dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Session Fixation

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@306 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
wirth.marcel 2008-04-09 11:51:04 +00:00
parent ee6d8ad2d5
commit c4092d2669
1 changed files with 561 additions and 264 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

825
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SessionFixation.java
View File

@ -1,31 +1,76 @@
package org.owasp.webgoat.lessons; package org.owasp.webgoat.lessons;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Random;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A;
import org.apache.ecs.html.B; import org.apache.ecs.html.B;
import org.apache.ecs.html.Div;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.H2;
import org.apache.ecs.html.Input; import org.apache.ecs.html.Input;
import org.apache.ecs.html.TD; import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR; import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.apache.ecs.html.TextArea; import org.apache.ecs.html.TextArea;
import org.apache.ecs.xhtml.style;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository for free software
* projects.
*
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Reto Lippuner, Marcel Wirth
* @created April 8, 2008
*/
public class SessionFixation extends SequentialLessonAdapter public class SessionFixation extends SequentialLessonAdapter
{ {
private String LoggedInUser = "";
private final String mailTo = "jane.plane@owasp.org"; private final String mailTo = "jane.plane@owasp.org";
private final String mailFrom = "admin@webgoatfinancial.com"; private final String mailFrom = "admin@webgoatfinancial.com";
private final String mailTitel = "Check your account"; private final String mailTitel = "Check your account";
private final String MAILCONTENTNAME = "mailname"; private final String MAILCONTENTNAME = "mailContent";
private final static String USER = "user"; private final static String USER = "user";
private final static String PASSWORD = "pass"; private final static String PASSWORD = "pass";
private final static String LOGGEDIN = "loggedin";
private final static String LOGGEDINUSER = "loggedInUser";
private final static Random random = new Random(System.currentTimeMillis());
private String sid = "";
/** /**
* Creates Staged WebContent * Creates Staged WebContent
@ -34,6 +79,76 @@ public class SessionFixation extends SequentialLessonAdapter
*/ */
protected Element createContent(WebSession s) protected Element createContent(WebSession s)
{ {
String sid = s.getParser().getStringParameter("SID","");
if (!sid.equals(""))
{
this.sid = sid;
}
if(!s.getParser().getStringParameter("Restart", "").equals(""))
{
s.add(LOGGEDIN, "false");
s.add("SID","");
this.sid = "";
}
if (getLessonTracker(s).getStage() == 3)
{
s.add("SID", sid);
if (!sid.equals(""))
{
s.add("SID", sid);
}
else
{
String randomSid = randomSIDGenerator();
s.add("SID", randomSid);
this.sid = randomSid;
System.out.println("RANDOMSID " + randomSid);
}
String name = s.getParser().getStringParameter(USER, "");
String password = s.getParser().getStringParameter(PASSWORD, "");
if(correctLogin(name, password, s))
{
getLessonTracker(s).setStage(4);
s.setMessage("You completed stage 3!");
}
}
if(getLessonTracker(s).getStage() == 4)
{
if (sid.equals(""))
{
String randomSid = randomSIDGenerator();
this.sid = randomSid;
}
}
if (getLessonTracker(s).getStage() == 2)
{
if (!sid.equals(""))
{
System.out.println("MySid: " + sid);
s.add("SID", sid);
getLessonTracker(s).setStage(3);
s.setMessage("You completed stage 2!");
}
else
{
createStage2Content(s);
}
}
String mailContent = s.getParser().getRawParameter(MAILCONTENTNAME, "");
if (!mailContent.equals(""))
{
s.add(MAILCONTENTNAME, mailContent);
}
if (mailContent.contains(getLink()+"&SID=") && getLessonTracker(s).getStage() == 1)
{
getLessonTracker(s).setStage(2);
s.setMessage("You completed stage 1!");
}
return super.createStagedContent(s); return super.createStagedContent(s);
} }
@ -44,30 +159,79 @@ public class SessionFixation extends SequentialLessonAdapter
