dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add a DB Cross Site Scripting lesson

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@173 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
rogan.dawes 2007-07-11 12:56:13 +00:00
parent 73035769aa
commit d1fe861a75
16 changed files with 1023 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

253
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/DBCrossSiteScripting.java Executable file
View File

@ -0,0 +1,253 @@
package org.owasp.webgoat.lessons.DBCrossSiteScripting;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
import org.owasp.webgoat.lessons.GoatHillsFinancial.EditProfile;
import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff;
import org.owasp.webgoat.lessons.GoatHillsFinancial.Login;
import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
import org.owasp.webgoat.lessons.GoatHillsFinancial.ViewProfile;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;
/**
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
*/
public class DBCrossSiteScripting extends GoatHillsFinancial
{
private final static Integer DEFAULT_RANKING = new Integer(100);
public final static String STAGE1 = "Stage 1";
public final static String STAGE2 = "Stage 2";
protected void registerActions(String className)
{
registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
// These actions are special in that they chain to other actions.
registerAction(new Login(this, className, LOGIN_ACTION,
getAction(LISTSTAFF_ACTION)));
registerAction(new Logout(this, className, LOGOUT_ACTION,
getAction(LOGIN_ACTION)));
registerAction(new FindProfile(this, className, FINDPROFILE_ACTION,
getAction(VIEWPROFILE_ACTION)));
registerAction(new UpdateProfile(this, className,
UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
registerAction(new DeleteProfile(this, className,
DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
}
/**
* Gets the category attribute of the CrossSiteScripting object
*
* @return The category value
*/
public Category getDefaultCategory()
{
return Category.A4;
}
/**
* Gets the hints attribute of the DirectoryScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
// Stage 1
hints.add("You can put HTML tags in form input fields.");
hints
.add("Bury a SCRIPT tag in the field to attack anyone who reads it.");
hints
.add("Enter this: &lt;script language=\"javascript\" type=\"text/javascript\"&gt;alert(\"Ha Ha Ha\");&lt;/script&gt; in message fields.");
hints
.add("Enter this: &lt;script&gtalert(\"document.cookie\");&lt;/script&gt; in message fields.");
// Stage 2
hints
.add("Many scripts rely on the use of special characters such as: &lt;");
hints
.add("Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering).");
hints
.add("Oracle 10 supports a regular expression matching function : REGEXP_LIKE(text, pattern).");
return hints;
}
/**
* Gets the instructions attribute of the ParameterInjection object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "";
if (!getLessonTracker(s).getCompleted())
{
String stage = getStage(s);
if (STAGE1.equals(stage))
{
instructions = "Execute a Stored Cross Site Scripting (XSS) attack.<br>"
+ "For this exercise, your mission is to cause the application to serve a script of your making "
+ " to some other user.";
}
else if (STAGE2.equals(stage))
{
instructions = "Block Stored XSS using Input Validation.<br>"
+ "You will modify the stored procedure in the database to perform input validation on the vulnerable input field "
+ "you just exploited.";
}
}
return instructions;
}
@Override
public String[] getStages() {
return new String[] {STAGE1, STAGE2};
}
public void handleRequest(WebSession s)
{
if (s.getLessonSession(this) == null)
s.openLessonSession(this);
String requestedActionName = null;
try
{
requestedActionName = s.getParser().getStringParameter("action");
}
catch (ParameterNotFoundException pnfe)
{
// Let them eat login page.
requestedActionName = LOGIN_ACTION;
}
if (requestedActionName != null)
{
try
{
LessonAction action = getAction(requestedActionName);
if (action != null)
{
if (!action.requiresAuthentication()
|| action.isAuthenticated(s))
{
action.handleRequest(s);
//setCurrentAction(s, action.getNextPage(s));
}
}
else
{
setCurrentAction(s, ERROR_ACTION);
}
}
catch (ParameterNotFoundException pnfe)
{
System.out.println("Missing parameter");
pnfe.printStackTrace();
setCurrentAction(s, ERROR_ACTION);
}
catch (ValidationException ve)
{
System.out.println("Validation failed");
ve.printStackTrace();
setCurrentAction(s, ERROR_ACTION);
}
catch (UnauthenticatedException ue)
{
s.setMessage("Login failed");
System.out.println("Authentication failure");
ue.printStackTrace();
}
catch (UnauthorizedException ue2)
{
s.setMessage("You are not authorized to perform this function");
System.out.println("Authorization failure");
ue2.printStackTrace();
}
catch (Exception e)
{
// All other errors send the user to the generic error page
System.out.println("handleRequest() error");
e.printStackTrace();
setCurrentAction(s, ERROR_ACTION);
}
}
// All this does for this lesson is ensure that a non-null content exists.
setContent(new ElementContainer());
}
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the CrossSiteScripting object
*
* @return The title value
*/
public String getTitle()
{
return "LAB: DB Cross Site Scripting (XSS)";
}
@Override
protected boolean getDefaultHidden() {
return ! getWebgoatContext().getDatabaseDriver().contains("oracle");
}
}

