Add a DB Cross Site Scripting lesson

git-svn-id: http://webgoat.googlecode.com/svn/trunk@173 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/DBCrossSiteScripting.java

@@ -0,0 +1,253 @@
+package org.owasp.webgoat.lessons.DBCrossSiteScripting;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.ecs.ElementContainer;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.EditProfile;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.Login;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.ViewProfile;
+import org.owasp.webgoat.session.ParameterNotFoundException;
+import org.owasp.webgoat.session.UnauthenticatedException;
+import org.owasp.webgoat.session.UnauthorizedException;
+import org.owasp.webgoat.session.ValidationException;
+import org.owasp.webgoat.session.WebSession;
+
+/**
+ /*******************************************************************************
+ * 
+ * 
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ * 
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ * 
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ * 
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ * 
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * 
+ * Getting Source ==============
+ * 
+ * Source for this application is maintained at code.google.com, a repository
+ * for free software projects.
+ * 
+ * For details, please see http://code.google.com/p/webgoat/
+ *
+ */
+public class DBCrossSiteScripting extends GoatHillsFinancial
+{
+    private final static Integer DEFAULT_RANKING = new Integer(100);
+
+    public final static String STAGE1 = "Stage 1";
+    
+    public final static String STAGE2 = "Stage 2";
+    
+    protected void registerActions(String className)
+    {
+	registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
+	registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
+	registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
+	registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
+	registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
+
+	// These actions are special in that they chain to other actions.
+	registerAction(new Login(this, className, LOGIN_ACTION,
+		getAction(LISTSTAFF_ACTION)));
+	registerAction(new Logout(this, className, LOGOUT_ACTION,
+		getAction(LOGIN_ACTION)));
+	registerAction(new FindProfile(this, className, FINDPROFILE_ACTION,
+		getAction(VIEWPROFILE_ACTION)));
+	registerAction(new UpdateProfile(this, className,
+		UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
+	registerAction(new DeleteProfile(this, className,
+		DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
+    }
+
+    /**
+     *  Gets the category attribute of the CrossSiteScripting object
+     *
+     * @return    The category value
+     */
+    public Category getDefaultCategory()
+    {
+	return Category.A4;
+    }
+
+    /**
+     *  Gets the hints attribute of the DirectoryScreen object
+     *
+     * @return    The hints value
+     */
+    protected List<String> getHints(WebSession s)
+    {
+	List<String> hints = new ArrayList<String>();
+
+	// Stage 1
+	hints.add("You can put HTML tags in form input fields.");
+	hints
+		.add("Bury a SCRIPT tag in the field to attack anyone who reads it.");
+	hints
+		.add("Enter this: &lt;script language=\"javascript\" type=\"text/javascript\"&gt;alert(\"Ha Ha Ha\");&lt;/script&gt; in message fields.");
+	hints
+		.add("Enter this: &lt;script&gtalert(\"document.cookie\");&lt;/script&gt; in message fields.");
+
+	// Stage 2
+	hints
+		.add("Many scripts rely on the use of special characters such as: &lt;");
+	hints
+		.add("Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering).");
+	hints
+		.add("Oracle 10 supports a regular expression matching function : REGEXP_LIKE(text, pattern).");
+
+	return hints;
+    }
+
+
+    /**
+     *  Gets the instructions attribute of the ParameterInjection object
+     *
+     * @return    The instructions value
+     */
+    public String getInstructions(WebSession s)
+    {
+	String instructions = "";
+
+	if (!getLessonTracker(s).getCompleted())
+	{
+		String stage = getStage(s);
+		if (STAGE1.equals(stage))
+	    {
+		    instructions = "Execute a Stored Cross Site Scripting (XSS) attack.<br>"
+			    + "For this exercise, your mission is to cause the application to serve a script of your making "
+			    + " to some other user.";
+	    }
+		else if (STAGE2.equals(stage))
+		{
+		    instructions = "Block Stored XSS using Input Validation.<br>"
+			    + "You will modify the stored procedure in the database to perform input validation on the vulnerable input field "
+			    + "you just exploited.";
+		}
+	}
+
+	return instructions;
+
+    }
+
+    @Override
+	public String[] getStages() {
+		return new String[] {STAGE1, STAGE2};
+	}
+
+    public void handleRequest(WebSession s)
+    {
+	if (s.getLessonSession(this) == null)
+	    s.openLessonSession(this);
+
+	String requestedActionName = null;
+	try
+	{
+	    requestedActionName = s.getParser().getStringParameter("action");
+	}
+	catch (ParameterNotFoundException pnfe)
+	{
+	    // Let them eat login page.
+	    requestedActionName = LOGIN_ACTION;
+	}
+
+	if (requestedActionName != null)
+	{
+	    try
+	    {
+		LessonAction action = getAction(requestedActionName);
+
+		if (action != null)
+		{
+		    if (!action.requiresAuthentication()
+			    || action.isAuthenticated(s))
+		    {
+			action.handleRequest(s);
+			//setCurrentAction(s, action.getNextPage(s));
+		    }
+		}
+		else
+		{
+		    setCurrentAction(s, ERROR_ACTION);
+		}
+	    }
+	    catch (ParameterNotFoundException pnfe)
+	    {
+		System.out.println("Missing parameter");
+		pnfe.printStackTrace();
+		setCurrentAction(s, ERROR_ACTION);
+	    }
+	    catch (ValidationException ve)
+	    {
+		System.out.println("Validation failed");
+		ve.printStackTrace();
+		setCurrentAction(s, ERROR_ACTION);
+	    }
+	    catch (UnauthenticatedException ue)
+	    {
+		s.setMessage("Login failed");
+		System.out.println("Authentication failure");
+		ue.printStackTrace();
+	    }
+	    catch (UnauthorizedException ue2)
+	    {
+		s.setMessage("You are not authorized to perform this function");
+		System.out.println("Authorization failure");
+		ue2.printStackTrace();
+	    }
+	    catch (Exception e)
+	    {
+		// All other errors send the user to the generic error page
+		System.out.println("handleRequest() error");
+		e.printStackTrace();
+		setCurrentAction(s, ERROR_ACTION);
+	    }
+	}
+
+	// All this does for this lesson is ensure that a non-null content exists.
+	setContent(new ElementContainer());
+    }
+
+    protected Integer getDefaultRanking()
+    {
+	return DEFAULT_RANKING;
+    }
+
+
+    /**
+     *  Gets the title attribute of the CrossSiteScripting object
+     *
+     * @return    The title value
+     */
+    public String getTitle()
+    {
+	return "LAB: DB Cross Site Scripting (XSS)";
+    }
+
+	@Override
+	protected boolean getDefaultHidden() {
+		return ! getWebgoatContext().getDatabaseDriver().contains("oracle");
+	}
+    
+}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java