*/ */
protected ElementContainer doStage1(WebSession s) protected ElementContainer doStage1(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
String mailContent = s.getParser().getStringParameter(MAILCONTENTNAME, "");
if (mailContent.contains("SSID"))
{
// ec.addElement(mailContent);
return ec;
}
ec.addElement(createStage1Content(s)); ec.addElement(createStage1Content(s));
return ec; return ec;
} }
@Override
public String getHint(WebSession s, int hintNumber)
{
// TODO Auto-generated method stub
return super.getHint(s, hintNumber);
}
@Override
protected Element doStage2(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement(createStage2Content(s));
return ec;
}
private Element createStage2Content(WebSession s)
{
ElementContainer ec = new ElementContainer();
String mailContent = (String) s.get(MAILCONTENTNAME);
ec.addElement(mailContent);
return ec;
}
@Override
protected Element doStage3(WebSession s) throws Exception
{
return createStage3Content(s);
}
@Override
protected Element doStage4(WebSession s) throws Exception
{
return createStage4Content(s);
}
private Element createStage3Content(WebSession s)
{
return createMainLoginContent(s);
}
private Element createStage4Content(WebSession s)
{
ElementContainer ec = new ElementContainer();
ec.addElement("Hello Hacker");
return ec;
//return createMainLoginContent(s);
}
private Element createStage1Content(WebSession s) private Element createStage1Content(WebSession s)
{ {
String link = getLink(); String link = getLink();
String mailText = "Dear MS. Plane <br><br>" + "During the last week we had a few problems with our servers. " String mailText = "<b>Dear MS. Plane</b> <br><br>"
+ "During the last week we had a few problems with our database. "
+ "A lot of people complained that there account details are wrong. " + "A lot of people complained that there account details are wrong. "
+ "That is why we kindly ask you to use following link to verify your " + "That is why we kindly ask you to use following link to verify your "
+ "data:<br><br><center><a href=" + link + "&XXXX=YYYYYYYY> WebGoat Financial</a></center><br><br>" + "data:<br><br><center><a href="
+ link
+ "> Goat Hills Financial</a></center><br><br>"
+ "We are sorry for the caused inconvenience and thank you for your colaboration.<br><br>" + "We are sorry for the caused inconvenience and thank you for your colaboration.<br><br>"
+ "Your WebGoat Financial Team"; + "<b>Your Goat Hills Financial Team</b><center> <br><br><img src='images/WebGoatFinancial/banklogo.jpg'></center>";
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
Table table = new Table(); Table table = new Table();
@ -128,8 +292,8 @@ public class SessionFixation extends SequentialLessonAdapter
td6.addElement(titleField); td6.addElement(titleField);
TextArea mailContent = new TextArea(); TextArea mailContent = new TextArea();
mailContent.addAttribute("cols", 50); mailContent.addAttribute("cols", 60);
mailContent.addAttribute("rows", 10); mailContent.addAttribute("rows", 9);
mailContent.addElement(mailText); mailContent.addElement(mailText);
mailContent.setName(MAILCONTENTNAME); mailContent.setName(MAILCONTENTNAME);
td7.addElement(mailContent); td7.addElement(mailContent);
@ -145,262 +309,332 @@ public class SessionFixation extends SequentialLessonAdapter
* @param s * @param s
* @return Element * @return Element
*/ */
protected Element createMainContent(WebSession s) protected Element createMainLoginContent(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
try
{
style sty = new style();
// try sty
// { .addElement("#lesson_wrapper {height: 435px;width: "
// + "500px;}#lesson_header {background-image: "
// + "url(lessons/DBSQLInjection/images/lesson1_header.jpg);width:"
// style sty = new style(); + " 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}.lesson_workspace "
// + "{background-image: url(lessons/DBSQLInjection/images/lesson1_workspace.jpg);width: 489px;height: "
// sty.addElement("#lesson_wrapper {height: 435px;width: 500px;}#lesson_header + "325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;} "
