Merge pull request #20 from dtouzet/WEB-31

Refactor the way ResourceBundles are used for internationalization
This commit is contained in:
mayhew64 2014-11-25 16:34:09 -05:00
commit cf06e7fdfb
34 changed files with 3829 additions and 3372 deletions



@ -13,7 +13,6 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -102,12 +101,12 @@ public class BasicAuthentication extends SequentialLessonAdapter
{ {
if (headerName.length() > 0 && !headerName.equalsIgnoreCase(AUTHORIZATION)) if (headerName.length() > 0 && !headerName.equalsIgnoreCase(AUTHORIZATION))
{ {
s.setMessage(WebGoatI18N.get("BasicAuthHeaderNameIncorrect")); s.setMessage(getLabelManager().get("BasicAuthHeaderNameIncorrect"));
} }
if (headerValue.length() > 0 if (headerValue.length() > 0
&& !(headerValue.equals("guest:guest") || headerValue.equals("webgoat:webgoat"))) && !(headerValue.equals("guest:guest") || headerValue.equals("webgoat:webgoat")))
{ {
s.setMessage(WebGoatI18N.get("BasicAuthHeaderValueIncorrect")); s.setMessage(getLabelManager().get("BasicAuthHeaderValueIncorrect"));
} }
} }
@ -121,8 +120,8 @@ public class BasicAuthentication extends SequentialLessonAdapter
TR row1 = new TR(); TR row1 = new TR();
TR row2 = new TR(); TR row2 = new TR();
row1.addElement(new TD(new StringElement(WebGoatI18N.get("BasicAuthenticationWhatIsNameOfHeader")))); row1.addElement(new TD(new StringElement(getLabelManager().get("BasicAuthenticationWhatIsNameOfHeader"))));
row2.addElement(new TD(new StringElement(WebGoatI18N.get("BasicAuthenticationWhatIsDecodedValueOfHeader")))); row2.addElement(new TD(new StringElement(getLabelManager().get("BasicAuthenticationWhatIsDecodedValueOfHeader"))));
row1.addElement(new TD(new Input(Input.TEXT, HEADER_NAME, headerName.toString()))); row1.addElement(new TD(new Input(Input.TEXT, HEADER_NAME, headerName.toString())));
row2.addElement(new TD(new Input(Input.TEXT, HEADER_VALUE, headerValue.toString()))); row2.addElement(new TD(new Input(Input.TEXT, HEADER_VALUE, headerValue.toString())));
@ -133,7 +132,7 @@ public class BasicAuthentication extends SequentialLessonAdapter
ec.addElement(t); ec.addElement(t);
ec.addElement(new P()); ec.addElement(new P());
Element b = ECSFactory.makeButton(WebGoatI18N.get("Submit")); Element b = ECSFactory.makeButton(getLabelManager().get("Submit"));
ec.addElement(b); ec.addElement(b);
} catch (Exception e) } catch (Exception e)
@ -159,7 +158,7 @@ public class BasicAuthentication extends SequentialLessonAdapter
getLessonTracker(s, originalUser).setStage(1); getLessonTracker(s, originalUser).setStage(1);
getLessonTracker(s, originalUser).store(s, this); getLessonTracker(s, originalUser).store(s, this);
makeSuccess(s); makeSuccess(s);
s.setMessage(WebGoatI18N.get("BasicAuthenticiationGreenStars1")+ originalUser + WebGoatI18N.get("BasicAuthenticationGreenStars2")); s.setMessage(getLabelManager().get("BasicAuthenticiationGreenStars1")+ originalUser + getLabelManager().get("BasicAuthenticationGreenStars2"));
return ec; return ec;
} }
else else
@ -185,7 +184,7 @@ public class BasicAuthentication extends SequentialLessonAdapter
getLessonTracker(s, BASIC).store(s, this, BASIC); getLessonTracker(s, BASIC).store(s, this, BASIC);
} }
s.setMessage(WebGoatI18N.get("BasicAuthenticationStage1Completed")); s.setMessage(getLabelManager().get("BasicAuthenticationStage1Completed"));
// If the auth header is different but still the original user - tell the user // If the auth header is different but still the original user - tell the user
// that the original cookie was posted bak and basic auth uses the cookie before the // that the original cookie was posted bak and basic auth uses the cookie before the
@ -193,28 +192,28 @@ public class BasicAuthentication extends SequentialLessonAdapter
if (!originalAuth.equals("") && !originalAuth.equals(s.getHeader(AUTHORIZATION))) if (!originalAuth.equals("") && !originalAuth.equals(s.getHeader(AUTHORIZATION)))
{ {
ec ec
.addElement(WebGoatI18N.get("BasicAuthenticationAlmostThere1") .addElement(getLabelManager().get("BasicAuthenticationAlmostThere1")
+ AUTHORIZATION + AUTHORIZATION
+ WebGoatI18N.get("BasicAuthenticationAlmostThere2") + getLabelManager().get("BasicAuthenticationAlmostThere2")
+ s.getUserName() + s.getUserName()
+ WebGoatI18N.get("BasicAuthenticationAlmostThere3")); + getLabelManager().get("BasicAuthenticationAlmostThere3"));
} }
else if (!originalSessionId.equals(s.getCookie(JSESSIONID))) else if (!originalSessionId.equals(s.getCookie(JSESSIONID)))
{ {
ec ec
.addElement(WebGoatI18N.get("BasicAuthenticationReallyClose")); .addElement(getLabelManager().get("BasicAuthenticationReallyClose"));
} }
else else
{ {
ec.addElement(WebGoatI18N.get("BasicAuthenticationUseTheHints")); ec.addElement(getLabelManager().get("BasicAuthenticationUseTheHints"));
} }
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -245,18 +244,18 @@ public class BasicAuthentication extends SequentialLessonAdapter
// switch ( stage ) // switch ( stage )
// { // {
// case 1: // case 1:
hints.add(WebGoatI18N.get("BasicAuthenticationHint1")); hints.add(getLabelManager().get("BasicAuthenticationHint1"));
hints.add(WebGoatI18N.get("BasicAuthenticationHint2")); hints.add(getLabelManager().get("BasicAuthenticationHint2"));
hints.add(WebGoatI18N.get("BasicAuthenticationHint3")); hints.add(getLabelManager().get("BasicAuthenticationHint3"));
hints.add(WebGoatI18N.get("BasicAuthenticationHint4")); hints.add(getLabelManager().get("BasicAuthenticationHint4"));
// break; // break;
// case 2: // case 2:
hints.add(WebGoatI18N.get("BasicAuthenticationHint5")); hints.add(getLabelManager().get("BasicAuthenticationHint5"));
hints.add(WebGoatI18N.get("BasicAuthenticationHint6")); hints.add(getLabelManager().get("BasicAuthenticationHint6"));
hints.add(WebGoatI18N.get("BasicAuthenticationHint7")); hints.add(getLabelManager().get("BasicAuthenticationHint7"));
hints.add(WebGoatI18N.get("BasicAuthenticationHint8")); hints.add(getLabelManager().get("BasicAuthenticationHint8"));
hints.add(WebGoatI18N.get("BasicAuthenticationHint9")); hints.add(getLabelManager().get("BasicAuthenticationHint9"));
// break; // break;
// } // }
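Review bot: The key on the new side of the `s.setMessage(...)` line in the hunk at `@ -159,7 +158,7` is spelled `BasicAuthenticiationGreenStars1` while its partner on the same line is `BasicAuthenticationGreenStars2`; if the bundle entry is not spelled the same way the lookup misses, and either way the pair should be made consistent now that every label goes through one manager, e.g. `getLabelManager().get("BasicAuthenticationGreenStars1")` with the bundle key renamed to match. A point of style in the getHints hunk at `@ -245,18 +244,18`: nine consecutive `getLabelManager().get(...)` calls re-fetch the manager on every line, and fetching it once into a local at the top of the method reads better; the same applies to the getHints methods of BypassHtmlFieldRestrictions, CommandInjection, HiddenFieldTampering, HtmlClues, JavaScriptValidation and LogSpoofing in this commit. The methods these hunks belong to start and end outside the hunks.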


@ -1,11 +1,6 @@
package org.owasp.webgoat.lessons; package org.owasp.webgoat.lessons;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import org.apache.ecs.Element; import org.apache.ecs.Element;
@ -17,12 +12,9 @@ import org.apache.ecs.html.Div;
import org.apache.ecs.html.IMG; import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input; import org.apache.ecs.html.Input;
import org.apache.ecs.html.P; import org.apache.ecs.html.P;
import org.apache.ecs.html.PRE;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -197,9 +189,9 @@ public class BypassHtmlFieldRestrictions extends SequentialLessonAdapter
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("BypassHtmlFieldRestrictionsHint1")); hints.add(getLabelManager().get("BypassHtmlFieldRestrictionsHint1"));
hints.add(WebGoatI18N.get("BypassHtmlFieldRestrictionsHint2")); hints.add(getLabelManager().get("BypassHtmlFieldRestrictionsHint2"));
hints.add(WebGoatI18N.get("BypassHtmlFieldRestrictionsHint3")); hints.add(getLabelManager().get("BypassHtmlFieldRestrictionsHint3"));
return hints; return hints;
} }


@ -16,7 +16,6 @@ import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.Exec; import org.owasp.webgoat.util.Exec;
import org.owasp.webgoat.util.ExecResults; import org.owasp.webgoat.util.ExecResults;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -79,7 +78,7 @@ public class CommandInjection extends LessonAdapter
} }
index = index + 1; index = index + 1;
int helpFileLen = helpFile.length() - 1; // subtract 1 for the closing quote int helpFileLen = helpFile.length() - 1; // subtract 1 for the closing quote
System.out.println(WebGoatI18N.get("Command")+" = [" + helpFile.substring(index, helpFileLen).trim().toLowerCase() + "]"); System.out.println(getLabelManager().get("Command")+" = [" + helpFile.substring(index, helpFileLen).trim().toLowerCase() + "]");
if ((osName.indexOf("Windows") != -1 && (helpFile.substring(index, helpFileLen).trim().toLowerCase() if ((osName.indexOf("Windows") != -1 && (helpFile.substring(index, helpFileLen).trim().toLowerCase()
.equals("netstat -a") .equals("netstat -a")
|| helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("dir") || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("dir")
@ -97,7 +96,7 @@ public class CommandInjection extends LessonAdapter
} }
else else
{ {
s.setMessage(WebGoatI18N.get("CommandInjectionRightTrack1")); s.setMessage(getLabelManager().get("CommandInjectionRightTrack1"));
} }
} }
@ -114,7 +113,7 @@ public class CommandInjection extends LessonAdapter
} }
else else
{ {
s.setMessage(WebGoatI18N.get("CommandInjectionRightTrack2")); s.setMessage(getLabelManager().get("CommandInjectionRightTrack2"));
} }
} }
else else
@ -125,8 +124,8 @@ public class CommandInjection extends LessonAdapter
} }
File safeDir = new File(s.getContext().getRealPath("/lesson_plans/en")); File safeDir = new File(s.getContext().getRealPath("/lesson_plans/en"));
ec.addElement(new StringElement(WebGoatI18N.get("YouAreCurrentlyViewing")+"<b>" ec.addElement(new StringElement(getLabelManager().get("YouAreCurrentlyViewing")+"<b>"
+ (helpFile.toString().length() == 0 ? "&lt;"+WebGoatI18N.get("SelectFileFromListBelow")+"&gt;" : helpFile.toString()) + (helpFile.toString().length() == 0 ? "&lt;"+getLabelManager().get("SelectFileFromListBelow")+"&gt;" : helpFile.toString())
+ "</b>")); + "</b>"));
if (!illegalCommand) if (!illegalCommand)
@ -151,11 +150,11 @@ public class CommandInjection extends LessonAdapter
fileData = exec(s, cmd2); fileData = exec(s, cmd2);
} }
ec.addElement(new P().addElement(WebGoatI18N.get("SelectLessonPlanToView"))); ec.addElement(new P().addElement(getLabelManager().get("SelectLessonPlanToView")));
ec.addElement(ECSFactory.makePulldown(HELP_FILE, parseResults(results.replaceAll("(?s)\\.html", ec.addElement(ECSFactory.makePulldown(HELP_FILE, parseResults(results.replaceAll("(?s)\\.html",
"\\.help")))); "\\.help"))));
// ec.addElement( results ); // ec.addElement( results );
Element b = ECSFactory.makeButton(WebGoatI18N.get("View")); Element b = ECSFactory.makeButton(getLabelManager().get("View"));
ec.addElement(b); ec.addElement(b);
// Strip out some of the extra html from the "help" file // Strip out some of the extra html from the "help" file
ec.addElement(new BR()); ec.addElement(new BR());
@ -271,10 +270,10 @@ public class CommandInjection extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("CommandInjectionHint1")); hints.add(getLabelManager().get("CommandInjectionHint1"));
hints.add(WebGoatI18N.get("CommandInjectionHint2")); hints.add(getLabelManager().get("CommandInjectionHint2"));
hints.add(WebGoatI18N.get("CommandInjectionHint3")); hints.add(getLabelManager().get("CommandInjectionHint3"));
hints.add(WebGoatI18N.get("CommandInjectionHint4")); hints.add(getLabelManager().get("CommandInjectionHint4"));
return hints; return hints;
} }
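Review bot: The `System.out.println(getLabelManager().get("Command")+" = [" + ... + "]")` line in the hunk at `@ -79,7 +78,7` localizes what is a debug trace written to stdout; console and log output should not depend on the requesting user's language, and the line echoes the user-supplied helpFile value straight to the server console, which looks like leftover debugging rather than part of the lesson. Either drop the line or keep it unlocalized and at debug level through a proper logger, e.g. `System.out.println("Command = [" + helpFile.substring(index, helpFileLen).trim().toLowerCase() + "]");` if it must stay as a println. The surrounding method starts and ends outside the hunk.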


@ -22,7 +22,6 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -107,7 +106,7 @@ public class HiddenFieldTampering extends LessonAdapter
total = quantity * Float.parseFloat(price); total = quantity * Float.parseFloat(price);
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage(WebGoatI18N.get("Invaild data") + this.getClass().getName()); s.setMessage(getLabelManager().get("Invaild data") + this.getClass().getName());
price = PRICE_TV; price = PRICE_TV;
quantity = 1.0f; quantity = 1.0f;
total = quantity * Float.parseFloat(PRICE_TV); total = quantity * Float.parseFloat(PRICE_TV);
@ -116,7 +115,7 @@ public class HiddenFieldTampering extends LessonAdapter
if (price.equals(PRICE_TV)) if (price.equals(PRICE_TV))
{ {
ec.addElement(new Center().addElement(new H1().addElement(WebGoatI18N.get("ShoppingCart")))); ec.addElement(new Center().addElement(new H1().addElement(getLabelManager().get("ShoppingCart"))));
ec.addElement(new BR()); ec.addElement(new BR());
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
@ -126,10 +125,10 @@ public class HiddenFieldTampering extends LessonAdapter
} }
TR tr = new TR(); TR tr = new TR();
tr.addElement(new TH().addElement(WebGoatI18N.get("ShoppingCartItems")).setWidth("80%")); tr.addElement(new TH().addElement(getLabelManager().get("ShoppingCartItems")).setWidth("80%"));
tr.addElement(new TH().addElement(WebGoatI18N.get("Price")).setWidth("10%")); tr.addElement(new TH().addElement(getLabelManager().get("Price")).setWidth("10%"));
tr.addElement(new TH().addElement(WebGoatI18N.get("Quantity")).setWidth("3%")); tr.addElement(new TH().addElement(getLabelManager().get("Quantity")).setWidth("3%"));
tr.addElement(new TH().addElement(WebGoatI18N.get("Total")).setWidth("7%")); tr.addElement(new TH().addElement(getLabelManager().get("Total")).setWidth("7%"));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
@ -150,10 +149,10 @@ public class HiddenFieldTampering extends LessonAdapter
ec.addElement(new BR()); ec.addElement(new BR());
tr = new TR(); tr = new TR();
tr.addElement(new TD().addElement(WebGoatI18N.get("TotalChargedCreditCard")+":")); tr.addElement(new TD().addElement(getLabelManager().get("TotalChargedCreditCard")+":"));
tr.addElement(new TD().addElement(money.format(total))); tr.addElement(new TD().addElement(money.format(total)));
tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("UpdateCart")))); tr.addElement(new TD().addElement(ECSFactory.makeButton(getLabelManager().get("UpdateCart"))));
tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("Purchase"), "validate()"))); tr.addElement(new TD().addElement(ECSFactory.makeButton(getLabelManager().get("Purchase"), "validate()")));
t.addElement(tr); t.addElement(tr);
ec.addElement(t); ec.addElement(t);
@ -170,10 +169,10 @@ public class HiddenFieldTampering extends LessonAdapter
makeSuccess(s); makeSuccess(s);
} }
ec.addElement(new P().addElement(WebGoatI18N.get("TotalPriceIs")+":")); ec.addElement(new P().addElement(getLabelManager().get("TotalPriceIs")+":"));
ec.addElement(new B("$" + total)); ec.addElement(new B("$" + total));
ec.addElement(new BR()); ec.addElement(new BR());
ec.addElement(new P().addElement(WebGoatI18N.get("ThisAmountCharged"))); ec.addElement(new P().addElement(getLabelManager().get("ThisAmountCharged")));
} }
return (ec); return (ec);
@ -198,9 +197,9 @@ public class HiddenFieldTampering extends LessonAdapter
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("HiddenFieldTamperingHint1")); hints.add(getLabelManager().get("HiddenFieldTamperingHint1"));
hints.add(WebGoatI18N.get("HiddenFieldTamperingHint2")); hints.add(getLabelManager().get("HiddenFieldTamperingHint2"));
hints.add(WebGoatI18N.get("HiddenFieldTamperingHint3")+ PRICE_TV +WebGoatI18N.get("HiddenFieldTamperingHint32") + PRICE_TV_HACKED ); hints.add(getLabelManager().get("HiddenFieldTamperingHint3")+ PRICE_TV +getLabelManager().get("HiddenFieldTamperingHint32") + PRICE_TV_HACKED );
return hints; return hints;
} }
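Review bot: The key passed on the new side of the catch block in the hunk at `@ -107,7 +106,7`, `getLabelManager().get("Invaild data")`, is a misspelled sentence with a space rather than an identifier-style key like every other label in this commit, which suggests the text was passed through as a key and was never added to the bundle, so the lookup will not resolve to a translation. Rename it to an identifier and add the matching bundle entry, e.g. `s.setMessage(getLabelManager().get("InvalidData") + this.getClass().getName());`. The enclosing method starts and ends outside the hunk.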


@ -19,7 +19,6 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -108,7 +107,7 @@ public class HtmlClues extends LessonAdapter
{ {
makeSuccess(s); makeSuccess(s);
s.setMessage(WebGoatI18N.get("HtmlCluesBINGO")); s.setMessage(getLabelManager().get("HtmlCluesBINGO"));
ec.addElement(makeUser(s, "admin", "CREDENTIALS")); ec.addElement(makeUser(s, "admin", "CREDENTIALS"));
} }
else else
@ -139,8 +138,8 @@ public class HtmlClues extends LessonAdapter
protected Element makeUser(WebSession s, String user, String method) throws Exception protected Element makeUser(WebSession s, String user, String method) throws Exception
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement(WebGoatI18N.get("WelcomeUser")+ user)); ec.addElement(new P().addElement(getLabelManager().get("WelcomeUser")+ user));
ec.addElement(new P().addElement(WebGoatI18N.get("YouHaveBeenAuthenticatedWith") + method)); ec.addElement(new P().addElement(getLabelManager().get("YouHaveBeenAuthenticatedWith") + method));
return (ec); return (ec);
} }
@ -159,12 +158,12 @@ public class HtmlClues extends LessonAdapter
TR tr = new TR(); TR tr = new TR();
tr.addElement(new TH() tr.addElement(new TH()
.addElement(WebGoatI18N.get("WeakAuthenticationCookiePleaseSignIn")) .addElement(getLabelManager().get("WeakAuthenticationCookiePleaseSignIn"))
.setColSpan(2).setAlign("left")); .setColSpan(2).setAlign("left"));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
tr.addElement(new TD().addElement("*"+WebGoatI18N.get("RequiredFields")).setWidth("30%")); tr.addElement(new TD().addElement("*"+getLabelManager().get("RequiredFields")).setWidth("30%"));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
@ -173,8 +172,8 @@ public class HtmlClues extends LessonAdapter
TR row1 = new TR(); TR row1 = new TR();
TR row2 = new TR(); TR row2 = new TR();
row1.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("UserName")+": ")))); row1.addElement(new TD(new B(new StringElement("*"+getLabelManager().get("UserName")+": "))));
row2.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("Password")+": ")))); row2.addElement(new TD(new B(new StringElement("*"+getLabelManager().get("Password")+": "))));
Input input1 = new Input(Input.TEXT, USERNAME, ""); Input input1 = new Input(Input.TEXT, USERNAME, "");
Input input2 = new Input(Input.PASSWORD, PASSWORD, ""); Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
@ -183,7 +182,7 @@ public class HtmlClues extends LessonAdapter
t.addElement(row1); t.addElement(row1);
t.addElement(row2); t.addElement(row2);
Element b = ECSFactory.makeButton(WebGoatI18N.get("Login")); Element b = ECSFactory.makeButton(getLabelManager().get("Login"));
t.addElement(new TR(new TD(b))); t.addElement(new TR(new TD(b)));
ec.addElement(t); ec.addElement(t);
@ -198,9 +197,9 @@ public class HtmlClues extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("HtmlCluesHint1")); hints.add(getLabelManager().get("HtmlCluesHint1"));
hints.add(WebGoatI18N.get("HtmlCluesHint2")); hints.add(getLabelManager().get("HtmlCluesHint2"));
hints.add(WebGoatI18N.get("HtmlCluesHint3")); hints.add(getLabelManager().get("HtmlCluesHint3"));
return hints; return hints;
} }
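Review bot: In the hunk at `@ -108,7 +107,7` `makeSuccess(s)` is immediately followed by `s.setMessage(getLabelManager().get("HtmlCluesBINGO"))`, and makeSuccess itself calls `s.setMessage(getLabelManager().get("LessonCompleted"))` in the LessonAdapter hunk of this commit, so if setMessage replaces rather than appends, the LessonCompleted text is overwritten on every success. If both texts are wanted, combine them in one call, e.g. `s.setMessage(getLabelManager().get("LessonCompleted") + " " + getLabelManager().get("HtmlCluesBINGO"));`, after confirming setMessage's semantics. The method starts and ends outside the hunk.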


@ -2,7 +2,6 @@ package org.owasp.webgoat.lessons;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement; import org.apache.ecs.StringElement;
@ -10,7 +9,6 @@ import org.apache.ecs.html.BR;
import org.apache.ecs.html.Input; import org.apache.ecs.html.Input;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/** /**
* ************************************************************************************************* * *************************************************************************************************
@ -61,7 +59,7 @@ public class HttpBasics extends LessonAdapter {
StringBuffer person = null; StringBuffer person = null;
try { try {
ec.addElement(new BR()); ec.addElement(new BR());
ec.addElement(new StringElement(WebGoatI18N.get("EnterYourName") + ": ")); ec.addElement(new StringElement(getLabelManager().get("EnterYourName") + ": "));
person = new StringBuffer(s.getParser().getStringParameter(PERSON, "")); person = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
person.reverse(); person.reverse();
@ -69,7 +67,7 @@ public class HttpBasics extends LessonAdapter {
Input input = new Input(Input.TEXT, PERSON, person.toString()); Input input = new Input(Input.TEXT, PERSON, person.toString());
ec.addElement(input); ec.addElement(input);
Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!")); Element b = ECSFactory.makeButton(getLabelManager().get("Go!"));
ec.addElement(b); ec.addElement(b);
} catch (Exception e) { } catch (Exception e) {
s.setMessage("Error generating " + this.getClass().getName()); s.setMessage("Error generating " + this.getClass().getName());
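Review bot: The catch block at the end of the hunk at `@ -69,7 +67,7` still sets the hard-coded English `"Error generating " + this.getClass().getName()`, while the same situation in BasicAuthentication and JavaScriptValidation now uses the `ErrorGenerating` label; this one was missed by the refactor. Change it to `s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());`. The try/catch belongs to a method that starts before the hunk and ends after it.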


@ -14,7 +14,6 @@ import org.apache.ecs.html.Input;
import org.apache.ecs.html.P; import org.apache.ecs.html.P;
import org.apache.ecs.html.TextArea; import org.apache.ecs.html.TextArea;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -125,28 +124,28 @@ public class JavaScriptValidation extends LessonAdapter
b.setType(Input.BUTTON); b.setType(Input.BUTTON);
b.setValue("Submit"); b.setValue("Submit");
b.addAttribute("onclick", "validate();"); b.addAttribute("onclick", "validate();");
ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("3LowerCase")+"(" ec.addElement(new Div().addElement(new StringElement(getLabelManager().get("3LowerCase")+"("
+ regex1 + ")"))); + regex1 + ")")));
ec.addElement(new Div().addElement(input1)); ec.addElement(new Div().addElement(input1));
ec.addElement(new P()); ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("Exactly3Digits")+"(" + regex2 + ")"))); ec.addElement(new Div().addElement(new StringElement(getLabelManager().get("Exactly3Digits")+"(" + regex2 + ")")));
ec.addElement(new Div().addElement(input2)); ec.addElement(new Div().addElement(input2));
ec.addElement(new P()); ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("LettersNumbersSpaceOnly")+"(" + regex3 ec.addElement(new Div().addElement(new StringElement(getLabelManager().get("LettersNumbersSpaceOnly")+"(" + regex3
+ ")"))); + ")")));
ec.addElement(new Div().addElement(input3)); ec.addElement(new Div().addElement(input3));
ec.addElement(new P()); ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("EnumerationOfNumbers")+" (" + regex4 + ")"))); ec.addElement(new Div().addElement(new StringElement(getLabelManager().get("EnumerationOfNumbers")+" (" + regex4 + ")")));
ec.addElement(new Div().addElement(input4)); ec.addElement(new Div().addElement(input4));
ec.addElement(new P()); ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("SimpleZipCode")+ " (" + regex5 + ")"))); ec.addElement(new Div().addElement(new StringElement(getLabelManager().get("SimpleZipCode")+ " (" + regex5 + ")")));
ec.addElement(new Div().addElement(input5)); ec.addElement(new Div().addElement(input5));
ec.addElement(new P()); ec.addElement(new P());
ec.addElement(new Div() ec.addElement(new Div()
.addElement(new StringElement(WebGoatI18N.get("ZIPDashFour")+" (" + regex6 + ")"))); .addElement(new StringElement(getLabelManager().get("ZIPDashFour")+" (" + regex6 + ")")));
ec.addElement(new Div().addElement(input6)); ec.addElement(new Div().addElement(input6));
ec.addElement(new P()); ec.addElement(new P());
ec.addElement(new Div().addElement(new StringElement(WebGoatI18N.get("USPhoneNumber")+ " (" ec.addElement(new Div().addElement(new StringElement(getLabelManager().get("USPhoneNumber")+ " ("
+ regex7 + ")"))); + regex7 + ")")));
ec.addElement(new Div().addElement(input7)); ec.addElement(new Div().addElement(input7));
ec.addElement(new P()); ec.addElement(new P());
@ -161,43 +160,43 @@ public class JavaScriptValidation extends LessonAdapter
if (!pattern1.matcher(param1).matches()) if (!pattern1.matcher(param1).matches())
{ {
err++; err++;
msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+" Field1."; msg += "<BR>"+getLabelManager().get("ServerSideValidationViolation")+" Field1.";
} }
if (!pattern2.matcher(param2).matches()) if (!pattern2.matcher(param2).matches())
{ {
err++; err++;
msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+" Field2."; msg += "<BR>"+getLabelManager().get("ServerSideValidationViolation")+" Field2.";
} }
if (!pattern3.matcher(param3).matches()) if (!pattern3.matcher(param3).matches())
{ {
err++; err++;
msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field3."; msg += "<BR>"+getLabelManager().get("ServerSideValidationViolation")+"Field3.";
} }
if (!pattern4.matcher(param4).matches()) if (!pattern4.matcher(param4).matches())
{ {
err++; err++;
msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field4."; msg += "<BR>"+getLabelManager().get("ServerSideValidationViolation")+"Field4.";
} }
if (!pattern5.matcher(param5).matches()) if (!pattern5.matcher(param5).matches())
{ {
err++; err++;
msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field5."; msg += "<BR>"+getLabelManager().get("ServerSideValidationViolation")+"Field5.";
} }
if (!pattern6.matcher(param6).matches()) if (!pattern6.matcher(param6).matches())
{ {
err++; err++;
msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field6."; msg += "<BR>"+getLabelManager().get("ServerSideValidationViolation")+"Field6.";
} }
if (!pattern7.matcher(param7).matches()) if (!pattern7.matcher(param7).matches())
{ {
err++; err++;
msg += "<BR>"+WebGoatI18N.get("ServerSideValidationViolation")+"Field7."; msg += "<BR>"+getLabelManager().get("ServerSideValidationViolation")+"Field7.";
} }
if (err > 0) if (err > 0)
@ -213,7 +212,7 @@ public class JavaScriptValidation extends LessonAdapter
catch (Exception e) catch (Exception e)
{ {
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -238,9 +237,9 @@ public class JavaScriptValidation extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("JavaScriptValidationHint1")); hints.add(getLabelManager().get("JavaScriptValidationHint1"));
hints.add(WebGoatI18N.get("JavaScriptValidationHint2")); hints.add(getLabelManager().get("JavaScriptValidationHint2"));
hints.add(WebGoatI18N.get("JavaScriptValidationHint3")); hints.add(getLabelManager().get("JavaScriptValidationHint3"));
return hints; return hints;
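Review bot: `b.setValue("Submit");` at the top of the hunk at `@ -125,28 +124,28` leaves the button caption as a literal while BasicAuthentication's button in this commit uses `getLabelManager().get("Submit")`; replace it with `b.setValue(getLabelManager().get("Submit"));` so the button follows the rest of the page. In the hunk at `@ -161,43 +160,43` the seven violation messages are inconsistent on the new side: Field1 and Field2 append `" Field1."` with a leading space, Field3 to Field7 append `"Field3."` without one, so the rendered text differs per field; pick one form. getHints in the last hunk continues past the hunk's end.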


@ -15,7 +15,6 @@ import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR; import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/** /**
* ************************************************************************************************* * *************************************************************************************************
@ -220,7 +219,7 @@ public abstract class LessonAdapter extends AbstractLesson {
protected Element makeSuccess(WebSession s) { protected Element makeSuccess(WebSession s) {
getLessonTracker(s).setCompleted(true); getLessonTracker(s).setCompleted(true);
s.setMessage(WebGoatI18N.get("LessonCompleted")); s.setMessage(getLabelManager().get("LessonCompleted"));
return (null); return (null);
} }
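Review bot: `makeSuccess` in the hunk at `@ -220,7 +219,7` has no Javadoc, and with this change its message text now comes from `getLabelManager()` while subclasses in the same commit (HtmlClues) call setMessage again right after it. Add a Javadoc block stating that it marks the lesson tracker completed, sets the localized `LessonCompleted` message on the session and always returns null, and noting that a subclass which sets its own message afterwards should check whether that replaces this one.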


@ -18,7 +18,6 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -75,15 +74,15 @@ public class LogSpoofing extends LessonAdapter
TR row2 = new TR(); TR row2 = new TR();
TR row3 = new TR(); TR row3 = new TR();
row1.addElement(new TD(new StringElement(WebGoatI18N.get("UserName")+":"))); row1.addElement(new TD(new StringElement(getLabelManager().get("UserName")+":")));
Input username = new Input(Input.TEXT, USERNAME, ""); Input username = new Input(Input.TEXT, USERNAME, "");
row1.addElement(new TD(username)); row1.addElement(new TD(username));
row2.addElement(new TD(new StringElement(WebGoatI18N.get("Password")+": "))); row2.addElement(new TD(new StringElement(getLabelManager().get("Password")+": ")));
Input password = new Input(Input.PASSWORD, PASSWORD, ""); Input password = new Input(Input.PASSWORD, PASSWORD, "");
row2.addElement(new TD(password)); row2.addElement(new TD(password));
Element b = ECSFactory.makeButton(WebGoatI18N.get("Login")); Element b = ECSFactory.makeButton(getLabelManager().get("Login"));
row3.addElement(new TD(new StringElement("&nbsp; "))); row3.addElement(new TD(new StringElement("&nbsp; ")));
row3.addElement(new TD(b)).setAlign("right"); row3.addElement(new TD(b)).setAlign("right");
@ -105,7 +104,7 @@ public class LogSpoofing extends LessonAdapter
Table t2 = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); Table t2 = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
TR row4 = new TR(); TR row4 = new TR();
row4.addElement(new TD(new PRE(WebGoatI18N.get("LoginFailedForUserName")+": " + inputUsername))).setBgColor(HtmlColor.GRAY); row4.addElement(new TD(new PRE(getLabelManager().get("LoginFailedForUserName")+": " + inputUsername))).setBgColor(HtmlColor.GRAY);
t2.addElement(row4); t2.addElement(row4);
@ -134,10 +133,10 @@ public class LogSpoofing extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("LogSpoofingHint1")); hints.add(getLabelManager().get("LogSpoofingHint1"));
hints.add(WebGoatI18N.get("LogSpoofingHint2")); hints.add(getLabelManager().get("LogSpoofingHint2"));
hints.add(WebGoatI18N.get("LogSpoofingHint3")); hints.add(getLabelManager().get("LogSpoofingHint3"));
hints.add(WebGoatI18N.get("LogSpoofingHint4")); hints.add(getLabelManager().get("LogSpoofingHint4"));
return hints; return hints;
} }
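Review bot: The separator appended after the label on the new L453 and L456 lines is inconsistent — `getLabelManager().get("UserName")+":"` has no trailing space while `getLabelManager().get("Password")+": "` does — and appending punctuation in code means the separator cannot follow the target locale's convention (French, for instance, places a space before a colon). Moving the colon into the resource strings, or at least using the same separator on both rows, would fix this. The same code-side concatenation around a runtime value appears on the `LoginFailedForUserName` line in the next hunk. The enclosing methods start and end outside the visible hunks.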


@ -16,7 +16,6 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -78,8 +77,8 @@ public class PathBasedAccessControl extends LessonAdapter
} }
String[] list = d.list(); String[] list = d.list();
String listing = " <p><B>"+WebGoatI18N.get("CurrentDirectory")+"</B> " + Encoding.urlDecode(dir) String listing = " <p><B>"+getLabelManager().get("CurrentDirectory")+"</B> " + Encoding.urlDecode(dir)
+ "<br><br>"+WebGoatI18N.get("ChooseFileToView")+"</p>"; + "<br><br>"+getLabelManager().get("ChooseFileToView")+"</p>";
TR tr = new TR(); TR tr = new TR();
tr.addElement(new TD().setColSpan(2).addElement(new StringElement(listing))); tr.addElement(new TD().setColSpan(2).addElement(new StringElement(listing)));
@ -87,7 +86,7 @@ public class PathBasedAccessControl extends LessonAdapter
tr = new TR(); tr = new TR();
tr.addElement(new TD().setWidth("35%").addElement(ECSFactory.makePulldown(FILE, list, "", 15))); tr.addElement(new TD().setWidth("35%").addElement(ECSFactory.makePulldown(FILE, list, "", 15)));
tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("ViewFile")))); tr.addElement(new TD().addElement(ECSFactory.makeButton(getLabelManager().get("ViewFile"))));
t.addElement(tr); t.addElement(tr);
ec.addElement(t); ec.addElement(t);
@ -106,13 +105,13 @@ public class PathBasedAccessControl extends LessonAdapter
// file // file
if (upDirCount(file) == 3 && !file.endsWith("LICENSE")) if (upDirCount(file) == 3 && !file.endsWith("LICENSE"))
{ {
s.setMessage(WebGoatI18N.get("AccessDenied")); s.setMessage(getLabelManager().get("AccessDenied"));
s.setMessage(WebGoatI18N.get("ItAppears1")); s.setMessage(getLabelManager().get("ItAppears1"));
} }
else if (upDirCount(file) > 3) else if (upDirCount(file) > 3)
{ {
s.setMessage(WebGoatI18N.get("AccessDenied")); s.setMessage(getLabelManager().get("AccessDenied"));
s.setMessage(WebGoatI18N.get("ItAppears2")); s.setMessage(getLabelManager().get("ItAppears2"));
} }
else else
{ {
@ -131,13 +130,13 @@ public class PathBasedAccessControl extends LessonAdapter
if (s.isDebug()) if (s.isDebug())
{ {
s.setMessage(WebGoatI18N.get("File") + file); s.setMessage(getLabelManager().get("File") + file);
s.setMessage(WebGoatI18N.get("Dir")+ dir); s.setMessage(getLabelManager().get("Dir")+ dir);
// s.setMessage("File URI: " + "file:///" + // s.setMessage("File URI: " + "file:///" +
// (Encoding.urlEncode(dir) + "\\" + // (Encoding.urlEncode(dir) + "\\" +
// Encoding.urlEncode(file)).replaceAll("\\\\","/")); // Encoding.urlEncode(file)).replaceAll("\\\\","/"));
s.setMessage(WebGoatI18N.get("IsFile")+ f.isFile()); s.setMessage(getLabelManager().get("IsFile")+ f.isFile());
s.setMessage(WebGoatI18N.get("Exists") + f.exists()); s.setMessage(getLabelManager().get("Exists") + f.exists());
} }
if (!illegalCommand) if (!illegalCommand)
{ {
@ -147,21 +146,21 @@ public class PathBasedAccessControl extends LessonAdapter
// directory listing we gave them. // directory listing we gave them.
if (upDirCount(file) >= 1) if (upDirCount(file) >= 1)
{ {
s.setMessage(WebGoatI18N.get("CongratsAccessToFileAllowed")); s.setMessage(getLabelManager().get("CongratsAccessToFileAllowed"));
s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath())); s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath()));
makeSuccess(s); makeSuccess(s);
} }
else else
{ {
s.setMessage(WebGoatI18N.get("FileInAllowedDirectory")); s.setMessage(getLabelManager().get("FileInAllowedDirectory"));
s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath())); s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath()));
} }
} }
else if (file != null && file.length() != 0) else if (file != null && file.length() != 0)
{ {
s s
.setMessage(WebGoatI18N.get("AccessToFileDenied1") + Encoding.urlDecode(f.getCanonicalPath()) .setMessage(getLabelManager().get("AccessToFileDenied1") + Encoding.urlDecode(f.getCanonicalPath())
+ WebGoatI18N.get("AccessToFileDenied2")); + getLabelManager().get("AccessToFileDenied2"));
} }
else else
{ {
@ -175,11 +174,11 @@ public class PathBasedAccessControl extends LessonAdapter
ec.addElement(new BR()); ec.addElement(new BR());
ec.addElement(new BR()); ec.addElement(new BR());
ec.addElement(new HR().setWidth("100%")); ec.addElement(new HR().setWidth("100%"));
ec.addElement(WebGoatI18N.get("ViewingFile")+ f.getCanonicalPath()); ec.addElement(getLabelManager().get("ViewingFile")+ f.getCanonicalPath());
ec.addElement(new HR().setWidth("100%")); ec.addElement(new HR().setWidth("100%"));
if (f.length() > 80000) { throw new Exception(WebGoatI18N.get("FileTooLarge")); } if (f.length() > 80000) { throw new Exception(getLabelManager().get("FileTooLarge")); }
String fileData = getFileText(new BufferedReader(new FileReader(f)), false); String fileData = getFileText(new BufferedReader(new FileReader(f)), false);
if (fileData.indexOf(0x00) != -1) { throw new Exception(WebGoatI18N.get("FileBinary")); } if (fileData.indexOf(0x00) != -1) { throw new Exception(getLabelManager().get("FileBinary")); }
ec.addElement(new StringElement(fileData.replaceAll(System.getProperty("line.separator"), "<br>") ec.addElement(new StringElement(fileData.replaceAll(System.getProperty("line.separator"), "<br>")
.replaceAll("(?s)<!DOCTYPE.*/head>", "").replaceAll("<br><br>", "<br>") .replaceAll("(?s)<!DOCTYPE.*/head>", "").replaceAll("<br><br>", "<br>")
.replaceAll("<br>\\s<br>", "<br>").replaceAll("<\\?", "&lt;").replaceAll("<(r|u|t)", .replaceAll("<br>\\s<br>", "<br>").replaceAll("<\\?", "&lt;").replaceAll("<(r|u|t)",
@ -187,13 +186,13 @@ public class PathBasedAccessControl extends LessonAdapter
} catch (Exception e) } catch (Exception e)
{ {
ec.addElement(new BR()); ec.addElement(new BR());
ec.addElement(WebGoatI18N.get("TheFollowingError")); ec.addElement(getLabelManager().get("TheFollowingError"));
ec.addElement(e.getMessage()); ec.addElement(e.getMessage());
} }
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage(WebGoatI18N.get("ErrorGenerating")+ this.getClass().getName()); s.setMessage(getLabelManager().get("ErrorGenerating")+ this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -230,10 +229,10 @@ public class PathBasedAccessControl extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("PathBasedAccessControlHint1")); hints.add(getLabelManager().get("PathBasedAccessControlHint1"));
hints.add(WebGoatI18N.get("PathBasedAccessControlHint2")); hints.add(getLabelManager().get("PathBasedAccessControlHint2"));
hints.add(WebGoatI18N.get("PathBasedAccessControlHint3")); hints.add(getLabelManager().get("PathBasedAccessControlHint3"));
hints.add(WebGoatI18N.get("PathBasedAccessControlHint4")); hints.add(getLabelManager().get("PathBasedAccessControlHint4"));
return hints; return hints;
} }
@ -245,7 +244,7 @@ public class PathBasedAccessControl extends LessonAdapter
*/ */
public String getInstructions(WebSession s) public String getInstructions(WebSession s)
{ {
String instructions = WebGoatI18N.get("PathBasedAccessControlInstr1")+ s.getUserName() + WebGoatI18N.get("PathBasedAccessControlInstr2"); String instructions = getLabelManager().get("PathBasedAccessControlInstr1")+ s.getUserName() + getLabelManager().get("PathBasedAccessControlInstr2");
return (instructions); return (instructions);
} }
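Review bot: Building a sentence from two localized halves around a runtime value, as in `getLabelManager().get("AccessToFileDenied1") + Encoding.urlDecode(f.getCanonicalPath()) + getLabelManager().get("AccessToFileDenied2")` and the `PathBasedAccessControlInstr1`/`PathBasedAccessControlInstr2` pair in getInstructions, ties the sentence structure to English word order and will not translate cleanly. A single key holding a `{0}` placeholder, formatted with `java.text.MessageFormat`, keeps the whole sentence in the bundle: `MessageFormat.format(getLabelManager().get("AccessToFileDenied"), Encoding.urlDecode(f.getCanonicalPath()))` (the unsuffixed key is a suggested new entry, not one on the page). The same split-key pattern is in ReflectedXSS (`ReflectedXSSWhoops1`/`ReflectedXSSWhoops2`) and LogSpoofing (`LoginFailedForUserName`). Bundle values would then need to follow MessageFormat's quoting rules for single quotes and braces.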


@ -19,7 +19,6 @@ import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.HtmlEncoder; import org.owasp.webgoat.util.HtmlEncoder;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -88,13 +87,13 @@ public class ReflectedXSS extends LessonAdapter
makeSuccess(s); makeSuccess(s);
} }
s.setMessage(WebGoatI18N.get("ReflectedXSSWhoops1")+ param1 + WebGoatI18N.get("ReflectedXSSWhoops2")); s.setMessage(getLabelManager().get("ReflectedXSSWhoops1")+ param1 + getLabelManager().get("ReflectedXSSWhoops2"));
} }
// FIXME: encode output of field2, then s.setMessage( field2 ); // FIXME: encode output of field2, then s.setMessage( field2 );
ec.addElement(new HR().setWidth("90%")); ec.addElement(new HR().setWidth("90%"));
ec.addElement(new Center().addElement(new H1().addElement(WebGoatI18N.get("ShoppingCart")))); ec.addElement(new Center().addElement(new H1().addElement(getLabelManager().get("ShoppingCart"))));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
if (s.isColor()) if (s.isColor())
@ -103,10 +102,10 @@ public class ReflectedXSS extends LessonAdapter
} }
TR tr = new TR(); TR tr = new TR();
tr.addElement(new TH().addElement(WebGoatI18N.get("ShoppingCartItems")).setWidth("80%")); tr.addElement(new TH().addElement(getLabelManager().get("ShoppingCartItems")).setWidth("80%"));
tr.addElement(new TH().addElement(WebGoatI18N.get("Price")).setWidth("10%")); tr.addElement(new TH().addElement(getLabelManager().get("Price")).setWidth("10%"));
tr.addElement(new TH().addElement(WebGoatI18N.get("Quantity")).setWidth("3%")); tr.addElement(new TH().addElement(getLabelManager().get("Quantity")).setWidth("3%"));
tr.addElement(new TH().addElement(WebGoatI18N.get("Total")).setWidth("7%")); tr.addElement(new TH().addElement(getLabelManager().get("Total")).setWidth("7%"));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
@ -171,24 +170,24 @@ public class ReflectedXSS extends LessonAdapter
ec.addElement(new BR()); ec.addElement(new BR());
tr = new TR(); tr = new TR();
tr.addElement(new TD().addElement(WebGoatI18N.get("TotalChargedCreditCard")+":")); tr.addElement(new TD().addElement(getLabelManager().get("TotalChargedCreditCard")+":"));
tr.addElement(new TD().addElement(money.format(runningTotal))); tr.addElement(new TD().addElement(money.format(runningTotal)));
tr.addElement(new TD().addElement(ECSFactory.makeButton(WebGoatI18N.get("UpdateCart")))); tr.addElement(new TD().addElement(ECSFactory.makeButton(getLabelManager().get("UpdateCart"))));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(2)); tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
tr.addElement(new TD().addElement(WebGoatI18N.get("EnterCreditCard")+":")); tr.addElement(new TD().addElement(getLabelManager().get("EnterCreditCard")+":"));
tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2", param2))); tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2", param2)));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
tr.addElement(new TD().addElement(WebGoatI18N.get("Enter3DigitCode")+":")); tr.addElement(new TD().addElement(getLabelManager().get("Enter3DigitCode")+":"));
tr.addElement(new TD().addElement("<input name='field1' type='TEXT' value='" + param1 + "'>")); tr.addElement(new TD().addElement("<input name='field1' type='TEXT' value='" + param1 + "'>"));
// tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1",param1))); // tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1",param1)));
t.addElement(tr); t.addElement(tr);
Element b = ECSFactory.makeButton(WebGoatI18N.get("Purchase")); Element b = ECSFactory.makeButton(getLabelManager().get("Purchase"));
tr = new TR(); tr = new TR();
tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("center")); tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("center"));
t.addElement(tr); t.addElement(tr);
@ -198,7 +197,7 @@ public class ReflectedXSS extends LessonAdapter
ec.addElement(new HR().setWidth("90%")); ec.addElement(new HR().setWidth("90%"));
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
return (ec); return (ec);
@ -222,11 +221,11 @@ public class ReflectedXSS extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("ReflectedXSSHint1")); hints.add(getLabelManager().get("ReflectedXSSHint1"));
hints.add(WebGoatI18N.get("ReflectedXSSHint2")); hints.add(getLabelManager().get("ReflectedXSSHint2"));
hints.add(WebGoatI18N.get("ReflectedXSSHint3")); hints.add(getLabelManager().get("ReflectedXSSHint3"));
hints.add(WebGoatI18N.get("ReflectedXSSHint4")); hints.add(getLabelManager().get("ReflectedXSSHint4"));
hints.add(WebGoatI18N.get("ReflectedXSSHint5")); hints.add(getLabelManager().get("ReflectedXSSHint5"));
return hints; return hints;
} }
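Review bot: The content-building method on the new side calls `getLabelManager()` once per label — about a dozen times across the hunks in this file — so whatever lookup it performs (session or locale resolution; its body is not visible here) is repeated on every render. Fetching the manager once into a local at the top of the method and reusing that reference for the `.get(...)` calls would make the cost explicit and guarantee every label on the page is resolved against the same locale snapshot. The same applies to the getHints methods in the other lessons in this commit. The enclosing method starts and ends outside the visible hunks.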


@ -6,7 +6,6 @@ import java.util.List;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -79,11 +78,11 @@ public class RemoteAdminFlaw extends LessonAdapter
public List<String> getHints(WebSession s) public List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("RemoteAdminFlawHint1")); hints.add(getLabelManager().get("RemoteAdminFlawHint1"));
hints.add(WebGoatI18N.get("RemoteAdminFlawHint2")); hints.add(getLabelManager().get("RemoteAdminFlawHint2"));
hints.add(WebGoatI18N.get("RemoteAdminFlawHint3")); hints.add(getLabelManager().get("RemoteAdminFlawHint3"));
hints.add(WebGoatI18N.get("RemoteAdminFlawHint4")); hints.add(getLabelManager().get("RemoteAdminFlawHint4"));
hints.add(WebGoatI18N.get("RemoteAdminFlawHint5")); hints.add(getLabelManager().get("RemoteAdminFlawHint5"));
return hints; return hints;
} }
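Review bot: `public List<String> getHints(WebSession s)` on L670 widens the method's visibility compared with the sibling lessons touched in this commit — LogSpoofing, PathBasedAccessControl, ReflectedXSS and the Sql* lessons all declare it `protected`. Unless something outside the lesson hierarchy calls it, `protected List<String> getHints(WebSession s)` keeps the override surface consistent across lessons. Adding `@Override` to these overrides would also let the compiler catch a signature drift in the base class. The enclosing class continues outside the hunk.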


@ -19,7 +19,6 @@ import org.apache.ecs.html.PRE;
import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -109,7 +108,7 @@ public class SqlAddData extends SequentialLessonAdapter
} }
else else
{ {
ec.addElement(WebGoatI18N.get("NoResultsMatched")); ec.addElement(getLabelManager().get("NoResultsMatched"));
} }
// see if the number of rows in the table has changed // see if the number of rows in the table has changed
@ -131,7 +130,7 @@ public class SqlAddData extends SequentialLessonAdapter
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -143,13 +142,13 @@ public class SqlAddData extends SequentialLessonAdapter
protected Element makeAccountLine(WebSession s) protected Element makeAccountLine(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement(WebGoatI18N.get("EnterUserid"))); ec.addElement(new P().addElement(getLabelManager().get("EnterUserid")));
userid = s.getParser().getRawParameter(USERID, "jsmith"); userid = s.getParser().getRawParameter(USERID, "jsmith");
Input input = new Input(Input.TEXT, USERID, userid.toString()); Input input = new Input(Input.TEXT, USERID, userid.toString());
ec.addElement(input); ec.addElement(input);
Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!")); Element b = ECSFactory.makeButton(getLabelManager().get("Go!"));
ec.addElement(b); ec.addElement(b);
return ec; return ec;
@ -185,11 +184,11 @@ public class SqlAddData extends SequentialLessonAdapter
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("SqlAddDataHint1")); hints.add(getLabelManager().get("SqlAddDataHint1"));
hints.add(WebGoatI18N.get("SqlAddDataHint2")); hints.add(getLabelManager().get("SqlAddDataHint2"));
hints.add(WebGoatI18N.get("SqlAddDataHint3")); hints.add(getLabelManager().get("SqlAddDataHint3"));
hints.add(WebGoatI18N.get("SqlAddDataHint4")); hints.add(getLabelManager().get("SqlAddDataHint4"));
hints.add(WebGoatI18N.get("SqlAddDataHint5")); hints.add(getLabelManager().get("SqlAddDataHint5"));
return hints; return hints;
} }
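Review bot: The resource key on L711, `getLabelManager().get("Go!")`, is the English button text rather than an identifier, unlike every other key in this file (`EnterUserid`, `NoResultsMatched`, `SqlAddDataHint1`). A key that doubles as display text invites typos at other call sites and is awkward to rename once bundles exist in several languages; a symbolic key such as `GoButton` (name suggested, not on the page) would be consistent with the rest. The same `"Go!"` key is used in SqlModifyData, SqlNumericInjection and SqlStringInjection in this commit. The `userid.toString()` on L709 also looks redundant if getRawParameter already returns a String, though that declaration is outside the hunk.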


@ -19,7 +19,6 @@ import org.apache.ecs.html.PRE;
import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -117,7 +116,7 @@ public class SqlModifyData extends SequentialLessonAdapter
} }
else else
{ {
ec.addElement(WebGoatI18N.get("NoResultsMatched")); ec.addElement(getLabelManager().get("NoResultsMatched"));
} }
// see if target data was modified // see if target data was modified
@ -149,7 +148,7 @@ public class SqlModifyData extends SequentialLessonAdapter
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -161,13 +160,13 @@ public class SqlModifyData extends SequentialLessonAdapter
protected Element makeAccountLine(WebSession s) protected Element makeAccountLine(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement(WebGoatI18N.get("EnterUserid"))); ec.addElement(new P().addElement(getLabelManager().get("EnterUserid")));
userid = s.getParser().getRawParameter(USERID, "jsmith"); userid = s.getParser().getRawParameter(USERID, "jsmith");
Input input = new Input(Input.TEXT, USERID, userid.toString()); Input input = new Input(Input.TEXT, USERID, userid.toString());
ec.addElement(input); ec.addElement(input);
Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!")); Element b = ECSFactory.makeButton(getLabelManager().get("Go!"));
ec.addElement(b); ec.addElement(b);
return ec; return ec;
@ -203,11 +202,11 @@ public class SqlModifyData extends SequentialLessonAdapter
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("SqlModifyDataHint1")); hints.add(getLabelManager().get("SqlModifyDataHint1"));
hints.add(WebGoatI18N.get("SqlModifyDataHint2")); hints.add(getLabelManager().get("SqlModifyDataHint2"));
hints.add(WebGoatI18N.get("SqlModifyDataHint3")); hints.add(getLabelManager().get("SqlModifyDataHint3"));
hints.add(WebGoatI18N.get("SqlModifyDataHint4")); hints.add(getLabelManager().get("SqlModifyDataHint4"));
hints.add(WebGoatI18N.get("SqlModifyDataHint5")); hints.add(getLabelManager().get("SqlModifyDataHint5"));
return hints; return hints;
} }
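Review bot: makeAccountLine at L748–L757 is identical to the one in SqlAddData — same `EnterUserid` and `Go!` labels, same USERID parameter and `"jsmith"` default — and the switch to `getLabelManager()` had to be applied to both copies separately. Since both lessons extend SequentialLessonAdapter, the method could live once in a shared base or helper so the next label change is made in one place. The method's closing brace and the rest of the class are outside the hunk.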


@ -22,7 +22,6 @@ import org.apache.ecs.html.Select;
import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -131,14 +130,14 @@ public class SqlNumericInjection extends SequentialLessonAdapter
getLessonTracker(s).setStage(2); getLessonTracker(s).setStage(2);
StringBuffer msg = new StringBuffer(); StringBuffer msg = new StringBuffer();
msg.append(WebGoatI18N.get("NumericSqlInjectionSecondStage")); msg.append(getLabelManager().get("NumericSqlInjectionSecondStage"));
s.setMessage(msg.toString()); s.setMessage(msg.toString());
} }
} }
else else
{ {
ec.addElement(WebGoatI18N.get("NoResultsMatched")); ec.addElement(getLabelManager().get("NoResultsMatched"));
} }
} catch (SQLException sqle) } catch (SQLException sqle)
@ -147,7 +146,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -158,7 +157,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(WebGoatI18N.get("NumericSqlInjectionSecondStage2")); ec.addElement(getLabelManager().get("NumericSqlInjectionSecondStage2"));
// if ( s.getParser().getRawParameter( ACCT_NUM, "101" ).equals("restart")) // if ( s.getParser().getRawParameter( ACCT_NUM, "101" ).equals("restart"))
// { // {
// getLessonTracker(s).setStage(1); // getLessonTracker(s).setStage(1);
@ -202,14 +201,14 @@ public class SqlNumericInjection extends SequentialLessonAdapter
} }
else else
{ {
ec.addElement(WebGoatI18N.get("NoResultsMatched")); ec.addElement(getLabelManager().get("NoResultsMatched"));
} }
} catch (SQLException sqle) } catch (SQLException sqle)
{ {
ec.addElement(new P().addElement(sqle.getMessage())); ec.addElement(new P().addElement(sqle.getMessage()));
} catch (NumberFormatException npe) } catch (NumberFormatException npe)
{ {
ec.addElement(new P().addElement(WebGoatI18N.get("ErrorParsingAsNumber") + npe.getMessage())); ec.addElement(new P().addElement(getLabelManager().get("ErrorParsingAsNumber") + npe.getMessage()));
} }
} catch (Exception e) } catch (Exception e)
{ {
@ -224,7 +223,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement(WebGoatI18N.get("SelectYourStation"))); ec.addElement(new P().addElement(getLabelManager().get("SelectYourStation")));
Map<String, String> stations = getStations(s); Map<String, String> stations = getStations(s);
Select select = new Select(STATION_ID); Select select = new Select(STATION_ID);
@ -237,7 +236,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
ec.addElement(select); ec.addElement(select);
ec.addElement(new P()); ec.addElement(new P());
Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!")); Element b = ECSFactory.makeButton(getLabelManager().get("Go!"));
ec.addElement(b); ec.addElement(b);
return ec; return ec;
@ -307,10 +306,10 @@ public class SqlNumericInjection extends SequentialLessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("SqlNumericInjectionHint1")); hints.add(getLabelManager().get("SqlNumericInjectionHint1"));
hints.add(WebGoatI18N.get("SqlNumericInjectionHint2")); hints.add(getLabelManager().get("SqlNumericInjectionHint2"));
hints.add(WebGoatI18N.get("SqlNumericInjectionHint3")); hints.add(getLabelManager().get("SqlNumericInjectionHint3"));
hints.add(WebGoatI18N.get("SqlNumericInjectionHint4")); hints.add(getLabelManager().get("SqlNumericInjectionHint4"));


@ -18,7 +18,6 @@ import org.apache.ecs.html.PRE;
import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -114,14 +113,14 @@ public class SqlStringInjection extends SequentialLessonAdapter
StringBuffer msg = new StringBuffer(); StringBuffer msg = new StringBuffer();
msg.append(WebGoatI18N.get("StringSqlInjectionSecondStage")); msg.append(getLabelManager().get("StringSqlInjectionSecondStage"));
s.setMessage(msg.toString()); s.setMessage(msg.toString());
} }
} }
else else
{ {
ec.addElement(WebGoatI18N.get("NoResultsMatched")); ec.addElement(getLabelManager().get("NoResultsMatched"));
} }
} catch (SQLException sqle) } catch (SQLException sqle)
{ {
@ -130,7 +129,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -141,7 +140,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(WebGoatI18N.get("StringSqlInjectionSecondStage")); ec.addElement(getLabelManager().get("StringSqlInjectionSecondStage"));
if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart")) if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart"))
{ {
getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1"); getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1");
@ -180,7 +179,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
} }
else else
{ {
ec.addElement(WebGoatI18N.get("NoResultsMatched")); ec.addElement(getLabelManager().get("NoResultsMatched"));
} }
} catch (SQLException sqle) } catch (SQLException sqle)
{ {
@ -188,7 +187,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
} }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -198,13 +197,13 @@ public class SqlStringInjection extends SequentialLessonAdapter
protected Element makeAccountLine(WebSession s) protected Element makeAccountLine(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement(WebGoatI18N.get("EnterLastName"))); ec.addElement(new P().addElement(getLabelManager().get("EnterLastName")));
accountName = s.getParser().getRawParameter(ACCT_NAME, "Your Name"); accountName = s.getParser().getRawParameter(ACCT_NAME, "Your Name");
Input input = new Input(Input.TEXT, ACCT_NAME, accountName.toString()); Input input = new Input(Input.TEXT, ACCT_NAME, accountName.toString());
ec.addElement(input); ec.addElement(input);
Element b = ECSFactory.makeButton(WebGoatI18N.get("Go!")); Element b = ECSFactory.makeButton(getLabelManager().get("Go!"));
ec.addElement(b); ec.addElement(b);
return ec; return ec;
@ -230,10 +229,10 @@ public class SqlStringInjection extends SequentialLessonAdapter
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("SqlStringInjectionHint1")); hints.add(getLabelManager().get("SqlStringInjectionHint1"));
hints.add(WebGoatI18N.get("SqlStringInjectionHint2")); hints.add(getLabelManager().get("SqlStringInjectionHint2"));
hints.add(WebGoatI18N.get("SqlStringInjectionHint3")); hints.add(getLabelManager().get("SqlStringInjectionHint3"));
hints.add(WebGoatI18N.get("SqlStringInjectionHint4")); hints.add(getLabelManager().get("SqlStringInjectionHint4"));
return hints; return hints;
} }
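Review bot: The key `StringSqlInjectionSecondStage` serves two different purposes — the transition message built with `msg.append(...)` on L849 and the stage-two page text added with `ec.addElement(...)` on L869 — whereas SqlNumericInjection uses distinct `NumericSqlInjectionSecondStage` and `NumericSqlInjectionSecondStage2` keys for the equivalent spots. If the two texts are meant to differ, L869 should read its own key (a new `StringSqlInjectionSecondStage2` entry, name suggested to match the numeric lesson); if they are meant to be identical, a short comment saying so would stop a translator from changing one without the other. Both enclosing methods start and end outside the visible hunks.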


@ -21,7 +21,6 @@ import org.apache.ecs.html.Table;
import org.apache.ecs.html.TextArea; import org.apache.ecs.html.TextArea;
import org.owasp.webgoat.session.*; import org.owasp.webgoat.session.*;
import org.owasp.webgoat.util.HtmlEncoder; import org.owasp.webgoat.util.HtmlEncoder;
import org.owasp.webgoat.util.WebGoatI18N;
/** /**
* ************************************************************************************************* * *************************************************************************************************
@ -110,7 +109,7 @@ public class StoredXss extends LessonAdapter {
// that could be trapped here but we will let them try. One error would be something // that could be trapped here but we will let them try. One error would be something
// like "Characters found after end of SQL statement." // like "Characters found after end of SQL statement."
if (e.getMessage().indexOf("No ResultSet was produced") == -1) { if (e.getMessage().indexOf("No ResultSet was produced") == -1) {
s.setMessage(WebGoatI18N.get("CouldNotAddMessage")); s.setMessage(getLabelManager().get("CouldNotAddMessage"));
} }
e.printStackTrace(); e.printStackTrace();
} }
@ -151,10 +150,10 @@ public class StoredXss extends LessonAdapter {
*/ */
protected List<String> getHints(WebSession s) { protected List<String> getHints(WebSession s) {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("StoredXssHint1")); hints.add(getLabelManager().get("StoredXssHint1"));
hints.add(WebGoatI18N.get("StoredXssHint2")); hints.add(getLabelManager().get("StoredXssHint2"));
hints.add(WebGoatI18N.get("StoredXssHint3")); hints.add(getLabelManager().get("StoredXssHint3"));
hints.add(WebGoatI18N.get("StoredXssHint4")); hints.add(getLabelManager().get("StoredXssHint4"));
return hints; return hints;
} }
@ -201,14 +200,14 @@ public class StoredXss extends LessonAdapter {
ResultSet results = statement.executeQuery(); ResultSet results = statement.executeQuery();
if ((results != null) && results.first()) { if ((results != null) && results.first()) {
ec.addElement(new H1(WebGoatI18N.get("MessageContentsFor") + ": " + results.getString(TITLE_COL))); ec.addElement(new H1(getLabelManager().get("MessageContentsFor") + ": " + results.getString(TITLE_COL)));
Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
TR row1 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Title") + ":")))); TR row1 = new TR(new TD(new B(new StringElement(getLabelManager().get("Title") + ":"))));
row1.addElement(new TD(new StringElement(results.getString(TITLE_COL)))); row1.addElement(new TD(new StringElement(results.getString(TITLE_COL))));
t.addElement(row1); t.addElement(row1);
String messageData = results.getString(MESSAGE_COL); String messageData = results.getString(MESSAGE_COL);
TR row2 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Message") + ":")))); TR row2 = new TR(new TD(new B(new StringElement(getLabelManager().get("Message") + ":"))));
row2.addElement(new TD(new StringElement(messageData))); row2.addElement(new TD(new StringElement(messageData)));
t.addElement(row2); t.addElement(row2);
@ -217,7 +216,7 @@ public class StoredXss extends LessonAdapter {
// if users use a cross site request forgery or XSS to make another user post a // if users use a cross site request forgery or XSS to make another user post a
// message, // message,
// they can see that the message is attributed to that user // they can see that the message is attributed to that user
TR row3 = new TR(new TD(new StringElement(WebGoatI18N.get("PostedBy") + ":"))); TR row3 = new TR(new TD(new StringElement(getLabelManager().get("PostedBy") + ":")));
row3.addElement(new TD(new StringElement(results.getString(USER_COL)))); row3.addElement(new TD(new StringElement(results.getString(USER_COL))));
t.addElement(row3); t.addElement(row3);
@ -232,11 +231,11 @@ public class StoredXss extends LessonAdapter {
} else { } else {
if (messageNum != 0) { if (messageNum != 0) {
ec.addElement(new P().addElement(WebGoatI18N.get("CouldNotFindMessage") + messageNum)); ec.addElement(new P().addElement(getLabelManager().get("CouldNotFindMessage") + messageNum));
} }
} }
} catch (Exception e) { } catch (Exception e) {
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -253,14 +252,14 @@ public class StoredXss extends LessonAdapter {
Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
TR row1 = new TR(); TR row1 = new TR();
TR row2 = new TR(); TR row2 = new TR();
row1.addElement(new TD(new StringElement(WebGoatI18N.get("Title") + ": "))); row1.addElement(new TD(new StringElement(getLabelManager().get("Title") + ": ")));
Input inputTitle = new Input(Input.TEXT, TITLE, ""); Input inputTitle = new Input(Input.TEXT, TITLE, "");
row1.addElement(new TD(inputTitle)); row1.addElement(new TD(inputTitle));
TD item1 = new TD(); TD item1 = new TD();
item1.setVAlign("TOP"); item1.setVAlign("TOP");
item1.addElement(new StringElement(WebGoatI18N.get("Message") + ": ")); item1.addElement(new StringElement(getLabelManager().get("Message") + ": "));
row2.addElement(item1); row2.addElement(item1);
TD item2 = new TD(); TD item2 = new TD();
@ -270,7 +269,7 @@ public class StoredXss extends LessonAdapter {
t.addElement(row1); t.addElement(row1);
t.addElement(row2); t.addElement(row2);
Element b = ECSFactory.makeButton(WebGoatI18N.get("Submit")); Element b = ECSFactory.makeButton(getLabelManager().get("Submit"));
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(t); ec.addElement(t);
ec.addElement(new P().addElement(b)); ec.addElement(new P().addElement(b));
@ -312,11 +311,11 @@ public class StoredXss extends LessonAdapter {
} }
} }
} catch (Exception e) { } catch (Exception e) {
s.setMessage(WebGoatI18N.get("ErrorGeneratingMessageList")); s.setMessage(getLabelManager().get("ErrorGeneratingMessageList"));
} }
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new H1(WebGoatI18N.get("MessageList"))); ec.addElement(new H1(getLabelManager().get("MessageList")));
ec.addElement(t); ec.addElement(t);
return (ec); return (ec);
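Review bot: `getLabelManager()` is re-invoked for every single label inside one method — five times in the hunk at `@ -201,14 +200,14 @@` and twice in the form-building hunk at `@ -253,14 +252,14 @@` — where calling it once at the top of the method and reusing the local would read better and make the manager's scope explicit; the same repetition appears throughout the WeakAuthenticationCookie section below, so I am raising it once here. The methods these hunks touch begin outside the hunks, so the natural hoisting site is not visible in the diff. One thing worth confirming as part of this refactor: Course instantiates each lesson exactly once via `c.newInstance()` and caches it, so a lesson instance is shared by every user session; if the object returned by `getLabelManager()` stores the current user's locale rather than resolving it per request, that locale becomes cross-session shared state and concurrent users could see each other's language (or race on it). A short comment on `getLabelManager()`, e.g. `// Locale is resolved per request; the manager holds no per-user state`, would settle that for the next reader if it is indeed the case.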


@ -18,7 +18,6 @@ import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR; import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.*; import org.owasp.webgoat.session.*;
import org.owasp.webgoat.util.WebGoatI18N;
/*************************************************************************************************** /***************************************************************************************************
@ -104,7 +103,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
} }
else else
{ {
s.setMessage(WebGoatI18N.get("InvalidCookie")); s.setMessage(getLabelManager().get("InvalidCookie"));
s.eatCookies(); s.eatCookies();
} }
} }
@ -142,14 +141,14 @@ public class WeakAuthenticationCookie extends LessonAdapter
if (loginID != "") if (loginID != "")
{ {
Cookie newCookie = new Cookie(AUTHCOOKIE, loginID); Cookie newCookie = new Cookie(AUTHCOOKIE, loginID);
s.setMessage(WebGoatI18N.get("IdentityRemembered")); s.setMessage(getLabelManager().get("IdentityRemembered"));
s.getResponse().addCookie(newCookie); s.getResponse().addCookie(newCookie);
return (username); return (username);
} }
else else
{ {
s.setMessage(WebGoatI18N.get("InvalidUsernameAndPassword")); s.setMessage(getLabelManager().get("InvalidUsernameAndPassword"));
} }
} }
@ -169,7 +168,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
if (logout) if (logout)
{ {
s.setMessage(WebGoatI18N.get("PasswordForgotten")); s.setMessage(getLabelManager().get("PasswordForgotten"));
s.eatCookies(); s.eatCookies();
return (makeLogin(s)); return (makeLogin(s));
@ -186,7 +185,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
if ((user != null) && (user.length() > 0)) { return (makeUser(s, user, "PARAMETERS")); } if ((user != null) && (user.length() > 0)) { return (makeUser(s, user, "PARAMETERS")); }
} catch (Exception e) } catch (Exception e)
{ {
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName()); s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
e.printStackTrace(); e.printStackTrace();
} }
@ -251,10 +250,10 @@ public class WeakAuthenticationCookie extends LessonAdapter
protected List<String> getHints(WebSession s) protected List<String> getHints(WebSession s)
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints1")); hints.add(getLabelManager().get("WeakAuthenticationCookieHints1"));
hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints2")); hints.add(getLabelManager().get("WeakAuthenticationCookieHints2"));
hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints3")); hints.add(getLabelManager().get("WeakAuthenticationCookieHints3"));
hints.add(WebGoatI18N.get("WeakAuthenticationCookieHints4")); hints.add(getLabelManager().get("WeakAuthenticationCookieHints4"));
return hints; return hints;
@ -290,7 +289,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new H1().addElement(WebGoatI18N.get("SignIn"))); ec.addElement(new H1().addElement(getLabelManager().get("SignIn")));
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor()) if (s.isColor())
@ -300,12 +299,12 @@ public class WeakAuthenticationCookie extends LessonAdapter
TR tr = new TR(); TR tr = new TR();
tr.addElement(new TH() tr.addElement(new TH()
.addElement(WebGoatI18N.get("WeakAuthenticationCookiePleaseSignIn")) .addElement(getLabelManager().get("WeakAuthenticationCookiePleaseSignIn"))
.setColSpan(2).setAlign("left")); .setColSpan(2).setAlign("left"));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
tr.addElement(new TD().addElement("*"+WebGoatI18N.get("RequiredFields")).setWidth("30%")); tr.addElement(new TD().addElement("*"+getLabelManager().get("RequiredFields")).setWidth("30%"));
t.addElement(tr); t.addElement(tr);
tr = new TR(); tr = new TR();
@ -314,8 +313,8 @@ public class WeakAuthenticationCookie extends LessonAdapter
TR row1 = new TR(); TR row1 = new TR();
TR row2 = new TR(); TR row2 = new TR();
row1.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("UserName"))))); row1.addElement(new TD(new B(new StringElement("*"+getLabelManager().get("UserName")))));
row2.addElement(new TD(new B(new StringElement("*"+WebGoatI18N.get("Password"))))); row2.addElement(new TD(new B(new StringElement("*"+getLabelManager().get("Password")))));
Input input1 = new Input(Input.TEXT, USERNAME, ""); Input input1 = new Input(Input.TEXT, USERNAME, "");
Input input2 = new Input(Input.PASSWORD, PASSWORD, ""); Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
@ -324,7 +323,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
t.addElement(row1); t.addElement(row1);
t.addElement(row2); t.addElement(row2);
Element b = ECSFactory.makeButton(WebGoatI18N.get("Login")); Element b = ECSFactory.makeButton(getLabelManager().get("Login"));
t.addElement(new TR(new TD(b))); t.addElement(new TR(new TD(b)));
ec.addElement(t); ec.addElement(t);
@ -347,10 +346,10 @@ public class WeakAuthenticationCookie extends LessonAdapter
protected Element makeUser(WebSession s, String user, String method) throws Exception protected Element makeUser(WebSession s, String user, String method) throws Exception
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
ec.addElement(new P().addElement(WebGoatI18N.get("WelcomeUser") + user)); ec.addElement(new P().addElement(getLabelManager().get("WelcomeUser") + user));
ec.addElement(new P().addElement(WebGoatI18N.get("YouHaveBeenAuthenticatedWith") + method)); ec.addElement(new P().addElement(getLabelManager().get("YouHaveBeenAuthenticatedWith") + method));
ec.addElement(new P().addElement(ECSFactory.makeLink(WebGoatI18N.get("Logout"), LOGOUT, true))); ec.addElement(new P().addElement(ECSFactory.makeLink(getLabelManager().get("Logout"), LOGOUT, true)));
ec.addElement(new P().addElement(ECSFactory.makeLink(WebGoatI18N.get("Refresh"), "", ""))); ec.addElement(new P().addElement(ECSFactory.makeLink(getLabelManager().get("Refresh"), "", "")));
return (ec); return (ec);
} }


@ -1,398 +1,397 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
import java.io.File; import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collections; import java.util.Collections;
import java.util.Iterator; import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.Set; import java.util.Set;
import java.util.LinkedList; import java.util.LinkedList;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
import org.owasp.webgoat.HammerHead; import org.owasp.webgoat.HammerHead;
import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.util.WebGoatI18N; import org.owasp.webgoat.util.WebGoatI18N;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
/** /**
* ************************************************************************************************* * *************************************************************************************************
* *
* *
* This file is part of WebGoat, an Open Web Application Security Project * This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/ * utility. For details, please see http://www.owasp.org/
* *
* Copyright (c) 2002 - 20014 Bruce Mayhew * Copyright (c) 2002 - 20014 Bruce Mayhew
* *
* This program is free software; you can redistribute it and/or modify it under * This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software * the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later * Foundation; either version 2 of the License, or (at your option) any later
* version. * version.
* *
* This program is distributed in the hope that it will be useful, but WITHOUT * This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details. * details.
* *
* You should have received a copy of the GNU General Public License along with * You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA. * Place - Suite 330, Boston, MA 02111-1307, USA.
* *
* Getting Source ============== * Getting Source ==============
* *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects. * for free software projects.
* *
* For details, please see http://webgoat.github.io * For details, please see http://webgoat.github.io
* *
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003 * @created October 28, 2003
*/ */
public class Course { public class Course {
final Logger logger = LoggerFactory.getLogger(Course.class); final Logger logger = LoggerFactory.getLogger(Course.class);
private final List<AbstractLesson> lessons = new LinkedList<AbstractLesson>(); private final List<AbstractLesson> lessons = new LinkedList<AbstractLesson>();
private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath; private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath;
private WebgoatProperties properties = null; private WebgoatProperties properties = null;
private final List<String> files = new LinkedList<String>(); private final List<String> files = new LinkedList<String>();
private WebgoatContext webgoatContext; private WebgoatContext webgoatContext;
public Course() { public Course() {
try { try {
properties = new WebgoatProperties(PROPERTIES_FILENAME); properties = new WebgoatProperties(PROPERTIES_FILENAME);
} catch (IOException e) { } catch (IOException e) {
logger.error("Error loading webgoat properties", e); logger.error("Error loading webgoat properties", e);
} }
} }
/** /**
* Take an absolute file and return the filename. * Take an absolute file and return the filename.
* *
* Ex. /etc/password becomes password * Ex. /etc/password becomes password
* *
* @param s * @param s
* @return the file name * @return the file name
*/ */
private static String getFileName(String s) { private static String getFileName(String s) {
String fileName = new File(s).getName(); String fileName = new File(s).getName();
if (fileName.contains("/")) { if (fileName.contains("/")) {
fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length()); fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length());
} }
if (fileName.contains(".")) { if (fileName.contains(".")) {
fileName = fileName.substring(0, fileName.indexOf(".")); fileName = fileName.substring(0, fileName.indexOf("."));
} }
return fileName; return fileName;
} }
/** /**
* Take a class name and return the equivalent file name * Take a class name and return the equivalent file name
* *
* Ex. org.owasp.webgoat becomes org/owasp/webgoat.java * Ex. org.owasp.webgoat becomes org/owasp/webgoat.java
* *
* @param className * @param className
* @return * @return
*/ */
private static String getSourceFile(String className) { private static String getSourceFile(String className) {
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();
sb.append(className.replace(".", "/")); sb.append(className.replace(".", "/"));
sb.append(".java"); sb.append(".java");
return sb.toString(); return sb.toString();
} }
/** /**
* Takes a file name and builds the class file name * Takes a file name and builds the class file name
* *
* @param fileName Description of the Parameter * @param fileName Description of the Parameter
* @param path Description of the Parameter * @param path Description of the Parameter
* @return Description of the Return Value * @return Description of the Return Value
*/ */
private static String getClassFile(String fileName, String path) { private static String getClassFile(String fileName, String path) {
String ext = ".class"; String ext = ".class";
fileName = fileName.trim(); fileName = fileName.trim();
/** /**
* We do not handle directories. We do not handle files with different * We do not handle directories. We do not handle files with different
* extensions * extensions
*/ */
if (fileName.endsWith("/") || !fileName.endsWith(ext)) { if (fileName.endsWith("/") || !fileName.endsWith(ext)) {
return null; return null;
} }
// if the file is in /WEB-INF/classes strip the dir info off // if the file is in /WEB-INF/classes strip the dir info off
int index = fileName.indexOf("/WEB-INF/classes/"); int index = fileName.indexOf("/WEB-INF/classes/");
if (index != -1) { if (index != -1) {
fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length()); fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length());
fileName = fileName.replace('/', '.'); fileName = fileName.replace('/', '.');
fileName = fileName.replace('\\', '.'); fileName = fileName.replace('\\', '.');
} else { } else {
// Strip off the leading path info // Strip off the leading path info
fileName = fileName.substring(path.length(), fileName.length() - ext.length()); fileName = fileName.substring(path.length(), fileName.length() - ext.length());
} }
return fileName; return fileName;
} }
/** /**
* Gets the categories attribute of the Course object * Gets the categories attribute of the Course object
* *
* @return The categories value * @return The categories value
*/ */
public List getCategories() { public List getCategories() {
List<Category> categories = new ArrayList<Category>(); List<Category> categories = new ArrayList<Category>();
for (AbstractLesson lesson : lessons) { for (AbstractLesson lesson : lessons) {
if (!categories.contains(lesson.getCategory())) { if (!categories.contains(lesson.getCategory())) {
categories.add(lesson.getCategory()); categories.add(lesson.getCategory());
} }
} }
Collections.sort(categories); Collections.sort(categories);
return categories; return categories;
} }
/** /**
* Gets the firstLesson attribute of the Course object * Gets the firstLesson attribute of the Course object
* *
* @return The firstLesson value * @return The firstLesson value
*/ */
public AbstractLesson getFirstLesson() { public AbstractLesson getFirstLesson() {
List<String> roles = new ArrayList<String>(); List<String> roles = new ArrayList<String>();
roles.add(AbstractLesson.USER_ROLE); roles.add(AbstractLesson.USER_ROLE);
// Category 0 is the admin function. We want the first real category // Category 0 is the admin function. We want the first real category
// to be returned. This is noramally the General category and the Http Basics lesson // to be returned. This is noramally the General category and the Http Basics lesson
return ((AbstractLesson) getLessons((Category) getCategories().get(0), roles).get(0)); return ((AbstractLesson) getLessons((Category) getCategories().get(0), roles).get(0));
} }
/** /**
* Gets the lesson attribute of the Course object * Gets the lesson attribute of the Course object
* *
* @param s * @param s
* @param lessonId Description of the Parameter * @param lessonId Description of the Parameter
* @param roles * @param roles
* @return The lesson value * @return The lesson value
*/ */
public AbstractLesson getLesson(WebSession s, int lessonId, List<String> roles) { public AbstractLesson getLesson(WebSession s, int lessonId, List<String> roles) {
if (s.isHackedAdmin()) { if (s.isHackedAdmin()) {
roles.add(AbstractLesson.HACKED_ADMIN_ROLE); roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
} }
// System.out.println("getLesson() with roles: " + roles); // System.out.println("getLesson() with roles: " + roles);
Iterator<AbstractLesson> iter = lessons.iterator(); Iterator<AbstractLesson> iter = lessons.iterator();
while (iter.hasNext()) { while (iter.hasNext()) {
AbstractLesson lesson = iter.next(); AbstractLesson lesson = iter.next();
// System.out.println("getLesson() at role: " + lesson.getRole()); // System.out.println("getLesson() at role: " + lesson.getRole());
if (lesson.getScreenId() == lessonId && roles.contains(lesson.getRole())) { if (lesson.getScreenId() == lessonId && roles.contains(lesson.getRole())) {
return lesson; return lesson;
} }
} }
return null; return null;
} }
public AbstractLesson getLesson(WebSession s, int lessonId, String role) { public AbstractLesson getLesson(WebSession s, int lessonId, String role) {
List<String> roles = new ArrayList<String>(); List<String> roles = new ArrayList<String>();
roles.add(role); roles.add(role);
return getLesson(s, lessonId, roles); return getLesson(s, lessonId, roles);
} }
public List getLessons(WebSession s, String role) { public List getLessons(WebSession s, String role) {
List<String> roles = new ArrayList<String>(); List<String> roles = new ArrayList<String>();
roles.add(role); roles.add(role);
return getLessons(s, roles); return getLessons(s, roles);
} }
/** /**
* Gets the lessons attribute of the Course object * Gets the lessons attribute of the Course object
* *
* @param s * @param s
* @param roles * @param roles
* @return The lessons value * @return The lessons value
*/ */
public List<AbstractLesson> getLessons(WebSession s, List<String> roles) { public List<AbstractLesson> getLessons(WebSession s, List<String> roles) {
if (s.isHackedAdmin()) { if (s.isHackedAdmin()) {
roles.add(AbstractLesson.HACKED_ADMIN_ROLE); roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
} }
List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>(); List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>();
Iterator categoryIter = getCategories().iterator(); Iterator categoryIter = getCategories().iterator();
while (categoryIter.hasNext()) { while (categoryIter.hasNext()) {
lessonList.addAll(getLessons(s, (Category) categoryIter.next(), roles)); lessonList.addAll(getLessons(s, (Category) categoryIter.next(), roles));
} }
return lessonList; return lessonList;
} }
/** /**
* Gets the lessons attribute of the Course object * Gets the lessons attribute of the Course object
* *
* @param category Description of the Parameter * @param category Description of the Parameter
* @param role Description of the Parameter * @param role Description of the Parameter
* @return The lessons value * @return The lessons value
*/ */
private List<AbstractLesson> getLessons(Category category, List roles) { private List<AbstractLesson> getLessons(Category category, List roles) {
List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>(); List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>();
for (AbstractLesson lesson : lessons) { for (AbstractLesson lesson : lessons) {
if (lesson.getCategory().equals(category) && roles.contains(lesson.getRole())) { if (lesson.getCategory().equals(category) && roles.contains(lesson.getRole())) {
lessonList.add(lesson); lessonList.add(lesson);
} }
} }
Collections.sort(lessonList); Collections.sort(lessonList);
// System.out.println(java.util.Arrays.asList(lessonList)); // System.out.println(java.util.Arrays.asList(lessonList));
return lessonList; return lessonList;
} }
public List getLessons(WebSession s, Category category, String role) { public List getLessons(WebSession s, Category category, String role) {
List<String> roles = new ArrayList<String>(); List<String> roles = new ArrayList<String>();
roles.add(role); roles.add(role);
return getLessons(s, category, roles); return getLessons(s, category, roles);
} }
public List<AbstractLesson> getLessons(WebSession s, Category category, List<String> roles) { public List<AbstractLesson> getLessons(WebSession s, Category category, List<String> roles) {
if (s.isHackedAdmin()) { if (s.isHackedAdmin()) {
roles.add(AbstractLesson.HACKED_ADMIN_ROLE); roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
} }
return getLessons(category, roles); return getLessons(category, roles);
} }
public AbstractLesson getLesson(int lessonId) { public AbstractLesson getLesson(int lessonId) {
for (AbstractLesson l : lessons) { for (AbstractLesson l : lessons) {
if (l.getScreenId() == lessonId) { if (l.getScreenId() == lessonId) {
return l; return l;
} }
} }
return null; return null;
} }
/** /**
* Load all of the filenames into a temporary cache * Load all of the filenames into a temporary cache
* *
* @param context * @param context
* @param path * @param path
*/ */
private void loadFiles(ServletContext context, String path) { private void loadFiles(ServletContext context, String path) {
logger.debug("Loading files into cache, path: " + path); logger.debug("Loading files into cache, path: " + path);
Set resourcePaths = context.getResourcePaths(path); Set resourcePaths = context.getResourcePaths(path);
if (resourcePaths == null) { if (resourcePaths == null) {
logger.error("Unable to load file cache for courses, this is probably a bug or configuration issue"); logger.error("Unable to load file cache for courses, this is probably a bug or configuration issue");
return; return;
} }
Iterator itr = resourcePaths.iterator(); Iterator itr = resourcePaths.iterator();
while (itr.hasNext()) { while (itr.hasNext()) {
String file = (String) itr.next(); String file = (String) itr.next();
if (file.length() != 1 && file.endsWith("/")) { if (file.length() != 1 && file.endsWith("/")) {
loadFiles(context, file); loadFiles(context, file);
} else { } else {
files.add(file); files.add(file);
} }
} }
} }
/** /**
* Instantiate all the lesson objects into a cache * Instantiate all the lesson objects into a cache
* *
* @param path * @param path
*/ */
private void loadLessons(String path) { private void loadLessons(String path) {
for (String file : files) { for (String file : files) {
String className = getClassFile(file, path); String className = getClassFile(file, path);
if (className != null && !className.endsWith("_i")) { if (className != null && !className.endsWith("_i")) {
try { try {
Class c = Class.forName(className); Class c = Class.forName(className);
Object o = c.newInstance(); Object o = c.newInstance();
if (o instanceof AbstractLesson) { if (o instanceof AbstractLesson) {
AbstractLesson lesson = (AbstractLesson) o; AbstractLesson lesson = (AbstractLesson) o;
lesson.setWebgoatContext(webgoatContext); lesson.setWebgoatContext(webgoatContext);
lesson.update(properties); lesson.update(properties);
if (lesson.getHidden() == false) { if (lesson.getHidden() == false) {
lessons.add(lesson); lessons.add(lesson);
} }
} }
} catch (Exception e) { } catch (Exception e) {
logger.error("Error in loadLessons: ", e); logger.error("Error in loadLessons: ", e);
} }
} }
} }
} }
private String getLanguageFromFileName(String first, String absoluteFile) { private String getLanguageFromFileName(String first, String absoluteFile) {
int p1 = absoluteFile.indexOf("/", absoluteFile.indexOf(first) + 1); int p1 = absoluteFile.indexOf("/", absoluteFile.indexOf(first) + 1);
int p2 = absoluteFile.indexOf("/", p1 + 1); int p2 = absoluteFile.indexOf("/", p1 + 1);
String langStr = absoluteFile.substring(p1 + 1, p2); String langStr = absoluteFile.substring(p1 + 1, p2);
return langStr; return langStr;
} }
/** /**
* For each lesson, set the source file and lesson file * For each lesson, set the source file and lesson file
*/ */
private void loadResources() { private void loadResources() {
for (AbstractLesson lesson : lessons) { for (AbstractLesson lesson : lessons) {
logger.info("Loading resources for lesson -> " + lesson.getName()); logger.info("Loading resources for lesson -> " + lesson.getName());
String className = lesson.getClass().getName(); String className = lesson.getClass().getName();
String classFile = getSourceFile(className); String classFile = getSourceFile(className);
logger.info("Lesson classname: " + className); logger.info("Lesson classname: " + className);
logger.info("Lesson java file: " + classFile); logger.info("Lesson java file: " + classFile);
for (String absoluteFile : files) { for (String absoluteFile : files) {
String fileName = getFileName(absoluteFile); String fileName = getFileName(absoluteFile);
//logger.debug("Course: looking at file: " + absoluteFile); //logger.debug("Course: looking at file: " + absoluteFile);
if (absoluteFile.endsWith(classFile)) { if (absoluteFile.endsWith(classFile)) {
logger.info("Set source file for " + classFile); logger.info("Set source file for " + classFile);
lesson.setSourceFileName(absoluteFile); lesson.setSourceFileName(absoluteFile);
} }
if (absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html") if (absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html")
&& className.endsWith(fileName)) { && className.endsWith(fileName)) {
logger.info("setting lesson plan file " + absoluteFile + " for lesson " logger.info("setting lesson plan file " + absoluteFile + " for lesson "
+ lesson.getClass().getName()); + lesson.getClass().getName());
logger.info("fileName: " + fileName + " == className: " + className); logger.info("fileName: " + fileName + " == className: " + className);
String language = getLanguageFromFileName("/lesson_plans", absoluteFile); String language = getLanguageFromFileName("/lesson_plans", absoluteFile);
lesson.setLessonPlanFileName(language, absoluteFile); lesson.setLessonPlanFileName(language, absoluteFile);
WebGoatI18N.loadLanguage(language); }
} if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html")
if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") && className.endsWith(fileName)) {
&& className.endsWith(fileName)) { logger.info("setting lesson solution file " + absoluteFile + " for lesson "
logger.info("setting lesson solution file " + absoluteFile + " for lesson " + lesson.getClass().getName());
+ lesson.getClass().getName()); logger.info("fileName: " + fileName + " == className: " + className);
logger.info("fileName: " + fileName + " == className: " + className); lesson.setLessonSolutionFileName(absoluteFile);
lesson.setLessonSolutionFileName(absoluteFile); }
} }
} }
} }
}
/**
/** * Description of the Method
* Description of the Method *
* * @param webgoatContext
* @param webgoatContext * @param path Description of the Parameter
* @param path Description of the Parameter * @param context Description of the Parameter
* @param context Description of the Parameter */
*/ public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path) {
public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path) { logger.info("Loading courses: " + path);
logger.info("Loading courses: " + path); this.webgoatContext = webgoatContext;
this.webgoatContext = webgoatContext; loadFiles(context, path);
loadFiles(context, path); loadLessons(path);
loadLessons(path); loadResources();
loadResources(); }
} }
}



@ -1,231 +1,216 @@
package org.owasp.webgoat.session; package org.owasp.webgoat.session;
import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServlet;
import org.slf4j.Logger;
import org.owasp.webgoat.util.WebGoatI18N; import org.slf4j.LoggerFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory; public class WebgoatContext {
public class WebgoatContext { final Logger logger = LoggerFactory.getLogger(WebgoatContext.class);
final Logger logger = LoggerFactory.getLogger(WebgoatContext.class); public final static String DATABASE_CONNECTION_STRING = "DatabaseConnectionString";
public final static String DATABASE_CONNECTION_STRING = "DatabaseConnectionString"; public final static String DATABASE_DRIVER = "DatabaseDriver";
public final static String DATABASE_DRIVER = "DatabaseDriver"; public final static String DATABASE_USER = "DatabaseUser";
public final static String DATABASE_USER = "DatabaseUser"; public final static String DATABASE_PASSWORD = "DatabasePassword";
public final static String DATABASE_PASSWORD = "DatabasePassword"; public final static String ENTERPRISE = "Enterprise";
public final static String ENTERPRISE = "Enterprise"; public final static String CODING_EXERCISES = "CodingExercises";
public final static String CODING_EXERCISES = "CodingExercises"; public final static String SHOWCOOKIES = "ShowCookies";
public final static String SHOWCOOKIES = "ShowCookies"; public final static String SHOWPARAMS = "ShowParams";
public final static String SHOWPARAMS = "ShowParams"; public final static String SHOWREQUEST = "ShowRequest";
public final static String SHOWREQUEST = "ShowRequest"; public final static String SHOWSOURCE = "ShowSource";
public final static String SHOWSOURCE = "ShowSource"; public final static String SHOWSOLUTION = "ShowSolution";
public final static String SHOWSOLUTION = "ShowSolution"; public final static String SHOWHINTS = "ShowHints";
public final static String SHOWHINTS = "ShowHints"; public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands";
public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands"; public final static String FEEDBACK_ADDRESS_HTML = "FeedbackAddressHTML";
public final static String FEEDBACK_ADDRESS_HTML = "FeedbackAddressHTML"; public final static String FEEDBACK_ADDRESS = "email";
public final static String FEEDBACK_ADDRESS = "email"; public final static String DEBUG = "debug";
public final static String DEBUG = "debug"; public final static String DEFAULTLANGUAGE = "DefaultLanguage";
public final static String DEFAULTLANGUAGE = "DefaultLanguage"; private String databaseConnectionString;
private String databaseConnectionString; private String realConnectionString = null;
private String realConnectionString = null; private String databaseDriver;
private String databaseDriver; private String databaseUser;
private String databaseUser; private String databasePassword;
private String databasePassword; private boolean showCookies = false;
private boolean showCookies = false; private boolean showParams = false;
private boolean showParams = false; private boolean showRequest = false;
private boolean showRequest = false; private boolean showSource = false;
private boolean showSource = false; private boolean showSolution = false;
private boolean showSolution = false; private boolean defuseOSCommands = false;
private boolean defuseOSCommands = false; private boolean enterprise = false;
private boolean enterprise = false; private boolean codingExercises = false;
private boolean codingExercises = false; private String feedbackAddress = "webgoat@owasp.org";
private String feedbackAddress = "webgoat@owasp.org"; private String feedbackAddressHTML = "<A HREF=mailto:webgoat@owasp.org>webgoat@owasp.org</A>";
private String feedbackAddressHTML = "<A HREF=mailto:webgoat@owasp.org>webgoat@owasp.org</A>"; private boolean isDebug = false;
private boolean isDebug = false; private String servletName;
private String servletName; private HttpServlet servlet;
private HttpServlet servlet; private String defaultLanguage;
private String defaultLanguage; public WebgoatContext(HttpServlet servlet) {
this.servlet = servlet;
private WebGoatI18N webgoati18n = null; databaseConnectionString = getParameter(servlet, DATABASE_CONNECTION_STRING);
databaseDriver = getParameter(servlet, DATABASE_DRIVER);
public WebgoatContext(HttpServlet servlet) { databaseUser = getParameter(servlet, DATABASE_USER);
this.servlet = servlet; databasePassword = getParameter(servlet, DATABASE_PASSWORD);
databaseConnectionString = getParameter(servlet, DATABASE_CONNECTION_STRING);
databaseDriver = getParameter(servlet, DATABASE_DRIVER); // initialize from web.xml
databaseUser = getParameter(servlet, DATABASE_USER); showParams = "true".equals(getParameter(servlet, SHOWPARAMS));
databasePassword = getParameter(servlet, DATABASE_PASSWORD); showCookies = "true".equals(getParameter(servlet, SHOWCOOKIES));
showSource = "true".equals(getParameter(servlet, SHOWSOURCE));
// initialize from web.xml showSolution = "true".equals(getParameter(servlet, SHOWSOLUTION));
showParams = "true".equals(getParameter(servlet, SHOWPARAMS)); defuseOSCommands = "true".equals(getParameter(servlet, DEFUSEOSCOMMANDS));
showCookies = "true".equals(getParameter(servlet, SHOWCOOKIES)); enterprise = "true".equals(getParameter(servlet, ENTERPRISE));
showSource = "true".equals(getParameter(servlet, SHOWSOURCE)); codingExercises = "true".equals(getParameter(servlet, CODING_EXERCISES));
showSolution = "true".equals(getParameter(servlet, SHOWSOLUTION)); feedbackAddressHTML = getParameter(servlet, FEEDBACK_ADDRESS_HTML) != null ? getParameter(servlet,
defuseOSCommands = "true".equals(getParameter(servlet, DEFUSEOSCOMMANDS)); FEEDBACK_ADDRESS_HTML)
enterprise = "true".equals(getParameter(servlet, ENTERPRISE)); : feedbackAddressHTML;
codingExercises = "true".equals(getParameter(servlet, CODING_EXERCISES)); feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS) != null ? getParameter(servlet, FEEDBACK_ADDRESS)
feedbackAddressHTML = getParameter(servlet, FEEDBACK_ADDRESS_HTML) != null ? getParameter(servlet, : feedbackAddress;
FEEDBACK_ADDRESS_HTML) showRequest = "true".equals(getParameter(servlet, SHOWREQUEST));
: feedbackAddressHTML; isDebug = "true".equals(getParameter(servlet, DEBUG));
feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS) != null ? getParameter(servlet, FEEDBACK_ADDRESS) servletName = servlet.getServletName();
: feedbackAddress; defaultLanguage = getParameter(servlet, DEFAULTLANGUAGE) != null ? new String(getParameter(servlet, DEFAULTLANGUAGE)) : new String("en");
showRequest = "true".equals(getParameter(servlet, SHOWREQUEST)); }
isDebug = "true".equals(getParameter(servlet, DEBUG));
servletName = servlet.getServletName(); private String getParameter(HttpServlet servlet, String key) {
defaultLanguage = getParameter(servlet, DEFAULTLANGUAGE) != null ? new String(getParameter(servlet, DEFAULTLANGUAGE)) : new String("en"); String value = System.getenv().get(key);
if (value == null) {
webgoati18n = new WebGoatI18N(this); value = servlet.getInitParameter(key);
}
} return value;
}
private String getParameter(HttpServlet servlet, String key) {
String value = System.getenv().get(key); /**
if (value == null) { * returns the connection string with the real path to the database
value = servlet.getInitParameter(key); * directory inserted at the word PATH
} *
return value; * @return The databaseConnectionString value
} */
public String getDatabaseConnectionString() {
/** if (realConnectionString == null) {
* returns the connection string with the real path to the database try {
* directory inserted at the word PATH String path = servlet.getServletContext().getRealPath("/database").replace('\\', '/');
* System.out.println("PATH: " + path);
* @return The databaseConnectionString value realConnectionString = databaseConnectionString.replaceAll("PATH", path);
*/ System.out.println("Database Connection String: " + realConnectionString);
public String getDatabaseConnectionString() { } catch (Exception e) {
if (realConnectionString == null) { logger.error("Couldn't open database: check web.xml database parameters", e);
try { }
String path = servlet.getServletContext().getRealPath("/database").replace('\\', '/'); }
System.out.println("PATH: " + path); return realConnectionString;
realConnectionString = databaseConnectionString.replaceAll("PATH", path); }
System.out.println("Database Connection String: " + realConnectionString);
} catch (Exception e) { /**
logger.error("Couldn't open database: check web.xml database parameters", e); * Gets the databaseDriver attribute of the WebSession object
} *
} * @return The databaseDriver value
return realConnectionString; */
} public String getDatabaseDriver() {
return (databaseDriver);
/** }
* Gets the databaseDriver attribute of the WebSession object
* /**
* @return The databaseDriver value * Gets the databaseUser attribute of the WebSession object
*/ *
public String getDatabaseDriver() { * @return The databaseUser value
return (databaseDriver); */
} public String getDatabaseUser() {
return (databaseUser);
/** }
* Gets the databaseUser attribute of the WebSession object
* /**
* @return The databaseUser value * Gets the databasePassword attribute of the WebSession object
*/ *
public String getDatabaseUser() { * @return The databasePassword value
return (databaseUser); */
} public String getDatabasePassword() {
return (databasePassword);
/** }
* Gets the databasePassword attribute of the WebSession object
* public boolean isDefuseOSCommands() {
* @return The databasePassword value return defuseOSCommands;
*/ }
public String getDatabasePassword() {
return (databasePassword); public boolean isEnterprise() {
} return enterprise;
}
public boolean isDefuseOSCommands() {
return defuseOSCommands; public boolean isCodingExercises() {
} return codingExercises;
}
public boolean isEnterprise() {
return enterprise; public String getFeedbackAddress() {
} return feedbackAddress;
}
public boolean isCodingExercises() {
return codingExercises; public String getFeedbackAddressHTML() {
} return feedbackAddressHTML;
}
public String getFeedbackAddress() {
return feedbackAddress; public boolean isDebug() {
} return isDebug;
}
public String getFeedbackAddressHTML() {
return feedbackAddressHTML; public String getServletName() {
} return servletName;
}
public boolean isDebug() {
return isDebug; public boolean isShowCookies() {
} return showCookies;
}
public String getServletName() {
return servletName; public boolean isShowParams() {
} return showParams;
}
public boolean isShowCookies() {
return showCookies; public boolean isShowRequest() {
} return showRequest;
}
public boolean isShowParams() {
return showParams; public boolean isShowSource() {
} return showSource;
}
public boolean isShowRequest() {
return showRequest; public boolean isShowSolution() {
} return showSolution;
}
public boolean isShowSource() {
return showSource; public String getDefaultLanguage() {
} return defaultLanguage;
}
public boolean isShowSolution() {
return showSolution; }
}
public String getDefaultLanguage() {
return defaultLanguage;
}
public void setWebgoatiI18N(WebGoatI18N webgoati18n) {
this.webgoati18n = webgoati18n;
}
public WebGoatI18N getWebgoatI18N() {
return webgoati18n;
}
}
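Review bot: `getDatabaseConnectionString()` prints the resolved JDBC connection string to stdout via `System.out.println("Database Connection String: " + realConnectionString)`; if the configured string embeds credentials, they land in the container's console log next to the `PATH:` line. Route both through the class's existing SLF4J `logger` at debug level and log the resolved directory rather than the full string, e.g. `logger.debug("Database directory resolved to {}", path);`. `getParameter` consults `System.getenv()` before `servlet.getInitParameter`, so an environment variable named `DatabasePassword` or `DatabaseConnectionString` silently overrides web.xml; that precedence deserves a comment on the method, e.g. `// environment variables take precedence over web.xml init-parameters`. The `defaultLanguage` assignment wraps both branches in `new String(...)`, which copies a String for no effect; `getParameter(servlet, DEFAULTLANGUAGE) != null ? getParameter(servlet, DEFAULTLANGUAGE) : "en"` is equivalent.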


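--- /dev/null
+++ b/org/owasp/webgoat/util/BeanProvider.java
@@ -0,0 +1,63 @@
+package org.owasp.webgoat.util;
+import org.springframework.beans.BeansException;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.ApplicationContextAware;
+import org.springframework.stereotype.Component;
+/***************************************************************************************************
+*
+*
+* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+* please see http://www.owasp.org/
+*
+* Copyright (c) 2002 - 20014 Bruce Mayhew
+*
+* This program is free software; you can redistribute it and/or modify it under the terms of the
+* GNU General Public License as published by the Free Software Foundation; either version 2 of the
+* License, or (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along with this program; if
+* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+* 02111-1307, USA.
+*
+* Getting Source ==============
+*
+* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for
+* free software projects.
+*
+* For details, please see http://webgoat.github.io
+*/
+@Component
+public class BeanProvider implements ApplicationContextAware
+{
+private static ApplicationContext ctx;
+@Override
+public void setApplicationContext(ApplicationContext applicationContext) throws BeansException
+{
+ctx = applicationContext;
+}
+/**
+* Get access to managed beans from id.
+*
+* @param beanName
+* the id of the searched bean
+* @param beanClass
+* the type of tye searched bean
+* @return
+*/
+@SuppressWarnings("unchecked")
+public static <T> T getBean(final String beanName, final Class<T> beanClass)
+{
+return (T) ctx.getBean(beanName);
+}
+}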
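Review bot: `getBean` ignores its `beanClass` argument and relies on an unchecked cast, so a bean registered under `beanName` with a different type surfaces as a `ClassCastException` at the call site instead of at lookup; Spring's typed lookup performs that check, so the body can become `return ctx.getBean(beanName, beanClass);` and the `@SuppressWarnings("unchecked")` can go. `ctx` is a static field written from an instance callback and read from any thread without `volatile`, and it is null until Spring has invoked `setApplicationContext`; at minimum declare it `private static volatile ApplicationContext ctx;` and throw an `IllegalStateException` with a clear message when it is still null. The Javadoc `@return` is empty and `tye` is a typo for `the`.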


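--- /dev/null
+++ b/org/owasp/webgoat/util/LabelManager.java
@@ -0,0 +1,41 @@
+package org.owasp.webgoat.util;
+import java.util.Locale;
+/***************************************************************************************************
+*
+*
+* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+* please see http://www.owasp.org/
+*
+* Copyright (c) 2002 - 20014 Bruce Mayhew
+*
+* This program is free software; you can redistribute it and/or modify it under the terms of the
+* GNU General Public License as published by the Free Software Foundation; either version 2 of the
+* License, or (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along with this program; if
+* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+* 02111-1307, USA.
+*
+* Getting Source ==============
+*
+* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for
+* free software projects.
+*
+* For details, please see http://webgoat.github.io
+*/
+public interface LabelManager
+{
+public void setLocale(Locale locale);
+public String get(String labelKey);
+}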
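Review bot: The interface carries no Javadoc, and its contract is not obvious from the signatures: in this commit `LabelManagerImpl.setLocale` silently ignores a null `Locale`, and `LabelProvider.get` propagates `MissingResourceException` from `ResourceBundle.getString` for an unknown key, neither of which a caller reading this file can see. Add a one-line comment per method, e.g. `/** Sets the locale used by subsequent {@link #get(String)} calls; implementations may ignore null. */` on `setLocale` and `/** Returns the label for {@code labelKey} in the current locale; throws MissingResourceException if the key is absent from every bundle. */` on `get`.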


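--- /dev/null
+++ b/org/owasp/webgoat/util/LabelManagerImpl.java
@@ -0,0 +1,61 @@
+package org.owasp.webgoat.util;
+import java.util.Locale;
+import javax.annotation.Resource;
+import org.springframework.context.annotation.Scope;
+import org.springframework.context.annotation.ScopedProxyMode;
+import org.springframework.stereotype.Component;
+/***************************************************************************************************
+*
+*
+* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+* please see http://www.owasp.org/
+*
+* Copyright (c) 2002 - 20014 Bruce Mayhew
+*
+* This program is free software; you can redistribute it and/or modify it under the terms of the
+* GNU General Public License as published by the Free Software Foundation; either version 2 of the
+* License, or (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along with this program; if
+* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+* 02111-1307, USA.
+*
+* Getting Source ==============
+*
+* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for
+* free software projects.
+*
+* For details, please see http://webgoat.github.io
+*/
+@Component("labelManager")
+@Scope(value="session", proxyMode=ScopedProxyMode.INTERFACES)
+public class LabelManagerImpl implements LabelManager
+{
+@Resource
+private LabelProvider labelProvider;
+/** Locale mapped with current session. */
+private Locale locale = new Locale(LabelProvider.DEFAULT_LANGUAGE);
+public void setLocale(Locale locale)
+{
+if (locale != null)
+{
+this.locale = locale;
+}
+}
+public String get(String labelKey)
+{
+return labelProvider.get(locale, labelKey);
+}
+}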
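Review bot: `setLocale` silently ignores a null argument, so a caller that fails to resolve a locale keeps whatever this session had before with no signal; if that is the intended fallback, say so in Javadoc, otherwise reject it with `Objects.requireNonNull(locale, "locale");`. The `locale` field is plain mutable state on a session-scoped bean, so two concurrent requests from the same session (for example two browser tabs) can race between `setLocale` and `get`; mark it `volatile` or document that the bean is not thread-safe. Neither method has Javadoc; a class comment such as `/** Session-scoped label lookup: resolves keys through LabelProvider using the locale last set for this HTTP session, defaulting to "en". */` would cover the contract.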


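--- /dev/null
+++ b/org/owasp/webgoat/util/LabelProvider.java
@@ -0,0 +1,67 @@
+package org.owasp.webgoat.util;
+import java.util.HashMap;
+import java.util.Locale;
+import java.util.ResourceBundle;
+import org.springframework.stereotype.Component;
+/***************************************************************************************************
+*
+*
+* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+* please see http://www.owasp.org/
+*
+* Copyright (c) 2002 - 20014 Bruce Mayhew
+*
+* This program is free software; you can redistribute it and/or modify it under the terms of the
+* GNU General Public License as published by the Free Software Foundation; either version 2 of the
+* License, or (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along with this program; if
+* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+* 02111-1307, USA.
+*
+* Getting Source ==============
+*
+* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for
+* free software projects.
+*
+* For details, please see http://webgoat.github.io
+*/
+@Component
+public class LabelProvider
+{
+public final static String DEFAULT_LANGUAGE = "en";
+private final HashMap<Locale, ResourceBundle> labels = new HashMap<Locale, ResourceBundle>();
+private final WebGoatResourceBundleController localeController = new WebGoatResourceBundleController();
+public String get(Locale locale, String strName)
+{
+if (!labels.containsKey(locale))
+{
+ResourceBundle resBundle = ResourceBundle.getBundle("WebGoatLabels", locale, localeController);
+labels.put(locale, resBundle);
+}
+return labels.get(locale).getString(strName);
+}
+private class WebGoatResourceBundleController extends ResourceBundle.Control
+{
+private final Locale fallbackLocale = new Locale(DEFAULT_LANGUAGE);
+@Override
+public Locale getFallbackLocale(String baseName, Locale locale)
+{
+if (!fallbackLocale.equals(locale)) { return fallbackLocale; }
+return Locale.ROOT;
+}
+}
+}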
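Review bot: `get` mutates a plain `HashMap` on a singleton `@Component` from whichever request thread first asks for a locale, and the `containsKey`-then-`put` pair is not atomic, so two sessions resolving different locales at the same time modify the map concurrently without any synchronization. `ResourceBundle.getBundle` already caches bundles per base name, locale and class loader, so the map can be dropped and the method reduced to `return ResourceBundle.getBundle("WebGoatLabels", locale, localeController).getString(strName);`; if the map is kept, make it a `ConcurrentHashMap` and use `putIfAbsent`. An unknown key raises `MissingResourceException` from `getString`, which the callers in this commit do not catch, so a typo in a lesson's label key becomes an unhandled exception on the page; document that on `get` or return the key itself as a visible placeholder. `WebGoatResourceBundleController` is a non-static inner class that uses nothing from its enclosing instance; declare it `private static class`, as the copy in `WebGoatI18N` already does.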


@ -6,36 +6,61 @@ import java.util.ResourceBundle;
import org.owasp.webgoat.session.WebgoatContext; import org.owasp.webgoat.session.WebgoatContext;
public class WebGoatI18N { @Deprecated
public class WebGoatI18N
{
private static HashMap<String,ResourceBundle> labels= new HashMap<String,ResourceBundle>(); private static HashMap<Locale, ResourceBundle> labels = new HashMap<Locale, ResourceBundle>();
private static String defaultLanguage ; private static Locale currentLocale;
private static String currentLanguage; private static WebGoatResourceBundleController localeController;
public WebGoatI18N(WebgoatContext context){ public WebGoatI18N(WebgoatContext context)
Locale l = new Locale(context.getDefaultLanguage()); {
WebGoatI18N.defaultLanguage=context.getDefaultLanguage(); currentLocale = new Locale(context.getDefaultLanguage());
labels.put(context.getDefaultLanguage(),ResourceBundle.getBundle("WebGoatLabels_english",l)); localeController = new WebGoatResourceBundleController(currentLocale);
} }
public static void loadLanguage(String language){ @Deprecated
Locale l = new Locale(language); public static void loadLanguage(String language)
labels.put(language, ResourceBundle.getBundle("WebGoatLabels_english",l)); {
// Do nothing
} }
public static void setCurrentLanguage(String language){ public static void setCurrentLocale(Locale locale)
WebGoatI18N.currentLanguage=language; {
} if (!currentLocale.equals(locale))
{
public static String get(String strName) { if (!labels.containsKey(locale))
if(labels.containsKey(WebGoatI18N.currentLanguage)){ {
return labels.get(WebGoatI18N.currentLanguage).getString(strName); ResourceBundle resBundle = ResourceBundle.getBundle("WebGoatLabels", locale, localeController);
} labels.put(locale, resBundle);
else { }
return labels.get(WebGoatI18N.defaultLanguage).getString(strName); WebGoatI18N.currentLocale = locale;
} }
} }
public static String get(String strName)
{
return labels.get(WebGoatI18N.currentLocale).getString(strName);
}
private static class WebGoatResourceBundleController extends ResourceBundle.Control
{
private Locale fallbackLocale;
public WebGoatResourceBundleController(Locale l)
{
fallbackLocale = l;
}
@Override
public Locale getFallbackLocale(String baseName, Locale locale)
{
if(! fallbackLocale.equals(locale)) {
return fallbackLocale;
}
return Locale.ROOT;
}
}
} }
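Review bot: The new constructor assigns `currentLocale` but never loads that locale's bundle into `labels`, and `setCurrentLocale` only loads a bundle when the requested locale differs from the current one, so `get` dereferences `labels.get(WebGoatI18N.currentLocale)` as null until some other language has been selected — a NullPointerException on the default-language path. Loading the default bundle in the constructor closes the gap: `labels.put(currentLocale, ResourceBundle.getBundle("WebGoatLabels", currentLocale, localeController));`. Beyond that, `currentLocale` and `labels` are static, so one user's `setCurrentLocale` changes the language every other session sees and concurrent requests mutate an unsynchronized `HashMap`; that is presumably why the class is now `@Deprecated`, but while it stays on the classpath a `@deprecated` Javadoc tag naming `LabelManager` as the replacement would steer callers away. The hunk starts at line 6 of the file, so the imports and any class-level Javadoc are outside it.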


@ -0,0 +1,222 @@
#General
LessonCompleted=F\u00e9licitations. Vous avez termin\u00e9 cette le\u00e7on avec succ\u00e9s.
RestartLesson=Recommencer cette le\u00e7on
SolutionVideos=Solution vid\u00e9os
ErrorGenerating=Error generating
InvalidData=Donn\u00e9e invalide
#HttpBasics.java
EnterYourName=Entrez votre nom
Go!=Go!
#BasicAuthentication.java
BasicAuthHeaderNameIncorrect=Le nom de l'en-t\u00eate d'authentification Basic est incorrect.
BasicAuthHeaderValueIncorrect=La valeur de l'en-t\u00eate d'authentification Basic est incorrecte.
BasicAuthenticationWhatIsNameOfHeader=Quel est le nom de l'en-t\u00eate d'authentification ?
BasicAuthenticationWhatIsDecodedValueOfHeader=Quelle est la valeur d\u00e9cod\u00e9e de l'en-t\u00eate d'authentification ?
Submit=Envoyer
BasicAuthenticationGreenStars1=Fermer votre navigateur et connectez-vous en tant que
BasicAuthenticationGreenStars2= afin de retrouver vos \u00e9toiles vertes.
BasicAuthenticationStage1Completed=F\u00e9licitations, vous avez compris la m\u00e9canique de l'authentification Basic.&nbsp;&nbsp;- Vous devez maintenant faire en sorte que WebGoat vous r\u00e9authentifie en tant que: &nbsp;&nbsp;&nbsp;&nbsp;- username: basic &nbsp;&nbsp;&nbsp;&nbsp;- password: basic. Utilisez le menu Basic Authentication pour d\u00e9marrer \u00e0 la page de connexion.
BasicAuthenticationAlmostThere1=Vous y \u00eates presque ! Vous avez modifi\u00e9 l'en-t\u00eate
BasicAuthenticationAlmostThere2= mais vous \u00eates toujours connect\u00e9 en tant que
BasicAuthenticationAlmostThere3=. Etudiez la requ\u00eate soumise apr\u00e8s la saisie des identifiants 'basic' d'utilisateur. Souvenez-vous de l'ordre des \u00e9v\u00e9nements intervenant durant l'authentification Basic.
BasicAuthenticationReallyClose=Vous touchez au but ! Changer le cookie de session contraint le serveur \u00e0 vous assigner une nouvelle session. Cela ne contraint pas le serveur \u00e0 vous r\u00e9authentifier. Quand vous aurez d\u00e9termin\u00e9 comment forcer le serveur \u00e0 op\u00e9rer une requ\u00eate d'authentification, vous devrez vous authentifier en tant que:<br><br>&nbsp;&nbsp;&nbsp;&nbsp;user name: basic<br> &nbsp;&nbsp;&nbsp;&nbsp;password: basic<br>
BasicAuthenticationUseTheHints=Utiliez les indices ! Un \u00e0 la fois...
BasicAuthenticationHint1=L'authentification Basic utilise un cookie pour transmettre les donn\u00e9es d'identification. Utilisez un proxy pour intercepter la requ\u00eate. Etudiez les cookies.
BasicAuthenticationHint2=L'authentification Basic utilise l'encodage Base64 pour 'brouiller' the " + "user's login credentials.
BasicAuthenticationHint3=L'authentification Basic utilise 'Authorization' comme nom de cookie pour " + "store the user's credentials.
BasicAuthenticationHint4=Utiliez WebScarab -> Tools -> Transcoder to Base64 decode the value in the Authorization cookie.
BasicAuthenticationHint5=L'authentification Basic utilise un cookie pour transmettre les donn\u00e9es d'identification. Utilisez un proxy pour intercepter la requ\u00eate. Etudiez les cookies.
BasicAuthenticationHint6=Avant que le serveur web ne requiert une identification du client, la validit\u00e9 de la session courante est contr\u00f4l\u00e9e.
BasicAuthenticationHint7=Si la session est invalide, le serveur web utilisera les identifiants d'authentification Basic
BasicAuthenticationHint8=Si la session est invalide et que les identifiants d'authentification Basic sont \u00e9galement invalides, de nouveaux identifiants seront r\u00e9clam\u00e9s au client.
BasicAuthenticationHint9=Interceptez la requ\u00eate et falsifiez le JSESSIONID et l'en-t\u00eate d'Authorization.
#WeakAuthenticationCookie.java
InvalidCookie=Cookie invalide
IdentityRemembered=Votre identit\u00e9 a \u00e9t\u00e9 m\u00e9moris\u00e9e
InvalidUsernameAndPassword=Nom d'utilisateur et mot de passe saisis invalides.
UserName=Nom d'utilisateur
Password=Mot de passe
Login=Login
RequiredFields=Champs obligatoires
WeakAuthenticationCookiePleaseSignIn=Veuillez vous connecter \u00e0 votre compte. Contactez l'admin OWASP si vous n'avez pas de compte.
SignIn=Connexion
PasswordForgotten=Au revoir ! Votre mot de passe a \u00e9t\u00e9 oubli\u00e9
WelcomeUser=Bienvenue,
YouHaveBeenAuthenticatedWith=Vous avez \u00e9t\u00e9 authentifi\u00e9 par
Logout=D\u00e9connexion
Refresh=Rafraichir
WeakAuthenticationCookieHints1=Le serveur authentifie l'utilisateur au moyen d'un cookie, si vous envoyez le bon cookie.
WeakAuthenticationCookieHints2=La valeur AuthCookie peut-elle \u00eatre d\u00e9duite du nom d'utilisateur et du mot de passe ?
WeakAuthenticationCookieHints3=Ajoutez 'AuthCookie=********;' \u00e0 l'en-t\u00eate Cookie: header en utilisant <A href=\"https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project \">ZAP</A>.
WeakAuthenticationCookieHints4=Apr\u00e8s s'\u00eatre connect\u00e9 \u00e0 en tant que webgoat, un cookie est ajout\u00e9. 65432ubphcfx<br/>Apr\u00e8s s'\u00eatre connect\u00e9 en tant que aspect, un cookie est ajout\u00e9. 65432udfqtb<br/>Existe-t-il des similarit\u00e9s entre le cookie et les noms de login ?
#RemoteAdminFlaw.java
RemoteAdminFlawHint1=WebGoat a 2 interfaces d'admin.
RemoteAdminFlawHint2=WebGoat a une interface d'admin qui est contr\u00f4l\u00e9e via un param\u00e8tre d'URL et est 'attaquable'
RemoteAdminFlawHint3=WebGoat a une interface d'admin qui est contr\u00f4l\u00e9e par des contraintes de s\u00e9curit\u00e9 c\u00f4t\u00e9 serveur, et ne devrait pas \u00eatre 'attaquable'
RemoteAdminFlawHint4=Follow the Source!
RemoteAdminFlawHint5=En cas de succ\u00e8s, vous verrez appara\u00eetre de nouveaux sous-menus sous l'entr\u00e9e 'Admin Functions'
#PathBasedAccessControl.java
CurrentDirectory=R\u00e9pertoire courant :
ChooseFileToView=Choisissez le fichier \u00e0 visualiser :
ViewFile=Voir le fichier
AccessDenied=Acc\u00e8s refus\u00e9
ItAppears1=Vous \u00eates sur la bonne voie. Les commandes pouvant compromettre le syst\u00e8me d'exploitation ont \u00e9t\u00e9 d\u00e9sactiv\u00e9es. Vous \u00eates seulement autoris\u00e9 \u00e0 visualiser un fichier dans ce r\u00e9pertoire.
ItAppears2=Vous \u00eates sur la bonne voie. Les commandes pouvant compromettre le syst\u00e8me d'exploitation ont \u00e9t\u00e9 d\u00e9sactiv\u00e9es. Vous \u00eates seulement autoris\u00e9 \u00e0 visualiser les fichiers dans le r\u00e9pertoire webgoat.
CongratsAccessToFileAllowed=F\u00e9licitations ! Acc\u00e8s au fichier autoris\u00e9
FileInAllowedDirectory=Le fichier est d\u00e9j\u00e0 dans un r\u00e9pertoire autoris\u00e9 - essayez \u00e0 nouveau !
AccessToFileDenied1=Acc\u00e8s au fichier/r\u00e9pertoire "
AccessToFileDenied2=" refus\u00e9
FileTooLarge=Le fichier est trop volumineux
FileBinary=Le fichier est binaire
TheFollowingError=L'erreur suivante est intervenue lors de l'acc\u00e8s au fichier : <
PathBasedAccessControlInstr1=L'utilisateur '
PathBasedAccessControlInstr2=' a acc\u00e8s \u00e0 tous les fichiers du r\u00e9pertoire lesson_plans/English directory. Essayez de tromper le m\u00e9canisme de contr\u00f4le d'acc\u00e8s et d'acc\u00e9der \u00e0 une ressource ext\u00e9rieure au r\u00e9pertoire list\u00e9. Un ressource int\u00e9ressante \u00e0 obtenir peut \u00eatre un fichier tel que tomcat/conf/tomcat-users.xml. Souvenez-vous que les chemins d'acc\u00e8s seront diff\u00e9rents si vous utilisez les sources WebGoat.
ErrorGenerating=Error generating
ViewingFile=Fichier visualis\u00e9:
File=Fichier:
Dir=R\u00e9pertoire :
IsFile= - isFile() :
Exists= - exists() :
PathBasedAccessControlHint1=La plupart des syst\u00e8mes d'exploitation autorise les caract\u00e8res sp\u00e9ciaux dans un chemin.
PathBasedAccessControlHint2=Utilisez un explorateur de fichiers pour trouver the tomcat\\webapps\\WebGoat\\lesson_plans directory");
PathBasedAccessControlHint3=Essayez .. dans le chemin
PathBasedAccessControlHint4=Essayez ..\\..\\..\\LICENSE
#CommandInjection.java
Command=Commande
CommandInjectionRightTrack1=Vous \u00eates sur la bonne voie. Les commandes pouvant compromettre le syst\u00e8me d'exploitation ont \u00e9t\u00e9 d\u00e9sactiv\u00e9es. Les commandes suivantes sont autoris\u00e9es : netstat -a, dir, ls, ifconfig, and ipconfig.
CommandInjectionRightTrack2=Vous \u00eates sur la bonne voie. Les commandes pouvant compromettre le syst\u00e8me d'exploitation ont \u00e9t\u00e9 d\u00e9sactiv\u00e9es. Cette le\u00e7on est une le\u00e7on sur l'injection de commande, pas sur le contr\u00f4le d'acc\u00e8s.
YouAreCurrentlyViewing=Vous \u00eates en train de visualiser :
SelectFileFromListBelow=S\u00e9lectionnez un fichier depuis la liste ci-dessous
SelectLessonPlanToView=S\u00e9lectionnez le plan de le\u00e7on \u00e0 visualiser :
View=Voir
CommandInjectionHint1=L'application utilise une commande syst\u00e8me pour retourner le contenu d'un fichier.
CommandInjectionHint2=L'esperluette(&) s\u00e9pare les commandes dans le shell de commandes de Windows 2000. Sous Unix, le s\u00e9parateur est g\u00e9n\u00e9ralement un point-virgule(;)
CommandInjectionHint3=Utilisez un proxy pour ins\u00e9rer & netstat -a sous Windows or ;netstat -a sous Unix.
CommandInjectionHint4=Notez que le serveur peut encadrer le fichier soumis par des guillements
#NumericSqlInjection.java
NumericSqlInjectionSecondStage=Pas capable de r\u00e9ussir \u00e0 nouveau ! La le\u00e7on a d\u00e9tect\u00e9 votre attaque r\u00e9ussie et a maintenant bascul\u00e9 en mode d\u00e9fensif. Essayez \u00e0 nouveau d'attaquer une requ\u00eate param\u00e9tr\u00e9e.
NoResultsMatched=Aucun r\u00e9sultat retourn\u00e9. Essayez \u00e0 nouveau.
NumericSqlInjectionSecondStage2=Maintenant que vous avez r\u00e9alis\u00e9 une injection SQL avec succ\u00e8s, essayer le m\u00eame type d'attaque sur une requ\u00eate param\u00e9tr\u00e9e.
ErrorParsingAsNumber=Erreur lors de l'interpr\u00e9tation de station comme valeur num\u00e9rique :
SelectYourStation=S\u00e9lectionnez votre station m\u00e9t\u00e9o locale :
SqlNumericInjectionHint1=L'application r\u00e9cup\u00e8re la valeur sp\u00e9cifi\u00e9e depuis la liste d\u00e9roulante et l'ins\u00e8re \u00e0 la fin d'une commande SQL pr\u00e9-form\u00e9e.
SqlNumericInjectionHint2=Voici le code de la requ\u00eate assembl\u00e9e et ex\u00e9cut\u00e9e par WebGoat :<br><br>"SELECT * FROM weather_data WHERE station = " + station
SqlNumericInjectionHint3=Les commandes SQL compos\u00e9es peuvent \u00eatre assembl\u00e9es en associant de multiples conditions au moyen de mots-cl\u00e9 tels que AND et OR. Essayez d'assembler une commande qui sera toujours r\u00e9solue \u00e0 vrai.
SqlNumericInjectionHint4=Essayez d'intercepter la requ\u00eate post avec ZAP, et remplacez la valeur du param\u00e8tre station par [ 101 OR 1 = 1 ].
#StringSqlInjection.java
StringSqlInjectionSecondStage=Maintenant que vous avez r\u00e9alis\u00e9 une injection SQL avec succ\u00e8s, essayer le m\u00eame type d'attaque sur une requ\u00eate param\u00e9tr\u00e9e. Red\u00e9marrez la le\u00e7on si vous souhaitez revenir \u00e0 la requ\u00eate injectable.
EnterLastName=Entrez votre nom :
NoResultsMatched=Aucun r\u00e9sultat correspondant. Essayez encore.
SqlStringInjectionHint1=L'application r\u00e9cup\u00e8re votre saisie et l'ins\u00e8re \u00e0 la fin d'une commande SQL pr\u00e9-form\u00e9e.
SqlStringInjectionHint2=Voici le code de la requ\u00eate assembl\u00e9e et ex\u00e9cut\u00e9e par WebGoat :<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
SqlStringInjectionHint3=Les commandes SQL compos\u00e9es peuvent \u00eatre assembl\u00e9es en associant de multiples conditions au moyen de mots-cl\u00e9 tels que AND et OR. Essayez d'assembler une condition qui sera toujours r\u00e9solue \u00e0 vrai.
SqlStringInjectionHint4=Essayez de saisir [ smith' OR '1' = '1 ].
#LogSpoofing.java
LoginFailedForUserName=Login failed for username
LoginSucceededForUserName=LOGIN SUCCEEDED FOR USERNAME
LogSpoofingHint1=Essayez de tromper l'\u0153il humain en utilisant de nouvelles lignes.
LogSpoofingHint2=Utilisez CR (%0d) et LF (%0a) pour une nouvelle ligne.
LogSpoofingHint3=Essayez : Smith%0d%0aLogin Succeeded for username: admin
LogSpoofingHint4=Essayez : Smith%0d%0aLogin Succeeded for username: admin&lt;script&gt;alert(document.cookie)&lt;/script&gt;
#StoredXss.java
StoredXssHint1=Vous pouvez utiliser des tags HTML dans votre message.
StoredXssHint1=Dissimulez un tag SCRIPT dns le message afin d'attaquer quiconque le lira.
StoredXssHint1=Entrez : &lt;script language=\"javascript\" type=\"text/javascript\"&gt;alert(\"Ha Ha Ha\");&lt;/script&gt; dans le champ message.
StoredXssHint1=Entrez : &lt;script&gt;alert(document.cookie);&lt;/script&gt; dans le champ message.
MessageContentsFor=Contenu du message pour
Title=Titre
PostedBy=Post\u00e9 par
CouldNotFindMessage=Impossible de trouver ce message
Message=Message
MessageList=Liste de Messages
CouldNotAddMessage=Impossible d'ajouter un message \u00e0 la base de donn\u00e9es
ErroGeneratingMessageList=Erreur lors de la r\u00e9cup\u00e9ration de la liste de messages.
#ReflectedXSS.java
ReflectedXSSWhoops1=Whoops! Vous avez saisi
ReflectedXSSWhoops2= au lieu de votre code de trois digits. Veuillez essayez \u00e0 nouveau.
ShoppingCart=Panier
ShoppingCartItems=Articles du panier -- To Buy Now
Price=Prix
Quantity=Quantit\u00e9
Total=Total
TotalChargedCreditCard=Le montant pr\u00e9lev\u00e9 sur votre carte de cr\u00e9dit
UpdateCart=UpdateCart
EnterCreditCard=Entrez votre num\u00e9ro de carte de cr\u00e9dit
Enter3DigitCode=Entrez votre code d'acc\u00e8s de trois digits
Purchase=Acheter
ReflectedXSSHint1=Un script simple est &lt;SCRIPT&gt;alert('bang!');&lt;/SCRIPT&gt;.
ReflectedXSSHint2=Pouvez-vous r\u00e9v\u00e9ler le cookie JSESSIONID au moyen du script ?
ReflectedXSSHint3=Vous pouvez utiliser &lt;SCRIPT&gt;alert(document.cookie);&lt;/SCRIPT&gt; pour acc\u00e9der au session id du cookie
ReflectedXSSHint4=Pouvez-vous acc\u00e9der au champ carte de cr\u00e9dit du formulaire depuis le script ?
ReflectedXSSHint5=Essayez une commande de cross site trace (XST) :<br>&lt;script type=\"text/javascript\"&gt;if ( navigator.appName.indexOf(\"Microsoft\") !=-1){var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false); xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"&lt;br&gt;\"); document.write(str1);}&lt;/script&gt;");
#HtmlClues.java
HtmlCluesBINGO=BINGO -- admin authentifi\u00e9
HtmlCluesHint1=Vous pouvez visualiser les sources HTML en s\u00e9lectionnant 'Afficher le code source' depuis les menus du navigateur.
HtmlCluesHint2=De nombreux indices sont pr\u00e9sents dans le code HTML
HtmlCluesHint3=Recherchez le mot HIDDEN, \u00e9tudiez les URL, recherchez les commentaires.
#JavaScriptValidation.java
3LowerCase=Champ1 : exactement trois caract\u00e8res miniscules
Exactly3Digits=Champ2 : exactement trois digits
LettersNumbersSpaceOnly=Champ3 : lettres, nombres et espace seulement
EnumerationOfNumbers=Champ4 : \u00e9numeration de nombres
SimpleZipCode=Champ5 : code postal simple
ZIPDashFour=Champ6 : zip with optional dash four
USPhoneNumber=Champ7 : num\u00e9ro de t\u00e9l\u00e9phone US avec ou sans tiret(s)
ServerSideValidationViolation=Violation de la validation c\u00f4t\u00e9 serveur : You succeeded for
JavaScriptValidationHint1=La validation s'op\u00e8re dans votre navigateur.
JavaScriptValidationHint2=Essayez de modifier les valeurs au moyen d'un proxy apr\u00e8s soumission depuis le navigateur
JavaScriptValidationHint3=Une autre approche est de supprimer le JavaScript avant de visualiser la page.
#HiddenFieldTampering.java
TotalPriceIs=Votre montant total est de
ThisAmountCharged=Ce montant sera d\u00e9bit\u00e9 sur votre carte de cr\u00e9dit imm\u00e9diatement.
HiddenFieldTamperingHint1=Cette application utilise des champs cach\u00e9s pour transmettre des informations de tarification au serveur.
HiddenFieldTamperingHint2=Utilisez un programme pour intercepter et modifier la valeur du champ cach\u00e9.
HiddenFieldTamperingHint3=Utilisez <A href=\"https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project \">ZAP</A> pour modifier le prix de la TV de "
HiddenFieldTamperingHint32= \u00e0
# Modify data with SQL Injection
EnterUserid=Entrez votre userid :
SqlModifyDataHint1=Vous pouvez utiliser l'injection SQL pour ex\u00e9cuter plus d'une instruction SQL.
SqlModifyDataHint2=Utilisez le point-virgule (;) pour s\u00e9parer les instructions SQL.
SqlModifyDataHint3=Modifiez les donn\u00e9es en utilisant une instruction SQL UPDATE.
SqlModifyDataHint4=Pour des d\u00e9tails et des exemples d'utilisation d'instructions SQL UPDATE, consultez <A href=\"http://www.w3schools.com/SQl/sql_update.asp\">http://www.w3schools.com/SQl/sql_update.asp</A>
SqlModifyDataHint5=SOLUTION :<br/>foo'; UPDATE salaries SET salary=9999999 WHERE userid='jsmith
# Modify data with SQL Injection
SqlAddDataHint1=Vous pouvez utiliser l'injection SQL pour ex\u00e9cuter plus d'une instruction SQL.
SqlAddDataHint2=Utilisez le point-virgule (;) pour s\u00e9parer les instructions SQL. Vous aurez \u00e9galement besoin de commenter certains caract\u00e8res pr\u00e9sents apr\u00e8s l'injection avec un double tiret (--).
SqlAddDataHint3=Modifiez les donn\u00e9es en utilisant une instruction SQL INSERT.
SqlAddDataHint4=Pour des d\u00e9tails et des exemples d'utilisation d'instructions SQL INSERT, consultez <A href=\"http://www.w3schools.com/SQl/sql_insert.asp\">http://www.w3schools.com/SQl/sql_insert.asp</A>
SqlAddDataHint5=SOLUTION :<br/>bar'; INSERT INTO salaries VALUES ('cwillis', 999999); --
# Bypass Html Field Restrictions
BypassHtmlFieldRestrictionsHint1=Vous devez r\u00e9activer le champ de formulaire d\u00e9sactiv\u00e9 ou ajouter manuellement le param\u00e8tre correspondant \u00e0 votre requ\u00eate.
BypassHtmlFieldRestrictionsHint2=Vous pouvez utiliser <A href=\"https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project \">ZAP</A> pour intercepter et modifier les requ\u00eates.
BypassHtmlFieldRestrictionsHint3=Plut\u00f4t que d'utiliser <A href=\"https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project \">ZAP</A>, vous pouvez utiliser <A href=\"http://chrispederick.com/work/web-developer/\">Web Developer</a> et/ou l'extension Firefox <A href=\"https://addons.mozilla.org/en-US/firefox/addon/hackbar/\">Hackbar</a> pour mener \u00e0 bien cette le\u00e7on.


@ -1,59 +1,59 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" <beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context" xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.2.xsd http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd"> http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">
<context:component-scan base-package="org.owasp.webgoat.controller, org.owasp.webgoat.lessons, org.owasp.webgoat.service" /> <context:component-scan base-package="org.owasp.webgoat" />
<!-- <!--
put custom validators here. E.g.: put custom validators here. E.g.:
<bean class="org.owasp.webgoat.validators.MyCustomValidator" /> <bean class="org.owasp.webgoat.validators.MyCustomValidator" />
--> -->
<!-- Activates various annotations to be detected in bean classes --> <!-- Activates various annotations to be detected in bean classes -->
<context:annotation-config /> <context:annotation-config />
<!-- Configures the annotation-driven Spring MVC Controller programming model. --> <!-- Configures the annotation-driven Spring MVC Controller programming model. -->
<mvc:annotation-driven /> <mvc:annotation-driven />
<!-- Import Tiles-related configuration --> <!-- Import Tiles-related configuration -->
<!--import resource="tiles-context.xml" /--> <!--import resource="tiles-context.xml" /-->
<!-- Declare a view resolver --> <!-- Declare a view resolver -->
<!-- Take note of the order. Since we're using TilesViewResolver as well <!-- Take note of the order. Since we're using TilesViewResolver as well
We need to define which ViewResolver is called first. We need to define which ViewResolver is called first.
We chose this InternalResourceViewResolver to be at the bottom order --> We chose this InternalResourceViewResolver to be at the bottom order -->
<bean <bean
id="viewResolver" id="viewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver"
p:prefix="/WEB-INF/pages/" p:prefix="/WEB-INF/pages/"
p:suffix=".jsp" p:suffix=".jsp"
p:order="1"/> p:order="1"/>
<mvc:interceptors> <mvc:interceptors>
<bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor"> <bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
<property name="cacheSeconds" value="0" /> <property name="cacheSeconds" value="0" />
<property name="useExpiresHeader" value="true" /> <property name="useExpiresHeader" value="true" />
<property name="useCacheControlHeader" value="true" /> <property name="useCacheControlHeader" value="true" />
<property name="useCacheControlNoStore" value="true" /> <property name="useCacheControlNoStore" value="true" />
</bean> </bean>
</mvc:interceptors> </mvc:interceptors>
<!-- Register the Customer.properties <!-- Register the Customer.properties
<bean id="messageSource" <bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource"> class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basename" value="org/owasp/webgoat/properties/Customer" /> <property name="basename" value="org/owasp/webgoat/properties/Customer" />
</bean> </bean>
--> -->
</beans> </beans>
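Review bot: The `<context:component-scan>` line now covers the whole `org.owasp.webgoat` tree instead of the three packages it listed before, so every annotated class anywhere under that root, lesson code included, is registered as a bean without being named in this file. If the widening is only needed so that the `labelManager` bean looked up from the JSP later in this commit can be found, adding that bean's package to the previous explicit list would keep the scan as narrow as it was, which is worth preserving in an application that deliberately ships vulnerable lesson classes; I cannot see from this section which package that bean lives in. At minimum an XML comment above the line, such as `<!-- scan the whole tree: the i18n label bean presumably lives outside controller/lessons/service -->`, would record why the scope changed.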


@ -1,288 +1,294 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<!-- General description of your web application --> <!-- General description of your web application -->
<display-name>WebGoat</display-name> <display-name>WebGoat</display-name>
<description> <description>
This web application is designed to demonstrate web This web application is designed to demonstrate web
application security flaws for the purpose of educating application security flaws for the purpose of educating
developers and security professionals about web developers and security professionals about web
application security problems. Please contact Bruce Mayhew application security problems. Please contact Bruce Mayhew
(webgoat@owasp.org) if you have any questions. (webgoat@owasp.org) if you have any questions.
</description> </description>
<!-- Context initialization parameters that define shared <!-- Context initialization parameters that define shared
String constants used within your application, which String constants used within your application, which
can be customized by the system administrator who is can be customized by the system administrator who is
installing your application. The values actually installing your application. The values actually
assigned to these parameters can be retrieved in a assigned to these parameters can be retrieved in a
servlet or JSP page by calling: servlet or JSP page by calling:
String value = String value =
getServletContext().getInitParameter("name"); getServletContext().getInitParameter("name");
where "name" matches the <param-name> element of where "name" matches the <param-name> element of
one of these initialization parameters. one of these initialization parameters.
You can define any number of context initialization You can define any number of context initialization
parameters, including zero. parameters, including zero.
--> -->
<context-param> <context-param>
<param-name>email</param-name> <param-name>email</param-name>
<param-value>webgoat@owasp.org</param-value> <param-value>webgoat@owasp.org</param-value>
<description> <description>
The EMAIL address of the administrator to whom questions The EMAIL address of the administrator to whom questions
and comments about this application should be addressed. and comments about this application should be addressed.
</description> </description>
</context-param> </context-param>
<context-param> <context-param>
<param-name>emaillist</param-name> <param-name>emaillist</param-name>
<param-value>owasp-webgoat@lists.owasp.org</param-value> <param-value>owasp-webgoat@lists.owasp.org</param-value>
<description> <description>
The EMAIL address of the webgoat email list The EMAIL address of the webgoat email list
</description> </description>
</context-param> </context-param>
<!-- spring MVC --> <!-- spring MVC -->
<context-param> <context-param>
<param-name>contextConfigLocation</param-name> <param-name>contextConfigLocation</param-name>
<param-value> <param-value>
/WEB-INF/mvc-dispatcher-servlet.xml, /WEB-INF/mvc-dispatcher-servlet.xml,
/WEB-INF/spring-security.xml /WEB-INF/spring-security.xml
</param-value> </param-value>
</context-param> </context-param>
<!-- Servlet definitions for the servlets that make up <!-- Servlet definitions for the servlets that make up
your web application, including initialization your web application, including initialization
parameters. With Tomcat, you can also send requests parameters. With Tomcat, you can also send requests
to servlets not listed here with a request like this: to servlets not listed here with a request like this:
http://localhost:8080/{context-path}/servlet/{classname} http://localhost:8080/{context-path}/servlet/{classname}
but this usage is not guaranteed to be portable. It also but this usage is not guaranteed to be portable. It also
makes relative references to images and other resources makes relative references to images and other resources
required by your servlet more complicated, so defining required by your servlet more complicated, so defining
all of your servlets (and defining a mapping to them with all of your servlets (and defining a mapping to them with
a servlet-mapping element) is recommended. a servlet-mapping element) is recommended.
Servlet initialization parameters can be retrieved in a Servlet initialization parameters can be retrieved in a
servlet or JSP page by calling: servlet or JSP page by calling:
String value = String value =
getServletConfig().getInitParameter("name"); getServletConfig().getInitParameter("name");
where "name" matches the <param-name> element of where "name" matches the <param-name> element of
one of these initialization parameters. one of these initialization parameters.
You can define any number of servlets, including zero. You can define any number of servlets, including zero.
--> -->
<servlet> <servlet>
<servlet-name>AxisServlet</servlet-name> <servlet-name>AxisServlet</servlet-name>
<display-name>Apache-Axis Servlet</display-name> <display-name>Apache-Axis Servlet</display-name>
<servlet-class> <servlet-class>
org.apache.axis.transport.http.AxisServlet org.apache.axis.transport.http.AxisServlet
</servlet-class> </servlet-class>
</servlet> </servlet>
<servlet> <servlet>
<servlet-name>AdminServlet</servlet-name> <servlet-name>AdminServlet</servlet-name>
<display-name>Axis Admin Servlet</display-name> <display-name>Axis Admin Servlet</display-name>
<servlet-class> <servlet-class>
org.apache.axis.transport.http.AdminServlet org.apache.axis.transport.http.AdminServlet
</servlet-class> </servlet-class>
<load-on-startup>100</load-on-startup> <load-on-startup>100</load-on-startup>
</servlet> </servlet>
<servlet> <servlet>
<servlet-name>SOAPMonitorService</servlet-name> <servlet-name>SOAPMonitorService</servlet-name>
<display-name>SOAPMonitorService</display-name> <display-name>SOAPMonitorService</display-name>
<servlet-class> <servlet-class>
org.apache.axis.monitor.SOAPMonitorService org.apache.axis.monitor.SOAPMonitorService
</servlet-class> </servlet-class>
<init-param> <init-param>
<param-name>SOAPMonitorPort</param-name> <param-name>SOAPMonitorPort</param-name>
<param-value>5001</param-value> <param-value>5001</param-value>
</init-param> </init-param>
<load-on-startup>100</load-on-startup> <load-on-startup>100</load-on-startup>
</servlet> </servlet>
<servlet> <servlet>
<servlet-name>WebGoat</servlet-name> <servlet-name>WebGoat</servlet-name>
<description> <description>
This servlet plays the "controller" role in the MVC architecture This servlet plays the "controller" role in the MVC architecture
used in this application. used in this application.
The initialization parameter namess for this servlet are the The initialization parameter namess for this servlet are the
"servlet path" that will be received by this servlet (after the "servlet path" that will be received by this servlet (after the
filename extension is removed). The corresponding value is the filename extension is removed). The corresponding value is the
name of the action class that will be used to process this request. name of the action class that will be used to process this request.
</description> </description>
<servlet-class>org.owasp.webgoat.HammerHead</servlet-class> <servlet-class>org.owasp.webgoat.HammerHead</servlet-class>
<init-param> <init-param>
<param-name>email</param-name> <param-name>email</param-name>
<param-value>WebGoat@owasp.org</param-value> <param-value>WebGoat@owasp.org</param-value>
<description>The EMAIL address of the administrator to whom questions <description>The EMAIL address of the administrator to whom questions
and comments about this application should be addressed. and comments about this application should be addressed.
</description> </description>
</init-param> </init-param>
<init-param> <init-param>
<param-name>debug</param-name> <param-name>debug</param-name>
<param-value>false</param-value> <param-value>false</param-value>
</init-param> </init-param>
<init-param> <init-param>
<param-name>CookieDebug</param-name> <param-name>CookieDebug</param-name>
<param-value>true</param-value> <param-value>true</param-value>
</init-param> </init-param>
<init-param> <init-param>
<param-name>DefuseOSCommands</param-name> <param-name>DefuseOSCommands</param-name>
<param-value>false</param-value> <param-value>false</param-value>
</init-param> </init-param>
<init-param> <init-param>
<param-name>Enterprise</param-name> <param-name>Enterprise</param-name>
<param-value>true</param-value> <param-value>true</param-value>
</init-param> </init-param>
<init-param> <init-param>
<param-name>CodingExercises</param-name> <param-name>CodingExercises</param-name>
<param-value>true</param-value> <param-value>true</param-value>
</init-param> </init-param>
<init-param> <init-param>
<!-- Specify an address where you would like comments to be sent. --> <!-- Specify an address where you would like comments to be sent. -->
<!-- This can be any URL or HTML tags, and will appear on the report card and lesson incomplete pages --> <!-- This can be any URL or HTML tags, and will appear on the report card and lesson incomplete pages -->
<!-- Use iso8859-1 encoding to represent special characters that might confuse XML parser. For <!-- Use iso8859-1 encoding to represent special characters that might confuse XML parser. For
example, replace "<" with "&lt;" and ">" with "&gt;". --> example, replace "<" with "&lt;" and ">" with "&gt;". -->
<param-name>FeedbackAddress</param-name> <param-name>FeedbackAddress</param-name>
<param-value> <param-value>
&lt;A HREF=mailto:webgoat@owasp.org&gt;webgoat@owasp.org&lt;/A&gt; &lt;A HREF=mailto:webgoat@owasp.org&gt;webgoat@owasp.org&lt;/A&gt;
</param-value> </param-value>
</init-param> </init-param>
<init-param> <init-param>
<param-name>DatabaseDriver</param-name> <param-name>DatabaseDriver</param-name>
<param-value> <param-value>
org.hsqldb.jdbcDriver org.hsqldb.jdbcDriver
</param-value> </param-value>
</init-param> </init-param>
<init-param> <init-param>
<param-name>DatabaseConnectionString</param-name> <param-name>DatabaseConnectionString</param-name>
<!-- <!--
The string "${USER}" in the connection string will be replaced by the active username The string "${USER}" in the connection string will be replaced by the active username
when making a connection. when making a connection.
--> -->
<param-value>jdbc:hsqldb:mem:${USER}</param-value> <param-value>jdbc:hsqldb:mem:${USER}</param-value>
</init-param> </init-param>
<init-param> <!--
<param-name>DefaultLanguage</param-name> <init-param>
<param-value>en</param-value> <param-name>DefaultLanguage</param-name>
</init-param> <param-value>en</param-value>
<!-- Load this servlet at server startup time --> </init-param>
<load-on-startup>5</load-on-startup> -->
</servlet> <!-- Load this servlet at server startup time -->
<servlet> <load-on-startup>5</load-on-startup>
<servlet-name>LessonSource</servlet-name> </servlet>
<description> <servlet>
This servlet returns the Java source of the current lesson. <servlet-name>LessonSource</servlet-name>
</description> <description>
<servlet-class>org.owasp.webgoat.LessonSource</servlet-class> This servlet returns the Java source of the current lesson.
</servlet> </description>
<servlet> <servlet-class>org.owasp.webgoat.LessonSource</servlet-class>
<servlet-name>Catcher</servlet-name> </servlet>
<description> <servlet>
This servlet catches any posts and marks the appropriate lesson property. <servlet-name>Catcher</servlet-name>
</description> <description>
<servlet-class>org.owasp.webgoat.Catcher</servlet-class> This servlet catches any posts and marks the appropriate lesson property.
</servlet> </description>
<servlet> <servlet-class>org.owasp.webgoat.Catcher</servlet-class>
<servlet-name>conf</servlet-name> </servlet>
<jsp-file>/lessons/ConfManagement/config.jsp</jsp-file> <servlet>
</servlet> <servlet-name>conf</servlet-name>
<!-- spring MVC --> <jsp-file>/lessons/ConfManagement/config.jsp</jsp-file>
<servlet> </servlet>
<servlet-name>mvc-dispatcher</servlet-name> <!-- spring MVC -->
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <servlet>
<load-on-startup>1</load-on-startup> <servlet-name>mvc-dispatcher</servlet-name>
</servlet> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<servlet-mapping> <load-on-startup>1</load-on-startup>
<servlet-name>mvc-dispatcher</servlet-name> </servlet>
<url-pattern>*.mvc</url-pattern> <servlet-mapping>
</servlet-mapping> <servlet-name>mvc-dispatcher</servlet-name>
<listener> <url-pattern>*.mvc</url-pattern>
<description>Spring context init</description> </servlet-mapping>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> <listener>
</listener> <description>Spring context init</description>
<listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
<description>WebGoat application init</description> </listener>
<listener-class>org.owasp.webgoat.application.WebGoatServletListener</listener-class> <listener>
</listener> <description>Spring context init</description>
<!-- end spring MVC --> <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
<!-- spring security --> </listener>
<filter> <listener>
<filter-name>springSecurityFilterChain</filter-name> <description>WebGoat application init</description>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> <listener-class>org.owasp.webgoat.application.WebGoatServletListener</listener-class>
</filter> </listener>
<filter-mapping> <!-- end spring MVC -->
<filter-name>springSecurityFilterChain</filter-name> <!-- spring security -->
<url-pattern>/*</url-pattern> <filter>
</filter-mapping> <filter-name>springSecurityFilterChain</filter-name>
<!-- end spring security --> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<!-- Define mappings that are used by the servlet container to </filter>
translate a particular request URI (context-relative) to a <filter-mapping>
particular servlet. The examples below correspond to the <filter-name>springSecurityFilterChain</filter-name>
servlet descriptions above. Thus, a request URI like: <url-pattern>/*</url-pattern>
</filter-mapping>
http://localhost:8080/{contextpath}/graph <!-- end spring security -->
<!-- Define mappings that are used by the servlet container to
will be mapped to the "graph" servlet, while a request like: translate a particular request URI (context-relative) to a
particular servlet. The examples below correspond to the
http://localhost:8080/{contextpath}/saveCustomer.mvc servlet descriptions above. Thus, a request URI like:
will be mapped to the "controller" servlet. http://localhost:8080/{contextpath}/graph
You may define any number of servlet mappings, including zero. will be mapped to the "graph" servlet, while a request like:
It is also legal to define more than one mapping for the same
servlet, if you wish to. http://localhost:8080/{contextpath}/saveCustomer.mvc
-->
<servlet-mapping> will be mapped to the "controller" servlet.
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/servlet/AxisServlet</url-pattern> You may define any number of servlet mappings, including zero.
</servlet-mapping> It is also legal to define more than one mapping for the same
<servlet-mapping> servlet, if you wish to.
<servlet-name>AxisServlet</servlet-name> -->
<url-pattern>*.jws</url-pattern> <servlet-mapping>
</servlet-mapping> <servlet-name>AxisServlet</servlet-name>
<servlet-mapping> <url-pattern>/servlet/AxisServlet</url-pattern>
<servlet-name>AxisServlet</servlet-name> </servlet-mapping>
<url-pattern>/services/*</url-pattern> <servlet-mapping>
</servlet-mapping> <servlet-name>AxisServlet</servlet-name>
<servlet-mapping> <url-pattern>*.jws</url-pattern>
<servlet-name>SOAPMonitorService</servlet-name> </servlet-mapping>
<url-pattern>/SOAPMonitor</url-pattern> <servlet-mapping>
</servlet-mapping> <servlet-name>AxisServlet</servlet-name>
<!-- uncomment this if you want the admin servlet --> <url-pattern>/services/*</url-pattern>
<servlet-mapping> </servlet-mapping>
<servlet-name>AdminServlet</servlet-name> <servlet-mapping>
<url-pattern>/servlet/AdminServlet</url-pattern> <servlet-name>SOAPMonitorService</servlet-name>
</servlet-mapping> <url-pattern>/SOAPMonitor</url-pattern>
<servlet-mapping> </servlet-mapping>
<servlet-name>WebGoat</servlet-name> <!-- uncomment this if you want the admin servlet -->
<url-pattern>/attack</url-pattern> <servlet-mapping>
</servlet-mapping> <servlet-name>AdminServlet</servlet-name>
<servlet-mapping> <url-pattern>/servlet/AdminServlet</url-pattern>
<servlet-name>LessonSource</servlet-name> </servlet-mapping>
<url-pattern>/source</url-pattern> <servlet-mapping>
</servlet-mapping> <servlet-name>WebGoat</servlet-name>
<servlet-mapping> <url-pattern>/attack</url-pattern>
<servlet-name>Catcher</servlet-name> </servlet-mapping>
<url-pattern>/catcher</url-pattern> <servlet-mapping>
</servlet-mapping> <servlet-name>LessonSource</servlet-name>
<servlet-mapping> <url-pattern>/source</url-pattern>
<servlet-name>conf</servlet-name> </servlet-mapping>
<url-pattern>/conf</url-pattern> <servlet-mapping>
</servlet-mapping> <servlet-name>Catcher</servlet-name>
<!-- Define the default session timeout for your application, <url-pattern>/catcher</url-pattern>
in minutes. From a servlet or JSP page, you can modify </servlet-mapping>
the timeout for a particular session dynamically by using <servlet-mapping>
HttpSession.getMaxInactiveInterval(). --> <servlet-name>conf</servlet-name>
<session-config> <url-pattern>/conf</url-pattern>
<!-- 2 days --> </servlet-mapping>
<session-timeout>2880</session-timeout> <!-- Define the default session timeout for your application,
</session-config> in minutes. From a servlet or JSP page, you can modify
<mime-mapping> the timeout for a particular session dynamically by using
<extension>wmv</extension> HttpSession.getMaxInactiveInterval(). -->
<mime-type>video/x-ms-wmv</mime-type> <session-config>
</mime-mapping> <!-- 2 days -->
<welcome-file-list> <session-timeout>2880</session-timeout>
<welcome-file>index.jsp</welcome-file> </session-config>
</welcome-file-list> <mime-mapping>
</web-app> <extension>wmv</extension>
<mime-type>video/x-ms-wmv</mime-type>
</mime-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
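Review bot: The new `<listener>` registering `org.springframework.web.context.request.RequestContextListener` reuses the description `Spring context init`, which is the exact text of the `ContextLoaderListener` entry directly above it, so the two listeners are indistinguishable in the descriptor. A description stating this listener's own job, for example `<description>Expose the current request to Spring (RequestContextListener)</description>`, would avoid that. The `DefaultLanguage` init-param is commented out rather than removed; if the refactored label handling no longer reads it, deleting the block is cleaner than leaving dead configuration, and if it is kept on purpose a one-line comment saying why would help the next reader.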


@ -1,294 +1,295 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java" <%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.Category, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*, java.util.*" import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.Category, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*, java.util.*"
errorPage="" %> errorPage="" %>
<% <%
WebSession webSession = ((WebSession) session.getAttribute(WebSession.SESSION)); WebSession webSession = ((WebSession) session.getAttribute(WebSession.SESSION));
Course course = webSession.getCourse(); Course course = webSession.getCourse();
AbstractLesson currentLesson = webSession.getCurrentLesson(); AbstractLesson currentLesson = webSession.getCurrentLesson();
%> LabelManager labelManager = BeanProvider.getBean("labelManager", LabelManager.class);
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@page import="org.owasp.webgoat.lessons.RandomLessonAdapter"%> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <%@page import="org.owasp.webgoat.lessons.RandomLessonAdapter"%>
<head> <html xmlns="http://www.w3.org/1999/xhtml">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <head>
<title><%=currentLesson.getTitle()%></title> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<link rel="stylesheet" href="css/webgoat.css" type="text/css" /> <title><%=currentLesson.getTitle()%></title>
<link rel="stylesheet" href="css/lesson.css" type="text/css" /> <link rel="stylesheet" href="css/webgoat.css" type="text/css" />
<link rel="stylesheet" href="css/menu.css" type="text/css" /> <link rel="stylesheet" href="css/lesson.css" type="text/css" />
<link rel="stylesheet" href="css/layers.css" type="text/css" /> <link rel="stylesheet" href="css/menu.css" type="text/css" />
<script language="JavaScript1.2" src="javascript/javascript.js" type="text/javascript"></script> <link rel="stylesheet" href="css/layers.css" type="text/css" />
<script language="JavaScript1.2" src="javascript/menu_system.js" type="text/javascript"></script> <script language="JavaScript1.2" src="javascript/javascript.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/lessonNav.js" type="text/javascript"></script> <script language="JavaScript1.2" src="javascript/menu_system.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/makeWindow.js" type="text/javascript"></script> <script language="JavaScript1.2" src="javascript/lessonNav.js" type="text/javascript"></script>
<script language="JavaScript1.2" src="javascript/toggle.js" type="text/javascript"></script> <script language="JavaScript1.2" src="javascript/makeWindow.js" type="text/javascript"></script>
</head> <script language="JavaScript1.2" src="javascript/toggle.js" type="text/javascript"></script>
<% </head>
final String menuPrefix = WebSession.MENU; <%
final String submenuPrefix = "submenu"; final String menuPrefix = WebSession.MENU;
final String mbutPrefix = "mbut"; final String submenuPrefix = "submenu";
String printHint = ""; final String mbutPrefix = "mbut";
String printParameters = ""; String printHint = "";
String printCookies = ""; String printParameters = "";
String lessonComplete = "<img src=\"images/buttons/lessonComplete.jpg\">"; String printCookies = "";
String lessonComplete = "<img src=\"images/buttons/lessonComplete.jpg\">";
List categories = course.getCategories();
List categories = course.getCategories();
StringBuffer buildList = new StringBuffer();
StringBuffer buildList = new StringBuffer();
Iterator iter1 = categories.iterator();
while (iter1.hasNext()) { Iterator iter1 = categories.iterator();
Category category = (Category) iter1.next(); while (iter1.hasNext()) {
Category category = (Category) iter1.next();
buildList.append("'");
buildList.append(menuPrefix); buildList.append("'");
buildList.append(category.getRanking()); buildList.append(menuPrefix);
buildList.append("','"); buildList.append(category.getRanking());
buildList.append(submenuPrefix); buildList.append("','");
buildList.append(category.getRanking()); buildList.append(submenuPrefix);
buildList.append("','"); buildList.append(category.getRanking());
buildList.append(mbutPrefix); buildList.append("','");
buildList.append(category.getRanking()); buildList.append(mbutPrefix);
buildList.append("'"); buildList.append(category.getRanking());
buildList.append("'");
if (iter1.hasNext()) {
buildList.append(","); if (iter1.hasNext()) {
} buildList.append(",");
}%> }
<body class="page" onload="setMenuMagic1(10, 40, 10, 'menubottom',<%=buildList%>); }%>
trigMM1url('<%= menuPrefix%>', 1); <body class="page" onload="setMenuMagic1(10, 40, 10, 'menubottom',<%=buildList%>);
MM_preloadImages('images/buttons/hintLeftOver.jpg', 'images/buttons/hintOver.jpg', 'images/buttons/hintRightOver.jpg', 'images/buttons/paramsOver.jpg', 'images/buttons/htmlOver.jpg', 'images/buttons/cookiesOver.jpg', 'images/buttons/javaOver.jpg', 'images/buttons/plansOver.jpg', 'images/buttons/logout.jpg', 'images/buttons/helpOver.jpg'); trigMM1url('<%= menuPrefix%>', 1);
initIframe();"> MM_preloadImages('images/buttons/hintLeftOver.jpg', 'images/buttons/hintOver.jpg', 'images/buttons/hintRightOver.jpg', 'images/buttons/paramsOver.jpg', 'images/buttons/htmlOver.jpg', 'images/buttons/cookiesOver.jpg', 'images/buttons/javaOver.jpg', 'images/buttons/plansOver.jpg', 'images/buttons/logout.jpg', 'images/buttons/helpOver.jpg');
initIframe();">
<div id="wrap">
<% <div id="wrap">
int topCord = 140; <%
int zIndex = 105; int topCord = 140;
int zIndex = 105;
Iterator iter2 = categories.iterator();
while (iter2.hasNext()) { Iterator iter2 = categories.iterator();
Category category = (Category) iter2.next(); while (iter2.hasNext()) {
%> Category category = (Category) iter2.next();
<div id="<%=menuPrefix + category.getRanking()%>" style="position:absolute; left:30px; top:<%=topCord%>px; width:160px; z-index:<%=zIndex%>"><a href="javascript:;" onclick="trigMenuMagic1('<%=menuPrefix + category.getRanking()%>', 1); %>
return false" onfocus="if (this.blur) <div id="<%=menuPrefix + category.getRanking()%>" style="position:absolute; left:30px; top:<%=topCord%>px; width:160px; z-index:<%=zIndex%>"><a href="javascript:;" onclick="trigMenuMagic1('<%=menuPrefix + category.getRanking()%>', 1);
this.blur()"><img src="images/menu_images/1x1.gif" width="1" height=1"20" name="mbut<%=category.getRanking()%>" border="0" alt=""/><%=category.getName()%></a></div> return false" onfocus="if (this.blur)
<% this.blur()"><img src="images/menu_images/1x1.gif" width="1" height=1"20" name="mbut<%=category.getRanking()%>" border="0" alt=""/><%=category.getName()%></a></div>
topCord = topCord + 30; <%
zIndex = zIndex + 1; topCord = topCord + 30;
} zIndex = zIndex + 1;
}
int topSubMenu = 72;
int topSubMenu = 72;
Iterator iter3 = categories.iterator();
while (iter3.hasNext()) { Iterator iter3 = categories.iterator();
Category category = (Category) iter3.next(); while (iter3.hasNext()) {
List lessons = webSession.getLessons(category); Category category = (Category) iter3.next();
Iterator iter4 = lessons.iterator(); List lessons = webSession.getLessons(category);
%> Iterator iter4 = lessons.iterator();
<div id="submenu<%=category.getRanking()%>" class="pviimenudiv" style="position:absolute; left:200px; top:<%=topSubMenu%>px; width:150px; visibility: hidden; z-index:<%=zIndex%>"> %>
<table width="150" border="0" cellspacing="6" cellpadding="0"><% <div id="submenu<%=category.getRanking()%>" class="pviimenudiv" style="position:absolute; left:200px; top:<%=topSubMenu%>px; width:150px; visibility: hidden; z-index:<%=zIndex%>">
<table width="150" border="0" cellspacing="6" cellpadding="0"><%
topSubMenu = topSubMenu + 30;
zIndex = zIndex + 1; topSubMenu = topSubMenu + 30;
zIndex = zIndex + 1;
while (iter4.hasNext()) {
AbstractLesson lesson = (AbstractLesson) iter4.next(); while (iter4.hasNext()) {
AbstractLesson lesson = (AbstractLesson) iter4.next();
%><tr>
<td><%=(lesson.isCompleted(webSession) ? lessonComplete : "")%><a href="<%=lesson.getLink()%>"><%=lesson.getTitle()%></a></td> %><tr>
</tr> <td><%=(lesson.isCompleted(webSession) ? lessonComplete : "")%><a href="<%=lesson.getLink()%>"><%=lesson.getTitle()%></a></td>
<% if (lesson instanceof RandomLessonAdapter) { </tr>
RandomLessonAdapter rla = (RandomLessonAdapter) lesson; <% if (lesson instanceof RandomLessonAdapter) {
String[] stages = rla.getStages(); RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
if (stages != null) String[] stages = rla.getStages();
for (int i = 0; i < stages.length; i++) { if (stages != null)
%> for (int i = 0; i < stages.length; i++) {
<tr><td class="pviimenudivstage"><%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%><a href="<%=lesson.getLink() + "&stage=" + (i + 1)%>">Stage <%=i + 1%>: <%=stages[i]%></a> %>
</td></tr> <tr><td class="pviimenudivstage"><%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%><a href="<%=lesson.getLink() + "&stage=" + (i + 1)%>">Stage <%=i + 1%>: <%=stages[i]%></a>
<% </td></tr>
} <%
} }
%> }
<% %>
} <%
%> }
</table> %>
</div><% </table>
}%> </div><%
<div id="top"></div> }%>
<div id="topLeft"> <div id="top"></div>
<div align="left"> <div id="topLeft">
<% if (currentLesson.getAvailableLanguages().size() != 0) { <div align="left">
%> <% if (currentLesson.getAvailableLanguages().size() != 0) {
<form method="get" action="attack" style="display: inline;"> %>
Choose another language: <select name="language" size="1" <form method="get" action="attack" style="display: inline;">
onChange="changeLanguage();"> Choose another language: <select name="language" size="1"
<% onChange="changeLanguage();">
for (String lang : currentLesson.getAvailableLanguages()) { <%
%> for (String lang : currentLesson.getAvailableLanguages()) {
<option value="<%=lang%>" %>
<% if (webSession.getCurrrentLanguage().equals(lang)) { <option value="<%=lang%>"
out.println("selected"); <% if (webSession.getCurrrentLanguage().equals(lang)) {
}%>><%=lang%> out.println("selected");
</option> }%>><%=lang%>
<% </option>
<%
}
%> }
</select></form> %>
<% </select></form>
} else { <%
%> } else {
Internationalization is not available for this lesson %>
<% Internationalization is not available for this lesson
} <%
%> }
</div></div> %>
<div align="right" id="topRight"> </div></div>
<a href="j_spring_security_logout" onmouseout="MM_swapImgRestore()" <div align="right" id="topRight">
onmouseover="MM_swapImage('logout', '', 'images/buttons/logoutOver.jpg', 1)"><img <a href="j_spring_security_logout" onmouseout="MM_swapImgRestore()"
src="images/buttons/logout.jpg" alt="LogOut" name="logout" width="45" onmouseover="MM_swapImage('logout', '', 'images/buttons/logoutOver.jpg', 1)"><img
height="22" border="0" id="logout" /></a> <a href="#getFAQ()" src="images/buttons/logout.jpg" alt="LogOut" name="logout" width="45"
onmouseout="MM_swapImgRestore()" height="22" border="0" id="logout" /></a> <a href="#getFAQ()"
onmouseover="MM_swapImage('help', '', 'images/buttons/helpOver.jpg', 1)"><img onmouseout="MM_swapImgRestore()"
src="images/buttons/help.jpg" alt="Help" name="help" width="22" onmouseover="MM_swapImage('help', '', 'images/buttons/helpOver.jpg', 1)"><img
height="22" border="0" id="help" /></a> src="images/buttons/help.jpg" alt="Help" name="help" width="22"
</div> height="22" border="0" id="help" /></a>
<div id="lessonTitle" align="right"><%=currentLesson.getTitle()%></div> </div>
<div id="hMenuBar"> <div id="lessonTitle" align="right"><%=currentLesson.getTitle()%></div>
<% <div id="hMenuBar">
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWHINTS)) { <%
%> if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWHINTS)) {
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=PreviousHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintLeft', '', 1)" %>
onmouseover="MM_nbGroup('over', 'hintLeft', 'images/buttons/hintLeftOver.jpg', '', 1)" <a href="<%= webSession.getCurrentLesson().getLink()%>&show=PreviousHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintLeft', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseover="MM_nbGroup('over', 'hintLeft', 'images/buttons/hintLeftOver.jpg', '', 1)"
<img src="images/buttons/hintLeft.jpg" alt="Previous Hint" name="hintLeft" width="20" height="20" border="0" id="hintLeft"/> onmouseout="MM_nbGroup('out')">
</a> <img src="images/buttons/hintLeft.jpg" alt="Previous Hint" name="hintLeft" width="20" height="20" border="0" id="hintLeft"/>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=NextHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hint', '', 1)" </a>
onmouseover="MM_nbGroup('over', 'hint', 'images/buttons/hintOver.jpg', '', 1)" <a href="<%= webSession.getCurrentLesson().getLink()%>&show=NextHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hint', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseover="MM_nbGroup('over', 'hint', 'images/buttons/hintOver.jpg', '', 1)"
<img src="images/buttons/hint.jpg" alt="Hints" name="hint" width="35" height="20" border="0" id="hint"/> onmouseout="MM_nbGroup('out')">
</a> <img src="images/buttons/hint.jpg" alt="Hints" name="hint" width="35" height="20" border="0" id="hint"/>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=NextHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintRight', '', 1)" </a>
onmouseover="MM_nbGroup('over', 'hintRight', 'images/buttons/hintRightOver.jpg', '', 1)" <a href="<%= webSession.getCurrentLesson().getLink()%>&show=NextHint" target="_top" onclick="MM_nbGroup('down', 'group1', 'hintRight', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseover="MM_nbGroup('over', 'hintRight', 'images/buttons/hintRightOver.jpg', '', 1)"
<img src="images/buttons/hintRight.jpg" alt="Next Hint" name="hintRight" width="20" height="20" border="0" id="hintRight"/> onmouseout="MM_nbGroup('out')">
</a> <img src="images/buttons/hintRight.jpg" alt="Next Hint" name="hintRight" width="20" height="20" border="0" id="hintRight"/>
<%}%> </a>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=Params" target="_top" onclick="MM_nbGroup('down', 'group1', 'params', '', 1)" <%}%>
onmouseover="MM_nbGroup('over', 'params', 'images/buttons/paramsOver.jpg', '', 1)" <a href="<%= webSession.getCurrentLesson().getLink()%>&show=Params" target="_top" onclick="MM_nbGroup('down', 'group1', 'params', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseover="MM_nbGroup('over', 'params', 'images/buttons/paramsOver.jpg', '', 1)"
<img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink()%>&show=Params" width="87" height="20" border="0" id="params"/> onmouseout="MM_nbGroup('out')">
</a> <img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink()%>&show=Params" width="87" height="20" border="0" id="params"/>
<a href="<%= webSession.getCurrentLesson().getLink()%>&show=Cookies" target="_top" onclick="MM_nbGroup('down', 'group1', 'cookies', '', 1)" </a>
onmouseover="MM_nbGroup('over', 'cookies', 'images/buttons/cookiesOver.jpg', '', 1)" <a href="<%= webSession.getCurrentLesson().getLink()%>&show=Cookies" target="_top" onclick="MM_nbGroup('down', 'group1', 'cookies', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseover="MM_nbGroup('over', 'cookies', 'images/buttons/cookiesOver.jpg', '', 1)"
<img src="images/buttons/cookies.jpg" alt="Show Cookies" name="cookies" width="99" height="20" border="0" id="cookies"/> onmouseout="MM_nbGroup('out')">
</a> <img src="images/buttons/cookies.jpg" alt="Show Cookies" name="cookies" width="99" height="20" border="0" id="cookies"/>
<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down', 'group1', 'plans', '', 1)" </a>
onmouseover="MM_nbGroup('over', 'plans', 'images/buttons/plansOver.jpg', '', 1)" <a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down', 'group1', 'plans', '', 1)"
onmouseout="MM_nbGroup('out')"> onmouseover="MM_nbGroup('over', 'plans', 'images/buttons/plansOver.jpg', '', 1)"
<img src="images/buttons/plans.jpg" alt="Lesson Plans" width="89" height="20" border="0" id="plans"/> onmouseout="MM_nbGroup('out')">
</a> <img src="images/buttons/plans.jpg" alt="Lesson Plans" width="89" height="20" border="0" id="plans"/>
<% </a>
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWSOURCE)) { <%
%> if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWSOURCE)) {
<a href="source" onclick="makeWindow(this.href + '?source=true', 'Java Source'); %>
return false;" target="javaWin" <a href="source" onclick="makeWindow(this.href + '?source=true', 'Java Source');
onmouseover="MM_nbGroup('over', 'java', 'images/buttons/javaOver.jpg', '', 1)" return false;" target="javaWin"
onmouseout="MM_nbGroup('out')"> onmouseover="MM_nbGroup('over', 'java', 'images/buttons/javaOver.jpg', '', 1)"
<img src="images/buttons/java.jpg" alt="Show Java" name="java" width="75" height="20" border="0" id="java"/> onmouseout="MM_nbGroup('out')">
</a> <img src="images/buttons/java.jpg" alt="Show Java" name="java" width="75" height="20" border="0" id="java"/>
<a href="source" onclick="makeWindow(this.href + '?solution=true', 'Java Solution'); </a>
return false;" target="javaWin" <a href="source" onclick="makeWindow(this.href + '?solution=true', 'Java Solution');
onmouseover="MM_nbGroup('over', 'solutions', 'images/buttons/solutionsOver.jpg', '', 1)" return false;" target="javaWin"
onmouseout="MM_nbGroup('out')"> onmouseover="MM_nbGroup('over', 'solutions', 'images/buttons/solutionsOver.jpg', '', 1)"
<img src="images/buttons/solutions.jpg" alt="Show Solution" name="solutions" width="73" height="20" border="0" id="solutions"/> onmouseout="MM_nbGroup('out')">
</a> <img src="images/buttons/solutions.jpg" alt="Show Solution" name="solutions" width="73" height="20" border="0" id="solutions"/>
<%}%> </a>
<%}%>
</div>
<div id="twoCol"> </div>
<div id="menuSpacer"></div> <div id="twoCol">
<div id="lessonAreaTop"> <div id="menuSpacer"></div>
<% <div id="lessonAreaTop">
if (currentLesson != null) { <%
%> if (currentLesson != null) {
<div id="training_wrap"> %>
<div id="training" class="info"><a href="http://yehg.net/lab/pr0js/training/webgoat.php" target="_blank"><%=WebGoatI18N.get("SolutionVideos")%></a></div> <div id="training_wrap">
<div id="reset" class="info"><a href="<%=webSession.getRestartLink()%>"><%=WebGoatI18N.get("RestartLesson")%></a></div> <div id="training" class="info"><a href="http://yehg.net/lab/pr0js/training/webgoat.php" target="_blank"><%=labelManager.get("SolutionVideos")%></a></div>
</div> <div id="reset" class="info"><a href="<%=webSession.getRestartLink()%>"><%=labelManager.get("RestartLesson")%></a></div>
<% </div>
} <%
%> }
</div> %>
<div id="lessonArea"> </div>
<% <div id="lessonArea">
if (webSession.getHint() != null) { <%
printHint = "<div id=\"hint\" class=\"info\">" + webSession.getHint() + "</div><br>"; if (webSession.getHint() != null) {
out.println(printHint); printHint = "<div id=\"hint\" class=\"info\">" + webSession.getHint() + "</div><br>";
} out.println(printHint);
}
if (webSession.getParams() != null) {
Iterator i = webSession.getParams().iterator(); if (webSession.getParams() != null) {
while (i.hasNext()) { Iterator i = webSession.getParams().iterator();
Parameter p = (Parameter) i.next(); while (i.hasNext()) {
printParameters = "<div id=\"parameter\" class=\"info\">" + p.getName() + "=" + p.getValue() + "</div><br>"; Parameter p = (Parameter) i.next();
out.println(printParameters); printParameters = "<div id=\"parameter\" class=\"info\">" + p.getName() + "=" + p.getValue() + "</div><br>";
} out.println(printParameters);
} }
}
if (webSession.getCookies() != null) {
Iterator i = webSession.getCookies().iterator(); if (webSession.getCookies() != null) {
while (i.hasNext()) { Iterator i = webSession.getCookies().iterator();
Cookie c = (Cookie) i.next(); while (i.hasNext()) {
printCookies = "<div id=\"cookie\" class=\"info\">" + c.getName() + " <img src=\"images/icons/rightArrow.jpg\" alt=\"\"> " + c.getValue() + "</div><br>"; Cookie c = (Cookie) i.next();
out.println(printCookies); printCookies = "<div id=\"cookie\" class=\"info\">" + c.getName() + " <img src=\"images/icons/rightArrow.jpg\" alt=\"\"> " + c.getValue() + "</div><br>";
} out.println(printCookies);
}%> }
<div id="lessonPlans" style="visibility:hidden; height:1px; position:absolute; left:260px; top:130px; width:425px; z-index:105;"><%=currentLesson.getLessonPlan(webSession)%> }%>
<br/> <div id="lessonPlans" style="visibility:hidden; height:1px; position:absolute; left:260px; top:130px; width:425px; z-index:105;"><%=currentLesson.getLessonPlan(webSession)%>
<br/> <br/>
<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down', 'group1', 'plans', '', 1)">Close this Window</a> <br/>
</div> <a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down', 'group1', 'plans', '', 1)">Close this Window</a>
<div id="lessonContent"> </div>
<% <div id="lessonContent">
AbstractLesson lesson = webSession.getCurrentLesson(); <%
if (lesson instanceof RandomLessonAdapter) { AbstractLesson lesson = webSession.getCurrentLesson();
RandomLessonAdapter rla = (RandomLessonAdapter) lesson; if (lesson instanceof RandomLessonAdapter) {
%> RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
<div class="info">Stage <%= rla.getLessonTracker(webSession).getStageNumber(rla.getStage(webSession)) + 1%></div> %>
<% <div class="info">Stage <%= rla.getLessonTracker(webSession).getStageNumber(rla.getStage(webSession)) + 1%></div>
} <%
%> }
<%=webSession.getInstructions()%></div> %>
<div id="message" class="info"><%=webSession.getMessage()%></div> <%=webSession.getInstructions()%></div>
<div id="message" class="info"><%=webSession.getMessage()%></div>
<%
if (currentLesson.getTemplatePage(webSession) != null) { <%
//System.out.println("Main.jsp - current lesson: " + currentLesson.getName() ); if (currentLesson.getTemplatePage(webSession) != null) {
//System.out.println(" - template Page: " + currentLesson.getTemplatePage(webSession)); //System.out.println("Main.jsp - current lesson: " + currentLesson.getName() );
%> //System.out.println(" - template Page: " + currentLesson.getTemplatePage(webSession));
<jsp:include page="<%=currentLesson.getTemplatePage(webSession)%>" /> %>
<% <jsp:include page="<%=currentLesson.getTemplatePage(webSession)%>" />
} else { <%
%> } else {
<div id="lessonContent"><%=currentLesson.getContent()%></div> %>
<% <div id="lessonContent"><%=currentLesson.getContent()%></div>
} <%
%> }
<div id="credits"> %>
<% out.println(currentLesson.getCredits());%> <div id="credits">
</div> <% out.println(currentLesson.getCredits());%>
</div> </div>
</div> </div>
</div>
<div id="bottom">
<div align="center"><a href="http://www.owasp.org">OWASP Foundation</a> | <div id="bottom">
<a href="http://www.owasp.org/index.php/OWASP_WebGoat_Project">Project WebGoat</a> | <div align="center"><a href="http://www.owasp.org">OWASP Foundation</a> |
<a href="reportBug.jsp">Report Bug</a> <a href="http://www.owasp.org/index.php/OWASP_WebGoat_Project">Project WebGoat</a> |
</div> <a href="reportBug.jsp">Report Bug</a>
</div> </div>
</div> </div>
</body> </div>
</html> </body>
</html>
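Review bot: The new `LabelManager labelManager = BeanProvider.getBean("labelManager", LabelManager.class);` at the top of the page has no handling for a failed lookup, so if the bean is not wired the page dies with a NullPointerException only at the first `labelManager.get("SolutionVideos")` call in the lessonAreaTop block, far from the cause; a fail-fast check such as `if (labelManager == null) throw new IllegalStateException("labelManager bean not available");` right after the lookup would give a clear error. The bean name `"labelManager"` is a bare string here; a shared constant on `BeanProvider` or `LabelManager` would prevent a silent typo from breaking this page. This page also renders a per-session language choice (`webSession.getCurrrentLanguage()`), so please confirm that the bean resolved here honours the session's selected language rather than a container-wide default — the hunk does not show how `LabelManager` picks its locale. The label text is emitted unescaped through `<%= labelManager.get(...) %>`, which is acceptable only while the resource bundles stay static, trusted content.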