@@ -0,0 +1,242 @@
+package org.owasp.webgoat.lessons.DBCrossSiteScripting;
+
+import java.sql.CallableStatement;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
+import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
+import org.owasp.webgoat.session.Employee;
+import org.owasp.webgoat.session.ParameterNotFoundException;
+import org.owasp.webgoat.session.UnauthenticatedException;
+import org.owasp.webgoat.session.UnauthorizedException;
+import org.owasp.webgoat.session.ValidationException;
+import org.owasp.webgoat.session.WebSession;
+
+/*******************************************************************************
+ * 
+ * 
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ * 
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ * 
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ * 
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ * 
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * 
+ * Getting Source ==============
+ * 
+ * Source for this application is maintained at code.google.com, a repository
+ * for free software projects.
+ * 
+ * For details, please see http://code.google.com/p/webgoat/
+ */
+public class UpdateProfile extends DefaultLessonAction
+{
+
+    private LessonAction chainedAction;
+
+
+    public UpdateProfile(GoatHillsFinancial lesson, String lessonName,
+	    String actionName, LessonAction chainedAction)
+    {
+	super(lesson, lessonName, actionName);
+	this.chainedAction = chainedAction;
+    }
+
+
+    public void handleRequest(WebSession s) throws ParameterNotFoundException,
+	    UnauthenticatedException, UnauthorizedException,
+	    ValidationException
+    {
+	if (isAuthenticated(s))
+	{
+	    int userId = getIntSessionAttribute(s, getLessonName() + "."
+			    + RoleBasedAccessControl.USER_ID);
+
+		HttpServletRequest request = s.getRequest();
+		int subjectId = Integer.parseInt(request.getParameter(DBCrossSiteScripting.EMPLOYEE_ID));
+		String firstName = request.getParameter(DBCrossSiteScripting.FIRST_NAME);
+		String lastName = request.getParameter(DBCrossSiteScripting.LAST_NAME);
+		String ssn = request.getParameter(DBCrossSiteScripting.SSN);
+		String title = request.getParameter(DBCrossSiteScripting.TITLE);
+		String phone = request.getParameter(DBCrossSiteScripting.PHONE_NUMBER);
+		String address1 = request.getParameter(DBCrossSiteScripting.ADDRESS1);
+		String address2 = request.getParameter(DBCrossSiteScripting.ADDRESS2);
+		int manager = Integer.parseInt(request
+			.getParameter(DBCrossSiteScripting.MANAGER));
+		String startDate = request.getParameter(DBCrossSiteScripting.START_DATE);
+		int salary = Integer.parseInt(request
+			.getParameter(DBCrossSiteScripting.SALARY));
+		String ccn = request.getParameter(DBCrossSiteScripting.CCN);
+		int ccnLimit = Integer.parseInt(request
+			.getParameter(DBCrossSiteScripting.CCN_LIMIT));
+		String disciplinaryActionDate = request
+			.getParameter(DBCrossSiteScripting.DISCIPLINARY_DATE);
+		String disciplinaryActionNotes = request
+			.getParameter(DBCrossSiteScripting.DISCIPLINARY_NOTES);
+		String personalDescription = request
+			.getParameter(DBCrossSiteScripting.DESCRIPTION);
+
+		Employee employee = new Employee(subjectId, firstName, lastName, ssn,
+			title, phone, address1, address2, manager, startDate, salary,
+			ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
+			personalDescription);
+
+    	try 
+    	{
+	    if (subjectId > 0)
+	    {
+	    		this.changeEmployeeProfile(s, userId, subjectId, employee);
+		setRequestAttribute(s, getLessonName() + "."
+			+ DBCrossSiteScripting.EMPLOYEE_ID, Integer
+			.toString(subjectId));
+			if (DBCrossSiteScripting.STAGE1.equals(getStage(s)))
+			{
+				address1 = address1.toLowerCase();
+				boolean pass = address1.contains("<script>");
+				pass &= address1.contains("alert");
+				pass &= address1.contains("</script>");
+				if (pass)
+				{
+					setStageComplete(s, DBCrossSiteScripting.STAGE1);