// {background-image: url(lessons/DBSQLInjection/images/lesson1_header.jpg);width: + ".lesson_text {height: 240px;width: 460px;padding-top: 5px;} "
// 490px;padding-right: 10px;padding-top: 60px;background-repeat: + "#lesson_buttons_bottom {height: 20px;width: 460px;} "
// no-repeat;}.lesson_workspace {background-image: + "#lesson_b_b_left {width: 300px;float: left;} "
// url(lessons/DBSQLInjection/images/lesson1_workspace.jpg);width: 489px;height: + "#lesson_b_b_right input {width: 100px;float: right;} "
// 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;} .lesson_text + ".lesson_title_box {height: 20px;width: 420px;padding-left: 30px;} "
// {height: 240px;width: 460px;padding-top: 5px;} #lesson_buttons_bottom {height: + ".lesson_workspace { } "
// 20px;width: 460px;} #lesson_b_b_left {width: 300px;float: left;} #lesson_b_b_right input + ".lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;} "
// {width: 100px;float: right;} .lesson_title_box {height: 20px;width: 420px;padding-left: + ".lesson_text_db {color: #0066FF} "
// 30px;} .lesson_workspace { } .lesson_txt_10 {font-family: Arial, Helvetica, + "#lesson_login {background-image: url(lessons/DBSQLInjection/images/lesson1_loginWindow.jpg);height: "
// sans-serif;font-size: 10px;} .lesson_text_db {color: #0066FF} #lesson_login + "124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top:"
// {background-image: url(lessons/DBSQLInjection/images/lesson1_loginWindow.jpg);height: + " 50px;text-align: center;} #lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: "
// 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: + "12px;text-align: center;} #lesson_search {background-image: "
// 80px;margin-top: 50px;text-align: center;} #lesson_login_txt {font-family: Arial, + "url(lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: "
// Helvetica, sans-serif;font-size: 12px;text-align: center;} #lesson_search + "no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}");
// {background-image: url(lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg);height: ec.addElement(sty);
// 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left:
// 80px;margin-top: 50px;text-align: center;}"); Div wrapperDiv = new Div();
// ec.addElement(sty); wrapperDiv.setID("lesson_wrapper");
//
// Div wrapperDiv = new Div(); Div headerDiv = new Div();
// wrapperDiv.setID("lesson_wrapper"); headerDiv.setID("lesson_header");
//
// Div headerDiv = new Div(); Div workspaceDiv = new Div();
// headerDiv.setID("lesson_header"); workspaceDiv.setClass("lesson_workspace");
//
// Div workspaceDiv = new Div(); wrapperDiv.addElement(headerDiv);
// workspaceDiv.setClass("lesson_workspace"); wrapperDiv.addElement(workspaceDiv);
//
// wrapperDiv.addElement(headerDiv); ec.addElement(wrapperDiv);
// wrapperDiv.addElement(workspaceDiv);
// workspaceDiv.addElement(createWorkspaceContent(s));
// ec.addElement(wrapperDiv);
// } catch (Exception e)
// workspaceDiv.addElement(createWorkspaceContent(s)); {
// s.setMessage("Error generating " + this.getClass().getName());
// } catch (Exception e) e.printStackTrace();
// { }
// s.setMessage("Error generating " + this.getClass().getName());
// e.printStackTrace();
// }
return (ec); return (ec);
} }
// /** /**
// * Creation of the content of the workspace * Creation of the content of the workspace
// * @param s *
// * @return Element * @param s
// */ * @return Element
// private Element createWorkspaceContent(WebSession s) */
// { private Element createWorkspaceContent(WebSession s)
// {
// ElementContainer ec = new ElementContainer();
// ElementContainer ec = new ElementContainer(); String name = s.getParser().getStringParameter(USER, "");
// String password = s.getParser().getStringParameter(PASSWORD, "");
// return ec;
// } try
{
// Logout Button is pressed
if (s.getParser().getRawParameter("logout", "").equals("true"))
{
s.add(LOGGEDIN, "false");
s.add("SID","");
this.sid = "";
// /** }
// * Create content for logging in if (correctLogin(name, password, s))
// * @param ec {
// */ s.add(LOGGEDINUSER, name);
