Exception
* Description of the Exception
*/
protected String checkCookie(WebSession s) throws Exception
{
if (cookie.equals(encode("webgoat12345")))
{
return ("webgoat");
}
String cookie = getCookie(s);
if (cookie.equals(encode("aspect12345")))
{
return ("aspect");
}
if (cookie != null)
{
if (cookie.equals(encode("webgoat12345")))
{
return ("webgoat");
}
if (cookie.equals(encode("alice12345")))
{
makeSuccess(s);
return ("alice");
}
else
{
s.setMessage("Invalid cookie");
s.eatCookies();
}
if (cookie.equals(encode("aspect12345")))
{
return ("aspect");
}
if (cookie.equals(encode("alice12345")))
{
makeSuccess(s);
return ("alice");
} else
{
s.setMessage("Invalid cookie");
s.eatCookies();
}
}
return (null);
}
return (null);
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
* @exception Exception Description of the Exception
*/
protected String checkParams(WebSession s) throws Exception
{
String username = s.getParser().getStringParameter(USERNAME, "");
String password = s.getParser().getStringParameter(PASSWORD, "");
if ((username.length() > 0) && (password.length() > 0))
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
* @exception Exception
* Description of the Exception
*/
protected String checkParams(WebSession s) throws Exception
{
String loginID = "";
String username = s.getParser().getStringParameter(USERNAME, "");
String password = s.getParser().getStringParameter(PASSWORD, "");
if (username.equals("webgoat") && password.equals("webgoat"))
{
loginID = encode("webgoat12345");
}
else if (username.equals("aspect") && password.equals("aspect"))
{
loginID = encode("aspect12345");
}
if ((username.length() > 0) && (password.length() > 0))
{
String loginID = "";
if (loginID != "")
{
Cookie newCookie = new Cookie(AUTHCOOKIE, loginID);
s.setMessage("Your identity has been remembered");
s.getResponse().addCookie(newCookie);
if (username.equals("webgoat") && password.equals("webgoat"))
{
loginID = encode("webgoat12345");
} else if (username.equals("aspect") && password.equals("aspect"))
{
loginID = encode("aspect12345");
}
return (username);
}
else
{
s.setMessage("Invalid username and password entered.");
}
if (loginID != "")
{
Cookie newCookie = new Cookie(AUTHCOOKIE, loginID);
s.setMessage("Your identity has been remembered");
s.getResponse().addCookie(newCookie);
return (username);
} else
{
s.setMessage("Invalid username and password entered.");
}
}
return (null);
}
return (null);
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
boolean logout = s.getParser().getBooleanParameter(LOGOUT, false);
if (logout)
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
s.setMessage("Goodbye! Your password has been forgotten");
s.eatCookies();
boolean logout = s.getParser().getBooleanParameter(LOGOUT, false);
return (makeLogin(s));
if (logout)
{
s.setMessage("Goodbye! Your password has been forgotten");
s.eatCookies();
return (makeLogin(s));
}
try
{
String user = checkCookie(s);
if ((user != null) && (user.length() > 0))
{
return (makeUser(s, user, "COOKIE"));
}
user = checkParams(s);
if ((user != null) && (user.length() > 0))
{
return (makeUser(s, user, "PARAMETERS"));
}
}
catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (makeLogin(s));
}
try
/**
* Description of the Method
*
* @param value
* Description of the Parameter
* @return Description of the Return Value
*/
private String encode(String value)
{
String user = checkCookie(s);
// <START_OMIT_SOURCE>
StringBuffer encoded = new StringBuffer();
if ((user != null) && (user.length() > 0))
{
return (makeUser(s, user, "COOKIE"));
}
for (int i = 0; i < value.length(); i++)
{
encoded.append(String.valueOf((char) (value.charAt(i) + 1)));
}
user = checkParams(s);
if ((user != null) && (user.length() > 0))
{
return (makeUser(s, user, "PARAMETERS"));
}
}
catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
return encoded.reverse().toString();
// <END_OMIT_SOURCE>
}
return (makeLogin(s));
}
/**
* Description of the Method
*
* @param value Description of the Parameter
* @return Description of the Return Value
*/
private String encode(String value)
{
//<START_OMIT_SOURCE>
StringBuffer encoded = new StringBuffer();
for (int i = 0; i < value.length(); i++)
/**
* Gets the category attribute of the WeakAuthenticationCookie object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
encoded.append(String.valueOf((char) (value.charAt(i) + 1)));
return Category.AUTHENTICATION;
}
return encoded.reverse().toString();
//<END_OMIT_SOURCE>
}
/**
* Gets the category attribute of the WeakAuthenticationCookie object
*
* @return The category value
*/
protected Category getDefaultCategory()
{
return Category.A3;
}
/**
* Gets the cookie attribute of the CookieScreen object
*
* @param s Description of the Parameter
* @return The cookie value
*/
protected String getCookie(WebSession s)
{
Cookie[] cookies = s.getRequest().getCookies();
for (int i = 0; i < cookies.length; i++)
/**
* Gets the cookie attribute of the CookieScreen object
*
* @param s
* Description of the Parameter
* @return The cookie value
*/
protected String getCookie(WebSession s)
{
if (cookies[i].getName().equalsIgnoreCase(AUTHCOOKIE))
{
return (cookies[i].getValue());
}
Cookie[] cookies = s.getRequest().getCookies();
for (int i = 0; i < cookies.length; i++)
{
if (cookies[i].getName().equalsIgnoreCase(AUTHCOOKIE))
{
return (cookies[i].getValue());
}
}
return (null);
}
return (null);
}
/**
* Gets the hints attribute of the CookieScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints
.add("The server skips authentication if you send the right cookie.");
hints
.add("Is the AuthCookie value guessable knowing the username and password?");
hints
.add("Add 'AuthCookie=********;' to the Cookie: header using <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A>.");
return hints;
}
/**
* Gets the instructions attribute of the WeakAuthenticationCookie object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "Login using the webgoat/webgoat account to see what happens. You may also try aspect/aspect. When you understand the authentication cookie, try changing your identity to alice.";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(90);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the CookieScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("How to Spoof an Authentication Cookie");
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeLogin(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement(new H1().addElement("Sign In "));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0)
.setWidth("90%").setAlign("center");
if (s.isColor())
/**
* Gets the hints attribute of the CookieScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
t.setBorder(1);
List<String> hints = new ArrayList<String>();
hints.add("The server authenticates the user using a cookie, if you send the right cookie.");
hints.add("Is the AuthCookie value guessable knowing the username and password?");
hints.add("Add 'AuthCookie=********;' to the Cookie: header using "
+ "<A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A>.");
hints.add("After logging in as webgoat a cookie is added. 65432ubphcfx<br/>" +
"After logging in as aspect a cookie is added. 65432udfqtb<br/>" +
"Is there anything similar about the cookies and the login names?");
return hints;
}
TR tr = new TR();
tr
.addElement(new TH()
.addElement(
"Please sign in to your account. See the OWASP admin if you do not have an account.")
.setColSpan(2).setAlign("left"));
t.addElement(tr);
/**
* Gets the instructions attribute of the WeakAuthenticationCookie object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "Login using the webgoat/webgoat account to see what happens. You may also try aspect/aspect. When you understand the authentication cookie, try changing your identity to alice.";
tr = new TR();
tr.addElement(new TD().addElement("*Required Fields").setWidth("30%"));
t.addElement(tr);
return (instructions);
}
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr);
private final static Integer DEFAULT_RANKING = new Integer(90);
TR row1 = new TR();
TR row2 = new TR();
row1.addElement(new TD(new B(new StringElement("*User Name: "))));
row2.addElement(new TD(new B(new StringElement("*Password: "))));
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
Input input1 = new Input(Input.TEXT, USERNAME, "");
Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
row1.addElement(new TD(input1));
row2.addElement(new TD(input2));
t.addElement(row1);
t.addElement(row2);
/**
* Gets the title attribute of the CookieScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Spoof an Authentication Cookie");
}
Element b = ECSFactory.makeButton("Login");
t.addElement(new TR(new TD(b)));
ec.addElement(t);
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeLogin(WebSession s)
{
ElementContainer ec = new ElementContainer();
return (ec);
}
ec.addElement(new H1().addElement("Sign In "));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @param user Description of the Parameter
* @param method Description of the Parameter
* @return Description of the Return Value
* @exception Exception Description of the Exception
*/
protected Element makeUser(WebSession s, String user, String method)
throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement("Welcome, " + user));
ec.addElement(new P().addElement("You have been authenticated with "
+ method));
ec.addElement(new P().addElement(ECSFactory.makeLink("Logout", LOGOUT,
true)));
ec.addElement(new P()
.addElement(ECSFactory.makeLink("Refresh", "", "")));
TR tr = new TR();
tr.addElement(new TH().addElement(
"Please sign in to your account. See the OWASP admin if you do not have an account.").setColSpan(2)
.setAlign("left"));
t.addElement(tr);
return (ec);
}
tr = new TR();
tr.addElement(new TD().addElement("*Required Fields").setWidth("30%"));
t.addElement(tr);
public Element getCredits()
{
return super.getCustomCredits("", ASPECT_LOGO);
}
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr);
TR row1 = new TR();
TR row2 = new TR();
row1.addElement(new TD(new B(new StringElement("*User Name: "))));
row2.addElement(new TD(new B(new StringElement("*Password: "))));
Input input1 = new Input(Input.TEXT, USERNAME, "");
Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
row1.addElement(new TD(input1));
row2.addElement(new TD(input2));
t.addElement(row1);
t.addElement(row2);
Element b = ECSFactory.makeButton("Login");
t.addElement(new TR(new TD(b)));
ec.addElement(t);
return (ec);
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param user
* Description of the Parameter
* @param method
* Description of the Parameter
* @return Description of the Return Value
* @exception Exception
* Description of the Exception
*/
protected Element makeUser(WebSession s, String user, String method) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement("Welcome, " + user));
ec.addElement(new P().addElement("You have been authenticated with " + method));
ec.addElement(new P().addElement(ECSFactory.makeLink("Logout", LOGOUT, true)));
ec.addElement(new P().addElement(ECSFactory.makeLink("Refresh", "", "")));
return (ec);
}
public Element getCredits()
{
return super.getCustomCredits("", ASPECT_LOGO);
}
}
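Review bot: `getCookie` dereferences `s.getRequest().getCookies()` without a null check in the `cookies.length` loop, and the Servlet API returns null rather than an empty array when the request carries no Cookie header, so a request with no cookies at all would make `checkCookie` throw a NullPointerException that `createContent` then reports only as "Error generating ..." plus a stack trace on stdout; `if (cookies == null) return (null);` before the loop closes that (in practice the container's session cookie usually masks it, which is why it has gone unnoticed). `checkParams` still tests `loginID != ""` by reference, which only works because the empty literal is interned; `loginID.length() > 0`, matching the check a few lines above, states the intent. The shift-and-reverse scheme in `encode` is the intentionally guessable one the lesson studies, so it should not be hardened, but a comment above it, `// Deliberately weak scheme for the lesson; do not "fix"`, would stop a later cleanup from replacing it.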


@ -90,7 +90,7 @@ public class WeakSessionID extends LessonAdapter
}
protected String newCookie()
protected String newCookie(WebSession s)
{
long now = System.currentTimeMillis();
seq++;
@ -98,6 +98,7 @@ public class WeakSessionID extends LessonAdapter
{
String target = encode(seq++, lastTime + (now - lastTime) / 2);
sessionList.add(target);
s.setMessage(target);
if (sessionList.size() > 100)
sessionList.remove(0);
}
@ -149,7 +150,7 @@ public class WeakSessionID extends LessonAdapter
*/
protected Category getDefaultCategory()
{
return Category.A3;
return Category.SESSION_MANAGEMENT;
}
@ -161,12 +162,11 @@ public class WeakSessionID extends LessonAdapter
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints
.add("The server skips authentication if you send the right cookie.");
hints
.add("Is the cookie value predictable? Can you see gaps where someone else has acquired a cookie?");
hints.add("The server skips authentication if you send the right cookie.");
hints.add("Is the cookie value predictable? Can you see gaps where someone else has acquired a cookie?");
hints.add("Try harder, you brute!");
hints.add("The first part of the cookie is a sequential number, the second part is milliseconds.");
hints.add("After the 29th try, the skipped identifier is printed to your screen. Use that to login.");
return hints;
}
@ -186,7 +186,7 @@ public class WeakSessionID extends LessonAdapter
*/
public String getTitle()
{
return ("How to Hijack a Session");
return ("Hijack a Session");
}
@ -204,7 +204,7 @@ public class WeakSessionID extends LessonAdapter
if (weakid == null)
{
weakid = newCookie();
weakid = newCookie(s);
Cookie cookie = new Cookie(SESSIONID, weakid);
s.getResponse().addCookie(cookie);
}
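Review bot: The `s.setMessage(target)` added to `newCookie` writes a freshly generated session identifier into the page, which is presumably the aid the new hint ("After the 29th try, the skipped identifier is printed to your screen") refers to, but nothing in the code says so; a comment on that line, `// Lesson aid: reveal the skipped id so the student can see the predictable gap`, would keep a later cleanup from removing it as an information leak. The condition guarding this branch and the "29th try" threshold are outside the hunk, so it is worth confirming that the hint text still matches the code. `newCookie` starts and ends outside the hunk.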


@ -107,10 +107,10 @@ public class XMLInjection extends LessonAdapter
{
String lineSep = System.getProperty("line.separator");
String xmlStr = "<root>" + lineSep
+ "<reward>WebGoat t-shirt 20 Pts</reward>"
+ "<reward>WebGoat Mug 20 Pts</reward>"
+ lineSep
+ "<reward>WebGoat Secure Kettle 50 Pts</reward>"
+ lineSep + "<reward>WebGoat Mug 30 Pts</reward>"
+ "<reward>WebGoat t-shirt 50 Pts</reward>"
+ lineSep + "<reward>WebGoat Secure Kettle 30 Pts</reward>"
+ lineSep + "</root>";
s.getResponse().setContentType("text/xml");
s.getResponse().setHeader("Cache-Control", "no-cache");
@ -188,7 +188,7 @@ public class XMLInjection extends LessonAdapter
+ lineSep
+ " if (req.status == 200) { "
+ lineSep
+ " var rewards = req.responseXML.getElementsByTagName('root')[0];"
+ " var rewards = req.responseXML.getElementsByTagName('reward');"
+ lineSep
+ " var rewardsDiv = document.getElementById('rewardsDiv');"
+ lineSep
@ -198,13 +198,13 @@ public class XMLInjection extends LessonAdapter
+ lineSep
+ " strHTML = '<tr><td>&nbsp;</td><td><b>Rewards</b></td></tr>';"
+ lineSep
+ " for(var i=0; i< rewards.childNodes.length; i++){"
+ lineSep
+ " var node = rewards.childNodes[i];"
+ " for(var i=0; i< rewards.length; i++){"
//+ lineSep
//+ " var node = rewards.childNodes[i+1];"
+ lineSep
+ " strHTML = strHTML + '<tr><td><input name=\"check' + (i+1001) +'\" type=\"checkbox\"></td><td>';"
+ lineSep
+ " strHTML = strHTML + node.childNodes[0].nodeValue + '</td></tr>';"
+ " strHTML = strHTML + rewards[i].firstChild.nodeValue + '</td></tr>';"
+ lineSep
+ " }"
+ lineSep
@ -254,7 +254,7 @@ public class XMLInjection extends LessonAdapter
Input input1 = new Input(Input.TEXT, ACCOUNTID, "");
input1.addAttribute("onkeyup", "getRewards();");
input1.addAttribute("id", ACCOUNTID);
tr.addElement(new TD(input1));
t1.addElement(tr);
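Review bot: The two `//+ lineSep` and `//+ " var node = rewards.childNodes[i+1];"` lines left behind in the `getElementsByTagName('reward')` hunk are commented-out code and should be deleted; the new loop no longer uses `node`. `rewards[i].firstChild.nodeValue` evaluates to null for an empty `<reward/>` element and would be concatenated into the table as the text "null"; `(rewards[i].firstChild ? rewards[i].firstChild.nodeValue : '')` avoids that if the reward list can contain such elements. The reward text is still placed into `strHTML` unescaped, which appears to be what the XML injection lesson depends on, so a comment marking that as intentional would help the next maintainer. The JavaScript is assembled inside a Java method that starts and ends outside the hunks.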


@ -224,7 +224,7 @@ public class XPATHInjection extends LessonAdapter
protected Category getDefaultCategory()
{
return Category.A6;
return Category.INJECTION;
}
@ -259,7 +259,7 @@ public class XPATHInjection extends LessonAdapter
public String getTitle()
{
return "How to Perform XPATH Injection";
return "XPATH Injection";
}
}


@ -5,3 +5,7 @@
.pviimenudiv a:visited {color: #0066FF; text-decoration: underline}
.pviimenudiv a:hover {color: red; text-decoration: underline}
.pviimenudiv a:active {color: #0066FF; text-decoration: underline}
.pviimenudivstage a:link {color: #333333; font-size: 9px; display: block; margin-left: 2em; }
.pviimenudivstage a:visited {color: #0066FF; font-size: 9px; display: block; margin-left: 2em; }
.pviimenudivstage a:hover {color: red; font-size: 9px; display: block; margin-left: 2em; }
.pviimenudivstage a:active {color: #0066FF; font-size: 9px; display: block; margin-left: 2em; }



@ -100,7 +100,7 @@ StringBuffer buildList = new StringBuffer();
String[] stages = rla.getStages();
for (int i=0; i<stages.length; i++) {
%>
<tr><td><%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%><a href="<%=lesson.getLink() + "&stage=" + (i+1) %>">Stage <%=i+1%>: <%=stages[i] %></a>
<tr><td class="pviimenudivstage"><%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%><a href="<%=lesson.getLink() + "&stage=" + (i+1) %>">Stage <%=i+1%>: <%=stages[i] %></a>
</td></tr>
<%
}


@ -1,103 +1,124 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage="" %>
errorPage=""%>
<%@page import="org.owasp.webgoat.session.WebSession"%>
<% WebSession webSession = ((WebSession)session.getAttribute("websession")); %>
<%
WebSession webSession = ((WebSession) session.getAttribute("websession"));
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5</title>
<title>WebGoat V5.1RC2</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
</head>
<body>
<div id="wrap">
<div id="top"></div>
<div id="start">
<p>Thank you for using WebGoat!</p>
<p>This program is a demonstration of common web application flaws.
The exercises are intended to provide hands on experience with application
penetration testing techniques. The WebGoat project is lead by Bruce Mayhew. Please send all
comments to Bruce at <%= webSession.getWebgoatContext().getFeedbackAddress() %>.</p>
<div id="team">
<table border="0" align="center" class="lessonText">
<tr>
<td width="50%"><div align="center"><a href="http://www.owasp.org"><img border="0" src="images/logos/owasp.jpg" alt="OWASP Foundation" longdesc="http://www.owasp.org" /></a></div></td>
<td width="50%"><div align="center"><a href="http://www.aspectsecurity.com"><img border="0" src="images/logos/aspect.jpg" alt="Aspect Security" longdesc="http://www.aspectsecurity.com" /></a></div></td>
</tr>
<tr>
<td width="50%"><div align="center"><span class="style1"><br />WebGoat Design Team </span></div></td>
<td width="50%"><div align="center"><span class="style1"><br />Lesson Contributers </span></div></td>
</tr>
<tr>
<td valign="top">
<div align="center" class="style2">Bruce Mayhew</div>
<div align="center" class="style2">Laurence Casey</div>
<div align="center" class="style2">David Anderson</div>
<div align="center" class="style2">Eric Sheridan</div>
<div align="center" class="style2">Rogan Dawes</div>
</td>
<td valign="top">
<div align="center" class="style2">Aspect Security</div>
<div align="center" class="style2">Sherif Koussa</div>
<div align="center" class="style2">Alex Smolen</div>
<div align="center" class="style2">Chuck Willis</div>
<div id="wrap">
<div id="top"></div>
<div id="start">
<p>Thank you for using WebGoat!</p>
<p>This program is a demonstration of common web application flaws.
The exercises are intended to provide hands on experience with
application penetration testing techniques. </p><p>The WebGoat project is lead
by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatContext().getFeedbackAddress()%>.</p>
<div id="team">
<table border="0" align="center" class="lessonText">
<tr>
<td width="50%">
<div align="center"><a href="http://www.owasp.org"><img
border="0" src="images/logos/owasp.jpg" alt="OWASP Foundation"
longdesc="http://www.owasp.org" /></a></div>
</td>
<td width="50%">
<div align="center"><a href="http://www.aspectsecurity.com"><img
border="0" src="images/logos/aspect.jpg" alt="Aspect Security"
longdesc="http://www.aspectsecurity.com" /></a></div>
</td>
</tr>
<tr>
<td width="50%">
<div align="center"><span class="style1"><br />
WebGoat Design Team </span></div>
</td>
<td width="50%">
<div align="center"><span class="style1"><br />
Lesson Contributers </span></div>
</td>
</tr>
<tr>
<td valign="top">
<div align="center" class="style2">Bruce Mayhew</div>
<div align="center" class="style2">David Anderson</div>
<div align="center" class="style2">Rogan Dawes</div>
<div align="center" class="style2">Laurence Casey (Graphics)</div>
</td>
<td valign="top">
<div align="center" class="style2">Aspect Security</div>
<div align="center" class="style2">Sherif Koussa</div>
<div align="center" class="style2">Romain Brechet</div>
<div align="center" class="style2"></div>
</td>
</tr>
<tr>
<td height="25" valign="bottom"><div align="center"><span class="style1">Special Thanks for V5</span></div></td>
<td height="25" valign="bottom"><div align="center"><span class="style1">Documentation Contributers</span></div></td>
</tr>
<tr>
<td>
<div align="center" class="style2">OWASP Autumn of Code<br />
(http://www.owasp.org/) </div>
<div align="center" class="style2">Sherif Koussa<br />(http://www.macadamian.com)<br /></div>
<div align="center" class="style2">OWASP Spring of Code<br />
(http://www.owasp.org/) </div>
<div align="center" class="style2">Erwin Geirnaert<br />(http://www.zionsecurity.com)<br /></div>
</td>
<td><div align="center" class="style2">Sherif Koussa<br />
(http://www.macadamian.com)<br /> </div>
<div align="center" class="style2">Robert Sullivan<br />
(http://www.unitedhealthgroup.com/) </div>
<div align="center" class="style2">Erwin Geirnaert<br />
(http://www.zionsecurity.com/) </div>
</td>
</tr>
<tr>
<td><div align="center" class="style2">To all who have sent comments</div></td>
</tr>
<tr>
<td colspan = "2">
<div align="center" class="style2">
<form id="form" name="form" method="post" action="attack">
<input type="submit" name="start" value="Start WebGoat" />
</form>
</div>
</td>
</tr>
<tr>
<td><div align="center" class="style2">&nbsp;</div></td>
</tr>
</table>
</div>
</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div id="warning"> WARNING<br />
While running this program, your machine is extremely vulnerable to attack.
You should disconnect from the network while using this program.
<br/>
<br/>
This program is for educational purposes only.
Use of these techniques without permission could lead to
job termination, financial liability, and/or criminal penalties.
</div>
</div>
</td>
</tr>
<tr>
<td height="25" valign="bottom">
<div align="center"><span class="style1">Special Thanks
for V5.1</span></div>
</td>
<td height="25" valign="bottom">
<div align="center"><span class="style1">Documentation
Contributers</span></div>
</td>
</tr>
<tr>
<td>
<div align="center" class="style2">OWASP Spring of Code</div>
<div align="center" class="style2">Erwin Geirnaert<br />
(http://www.zionsecurity.com)<br />
</div>
</td>
<td>
<div align="center" class="style2">Sherif Koussa<br />
(http://www.macadamian.com)<br />
</div>
<div align="center" class="style2">Erwin Geirnaert<br />
(http://www.zionsecurity.com/)</div>
</td>
</tr>
<tr>
<td>
<div align="center" class="style2">To all who have sent comments</div>
</td>
</tr>
<tr>
<td colspan="2">
<div align="center" class="style2">
<form id="form" name="form" method="post" action="attack"><input
type="submit" name="start" value="Start WebGoat" /></form>
</div>
</td>
</tr>
<tr>
<td>
<div align="center" class="style2">&nbsp;</div>
</td>
</tr>
</table>
</div>
</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div align="center" class="style2">&nbsp;</div>
<div id="warning">WARNING<br />
While running this program, your machine is extremely vulnerable to
attack. You should disconnect from the network while using this program.
<br />
<br />
This program is for educational purposes only. Use of these techniques
without permission could lead to job termination, financial liability,
and/or criminal penalties.</div>
</div>
</body>
</html>
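Review bot: The scriptlet `WebSession webSession = ((WebSession) session.getAttribute("websession"));` is still followed by an unguarded `webSession.getWebgoatContext().getFeedbackAddress()` call in the body, so opening this page without an established WebSession (a fresh or expired HTTP session) would throw a NullPointerException instead of rendering the start page; a null check that falls back to a fixed address, or a redirect to the entry point, is needed. The version string `WebGoat V5.1RC2` is hard-coded here and again in the `<title>` of the next file's hunk, so the two can drift; a single shared constant rendered into both titles would keep them in step. The rest of the hunk is a whitespace reformat of the credits table.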


@ -7,7 +7,7 @@
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>WebGoat V5</title>
<title>WebGoat V5.1RC2</title>
<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
</head>
@ -19,7 +19,7 @@
<p>Thank you for using WebGoat!</p>
<p>This program is a demonstration of common web application flaws.
The exercises are intended to provide hands on experience with application
penetration testing techniques. The WebGoat project is lead by Bruce Mayhew. Please send all
penetration testing techniques. </p><p>The WebGoat project is lead by Bruce Mayhew. Please send all
comments to Bruce at <%= webSession.getWebgoatContext().getFeedbackAddress() %>.</p>
<div id="team">
<table border="0" align="center" class="lessonText">