+					s.setMessage("Congratulations, you have completed " + DBCrossSiteScripting.STAGE1);
+				}
+			}
+	    }
+	    else
+		this.createEmployeeProfile(s, userId, employee);
+    	}
+    	catch (SQLException e)
+    	{
+			s.setMessage("Error updating employee profile");
+			e.printStackTrace();
+    		if (DBCrossSiteScripting.STAGE2.equals(getStage(s)) && e.getMessage().contains("ORA-06512") &&
+    				!employee.getAddress1().matches("^[a-zA-Z0-9,\\. ]{0,80}$"))
+    		{
+    		    s
+    			    .setMessage("You have successfully completed this lesson");
+    		    setStageComplete(s, DBCrossSiteScripting.STAGE2);
+    		}
+
+    	}
+    	catch (ClassNotFoundException e)
+    	{
+			s.setMessage("Error updating employee profile");
+			e.printStackTrace();
+    	}
+
+	    try
+	    {
+		chainedAction.handleRequest(s);
+	    }
+	    catch (UnauthenticatedException ue1)
+	    {
+		System.out.println("Internal server error");
+		ue1.printStackTrace();
+	    }
+	    catch (UnauthorizedException ue2)
+	    {
+		System.out.println("Internal server error");
+		ue2.printStackTrace();
+	    }
+	}
+	else
+	    throw new UnauthenticatedException();
+    }
+
+    public String getNextPage(WebSession s)
+    {
+	return DBCrossSiteScripting.VIEWPROFILE_ACTION;
+    }
+
+
+    public void changeEmployeeProfile(WebSession s, int userId, int subjectId,
+	    Employee employee) throws SQLException, ClassNotFoundException
+    {
+    	try
+    	{
+		String update = " { CALL UPDATE_EMPLOYEE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) }";
+		CallableStatement call = WebSession.getConnection(s).prepareCall(update);
+	    // Note: The password field is ONLY set by ChangePassword
+		call.setInt(1, userId);
+		call.setString(2, employee.getFirstName());
+		call.setString(3, employee.getLastName());
+		call.setString(4, employee.getSsn());
+		call.setString(5, employee.getTitle());
+		call.setString(6, employee.getPhoneNumber());
+		call.setString(7, employee.getAddress1());
+		call.setString(8, employee.getAddress2());
+		call.setInt(9, employee.getManager());
+		call.setString(10, employee.getStartDate());
+		call.setInt(11, employee.getSalary());
+		call.setString(12, employee.getCcn());
+		call.setInt(13, employee.getCcnLimit());
+		call.setString(14, employee.getDisciplinaryActionDate());
+		call.setString(15, employee.getDisciplinaryActionNotes());
+		call.setString(16, employee.getPersonalDescription());
+		call.executeUpdate();
+    	}
+    	catch (ClassNotFoundException e) 
+    	{
+    		e.printStackTrace();
+    	}
+    }
+
+    public void createEmployeeProfile(WebSession s, int userId,
+	    Employee employee) throws UnauthorizedException
+    {
+	try
+	{
+	    // FIXME: Cannot choose the id because we cannot guarantee uniqueness
+	    String query = "INSERT INTO employee VALUES ( max(userid)+1, '"
+		    + employee.getFirstName() + "','" + employee.getLastName()
+		    + "','" + employee.getSsn() + "','"
+		    + employee.getFirstName().toLowerCase() + "','"
+		    + employee.getTitle() + "','" + employee.getPhoneNumber()
+		    + "','" + employee.getAddress1() + "','"
+		    + employee.getAddress2() + "'," + employee.getManager()
+		    + ",'" + employee.getStartDate() + "',"
+		    + employee.getSalary() + ",'" + employee.getCcn() + "',"
+		    + employee.getCcnLimit() + ",'"
+		    + employee.getDisciplinaryActionDate() + "','"
+		    + employee.getDisciplinaryActionNotes() + "','"
+		    + employee.getPersonalDescription() + "')";
+
+	    //System.out.println("Query:  " + query);
+
+	    try
+	    {
+		Statement statement = WebSession.getConnection(s)
+			.createStatement();
+		statement.executeUpdate(query);
+	    }
+	    catch (SQLException sqle)
+	    {
+		s.setMessage("Error updating employee profile");
+		sqle.printStackTrace();
+	    }
+	}
+	catch (Exception e)
+	{
+	    s.setMessage("Error updating employee profile");
+	    e.printStackTrace();
+	}
+    }
+
+}