// private void createLogInContent(ElementContainer ec, String errorMessage) { s.add(LOGGEDIN, "true");
// Div loginDiv = new Div(); createSuccessfulLoginContent(s, ec);
// loginDiv.setID("lesson_login"); }
// else if (sid.equals(s.get("SID")) && s.get(LOGGEDIN).equals("true"))
// Table table = new Table(); {
// //table.setStyle(tableStyle); createSuccessfulLoginContent(s, ec);
// table.addAttribute("align='center'", 0); }
// TR tr1 = new TR(); else
// TD td1 = new TD(); {
// TD td2 = new TD(); createLogInContent(ec, "");
// td1.addElement(new StringElement("Enter your name: ")); }
// td2.addElement(new Input(Input.TEXT, USER)); } catch (Exception e)
// tr1.addElement(td1); {
// tr1.addElement(td2); createLogInContent(ec, "");
// }
// TR tr2 = new TR();
// TD td3 = new TD();
// TD td4 = new TD();
// td3.addElement(new StringElement("Enter your password: "));
// td4.addElement(new Input(Input.PASSWORD, PASSWORD));
// tr2.addElement(td3);
// tr2.addElement(td4);
//
//
// TR tr3 = new TR();
// TD td5 = new TD();
// td5.setColSpan(2);
// td5.setAlign("center");
//
// td5.addElement(new Input(Input.SUBMIT, "Submit", "Submit"));
// tr3.addElement(td5);
//
// table.addElement(tr1);
// table.addElement(tr2);
// table.addElement(tr3);
// loginDiv.addElement(table);
// ec.addElement(loginDiv);
//
// H2 errorTag = new H2(errorMessage);
// errorTag.addAttribute("align", "center");
// errorTag.addAttribute("class", "info");
// ec.addElement(errorTag);
//
//
// }
// /** return ec;
// * Create content after a successful login }
// * @param s
// * @param ec
// */
// private void createSuccessfulLoginContent(WebSession s,
// ElementContainer ec) {
//
// String userDataStyle = "margin-top:50px;";
//
// Div userDataDiv = new Div();
// userDataDiv.setStyle(userDataStyle);
// userDataDiv.addAttribute("align", "center");
// Table table = new Table();
// table.addAttribute("cellspacing", 10);
// table.addAttribute("cellpadding", 5);
//
// table.addAttribute("align", "center");
// TR tr1 =new TR();
// TR tr2 = new TR();
// TR tr3 = new TR();
// TR tr4 = new TR();
// tr1.addElement(new TD("<b>Firstname:</b>"));
// tr1.addElement(new TD(LoggedInUser));
//
// try
// {
// ResultSet results = getUser(LoggedInUser, s);
// results.first();
//
// tr2.addElement(new TD("<b>Lastname:</b>"));
// tr2.addElement(new TD(results.getString("last_name")));
//
// tr3.addElement(new TD("<b>Credit Card Type:</b>"));
// tr3.addElement(new TD(results.getString("cc_type")));
//
// tr4.addElement(new TD("<b>Credit Card Number:</b>"));
// tr4.addElement(new TD(results.getString("cc_number")));
//
//
// }
//
// catch (Exception e)
// {
// e.printStackTrace();
// }
// table.addElement(tr1);
// table.addElement(tr2);
// table.addElement(tr3);
// table.addElement(tr4);
//
// userDataDiv.addElement(table);
// ec.addElement(userDataDiv);
// ec.addElement(createLogoutLink());
// }
// /** /**
// * Create a link for logging out * See if the user has logged in correctly
// * @return Element *
// */ * @param s
// private Element createLogoutLink() * @return true if loggedIn
// { */
// A logoutLink = new A(); private boolean loggedIn(WebSession s)
// logoutLink.addAttribute("href", getLink() + "&logout=true"); {
// logoutLink.addElement("Logout"); try
// {
// String logoutStyle = "margin-right:50px; mrgin-top:30px"; return s.get(LOGGEDIN).equals("true");
// Div logoutDiv = new Div(); } catch (Exception e)
// logoutDiv.addAttribute("align", "right"); {
// logoutDiv.addElement(logoutLink); return false;
// logoutDiv.setStyle(logoutStyle); }
// }
// return logoutDiv;
// }
// /** /**
// * Get a user by its name * See if the password and corresponding user is valid
// * @param user *
// * @param s * @param userName
// * @return ResultSet containing the user * @param password
// */ * @param s
// private ResultSet getUser(String user, WebSession s) * @return true if the password was correct
// { */
// try { private boolean correctLogin(String userName, String password, WebSession s)
// Connection connection = DatabaseUtilities.getConnection(s); {
// String query = "SELECT * FROM user_data_tan WHERE first_name = ? "; try
