diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/DBCrossSiteScripting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/DBCrossSiteScripting.java
new file mode 100755
index 000000000..fbdd92a9f
--- /dev/null
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/DBCrossSiteScripting.java
@@ -0,0 +1,253 @@
+package org.owasp.webgoat.lessons.DBCrossSiteScripting;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.ecs.ElementContainer;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.EditProfile;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.Login;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.ViewProfile;
+import org.owasp.webgoat.session.ParameterNotFoundException;
+import org.owasp.webgoat.session.UnauthenticatedException;
+import org.owasp.webgoat.session.UnauthorizedException;
+import org.owasp.webgoat.session.ValidationException;
+import org.owasp.webgoat.session.WebSession;
+
+/**
+ /*******************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository
+ * for free software projects.
+ *
+ * For details, please see http://code.google.com/p/webgoat/
+ *
+ */
+public class DBCrossSiteScripting extends GoatHillsFinancial
+{
+ private final static Integer DEFAULT_RANKING = new Integer(100);
+
+ public final static String STAGE1 = "Stage 1";
+
+ public final static String STAGE2 = "Stage 2";
+
+ protected void registerActions(String className)
+ {
+ registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
+ registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
+ registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
+ registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
+ registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
+
+ // These actions are special in that they chain to other actions.
+ registerAction(new Login(this, className, LOGIN_ACTION,
+ getAction(LISTSTAFF_ACTION)));
+ registerAction(new Logout(this, className, LOGOUT_ACTION,
+ getAction(LOGIN_ACTION)));
+ registerAction(new FindProfile(this, className, FINDPROFILE_ACTION,
+ getAction(VIEWPROFILE_ACTION)));
+ registerAction(new UpdateProfile(this, className,
+ UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
+ registerAction(new DeleteProfile(this, className,
+ DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
+ }
+
+ /**
+ * Gets the category attribute of the CrossSiteScripting object
+ *
+ * @return The category value
+ */
+ public Category getDefaultCategory()
+ {
+ return Category.A4;
+ }
+
+ /**
+ * Gets the hints attribute of the DirectoryScreen object
+ *
+ * @return The hints value
+ */
+ protected List getHints(WebSession s)
+ {
+ List hints = new ArrayList();
+
+ // Stage 1
+ hints.add("You can put HTML tags in form input fields.");
+ hints
+ .add("Bury a SCRIPT tag in the field to attack anyone who reads it.");
+ hints
+ .add("Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in message fields.");
+ hints
+ .add("Enter this: <script>alert(\"document.cookie\");</script> in message fields.");
+
+ // Stage 2
+ hints
+ .add("Many scripts rely on the use of special characters such as: <");
+ hints
+ .add("Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering).");
+ hints
+ .add("Oracle 10 supports a regular expression matching function : REGEXP_LIKE(text, pattern).");
+
+ return hints;
+ }
+
+
+ /**
+ * Gets the instructions attribute of the ParameterInjection object
+ *
+ * @return The instructions value
+ */
+ public String getInstructions(WebSession s)
+ {
+ String instructions = "";
+
+ if (!getLessonTracker(s).getCompleted())
+ {
+ String stage = getStage(s);
+ if (STAGE1.equals(stage))
+ {
+ instructions = "Execute a Stored Cross Site Scripting 
(XSS) attack.
" + + "For this exercise, your mission is to cause the application to serve a script of your making " + + " to some other user."; + } + else if (STAGE2.equals(stage)) + { + instructions = "Block Stored XSS using Input Validation.
" + + "You will modify the stored procedure in the database to perform input validation on the vulnerable input field " + + "you just exploited."; + } + } + + return instructions; + + } + + @Override + public String[] getStages() { + return new String[] {STAGE1, STAGE2}; + } + + public void handleRequest(WebSession s) + { + if (s.getLessonSession(this) == null) + s.openLessonSession(this); + + String requestedActionName = null; + try + { + requestedActionName = s.getParser().getStringParameter("action"); + } + catch (ParameterNotFoundException pnfe) + { + // Let them eat login page. + requestedActionName = LOGIN_ACTION; + } + + if (requestedActionName != null) + { + try + { + LessonAction action = getAction(requestedActionName); + + if (action != null) + { + if (!action.requiresAuthentication() + || action.isAuthenticated(s)) + { + action.handleRequest(s); + //setCurrentAction(s, action.getNextPage(s)); + } + } + else + { + setCurrentAction(s, ERROR_ACTION); + } + } + catch (ParameterNotFoundException pnfe) + { + System.out.println("Missing parameter"); + pnfe.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } + catch (ValidationException ve) + { + System.out.println("Validation failed"); + ve.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } + catch (UnauthenticatedException ue) + { + s.setMessage("Login failed"); + System.out.println("Authentication failure"); + ue.printStackTrace(); + } + catch (UnauthorizedException ue2) + { + s.setMessage("You are not authorized to perform this function"); + System.out.println("Authorization failure"); + ue2.printStackTrace(); + } + catch (Exception e) + { + // All other errors send the user to the generic error page + System.out.println("handleRequest() error"); + e.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } + } + + // All this does for this lesson is ensure that a non-null content exists. 
+ setContent(new ElementContainer()); + } + + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + + /** + * Gets the title attribute of the CrossSiteScripting object + * + * @return The title value + */ + public String getTitle() + { + return "LAB: DB Cross Site Scripting (XSS)"; + } + + @Override + protected boolean getDefaultHidden() { + return ! getWebgoatContext().getDatabaseDriver().contains("oracle"); + } + +} diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java new file mode 100755 index 000000000..bcbee54b5 --- /dev/null +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java 
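Review bot: `getDefaultHidden` dereferences `getWebgoatContext().getDatabaseDriver()` with no null check, so if the context can be configured without a driver the lesson throws a NullPointerException at startup instead of simply being hidden; a guard such as `String driver = getWebgoatContext().getDatabaseDriver(); return driver == null || !driver.contains("oracle");` keeps the Oracle-only intent and fails closed. The Javadoc on `getDefaultCategory`, `getHints` and `getInstructions` was carried over from other lessons (it names the "CrossSiteScripting", "DirectoryScreen" and "ParameterInjection" objects) and should name this class. `getHints` returns a raw `List`; `List<String>` states the contract the callers already rely on. `handleRequest` reports every failure through `System.out.println` and `printStackTrace`, which matches the sibling lessons but loses the action name; including `requestedActionName` in the messages would make the stdout noise diagnosable.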
@@ -0,0 +1,242 @@
+package org.owasp.webgoat.lessons.DBCrossSiteScripting;
+
+import java.sql.CallableStatement;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
+import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
+import org.owasp.webgoat.session.Employee;
+import org.owasp.webgoat.session.ParameterNotFoundException;
+import org.owasp.webgoat.session.UnauthenticatedException;
+import org.owasp.webgoat.session.UnauthorizedException;
+import org.owasp.webgoat.session.ValidationException;
+import org.owasp.webgoat.session.WebSession;
+
+/*******************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository
+ * for free software projects.
+ * + * For details, please see http://code.google.com/p/webgoat/ + */ +public class UpdateProfile extends DefaultLessonAction +{ + + private LessonAction chainedAction; + + + public UpdateProfile(GoatHillsFinancial lesson, String lessonName, + String actionName, LessonAction chainedAction) + { + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; + } + + + public void handleRequest(WebSession s) throws ParameterNotFoundException, + UnauthenticatedException, UnauthorizedException, + ValidationException + { + if (isAuthenticated(s)) + { + int userId = getIntSessionAttribute(s, getLessonName() + "." + + RoleBasedAccessControl.USER_ID); + + HttpServletRequest request = s.getRequest(); + int subjectId = Integer.parseInt(request.getParameter(DBCrossSiteScripting.EMPLOYEE_ID)); + String firstName = request.getParameter(DBCrossSiteScripting.FIRST_NAME); + String lastName = request.getParameter(DBCrossSiteScripting.LAST_NAME); + String ssn = request.getParameter(DBCrossSiteScripting.SSN); + String title = request.getParameter(DBCrossSiteScripting.TITLE); + String phone = request.getParameter(DBCrossSiteScripting.PHONE_NUMBER); + String address1 = request.getParameter(DBCrossSiteScripting.ADDRESS1); + String address2 = request.getParameter(DBCrossSiteScripting.ADDRESS2); + int manager = Integer.parseInt(request + .getParameter(DBCrossSiteScripting.MANAGER)); + String startDate = request.getParameter(DBCrossSiteScripting.START_DATE); + int salary = Integer.parseInt(request + .getParameter(DBCrossSiteScripting.SALARY)); + String ccn = request.getParameter(DBCrossSiteScripting.CCN); + int ccnLimit = Integer.parseInt(request + .getParameter(DBCrossSiteScripting.CCN_LIMIT)); + String disciplinaryActionDate = request + .getParameter(DBCrossSiteScripting.DISCIPLINARY_DATE); + String disciplinaryActionNotes = request + .getParameter(DBCrossSiteScripting.DISCIPLINARY_NOTES); + String personalDescription = request + 
.getParameter(DBCrossSiteScripting.DESCRIPTION); + + Employee employee = new Employee(subjectId, firstName, lastName, ssn, + title, phone, address1, address2, manager, startDate, salary, + ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes, + personalDescription); + + try + { + if (subjectId > 0) + { + this.changeEmployeeProfile(s, userId, subjectId, employee); + setRequestAttribute(s, getLessonName() + "." + + DBCrossSiteScripting.EMPLOYEE_ID, Integer + .toString(subjectId)); + if (DBCrossSiteScripting.STAGE1.equals(getStage(s))) + { + address1 = address1.toLowerCase(); + boolean pass = address1.contains(""); + if (pass) + { + setStageComplete(s, DBCrossSiteScripting.STAGE1); + s.setMessage("Congratulations, you have completed " + DBCrossSiteScripting.STAGE1); + } + } + } + else + this.createEmployeeProfile(s, userId, employee); + } + catch (SQLException e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + if (DBCrossSiteScripting.STAGE2.equals(getStage(s)) && e.getMessage().contains("ORA-06512") && + !employee.getAddress1().matches("^[a-zA-Z0-9,\\. 
]{0,80}$")) + { + s + .setMessage("You have successfully completed this lesson"); + setStageComplete(s, DBCrossSiteScripting.STAGE2); + } + + } + catch (ClassNotFoundException e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + } + + try + { + chainedAction.handleRequest(s); + } + catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } + catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); + } + } + else + throw new UnauthenticatedException(); + } + + public String getNextPage(WebSession s) + { + return DBCrossSiteScripting.VIEWPROFILE_ACTION; + } + + + public void changeEmployeeProfile(WebSession s, int userId, int subjectId, + Employee employee) throws SQLException, ClassNotFoundException + { + try + { + String update = " { CALL UPDATE_EMPLOYEE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) }"; + CallableStatement call = WebSession.getConnection(s).prepareCall(update); + // Note: The password field is ONLY set by ChangePassword + call.setInt(1, userId); + call.setString(2, employee.getFirstName()); + call.setString(3, employee.getLastName()); + call.setString(4, employee.getSsn()); + call.setString(5, employee.getTitle()); + call.setString(6, employee.getPhoneNumber()); + call.setString(7, employee.getAddress1()); + call.setString(8, employee.getAddress2()); + call.setInt(9, employee.getManager()); + call.setString(10, employee.getStartDate()); + call.setInt(11, employee.getSalary()); + call.setString(12, employee.getCcn()); + call.setInt(13, employee.getCcnLimit()); + call.setString(14, employee.getDisciplinaryActionDate()); + call.setString(15, employee.getDisciplinaryActionNotes()); + call.setString(16, employee.getPersonalDescription()); + call.executeUpdate(); + } + catch (ClassNotFoundException e) + { + e.printStackTrace(); + } + } + + public void createEmployeeProfile(WebSession s, int userId, + Employee employee) throws 
UnauthorizedException + { + try + { + // FIXME: Cannot choose the id because we cannot guarantee uniqueness + String query = "INSERT INTO employee VALUES ( max(userid)+1, '" + + employee.getFirstName() + "','" + employee.getLastName() + + "','" + employee.getSsn() + "','" + + employee.getFirstName().toLowerCase() + "','" + + employee.getTitle() + "','" + employee.getPhoneNumber() + + "','" + employee.getAddress1() + "','" + + employee.getAddress2() + "'," + employee.getManager() + + ",'" + employee.getStartDate() + "'," + + employee.getSalary() + ",'" + employee.getCcn() + "'," + + employee.getCcnLimit() + ",'" + + employee.getDisciplinaryActionDate() + "','" + + employee.getDisciplinaryActionNotes() + "','" + + employee.getPersonalDescription() + "')"; + + //System.out.println("Query: " + query); + + try + { + Statement statement = WebSession.getConnection(s) + .createStatement(); + statement.executeUpdate(query); + } + catch (SQLException sqle) + { + s.setMessage("Error updating employee profile"); + sqle.printStackTrace(); + } + } + catch (Exception e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + } + } + +} diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBCrossSiteScripting/UpdateProfile_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBCrossSiteScripting/UpdateProfile_i.java new file mode 100755 index 000000000..216995641 --- /dev/null +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBCrossSiteScripting/UpdateProfile_i.java 
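Review bot: `changeEmployeeProfile` never closes the `CallableStatement` it prepares, so every profile update leaks a statement handle on the shared connection; release it in a `finally` block (`finally { if (call != null) call.close(); }`), or with try-with-resources if the project's Java level allows it. `createEmployeeProfile` concatenates every request field straight into an `INSERT` string executed through a plain `Statement`, so the create path is an injection sink and also sidesteps the `UPDATE_EMPLOYEE` stored procedure whose validation stage 2 teaches; binding the values with `?` placeholders via `prepareStatement` keeps the two write paths consistent. The stage-1 check `boolean pass = address1.contains("");` is always true, so the stage is marked complete on any successful update regardless of what was stored; if the expected substring was lost in transit it should be restored, otherwise the check is a no-op. `changeEmployeeProfile` declares `throws ClassNotFoundException` yet catches and swallows it internally, leaving the `catch (ClassNotFoundException e)` in `handleRequest` unreachable in practice; either propagate it or drop the declaration.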
@@ -0,0 +1,85 @@
+package org.owasp.webgoat.lessons.instructor.DBCrossSiteScripting;
+
+import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
+import org.owasp.webgoat.lessons.CrossSiteScripting.UpdateProfile;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
+
+/* STAGE 2 FIXES
+Solution Summary (1. or 2.)
+ 1. Modify the UPDATE_EMPLOYEE stored procedure in the database and add
+ a validation step. Oracle 10G now supports regular expressions.
+ 2. Apply a column constraint can also work IFF the existing data is clean
+
+Solution Steps:
+1. Talk about the different database approaches.
+ a. Apply validation in the UPDATE stored proc
+ - Possible to bypass by not using that stored proc
+
+ b. Apply a table column constraint
+ - Cannot be bypassed. The DB enforces the constraint under all conditions
+
+2. Fix the stored proc
+
+Define the pattern.
+Validate the field against the pattern.
+Raise an exception if invalid.
+
+CREATE OR REPLACE PROCEDURE UPDATE_EMPLOYEE(
+ v_userid IN employee.userid%type,
+ v_first_name IN employee.first_name%type,
+ v_last_name IN employee.last_name%type,
+ v_ssn IN employee.ssn%type,
+ v_title IN employee.title%type,
+ v_phone IN employee.phone%type,
+ v_address1 IN employee.address1%type,
+ v_address2 IN employee.address2%type,
+ v_manager IN employee.manager%type,
+ v_start_date IN employee.start_date%type,
+ v_salary IN employee.salary%type,
+ v_ccn IN employee.ccn%type,
+ v_ccn_limit IN employee.ccn_limit%type,
+ v_disciplined_date IN employee.disciplined_date%type,
+ v_disciplined_notes IN employee.disciplined_notes%type,
+ v_personal_description IN employee.personal_description%type
+)
+AS
+ P_ADDRESS1 VARCHAR2(32000) := '^[a-zA-Z0-9,\. 
]{0,80}$'; // Stage 2 - FIX +BEGIN + IF NOT REGEXP_LIKE(v_address1, P_ADDRESS1) THEN // Stage 2 - FIX + RAISE VALUE_ERROR; // Stage 2 - FIX + END IF; // Stage 2 - FIX + UPDATE EMPLOYEE + SET + first_name = v_first_name, + last_name = v_last_name, + ssn = v_ssn, + title = v_title, + phone = v_phone, + address1 = v_address1, + address2 = v_address2, + manager = v_manager, + start_date = v_Start_date, + salary = v_salary, + ccn = v_ccn, + ccn_limit = v_ccn_limit, + disciplined_date = v_disciplined_date, + disciplined_notes = v_disciplined_notes, + personal_description = v_personal_description + WHERE + userid = v_userid; +END; +/ + +3. Apply a table column constraint + ALTER TABLE EMPLOYEE + ADD CONSTRAINT address1_ck CHECK (REGEXP_LIKE(address1, '^[a-zA-Z0-9,\. ]{0,80}$')); +*/ + +public class UpdateProfile_i extends UpdateProfile +{ + public UpdateProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) + { + super(lesson, lessonName, actionName, chainedAction); + } + +} diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.css b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.css new file mode 100755 index 000000000..8ffcd6a7e --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.css 
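Review bot: The instructor class imports `org.owasp.webgoat.lessons.CrossSiteScripting.UpdateProfile` although its package is `lessons.instructor.DBCrossSiteScripting` and this commit adds the lesson's own `org.owasp.webgoat.lessons.DBCrossSiteScripting.UpdateProfile`; unless the cross-lesson base is intended, the import should read `import org.owasp.webgoat.lessons.DBCrossSiteScripting.UpdateProfile;`, otherwise the instructor variant inherits the other lesson's stage logic and never completes stage 2 here. In the PL/SQL solution in the header comment, the `// Stage 2 - FIX` markers use a delimiter PL/SQL does not treat as a comment, so the block fails to compile if pasted as written; use `-- Stage 2 - FIX`. The pattern assigned to `P_ADDRESS1` has to stay identical to the regex `UpdateProfile.handleRequest` applies when it sees the `ORA-06512` error, or the stage is not recognised as complete; a comment next to the pattern pointing at that Java check would keep the two in sync.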
@@ -0,0 +1,14 @@ +#lesson_wrapper {height: 435px;width: 500px;} +#lesson_header {background-image: url(lessons/CrossSiteScripting/images/lesson1_header.jpg);width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;} +.lesson_workspace {background-image: url(lessons/CrossSiteScripting/images/lesson1_workspace.jpg);width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;} +.lesson_text {height: 240px;width: 460px;padding-top: 5px;} +#lesson_buttons_bottom {height: 20px;width: 460px;} +#lesson_b_b_left {width: 300px;float: left;} +#lesson_b_b_right input {width: 100px;float: right;} +.lesson_title_box {height: 20px;width: 420px;padding-left: 30px;} +.lesson_workspace { } +.lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;} +.lesson_text_db {color: #0066FF} +#lesson_login {background-image: url(lessons/CrossSiteScripting/images/lesson1_loginWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;} +#lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: 12px;text-align: center;} +#lesson_search {background-image: url(lessons/DBCrossSiteScripting/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;} diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.jsp b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.jsp new file mode 100755 index 000000000..7d6ec61e0 --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.jsp 
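Review bot: `#lesson_header`, `.lesson_workspace` and `#lesson_login` reference images under `lessons/CrossSiteScripting/images/`, while only `#lesson_search` uses the `lessons/DBCrossSiteScripting/images/` directory this commit adds; the new `lesson1_header.jpg`, `lesson1_workspace.jpg` and `lesson1_loginWindow.jpg` copies are therefore unused and the lesson's layout breaks if the other lesson's assets change. Point all four rules at `lessons/DBCrossSiteScripting/images/` or drop the duplicate images. `.lesson_workspace` is also declared twice, the second time as an empty rule that can be removed.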
@@ -0,0 +1,26 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" + errorPage="" %> + +<% +WebSession webSession = ((WebSession)session.getAttribute("websession")); +DBCrossSiteScripting currentLesson = (DBCrossSiteScripting) webSession.getCurrentLesson(); +%> +
+
+
+ <% + String subViewPage = currentLesson.getPage(webSession); + if (subViewPage != null) + { + //System.out.println("Including sub view page: " + subViewPage); + %> + + <% + } + %> + +
+
\ No newline at end of file diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/EditProfile.jsp b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/EditProfile.jsp new file mode 100755 index 000000000..b4f869d3e --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/EditProfile.jsp @@ -0,0 +1,134 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" + errorPage="" %> +<% + WebSession webSession = ((WebSession)session.getAttribute("websession")); + Employee employee = (Employee) session.getAttribute("DBCrossSiteScripting.Employee"); +%> +
Welcome Back <%=webSession.getUserNameInLesson()%>
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ First Name: + + + + Last Name: + + +
+ Street: + + + + City/State: + + +
+ Phone: + + + + Start Date: + + +
+ SSN: + + + + Salary: + + +
+ Credit Card: + + + + Credit Card Limit: + + +
+ Comments: + + + + Manager: + + +
+ Disciplinary Explanation: + + + + Disciplinary Action Dates: + + +
+
+
+ + + + + + + + +
+ + + + + + + +
+
+
+
\ No newline at end of file diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ListStaff.jsp b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ListStaff.jsp new file mode 100755 index 000000000..4a7c2bdff --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ListStaff.jsp @@ -0,0 +1,54 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" + errorPage="" %> +<% + WebSession webSession = ((WebSession)session.getAttribute("websession")); + int myUserId = webSession.getUserIdInLesson(); +%> +
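Review bot: `EditProfile.jsp` reads the employee with the hard-coded key `"DBCrossSiteScripting.Employee"`, whereas `ViewProfile.jsp` in the same commit uses `"DBCrossSiteScripting." + DBCrossSiteScripting.EMPLOYEE_ATTRIBUTE_KEY`; if the constant's value is anything other than `Employee`, the edit form silently receives a null employee and fails on first field access. Use the constant in both pages so the attribute name has a single source of truth. The `java.util.*` import appears unused in this page, though the page's markup is not fully visible in this view.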
Welcome Back <%=webSession.getUserNameInLesson()%> - Staff Listing Page
+
+
+
+

Select from the list below

+
+ + + + + +
+
+
+ <% + if (webSession.isAuthorizedInLesson(myUserId, DBCrossSiteScripting.CREATEPROFILE_ACTION)) + { + %> +
+ <% + } + %> + <% + if (webSession.isAuthorizedInLesson(myUserId, DBCrossSiteScripting.DELETEPROFILE_ACTION)) + { + %> +
+ <% + } + %> +
+ +
+ +
+ diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/Login.jsp b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/Login.jsp new file mode 100755 index 000000000..607971305 --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/Login.jsp @@ -0,0 +1,37 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" + errorPage="" %> +
+
+ <% + WebSession webSession = ((WebSession)session.getAttribute("websession")); + %> +
+ +
+ +
+ +
+
+
\ No newline at end of file diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/SearchStaff.jsp b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/SearchStaff.jsp new file mode 100755 index 000000000..e811c0ff8 --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/SearchStaff.jsp @@ -0,0 +1,22 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" + errorPage="" %> + \ No newline at end of file diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ViewProfile.jsp b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ViewProfile.jsp new file mode 100755 index 000000000..7780c2809 --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ViewProfile.jsp @@ -0,0 +1,153 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" errorPage="" %> +<% +WebSession webSession = ((WebSession)session.getAttribute("websession")); + Employee employee = (Employee) session.getAttribute("DBCrossSiteScripting." + DBCrossSiteScripting.EMPLOYEE_ATTRIBUTE_KEY); + DBCrossSiteScripting lesson = (DBCrossSiteScripting) webSession.getCurrentLesson(); +// int myUserId = getIntSessionAttribute(webSession, "DBCrossSiteScripting." + DBCrossSiteScripting.USER_ID); +%> +
Welcome Back <%=webSession.getUserNameInLesson()%>
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ First Name: + + <%=employee.getFirstName()%> + + Last Name: + + <%=employee.getLastName()%> +
+ Street: + + <%=employee.getAddress1()%> + + City/State: + + <%=employee.getAddress2()%> +
+ Phone: + + <%=employee.getPhoneNumber()%> + + Start Date: + + <%=employee.getStartDate()%> +
+ SSN: + + <%=employee.getSsn()%> + + Salary: + + <%=employee.getSalary()%> +
+ Credit Card: + + <%=employee.getCcn()%> + + Credit Card Limit: + + <%=employee.getCcnLimit()%> +
+ Comments: + + <%=employee.getPersonalDescription()%> + + Manager: + + <%=employee.getManager()%> +
+ Disciplinary Explanation: + + <%=employee.getDisciplinaryActionNotes()%> + + Disciplinary Action Dates: + + <%=employee.getDisciplinaryActionDate()%> +
+
+
+ + + + <% + } + %> + + + + + +
+ <% + if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.LISTSTAFF_ACTION)) + { + %> +
+ + +
+ <% + if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.EDITPROFILE_ACTION)) + { + %> +
+ + +
+ <% + } + %> +
+ <% + if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.DELETEPROFILE_ACTION)) + { + %> +
+ + +
+ <% + } + %> +
  +
+ +
+
+
diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/error.jsp b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/error.jsp new file mode 100755 index 000000000..5af0a45dc --- /dev/null +++ b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/error.jsp @@ -0,0 +1,3 @@ +<%@ page contentType="text/html; charset=ISO-8859-1" language="java" + errorPage="" %> +


An error has occurred. diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_SearchWindow.jpg b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_SearchWindow.jpg new file mode 100755 index 000000000..39e1ed80d Binary files /dev/null and b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_SearchWindow.jpg differ diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_header.jpg b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_header.jpg new file mode 100755 index 000000000..60a809af0 Binary files /dev/null and b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_header.jpg differ diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_loginWindow.jpg b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_loginWindow.jpg new file mode 100755 index 000000000..c91f8a052 Binary files /dev/null and b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_loginWindow.jpg differ diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_menu.jpg b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_menu.jpg new file mode 100755 index 000000000..2c9512571 Binary files /dev/null and b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_menu.jpg differ diff --git a/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_workspace.jpg b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_workspace.jpg new file mode 100755 index 000000000..292d25654 Binary files /dev/null and b/ webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_workspace.jpg differ