242
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java Executable file
View File

@ -0,0 +1,242 @@
package org.owasp.webgoat.lessons.DBCrossSiteScripting;
import java.sql.CallableStatement;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;
import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
import org.owasp.webgoat.session.Employee;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class UpdateProfile extends DefaultLessonAction
{
private LessonAction chainedAction;
public UpdateProfile(GoatHillsFinancial lesson, String lessonName,
String actionName, LessonAction chainedAction)
{
super(lesson, lessonName, actionName);
this.chainedAction = chainedAction;
}
public void handleRequest(WebSession s) throws ParameterNotFoundException,
UnauthenticatedException, UnauthorizedException,
ValidationException
{
if (isAuthenticated(s))
{
int userId = getIntSessionAttribute(s, getLessonName() + "."
+ RoleBasedAccessControl.USER_ID);
HttpServletRequest request = s.getRequest();
int subjectId = Integer.parseInt(request.getParameter(DBCrossSiteScripting.EMPLOYEE_ID));
String firstName = request.getParameter(DBCrossSiteScripting.FIRST_NAME);
String lastName = request.getParameter(DBCrossSiteScripting.LAST_NAME);
String ssn = request.getParameter(DBCrossSiteScripting.SSN);
String title = request.getParameter(DBCrossSiteScripting.TITLE);
String phone = request.getParameter(DBCrossSiteScripting.PHONE_NUMBER);
String address1 = request.getParameter(DBCrossSiteScripting.ADDRESS1);
String address2 = request.getParameter(DBCrossSiteScripting.ADDRESS2);
int manager = Integer.parseInt(request
.getParameter(DBCrossSiteScripting.MANAGER));
String startDate = request.getParameter(DBCrossSiteScripting.START_DATE);
int salary = Integer.parseInt(request
.getParameter(DBCrossSiteScripting.SALARY));
String ccn = request.getParameter(DBCrossSiteScripting.CCN);
int ccnLimit = Integer.parseInt(request
.getParameter(DBCrossSiteScripting.CCN_LIMIT));
String disciplinaryActionDate = request
.getParameter(DBCrossSiteScripting.DISCIPLINARY_DATE);
String disciplinaryActionNotes = request
.getParameter(DBCrossSiteScripting.DISCIPLINARY_NOTES);
String personalDescription = request
.getParameter(DBCrossSiteScripting.DESCRIPTION);
Employee employee = new Employee(subjectId, firstName, lastName, ssn,
title, phone, address1, address2, manager, startDate, salary,
ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
personalDescription);
try
{
if (subjectId > 0)
{
this.changeEmployeeProfile(s, userId, subjectId, employee);
setRequestAttribute(s, getLessonName() + "."
+ DBCrossSiteScripting.EMPLOYEE_ID, Integer
.toString(subjectId));
if (DBCrossSiteScripting.STAGE1.equals(getStage(s)))
{
address1 = address1.toLowerCase();
boolean pass = address1.contains("<script>");
pass &= address1.contains("alert");
pass &= address1.contains("</script>");
if (pass)
{
setStageComplete(s, DBCrossSiteScripting.STAGE1);
s.setMessage("Congratulations, you have completed " + DBCrossSiteScripting.STAGE1);
}
}
}
else
this.createEmployeeProfile(s, userId, employee);
}
catch (SQLException e)
{
s.setMessage("Error updating employee profile");