// PreparedStatement prepStatement =connection.prepareStatement(query, {
// ResultSet.TYPE_SCROLL_INSENSITIVE, Connection connection = DatabaseUtilities.getConnection(s);
// ResultSet.CONCUR_READ_ONLY); String query = "SELECT * FROM user_data_tan WHERE first_name = ? AND password = ?";
// prepStatement.setString(1, user); PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
// ResultSet.CONCUR_READ_ONLY);
// prepStatement.setString(1, userName);
// ResultSet results = prepStatement.executeQuery(); prepStatement.setString(2, password);
//
// return results;
//
// } catch (Exception e) {
// e.printStackTrace();
// }
// return null;
//
// }
// /** ResultSet results = prepStatement.executeQuery();
// * See if the password and corresponding user is valid
// * @param userName if ((results != null) && (results.first() == true)) {
// * @param password
// * @param s return true;
// * @return true if the password was correct
// */ }
// private boolean correctLogin(String userName, String password, WebSession s)
// { } catch (Exception e)
// try { {
// Connection connection = DatabaseUtilities.getConnection(s); e.printStackTrace();
// String query = "SELECT * FROM user_data_tan WHERE first_name = ? AND password = ?"; }
// PreparedStatement prepStatement =connection.prepareStatement(query,
// ResultSet.TYPE_SCROLL_INSENSITIVE, return false;
// ResultSet.CONCUR_READ_ONLY);
// prepStatement.setString(1, userName); }
// prepStatement.setString(2, password);
// /**
// ResultSet results = prepStatement.executeQuery(); * Create content for logging in
// *
// if ((results != null) && (results.first() == true)) * @param ec
// { */
// private void createLogInContent(ElementContainer ec, String errorMessage)
// return true; {
// Div loginDiv = new Div();
// } loginDiv.setID("lesson_login");
//
// } catch (Exception e) { Table table = new Table();
// e.printStackTrace(); // table.setStyle(tableStyle);
// } table.addAttribute("align='center'", 0);
// TR tr1 = new TR();
// return false; TD td1 = new TD();
// TD td2 = new TD();
// } td1.addElement(new StringElement("Enter your name: "));
td2.addElement(new Input(Input.TEXT, USER));
tr1.addElement(td1);
tr1.addElement(td2);
TR tr2 = new TR();
TD td3 = new TD();
TD td4 = new TD();
td3.addElement(new StringElement("Enter your password: "));
td4.addElement(new Input(Input.PASSWORD, PASSWORD));
tr2.addElement(td3);
tr2.addElement(td4);
TR tr3 = new TR();
TD td5 = new TD();
td5.setColSpan(2);
td5.setAlign("center");
td5.addElement(new Input(Input.SUBMIT, "Submit", "Login"));
tr3.addElement(td5);
table.addElement(tr1);
table.addElement(tr2);
table.addElement(tr3);
loginDiv.addElement(table);
ec.addElement(loginDiv);
H2 errorTag = new H2(errorMessage);
errorTag.addAttribute("align", "center");
errorTag.addAttribute("class", "info");
ec.addElement(errorTag);
}
/**
* Create content after a successful login
*
* @param s
* @param ec
*/
private void createSuccessfulLoginContent(WebSession s, ElementContainer ec)
{
String userDataStyle = "margin-top:50px;";
Div userDataDiv = new Div();
userDataDiv.setStyle(userDataStyle);
userDataDiv.addAttribute("align", "center");
Table table = new Table();
table.addAttribute("cellspacing", 10);
table.addAttribute("cellpadding", 5);
table.addAttribute("align", "center");
TR tr1 = new TR();
TR tr2 = new TR();
TR tr3 = new TR();
TR tr4 = new TR();
tr1.addElement(new TD("<b>Firstname:</b>"));
tr1.addElement(new TD(getLoggedInUser(s)));
try
{
ResultSet results = getUser(getLoggedInUser(s), s);
results.first();
tr2.addElement(new TD("<b>Lastname:</b>"));
tr2.addElement(new TD(results.getString("last_name")));
tr3.addElement(new TD("<b>Credit Card Type:</b>"));
tr3.addElement(new TD(results.getString("cc_type")));
tr4.addElement(new TD("<b>Credit Card Number:</b>"));
tr4.addElement(new TD(results.getString("cc_number")));
}
catch (Exception e)
{
e.printStackTrace();
}
table.addElement(tr1);
table.addElement(tr2);
table.addElement(tr3);
table.addElement(tr4);
userDataDiv.addElement(table);
ec.addElement(userDataDiv);
ec.addElement(createLogoutLink());