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBCrossSiteScripting/UpdateProfile_i.java

@@ -0,0 +1,85 @@
+package org.owasp.webgoat.lessons.instructor.DBCrossSiteScripting;
+
+import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
+import org.owasp.webgoat.lessons.CrossSiteScripting.UpdateProfile;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
+
+/* STAGE 2 FIXES
+Solution Summary (1. or 2.) 
+    1. Modify the UPDATE_EMPLOYEE stored procedure in the database and add
+       a validation step. Oracle 10G now supports regular expressions.
+    2. Apply a column constraint can also work IFF the existing data is clean
+
+Solution Steps: 
+1. Talk about the different database approaches.
+	a. Apply validation in the UPDATE stored proc
+		- Possible to bypass by not using that stored proc
+
+	b. Apply a table column constraint 
+		- Cannot be bypassed. The DB enforces the constraint under all conditions
+
+2. Fix the stored proc
+
+Define the pattern.
+Validate the field against the pattern.
+Raise an exception if invalid.
+
+CREATE OR REPLACE PROCEDURE UPDATE_EMPLOYEE(
+    v_userid IN employee.userid%type, 
+    v_first_name IN employee.first_name%type, 
+    v_last_name IN employee.last_name%type, 
+    v_ssn IN employee.ssn%type, 
+    v_title IN employee.title%type, 
+    v_phone IN employee.phone%type, 
+    v_address1 IN employee.address1%type, 
+    v_address2 IN employee.address2%type, 
+    v_manager IN employee.manager%type, 
+    v_start_date IN employee.start_date%type, 
+    v_salary IN employee.salary%type, 
+    v_ccn IN employee.ccn%type, 
+    v_ccn_limit IN employee.ccn_limit%type, 
+    v_disciplined_date IN employee.disciplined_date%type, 
+    v_disciplined_notes IN employee.disciplined_notes%type, 
+    v_personal_description IN employee.personal_description%type
+)
+AS 
+    P_ADDRESS1 VARCHAR2(32000) := '^[a-zA-Z0-9,\. ]{0,80}$';    // Stage 2 - FIX
+BEGIN
+    IF NOT REGEXP_LIKE(v_address1, P_ADDRESS1) THEN     // Stage 2 - FIX
+        RAISE VALUE_ERROR;                              // Stage 2 - FIX
+    END IF;                                             // Stage 2 - FIX
+    UPDATE EMPLOYEE
+    SET
+        first_name = v_first_name, 
+        last_name = v_last_name, 
+        ssn = v_ssn, 
+        title = v_title, 
+        phone = v_phone, 
+        address1 = v_address1, 
+        address2 = v_address2, 
+        manager = v_manager, 
+        start_date = v_Start_date,
+        salary = v_salary, 
+        ccn = v_ccn, 
+        ccn_limit = v_ccn_limit, 
+        disciplined_date = v_disciplined_date, 
+        disciplined_notes = v_disciplined_notes, 
+        personal_description = v_personal_description
+    WHERE
+        userid = v_userid;
+END;
+/
+
+3. Apply a table column constraint
+   	ALTER TABLE EMPLOYEE
+		ADD CONSTRAINT address1_ck CHECK (REGEXP_LIKE(address1, '^[a-zA-Z0-9,\. ]{0,80}$'));
+*/
+
+public class UpdateProfile_i extends UpdateProfile
+{
+	public UpdateProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
+	{
+		super(lesson, lessonName, actionName, chainedAction);
+	}
+
+}

webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.css

@@ -0,0 +1,14 @@
+#lesson_wrapper {height: 435px;width: 500px;}
+#lesson_header {background-image: url(lessons/CrossSiteScripting/images/lesson1_header.jpg);width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}
+.lesson_workspace {background-image: url(lessons/CrossSiteScripting/images/lesson1_workspace.jpg);width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}
+.lesson_text {height: 240px;width: 460px;padding-top: 5px;}
+#lesson_buttons_bottom {height: 20px;width: 460px;}
+#lesson_b_b_left {width: 300px;float: left;}
+#lesson_b_b_right input {width: 100px;float: right;}
+.lesson_title_box {height: 20px;width: 420px;padding-left: 30px;}
+.lesson_workspace { }
+.lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;}
+.lesson_text_db {color: #0066FF}
+#lesson_login {background-image: url(lessons/CrossSiteScripting/images/lesson1_loginWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}
+#lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: 12px;text-align: center;}
+#lesson_search {background-image: url(lessons/DBCrossSiteScripting/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}

webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.jsp

@@ -0,0 +1,26 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" 
+	errorPage="" %>
+<style>
+<jsp:include page="DBCrossSiteScripting.css" />
+</style>
+<%
+WebSession webSession = ((WebSession)session.getAttribute("websession"));
+DBCrossSiteScripting currentLesson = (DBCrossSiteScripting) webSession.getCurrentLesson();
+%>
+<div id="lesson_wrapper">
+	<div id="lesson_header"></div>
+	<div class="lesson_workspace">
+	<%
+	String subViewPage = currentLesson.getPage(webSession);
+	if (subViewPage != null)
+	{
+		//System.out.println("Including sub view page: " + subViewPage);
+	%>
+	<jsp:include page="<%=subViewPage%>" />
+	<%
+	}
+	%>
+
+	</div>
+</div>

webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/EditProfile.jsp

@@ -0,0 +1,134 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" 
+	errorPage="" %>
+<%
+	WebSession webSession = ((WebSession)session.getAttribute("websession"));
+	Employee employee = (Employee) session.getAttribute("DBCrossSiteScripting.Employee");
+%>
+		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
+		<div class="lesson_text">
+			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
+				<Table>
+				<TR><TD>
+						First Name:
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=DBCrossSiteScripting.FIRST_NAME%>" type="text" value="<%=employee.getFirstName()%>"/>
+					</TD>
+					<TD>				
+						Last Name:
+					</TD>
+					<TD>
+					 	<input class="lesson_text_db" name="<%=DBCrossSiteScripting.LAST_NAME%>" type="text" value="<%=employee.getLastName()%>"/>
+					</TD>
+				</TR>
+				<TR><TD>				
+						Street: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=DBCrossSiteScripting.ADDRESS1%>" type="text" value="<%=employee.getAddress1()%>"/>
+					</TD>
+					<TD>				
+						City/State: 
+					<TD>
+						<input class="lesson_text_db" name="<%=DBCrossSiteScripting.ADDRESS2%>" type="text" value="<%=employee.getAddress2()%>"/>
+					</TD>
+				</TR>
+				<TR><TD>
+						Phone: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=DBCrossSiteScripting.PHONE_NUMBER%>" type="text" value="<%=employee.getPhoneNumber()%>"/>
+					</TD>
+					<TD>				
+						Start Date: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=DBCrossSiteScripting.START_DATE%>" type="text" value="<%=employee.getStartDate()%>"/>
+					</TD>
+				</TR>
+				<TR><TD>
+			    		SSN: 
+			    	</TD>
+			    	<TD>
+			    		<input class="lesson_text_db" name="<%=DBCrossSiteScripting.SSN%>" type="text" value="<%=employee.getSsn()%>"/> 
+					</TD>
+					<TD>				
+						Salary: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=DBCrossSiteScripting.SALARY%>" type="text" value="<%=employee.getSalary()%>"/>
+					</TD>
+				</TR>
+				<TR><TD>
+						Credit Card: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=DBCrossSiteScripting.CCN%>" type="text" value="<%=employee.getCcn()%>"/>
+					</TD>
+					<TD>				
+						Credit Card Limit: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=DBCrossSiteScripting.CCN_LIMIT%>" type="text" value="<%=employee.getCcnLimit()%>"/>
+					</TD>
+				</TR>
+				<TR><TD>
+						Comments: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=DBCrossSiteScripting.DESCRIPTION%>" type="text" value="<%=employee.getPersonalDescription()%>"/>
+					</TD>
+					<TD>				
+						Manager: 
+					</TD>
+					<TD>
+						<select class="lesson_text_db" name="<%=DBCrossSiteScripting.MANAGER%>">
+						<%
+				      	List employees = (List) session.getAttribute("DBCrossSiteScripting.Staff");
+				      	Iterator i = employees.iterator();
+						while (i.hasNext())
+						{
+							EmployeeStub stub = (EmployeeStub) i.next();
+								%>
+								<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()%></option>
+						<%}%>
+						</select>
+					</TD>	
+				</TR>
+				<TR><TD>
+						Disciplinary Explanation: 
+					</TD>
+					<TD>
+						<textarea name="<%=DBCrossSiteScripting.DISCIPLINARY_NOTES%>" cols="16" rows="3" class="lesson_text_db" ><%=employee.getDisciplinaryActionNotes()%></textarea>
+					</TD>
+					<TD>				
+						Disciplinary Action Dates: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=DBCrossSiteScripting.DISCIPLINARY_DATE%>" type="text" value="<%=employee.getDisciplinaryActionDate()%>"/>
+					</TD>
+				</TR>
+				</Table>
+				<BR>
+				<div class="lesson_buttons_bottom">
+				<table width="460" height="20" border="0" cellpadding="0" cellspacing="0">
+               		<tr>
+                     		<td width="57">
+							<input type="submit" name="action" value="<%=DBCrossSiteScripting.VIEWPROFILE_ACTION%>"/>
+				  		</td>
+				  		
+                       	<td width="81">
+ 							<input name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" type="hidden" value="<%=employee.getId()%>">
+							<input name="<%=DBCrossSiteScripting.TITLE%>" type="hidden" value="<%=employee.getTitle()%>">
+							<input type="submit" name="action" value="<%=DBCrossSiteScripting.UPDATEPROFILE_ACTION%>"/>
+						</td>
+                        	<td width="211"></td>
+                        	<td width="83">
+	 						<input type="submit" name="action" value="<%=DBCrossSiteScripting.LOGOUT_ACTION%>"/>
+						</td>
+                 	</tr>
+              	</table>
+              	</div>
+			</form>
+		</div>

webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ListStaff.jsp

@@ -0,0 +1,54 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" 
+	errorPage="" %>
+<%
+	WebSession webSession = ((WebSession)session.getAttribute("websession"));
+	int myUserId = webSession.getUserIdInLesson();
+%>
+	<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Staff Listing Page</div>
+		<br>
+		<br>
+		<br>
+		<p>Select from the list below	</p>
+		<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
+  <table width="60%" border="0" cellpadding="3">
+    <tr>
+      <td>  <label>
+  <select name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" size="11">
+			      	<%
+			      	List employees = (List) session.getAttribute("DBCrossSiteScripting." + DBCrossSiteScripting.STAFF_ATTRIBUTE_KEY);
+			      	Iterator i = employees.iterator();
+					while (i.hasNext())
+					{
+						EmployeeStub stub = (EmployeeStub) i.next();%>
+						<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
+					}%>
+  </select>
+  </label></td>
+      <td>
+	        	<input type="submit" name="action" value="<%=DBCrossSiteScripting.SEARCHSTAFF_ACTION%>"/><br>
+	        	<input type="submit" name="action" value="<%=DBCrossSiteScripting.VIEWPROFILE_ACTION%>"/><br>
+            		<% 
+				if (webSession.isAuthorizedInLesson(myUserId, DBCrossSiteScripting.CREATEPROFILE_ACTION))
+				{
+				%>
+					<input type="submit" name="action" value="<%=DBCrossSiteScripting.CREATEPROFILE_ACTION%>"/><br>
+				<% 
+				}
+				%>
+            		<% 
+				if (webSession.isAuthorizedInLesson(myUserId, DBCrossSiteScripting.DELETEPROFILE_ACTION))
+				{
+				%>
+					<input type="submit" name="action" value="<%=DBCrossSiteScripting.DELETEPROFILE_ACTION%>"/><br>
+				<% 
+				}
+				%>
+			<br>
+					<input type="submit" name="action" value="<%=DBCrossSiteScripting.LOGOUT_ACTION%>"/>
+	  </td>
+    </tr>
+  </table>
+
+		</form>
+		

webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/Login.jsp

@@ -0,0 +1,37 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" 
+	errorPage="" %>
+	<div id="lesson_login">
+		<div id="lesson_login_txt">
+			<% 
+			WebSession webSession = ((WebSession)session.getAttribute("websession"));
+			%>
+			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
+			    	<label>
+			      	<select name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>">
+			      	<%
+			      	Vector attrs = new Vector();
+			      	Enumeration ee = session.getAttributeNames();
+			      	while (ee.hasMoreElements())
+			      		attrs.add(ee.nextElement());
+			      	//System.out.println("Login.jsp inspecting session attributes: " + attrs);
+			      	//System.out.println("Retrieving employees list");
+			      	List employees = (List) session.getAttribute("DBCrossSiteScripting." + DBCrossSiteScripting.STAFF_ATTRIBUTE_KEY);
+			      	Iterator i = employees.iterator();
+					while (i.hasNext())
+					{
+						EmployeeStub stub = (EmployeeStub) i.next();
+					%>
+			      	<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName() + " (" + stub.getRole() + ")"%></option>
+					<%}%>
+	                </select>
+		        </label>
+				<br>
+			    	<label>Password
+			    		<input name="password" type="password" size="10" maxlength="8" />
+			    </label>
+				<br>
+				<input type="submit" name="action" value="<%=DBCrossSiteScripting.LOGIN_ACTION%>"/>
+			</form>
+		</div>
+	</div>

webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/SearchStaff.jsp

@@ -0,0 +1,22 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" 
+	errorPage="" %>
+	<div id="lesson_search">
+			<% 
+			WebSession webSession = ((WebSession)session.getAttribute("websession"));
+			String searchedName = request.getParameter(DBCrossSiteScripting.SEARCHNAME);
+			if (searchedName != null)
+			{
+			%>
+				Employee <%=searchedName%> not found.
+			<%
+			}
+			%>
+			<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
+			    	<label>Name
+					<input class="lesson_text_db" type="text" name="<%=DBCrossSiteScripting.SEARCHNAME%>"/>
+		        </label>
+				<br>
+				<input type="submit" name="action" value="<%=DBCrossSiteScripting.FINDPROFILE_ACTION%>"/>
+			</form>
+	</div>

webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ViewProfile.jsp

@@ -0,0 +1,153 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" errorPage="" %>
+<%
+WebSession webSession = ((WebSession)session.getAttribute("websession"));
+	Employee employee = (Employee) session.getAttribute("DBCrossSiteScripting." + DBCrossSiteScripting.EMPLOYEE_ATTRIBUTE_KEY);
+	DBCrossSiteScripting lesson = (DBCrossSiteScripting) webSession.getCurrentLesson();
+//	int myUserId = getIntSessionAttribute(webSession, "DBCrossSiteScripting." + DBCrossSiteScripting.USER_ID);
+%>
+		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
+		<div class="lesson_text">
+				<Table>
+				<TR><TD>
+						First Name:
+					</TD>
+					<TD>
+						<%=employee.getFirstName()%>
+					</TD>
+					<TD>				
+						Last Name:
+					</TD>
+					<TD>
+					 	<%=employee.getLastName()%>
+					</TD>
+				</TR>
+				<TR><TD>				
+						Street: 
+					</TD>
+					<TD>
+						<%=employee.getAddress1()%>
+					</TD>
+					<TD>				
+						City/State: 
+					<TD>
+						<%=employee.getAddress2()%>
+					</TD>
+				</TR>
+				<TR><TD>
+						Phone: 
+					</TD>
+					<TD>
+						<%=employee.getPhoneNumber()%>
+					</TD>
+					<TD>				
+						Start Date: 
+					</TD>
+					<TD>
+						<%=employee.getStartDate()%>
+					</TD>
+				</TR>
+				<TR><TD>
+			    		SSN: 
+			    	</TD>
+			    	<TD>
+			    		<%=employee.getSsn()%>
+					</TD>
+					<TD>				
+						Salary: 
+					</TD>
+					<TD>
+						<%=employee.getSalary()%>
+					</TD>
+				</TR>
+				<TR><TD>
+						Credit Card: 
+					</TD>
+					<TD>
+						<%=employee.getCcn()%>
+					</TD>
+					<TD>				
+						Credit Card Limit: 
+					</TD>
+					<TD>
+						<%=employee.getCcnLimit()%>
+					</TD>
+				</TR>
+				<TR><TD>
+						Comments: 
+					</TD>
+					<TD>
+						<%=employee.getPersonalDescription()%>
+					</TD>
+					<TD>				
+						Manager: 
+					</TD>
+					<TD>
+						<%=employee.getManager()%>
+					</TD>	
+				</TR>
+				<TR><TD>
+						Disciplinary Explanation: 
+					</TD>
+					<TD>
+						<%=employee.getDisciplinaryActionNotes()%>
+					</TD>
+					<TD>				
+						Disciplinary Action Dates: 
+					</TD>
+					<TD>
+						<%=employee.getDisciplinaryActionDate()%>
+					</TD>
+				</TR>
+				</Table>
+		</div>
+		<div class="lesson_buttons_bottom">
+		    <table width="460" height="20" border="0" cellpadding="0" cellspacing="0">
+                 <tr>
+                 	<td width="50">
+					<%					
+					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.LISTSTAFF_ACTION))
+					{
+					%>
+						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
+							<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
+							<input type="submit" name="action" value="<%=DBCrossSiteScripting.LISTSTAFF_ACTION%>"/>
+						</form></td>
+					<% 
+					}
+					%>			
+		             <td width="50">
+					<%					
+					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.EDITPROFILE_ACTION))
+					{
+					%>
+						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
+							<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
+							<input type="submit" name="action" value="<%=DBCrossSiteScripting.EDITPROFILE_ACTION%>"/>
+						</form>
+					<% 
+					}
+					%>			
+					</td>
+                    <td width="60">
+					<%
+					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.DELETEPROFILE_ACTION))
+					{
+					%>
+						<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
+							<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
+							<input type="submit" name="action" value="<%=DBCrossSiteScripting.DELETEPROFILE_ACTION%>"/>
+						</form>
+					<% 
+					}
+					%>
+					</td>
+                      <td width="190">&nbsp;</td>
+                      <td width="76">
+						<form method="POST">
+							<input type="submit" name="action" value="<%=DBCrossSiteScripting.LOGOUT_ACTION%>"/>
+						</form>
+					</td>
+				</tr>
+         	</table>
+		</div>

webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/error.jsp

@@ -0,0 +1,3 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	errorPage="" %>
+<br><br><br>An error has occurred.