e.printStackTrace();
if (DBCrossSiteScripting.STAGE2.equals(getStage(s)) && e.getMessage().contains("ORA-06512") &&
!employee.getAddress1().matches("^[a-zA-Z0-9,\\. ]{0,80}$"))
{
s
.setMessage("You have successfully completed this lesson");
setStageComplete(s, DBCrossSiteScripting.STAGE2);
}
}
catch (ClassNotFoundException e)
{
s.setMessage("Error updating employee profile");
e.printStackTrace();
}
try
{
chainedAction.handleRequest(s);
}
catch (UnauthenticatedException ue1)
{
System.out.println("Internal server error");
ue1.printStackTrace();
}
catch (UnauthorizedException ue2)
{
System.out.println("Internal server error");
ue2.printStackTrace();
}
}
else
throw new UnauthenticatedException();
}
public String getNextPage(WebSession s)
{
return DBCrossSiteScripting.VIEWPROFILE_ACTION;
}
public void changeEmployeeProfile(WebSession s, int userId, int subjectId,
Employee employee) throws SQLException, ClassNotFoundException
{
try
{
String update = " { CALL UPDATE_EMPLOYEE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) }";
CallableStatement call = WebSession.getConnection(s).prepareCall(update);
// Note: The password field is ONLY set by ChangePassword
call.setInt(1, userId);
call.setString(2, employee.getFirstName());
call.setString(3, employee.getLastName());
call.setString(4, employee.getSsn());
call.setString(5, employee.getTitle());
call.setString(6, employee.getPhoneNumber());
call.setString(7, employee.getAddress1());
call.setString(8, employee.getAddress2());
call.setInt(9, employee.getManager());
call.setString(10, employee.getStartDate());
call.setInt(11, employee.getSalary());
call.setString(12, employee.getCcn());
call.setInt(13, employee.getCcnLimit());
call.setString(14, employee.getDisciplinaryActionDate());
call.setString(15, employee.getDisciplinaryActionNotes());
call.setString(16, employee.getPersonalDescription());
call.executeUpdate();
}
catch (ClassNotFoundException e)
{
e.printStackTrace();
}
}
public void createEmployeeProfile(WebSession s, int userId,
Employee employee) throws UnauthorizedException
{
try
{
// FIXME: Cannot choose the id because we cannot guarantee uniqueness
String query = "INSERT INTO employee VALUES ( max(userid)+1, '"
+ employee.getFirstName() + "','" + employee.getLastName()
+ "','" + employee.getSsn() + "','"
+ employee.getFirstName().toLowerCase() + "','"
+ employee.getTitle() + "','" + employee.getPhoneNumber()
+ "','" + employee.getAddress1() + "','"
+ employee.getAddress2() + "'," + employee.getManager()
+ ",'" + employee.getStartDate() + "',"
+ employee.getSalary() + ",'" + employee.getCcn() + "',"
+ employee.getCcnLimit() + ",'"
+ employee.getDisciplinaryActionDate() + "','"
+ employee.getDisciplinaryActionNotes() + "','"
+ employee.getPersonalDescription() + "')";
//System.out.println("Query: " + query);
try
{
Statement statement = WebSession.getConnection(s)
.createStatement();
statement.executeUpdate(query);
}
catch (SQLException sqle)
{
s.setMessage("Error updating employee profile");
sqle.printStackTrace();
}
}
catch (Exception e)
{
s.setMessage("Error updating employee profile");
e.printStackTrace();
}
}
}