}
/**
* Create a link for logging out
*
* @return Element
*/
private Element createLogoutLink()
{
A logoutLink = new A();
logoutLink.addAttribute("href", getLink() + "&logout=true");
logoutLink.addElement("Logout");
String logoutStyle = "margin-right:50px; mrgin-top:30px";
Div logoutDiv = new Div();
logoutDiv.addAttribute("align", "right");
logoutDiv.addElement(logoutLink);
logoutDiv.setStyle(logoutStyle);
return logoutDiv;
}
/**
* Get a user by its name
*
* @param user
* @param s
* @return ResultSet containing the user
*/
private ResultSet getUser(String user, WebSession s)
{
try
{
Connection connection = DatabaseUtilities.getConnection(s);
String query = "SELECT * FROM user_data_tan WHERE first_name = ? ";
PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
prepStatement.setString(1, user);
ResultSet results = prepStatement.executeQuery();
return results;
} catch (Exception e)
{
e.printStackTrace();
}
return null;
}
/**
* Get the logged in user
*
* @param s
* @return the logged in user
*/
private String getLoggedInUser(WebSession s)
{
try
{
String user = (String) s.get(LOGGEDINUSER);
return user;
} catch (Exception e)
{
return "";
}
}
/** /**
* Get the category * Get the category
@ -421,9 +655,13 @@ public class SessionFixation extends SequentialLessonAdapter
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add("Stage 1: Just do a regular login"); hints.add("Stage 1: Where is the link in the mail?");
hints.add("Stage 2: How does the server know which TAN has to be used"); hints.add("Stage 1: Add a SID to the link");
hints.add("Stage 2: Maybe taking a look at the source code helps"); hints.add("Stage 1: A SID could looke something like this: SID=Whatever");
hints.add("Stage 1: Alter the link in the mail to: href=" + getLink() + "&SID=Whatever");
hints.add("Stage 2: Click on the link!");
hints.add("Stage 3: Log in as Jane with user name jane and password tarzan.");
hints.add("Stage 2: Watch out for hidden fields"); hints.add("Stage 2: Watch out for hidden fields");
hints.add("Stage 2: Manipulate the hidden field 'hidden_tan'"); hints.add("Stage 2: Manipulate the hidden field 'hidden_tan'");
@ -436,7 +674,32 @@ public class SessionFixation extends SequentialLessonAdapter
*/ */
public String getInstructions(WebSession s) public String getInstructions(WebSession s)
{ {
String instructions = "Stub"; int stage = getLessonTracker(s).getStage();
String instructions = "STAGE " +stage+": ";
if(stage == 1)
{
instructions += "You are Hacker Joe and " +
"you want to steal the session from Jane. " +
"That is why you have to send a phishing mail " +
"to her. The mail is already prepared. Only " +
"thing missing is a Session ID (SID) in the Link. Alter " +
"the link to include a SID.<br><br><b>You are: Hacker Joe</b>";
}
else if (stage == 2)
{
instructions += "Now you are the victim Jane who received the mail you see. " +
"If you point on the link with your mouse you will see that there is a SID included." +
"Click on it to see what happens.<br><br><b>You are: Victim Jane</b> ";
}
else if (stage == 3)
{
instructions += "As the bank kindly asked to verfy your data you have to log in to see if your details are " +
"correct ;). Your user name is Jane and your password is tarzan. <br><br><b>You are: Victim Jane</b> ";
}
else if (stage == 4)
{
instructions += "It is time to steal the session. <br><br><b>You are: Hacker Joe</b> ";
}
return (instructions); return (instructions);
} }
@ -458,5 +721,39 @@ public class SessionFixation extends SequentialLessonAdapter
{ {
return ("Session Fixation"); return ("Session Fixation");
} }
@Override
public void handleRequest(WebSession s)
{
Form form = new Form();
form.addElement(createContent(s));
form.setAction(getFormAction());
form.setMethod(Form.POST);
form.setName("form");
form.setEncType("");
setContent(form);
}
@Override
public String getLink()
{
if(sid.equals(""))
{
return super.getLink();
}
return super.getLink() + "&SID=" + sid;
}
private String randomSIDGenerator()
{
String sid = "";
sid = String.valueOf(Math.abs(random.nextInt()%100000));
return sid;
}
} }