85
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/DBCrossSiteScripting/UpdateProfile_i.java Executable file
View File

@ -0,0 +1,85 @@
package org.owasp.webgoat.lessons.instructor.DBCrossSiteScripting;
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
import org.owasp.webgoat.lessons.CrossSiteScripting.UpdateProfile;
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
/* STAGE 2 FIXES
Solution Summary (1. or 2.)
1. Modify the UPDATE_EMPLOYEE stored procedure in the database and add
a validation step. Oracle 10G now supports regular expressions.
2. Apply a column constraint can also work IFF the existing data is clean
Solution Steps:
1. Talk about the different database approaches.
a. Apply validation in the UPDATE stored proc
- Possible to bypass by not using that stored proc
b. Apply a table column constraint
- Cannot be bypassed. The DB enforces the constraint under all conditions
2. Fix the stored proc
Define the pattern.
Validate the field against the pattern.
Raise an exception if invalid.
CREATE OR REPLACE PROCEDURE UPDATE_EMPLOYEE(
v_userid IN employee.userid%type,
v_first_name IN employee.first_name%type,
v_last_name IN employee.last_name%type,
v_ssn IN employee.ssn%type,
v_title IN employee.title%type,
v_phone IN employee.phone%type,
v_address1 IN employee.address1%type,
v_address2 IN employee.address2%type,
v_manager IN employee.manager%type,
v_start_date IN employee.start_date%type,
v_salary IN employee.salary%type,
v_ccn IN employee.ccn%type,
v_ccn_limit IN employee.ccn_limit%type,
v_disciplined_date IN employee.disciplined_date%type,
v_disciplined_notes IN employee.disciplined_notes%type,
v_personal_description IN employee.personal_description%type
)
AS
P_ADDRESS1 VARCHAR2(32000) := '^[a-zA-Z0-9,\. ]{0,80}$'; // Stage 2 - FIX
BEGIN
IF NOT REGEXP_LIKE(v_address1, P_ADDRESS1) THEN // Stage 2 - FIX
RAISE VALUE_ERROR; // Stage 2 - FIX
END IF; // Stage 2 - FIX
UPDATE EMPLOYEE
SET
first_name = v_first_name,
last_name = v_last_name,
ssn = v_ssn,
title = v_title,
phone = v_phone,
address1 = v_address1,
address2 = v_address2,
manager = v_manager,
start_date = v_Start_date,
salary = v_salary,
ccn = v_ccn,
ccn_limit = v_ccn_limit,
disciplined_date = v_disciplined_date,
disciplined_notes = v_disciplined_notes,
personal_description = v_personal_description
WHERE
userid = v_userid;
END;
/
3. Apply a table column constraint
ALTER TABLE EMPLOYEE
ADD CONSTRAINT address1_ck CHECK (REGEXP_LIKE(address1, '^[a-zA-Z0-9,\. ]{0,80}$'));
*/
public class UpdateProfile_i extends UpdateProfile
{
public UpdateProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
{
super(lesson, lessonName, actionName, chainedAction);
}
}

14
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.css Executable file
View File

@ -0,0 +1,14 @@
#lesson_wrapper {height: 435px;width: 500px;}
#lesson_header {background-image: url(lessons/CrossSiteScripting/images/lesson1_header.jpg);width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}
.lesson_workspace {background-image: url(lessons/CrossSiteScripting/images/lesson1_workspace.jpg);width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}
.lesson_text {height: 240px;width: 460px;padding-top: 5px;}
#lesson_buttons_bottom {height: 20px;width: 460px;}
#lesson_b_b_left {width: 300px;float: left;}
#lesson_b_b_right input {width: 100px;float: right;}
.lesson_title_box {height: 20px;width: 420px;padding-left: 30px;}
.lesson_workspace { }
.lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;}
.lesson_text_db {color: #0066FF}
#lesson_login {background-image: url(lessons/CrossSiteScripting/images/lesson1_loginWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}
#lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: 12px;text-align: center;}
#lesson_search {background-image: url(lessons/DBCrossSiteScripting/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}

26
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/DBCrossSiteScripting.jsp Executable file
View File

@ -0,0 +1,26 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting"
errorPage="" %>
<style>
<jsp:include page="DBCrossSiteScripting.css" />
</style>
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
DBCrossSiteScripting currentLesson = (DBCrossSiteScripting) webSession.getCurrentLesson();
%>
<div id="lesson_wrapper">
<div id="lesson_header"></div>
<div class="lesson_workspace">
<%
String subViewPage = currentLesson.getPage(webSession);
if (subViewPage != null)
{
//System.out.println("Including sub view page: " + subViewPage);
%>
<jsp:include page="<%=subViewPage%>" />
<%
}
%>
</div>
</div>

134
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/EditProfile.jsp Executable file
View File

@ -0,0 +1,134 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting"
errorPage="" %>
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
Employee employee = (Employee) session.getAttribute("DBCrossSiteScripting.Employee");
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
<div class="lesson_text">
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<Table>
<TR><TD>
First Name:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBCrossSiteScripting.FIRST_NAME%>" type="text" value="<%=employee.getFirstName()%>"/>
</TD>
<TD>
Last Name:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBCrossSiteScripting.LAST_NAME%>" type="text" value="<%=employee.getLastName()%>"/>
</TD>
</TR>
<TR><TD>
Street:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBCrossSiteScripting.ADDRESS1%>" type="text" value="<%=employee.getAddress1()%>"/>
</TD>
<TD>
City/State:
<TD>
<input class="lesson_text_db" name="<%=DBCrossSiteScripting.ADDRESS2%>" type="text" value="<%=employee.getAddress2()%>"/>
</TD>
</TR>
<TR><TD>
Phone:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBCrossSiteScripting.PHONE_NUMBER%>" type="text" value="<%=employee.getPhoneNumber()%>"/>
</TD>
<TD>
Start Date:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBCrossSiteScripting.START_DATE%>" type="text" value="<%=employee.getStartDate()%>"/>
</TD>
</TR>
<TR><TD>
SSN:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBCrossSiteScripting.SSN%>" type="text" value="<%=employee.getSsn()%>"/>
</TD>
<TD>
Salary:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBCrossSiteScripting.SALARY%>" type="text" value="<%=employee.getSalary()%>"/>
</TD>
</TR>
<TR><TD>
Credit Card:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBCrossSiteScripting.CCN%>" type="text" value="<%=employee.getCcn()%>"/>
</TD>
<TD>
Credit Card Limit:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBCrossSiteScripting.CCN_LIMIT%>" type="text" value="<%=employee.getCcnLimit()%>"/>
</TD>
</TR>
<TR><TD>
Comments:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBCrossSiteScripting.DESCRIPTION%>" type="text" value="<%=employee.getPersonalDescription()%>"/>
</TD>
<TD>
Manager:
</TD>
<TD>
<select class="lesson_text_db" name="<%=DBCrossSiteScripting.MANAGER%>">
<%
List employees = (List) session.getAttribute("DBCrossSiteScripting.Staff");
Iterator i = employees.iterator();
while (i.hasNext())
{
EmployeeStub stub = (EmployeeStub) i.next();
%>
<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()%></option>
<%}%>
</select>
</TD>
</TR>
<TR><TD>
Disciplinary Explanation:
</TD>
<TD>
<textarea name="<%=DBCrossSiteScripting.DISCIPLINARY_NOTES%>" cols="16" rows="3" class="lesson_text_db" ><%=employee.getDisciplinaryActionNotes()%></textarea>
</TD>
<TD>
Disciplinary Action Dates:
</TD>
<TD>
<input class="lesson_text_db" name="<%=DBCrossSiteScripting.DISCIPLINARY_DATE%>" type="text" value="<%=employee.getDisciplinaryActionDate()%>"/>
</TD>
</TR>
</Table>
<BR>
<div class="lesson_buttons_bottom">
<table width="460" height="20" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="57">
<input type="submit" name="action" value="<%=DBCrossSiteScripting.VIEWPROFILE_ACTION%>"/>
</td>
<td width="81">
<input name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" type="hidden" value="<%=employee.getId()%>">
<input name="<%=DBCrossSiteScripting.TITLE%>" type="hidden" value="<%=employee.getTitle()%>">
<input type="submit" name="action" value="<%=DBCrossSiteScripting.UPDATEPROFILE_ACTION%>"/>
</td>
<td width="211"></td>
<td width="83">
<input type="submit" name="action" value="<%=DBCrossSiteScripting.LOGOUT_ACTION%>"/>
</td>
</tr>
</table>
</div>
</form>
</div>

54
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ListStaff.jsp Executable file
View File

@ -0,0 +1,54 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting"
errorPage="" %>
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
int myUserId = webSession.getUserIdInLesson();
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Staff Listing Page</div>
<br>
<br>
<br>
<p>Select from the list below </p>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<table width="60%" border="0" cellpadding="3">
<tr>
<td> <label>
<select name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" size="11">
<%
List employees = (List) session.getAttribute("DBCrossSiteScripting." + DBCrossSiteScripting.STAFF_ATTRIBUTE_KEY);
Iterator i = employees.iterator();
while (i.hasNext())
{
EmployeeStub stub = (EmployeeStub) i.next();%>
<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
}%>
</select>
</label></td>
<td>
<input type="submit" name="action" value="<%=DBCrossSiteScripting.SEARCHSTAFF_ACTION%>"/><br>
<input type="submit" name="action" value="<%=DBCrossSiteScripting.VIEWPROFILE_ACTION%>"/><br>
<%
if (webSession.isAuthorizedInLesson(myUserId, DBCrossSiteScripting.CREATEPROFILE_ACTION))
{
%>
<input type="submit" name="action" value="<%=DBCrossSiteScripting.CREATEPROFILE_ACTION%>"/><br>
<%
}
%>
<%
if (webSession.isAuthorizedInLesson(myUserId, DBCrossSiteScripting.DELETEPROFILE_ACTION))
{
%>
<input type="submit" name="action" value="<%=DBCrossSiteScripting.DELETEPROFILE_ACTION%>"/><br>
<%
}
%>
<br>
<input type="submit" name="action" value="<%=DBCrossSiteScripting.LOGOUT_ACTION%>"/>
</td>
</tr>
</table>
</form>

37
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/Login.jsp Executable file
View File

@ -0,0 +1,37 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting"
errorPage="" %>
<div id="lesson_login">
<div id="lesson_login_txt">
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<label>
<select name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>">
<%
Vector attrs = new Vector();
Enumeration ee = session.getAttributeNames();
while (ee.hasMoreElements())
attrs.add(ee.nextElement());
//System.out.println("Login.jsp inspecting session attributes: " + attrs);
//System.out.println("Retrieving employees list");
List employees = (List) session.getAttribute("DBCrossSiteScripting." + DBCrossSiteScripting.STAFF_ATTRIBUTE_KEY);
Iterator i = employees.iterator();
while (i.hasNext())
{
EmployeeStub stub = (EmployeeStub) i.next();
%>
<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName() + " (" + stub.getRole() + ")"%></option>
<%}%>
</select>
</label>
<br>
<label>Password
<input name="password" type="password" size="10" maxlength="8" />
</label>
<br>
<input type="submit" name="action" value="<%=DBCrossSiteScripting.LOGIN_ACTION%>"/>
</form>
</div>
</div>

22
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/SearchStaff.jsp Executable file
View File

@ -0,0 +1,22 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting"
errorPage="" %>
<div id="lesson_search">
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
String searchedName = request.getParameter(DBCrossSiteScripting.SEARCHNAME);
if (searchedName != null)
{
%>
Employee <%=searchedName%> not found.
<%
}
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<label>Name
<input class="lesson_text_db" type="text" name="<%=DBCrossSiteScripting.SEARCHNAME%>"/>
</label>
<br>
<input type="submit" name="action" value="<%=DBCrossSiteScripting.FINDPROFILE_ACTION%>"/>
</form>
</div>

153
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/ViewProfile.jsp Executable file
View File

@ -0,0 +1,153 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting" errorPage="" %>
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
Employee employee = (Employee) session.getAttribute("DBCrossSiteScripting." + DBCrossSiteScripting.EMPLOYEE_ATTRIBUTE_KEY);
DBCrossSiteScripting lesson = (DBCrossSiteScripting) webSession.getCurrentLesson();
// int myUserId = getIntSessionAttribute(webSession, "DBCrossSiteScripting." + DBCrossSiteScripting.USER_ID);
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
<div class="lesson_text">
<Table>
<TR><TD>
First Name:
</TD>
<TD>
<%=employee.getFirstName()%>
</TD>
<TD>
Last Name:
</TD>
<TD>
<%=employee.getLastName()%>
</TD>
</TR>
<TR><TD>
Street:
</TD>
<TD>
<%=employee.getAddress1()%>
</TD>
<TD>
City/State:
<TD>
<%=employee.getAddress2()%>
</TD>
</TR>
<TR><TD>
Phone:
</TD>
<TD>
<%=employee.getPhoneNumber()%>
</TD>
<TD>
Start Date:
</TD>
<TD>
<%=employee.getStartDate()%>
</TD>
</TR>
<TR><TD>
SSN:
</TD>
<TD>
<%=employee.getSsn()%>
</TD>
<TD>
Salary:
</TD>
<TD>
<%=employee.getSalary()%>
</TD>
</TR>
<TR><TD>
Credit Card:
</TD>
<TD>
<%=employee.getCcn()%>
</TD>
<TD>
Credit Card Limit:
</TD>
<TD>
<%=employee.getCcnLimit()%>
</TD>
</TR>
<TR><TD>
Comments:
</TD>
<TD>
<%=employee.getPersonalDescription()%>
</TD>
<TD>
Manager:
</TD>
<TD>
<%=employee.getManager()%>
</TD>
</TR>
<TR><TD>
Disciplinary Explanation:
</TD>
<TD>
<%=employee.getDisciplinaryActionNotes()%>
</TD>
<TD>
Disciplinary Action Dates:
</TD>
<TD>
<%=employee.getDisciplinaryActionDate()%>
</TD>
</TR>
</Table>
</div>
<div class="lesson_buttons_bottom">
<table width="460" height="20" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="50">
<%
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.LISTSTAFF_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=DBCrossSiteScripting.LISTSTAFF_ACTION%>"/>
</form></td>
<%
}
%>
<td width="50">
<%
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.EDITPROFILE_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=DBCrossSiteScripting.EDITPROFILE_ACTION%>"/>
</form>
<%
}
%>
</td>
<td width="60">
<%
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), DBCrossSiteScripting.DELETEPROFILE_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<input type="hidden" name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=DBCrossSiteScripting.DELETEPROFILE_ACTION%>"/>
</form>
<%
}
%>
</td>
<td width="190">&nbsp;</td>
<td width="76">
<form method="POST">
<input type="submit" name="action" value="<%=DBCrossSiteScripting.LOGOUT_ACTION%>"/>
</form>
</td>
</tr>
</table>
</div>

3
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/error.jsp Executable file
View File

@ -0,0 +1,3 @@
<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
errorPage="" %>
<br><br><br>An error has occurred.

BIN
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_SearchWindow.jpg Executable file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

BIN
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_header.jpg Executable file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_loginWindow.jpg Executable file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.7 KiB

BIN
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_menu.jpg Executable file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.5 KiB

BIN
webgoat/main/project/WebContent/lessons/DBCrossSiteScripting/images/lesson1_workspace.jpg Executable file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB