diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/LessonSource.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/LessonSource.java
index f7ebe2adc..f4043bace 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/LessonSource.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/LessonSource.java
@@ -46,178 +46,169 @@ import org.owasp.webgoat.session.WebSession;
public class LessonSource extends HammerHead
{
- /**
- *
- */
- private static final long serialVersionUID = 2588430536196446145L;
+ /**
+ *
+ */
+ private static final long serialVersionUID = 2588430536196446145L;
- /**
- * Description of the Field
- */
- public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE";
+ /**
+ * Description of the Field
+ */
+ public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE";
- public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
+ public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
- /**
- * Description of the Method
- *
- * @param request
- * Description of the Parameter
- * @param response
- * Description of the Parameter
- * @exception IOException
- * Description of the Exception
- * @exception ServletException
- * Description of the Exception
- */
- public void doPost(HttpServletRequest request, HttpServletResponse response)
- throws IOException, ServletException
- {
- String source = null;
-
- try
+ /**
+ * Description of the Method
+ *
+ * @param request
+ * Description of the Parameter
+ * @param response
+ * Description of the Parameter
+ * @exception IOException
+ * Description of the Exception
+ * @exception ServletException
+ * Description of the Exception
+ */
+ public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
{
- // System.out.println( "Entering doPost: " );
- // System.out.println( " - request " + request);
- // System.out.println( " - principle: " + request.getUserPrincipal()
- // );
- // setCacheHeaders(response, 0);
- WebSession session = (WebSession) request.getSession(true).getAttribute(
- WebSession.SESSION);
- // FIXME: Too much in this call.
- session.update(request, response, this.getServletName());
+ String source = null;
- String showSolution = session.getParser().getRawParameter("solution");
- if (showSolution != null)
- {
- // FIXME: we could probably just forward off to the file if the file
- // existed. However, we do provide some feedback from the
- // getSolution() method if something goes wrong.
-
- // Get the Java solution of the lesson.
- source = getSolution(session);
+ try
+ {
+ // System.out.println( "Entering doPost: " );
+ // System.out.println( " - request " + request);
+ // System.out.println( " - principle: " + request.getUserPrincipal()
+ // );
+ // setCacheHeaders(response, 0);
+ WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION);
+ // FIXME: Too much in this call.
+ session.update(request, response, this.getServletName());
- int scr = session.getCurrentScreen();
- Course course = session.getCourse();
- AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
- lesson.getLessonTracker(session).setViewedSolution(true);
+ boolean showSolution = session.getParser().getBooleanParameter("solution", false);
+ boolean showSource = session.getParser().getBooleanParameter("source", false);
+ if (showSolution)
+ {
+ // Get the Java solution of the lesson.
+ source = getSolution(session);
- } else
- {
+ int scr = session.getCurrentScreen();
+ Course course = session.getCourse();
+ AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
+ lesson.getLessonTracker(session).setViewedSolution(true);
- // Get the Java source of the lesson. FIXME: Not needed
- source = getSource(session);
+ } else if (showSource)
+ {
- int scr = session.getCurrentScreen();
- Course course = session.getCourse();
- AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
- lesson.getLessonTracker(session).setViewedSource(true);
- }
- }
- catch (Throwable t)
- {
- t.printStackTrace();
- log("ERROR: " + t);
- }
- finally
- {
- try
- {
- this.writeSource(source, response);
- }
- catch (Throwable thr)
- {
- thr.printStackTrace();
- log(request, "Could not write error screen: " + thr.getMessage());
- }
- // System.out.println( "Leaving doPost: " );
+ // Get the Java source of the lesson. FIXME: Not needed
+ source = getSource(session);
- }
- }
+ int scr = session.getCurrentScreen();
+ Course course = session.getCourse();
+ AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
+ lesson.getLessonTracker(session).setViewedSource(true);
+ }
+ }
+ catch (Throwable t)
+ {
+ t.printStackTrace();
+ log("ERROR: " + t);
+ }
+ finally
+ {
+ try
+ {
+ this.writeSource(source, response);
+ }
+ catch (Throwable thr)
+ {
+ thr.printStackTrace();
+ log(request, "Could not write error screen: " + thr.getMessage());
+ }
+ // System.out.println( "Leaving doPost: " );
- /**
- * Description of the Method
- *
- * @param s
- * Description of the Parameter
- * @return Description of the Return Value
- */
- protected String getSource(WebSession s)
- {
-
- String source = null;
- int scr = s.getCurrentScreen();
- Course course = s.getCourse();
-
- if (s.isUser() || s.isChallenge())
- {
-
- AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
-
- if (lesson != null)
- {
- source = lesson.getSource(s);
- }
- }
- if (source == null)
- {
- return "Source code is not available. Contact "
- + s.getWebgoatContext().getFeedbackAddress();
- }
- return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
- "Code Section Deliberately Omitted"));
- }
-
-
- protected String getSolution(WebSession s)
- {
-
- String source = null;
- int scr = s.getCurrentScreen();
- Course course = s.getCourse();
-
- if (s.isUser() || s.isChallenge())
- {
-
- AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
-
- if (lesson != null)
- {
- source = lesson.getSolution(s);
- }
- }
- if (source == null)
- {
- return "Solution is not available. Contact "
- + s.getWebgoatContext().getFeedbackAddress();
- }
- return (source);
- }
-
-
- /**
- * Description of the Method
- *
- * @param s
- * Description of the Parameter
- * @param response
- * Description of the Parameter
- * @exception IOException
- * Description of the Exception
- */
- protected void writeSource(String s, HttpServletResponse response) throws IOException
- {
- response.setContentType("text/html");
-
- PrintWriter out = response.getWriter();
-
- if (s == null)
- {
- s = new String();
+ }
}
- out.print(s);
- out.close();
- }
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+ protected String getSource(WebSession s)
+ {
+
+ String source = null;
+ int scr = s.getCurrentScreen();
+ Course course = s.getCourse();
+
+ if (s.isUser() || s.isChallenge())
+ {
+
+ AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
+
+ if (lesson != null)
+ {
+ source = lesson.getSource(s);
+ }
+ }
+ if (source == null)
+ {
+ return "Source code is not available. Contact " + s.getWebgoatContext().getFeedbackAddress();
+ }
+ return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
+ "Code Section Deliberately Omitted"));
+ }
+
+ protected String getSolution(WebSession s)
+ {
+
+ String source = null;
+ int scr = s.getCurrentScreen();
+ Course course = s.getCourse();
+
+ if (s.isUser() || s.isChallenge())
+ {
+
+ AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
+
+ if (lesson != null)
+ {
+ source = lesson.getSolution(s);
+ }
+ }
+ if (source == null)
+ {
+ return "Solution is not available. Contact " + s.getWebgoatContext().getFeedbackAddress();
+ }
+ return (source);
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @param response
+ * Description of the Parameter
+ * @exception IOException
+ * Description of the Exception
+ */
+ protected void writeSource(String s, HttpServletResponse response) throws IOException
+ {
+ response.setContentType("text/html");
+
+ PrintWriter out = response.getWriter();
+
+ if (s == null)
+ {
+ s = new String();
+ }
+
+ out.print(s);
+ out.close();
+ }
}
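Review bot: The redaction in getSource (the replaceAll at the end of the method on the new side) is greedy: with `(?s)` the `.*` spans from the first START_OMIT_SOURCE to the last END_OMIT_SOURCE, and a START marker with no matching END matches nothing at all, so that lesson's source is served unredacted. A reluctant match plus a fail-closed check covers both cases: `String redacted = source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*?" + END_SOURCE_SKIP, "Code Section Deliberately Omitted");` followed by `if (redacted.contains(START_SOURCE_SKIP)) return "Source code is not available. Contact " + s.getWebgoatContext().getFeedbackAddress();`. Separately, doPost catches Throwable, prints the stack trace and then still writes whatever `source` holds, so a failure after getSolution has returned (for example in the lesson-tracker lookup) is invisible to the client; catching Exception and logging via the servlet's `log(String, Throwable)` would preserve the cause without hiding errors that should propagate.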
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java
index 191be15ea..75b9036fd 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java
@@ -3,8 +3,18 @@ package org.owasp.webgoat.lessons;
import java.text.Format;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Date;
import java.util.List;
+import java.util.Properties;
+
+import javax.mail.Message;
+import javax.mail.MessagingException;
+import javax.mail.PasswordAuthentication;
+import javax.mail.Session;
+import javax.mail.Transport;
+import javax.mail.internet.InternetAddress;
+import javax.mail.internet.MimeMessage;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
@@ -52,97 +62,126 @@ import org.owasp.webgoat.session.WebSession;
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
- *
- * @author Bruce Mayhew WebGoat
- * @created October 28, 2003
+ *
+ * @author Bruce Mayhew WebGoat
+ * @created October 28, 2003
*/
public class UncheckedEmail extends LessonAdapter
{
- private final static String MESSAGE = "msg";
+ private final String YOUR_REAL_GMAIL_PASSWORD = "password";
- private final static String TO = "to";
+ private final String YOUR_REAL_GMAIL_ID = "GMail id";
+ private final static String MESSAGE = "msg";
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
+ private final static String HIDDEN_TO = "to";
+ private final static String SUBJECT = "subject";
+ private final static String GMAIL_ID = "gId";
+ private final static String GMAIL_PASS = "gPass";
- protected Element createContent(WebSession s)
- {
+ private static final String SMTP_HOST_NAME = "smtp.gmail.com";
+ private static final String SMTP_PORT = "465";
+ private static final String emailFromAddress = "webgoat@owasp.org";
+ private static final String SSL_FACTORY = "javax.net.ssl.SSLSocketFactory";
- ElementContainer ec = new ElementContainer();
- try
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+
+ protected Element createContent(WebSession s)
{
- String to = s.getParser().getRawParameter(TO, "");
- Table t = new Table().setCellSpacing(0).setCellPadding(2)
- .setBorder(0).setWidth("90%").setAlign("center");
+ ElementContainer ec = new ElementContainer();
+ try
+ {
+ String to = s.getParser().getRawParameter(HIDDEN_TO, "");
+ String gId = s.getParser().getRawParameter(GMAIL_ID, "");
+ String gPass = s.getParser().getRawParameter(GMAIL_PASS, "");
+ String message = s.getParser().getRawParameter(MESSAGE, "");
+ String subject = s.getParser().getRawParameter(SUBJECT, "");
- if (s.isColor())
- {
- t.setBorder(1);
- }
+ boolean haveCredentials = !(YOUR_REAL_GMAIL_ID.equals(gId) || YOUR_REAL_GMAIL_PASSWORD.equals(gPass));
- TR tr = new TR();
- tr.addElement(new TH().addElement("Send OWASP your Comments
")
- .setAlign("left").setColSpan(3));
- t.addElement(tr);
+ ec.addElement(new HR());
+ createGoogleCredentials(s, ec);
+ ec.addElement(new HR());
+ ec.addElement(new BR());
+ createMailMessage(s, subject, message, ec);
- tr = new TR();
- tr.addElement(new TD().addElement(" ").setColSpan(3));
- t.addElement(tr);
+ ec.addElement(new HR());
+ if (to.length() > 0)
+ {
- tr = new TR();
- tr.addElement(new TH().addElement(new H1("Contact Us")).setAlign(
- "left").setWidth("55%").setVAlign("BOTTOM"));
- //tr.addElement(new TH().addElement(" "));
- tr.addElement(new TH().setColSpan(2).addElement(new H3("Contact Information:"))
- .setAlign("left").setVAlign("BOTTOM"));
- t.addElement(tr);
+ if (haveCredentials)
+ {
+ Message sentMessage = sendGoogleMail(to, subject, message, emailFromAddress, gId, gPass);
+ formatMail(ec, sentMessage);
+ } else
+ {
+ sendSimulatedMail(ec, to, subject, message);
+ }
+ }
- tr = new TR();
- tr
- .addElement(new TD()
- .addElement("We value your comments. To send OWASP your questions or comments regarding the "
- + "WebGoat tool, please enter your comments below. The information you provide will be handled according "
- + "to our Privacy Policy."));
- //tr.addElement(new TD().addElement(" "));
- tr.addElement(new TD().setColSpan(2).addElement(
- "OWASP
" + "9175 Guilford Rd
Suite 300
"
- + "Columbia, MD. 21046").setVAlign("top"));
- t.addElement(tr);
+ // only complete the lesson if they changed the "to" hidden field
+ if (to.length() > 0 && !"webgoat.admin@owasp.org".equals(to))
+ {
+ makeSuccess(s);
+ }
+ }
+ catch (Exception e)
+ {
+ s.setMessage("Error generating " + this.getClass().getName());
+ e.printStackTrace();
+ }
+ return (ec);
+ }
- tr = new TR();
- tr.addElement(new TD().addElement(" ").setColSpan(3));
- t.addElement(tr);
+ private void formatMail(ElementContainer ec, Message sentMessage)
+ {
+ try
+ {
+ ec.addElement(new Center().addElement(new B().addElement("You sent the following message to: "
+ + Arrays.asList(sentMessage.getAllRecipients()))));
+ ec.addElement(new BR());
+ ec.addElement(new StringElement("MAIL FROM: " + Arrays.asList(sentMessage.getReplyTo())));
+ ec.addElement(new BR());
+ ec.addElement(new StringElement("RCPT TO: " + Arrays.asList(sentMessage.getAllRecipients())));
+ ec.addElement(new BR());
+ ec
+ .addElement(new StringElement("Message-ID: "
+ + Arrays.asList(sentMessage.getHeader("Message-ID"))));
+ ec.addElement(new BR());
+ ec.addElement(new StringElement("Date: " + sentMessage.getSentDate()));
+ ec.addElement(new BR());
+ ec.addElement(new StringElement("Subject: " + sentMessage.getSubject()));
+ ec.addElement(new BR());
+ ec.addElement(new StringElement("Message: "));
+ ec.addElement(new BR());
+ ec.addElement(new BR());
+ ec.addElement(new StringElement(sentMessage.getContent().toString()));
+ }
+ catch (Exception e)
+ {
+ // TODO Auto-generated catch block
+ ec.addElement(new StringElement("Fatal error while sending message"));
+ ec.addElement(new BR());
+ ec.addElement(new StringElement(e.getMessage()));
+ }
- Input input = new Input(Input.HIDDEN, TO, "webgoat.admin@owasp.org");
- tr = new TR();
- tr.addElement(new TD().addElement("Questions or Comments:"));
- tr.addElement(new TD().addElement(" "));
- tr.addElement(new TD().setAlign("LEFT").addElement(input));
- t.addElement(tr);
+ }
- tr = new TR();
- String message = s.getParser().getRawParameter(MESSAGE, "");
- TextArea ta = new TextArea(MESSAGE, 5, 40);
- ta.addElement(new StringElement(convertMetachars(message)));
- tr.addElement(new TD().setAlign("LEFT").addElement(ta));
- tr.addElement(new TD().setAlign("LEFT").setVAlign("MIDDLE")
- .addElement(ECSFactory.makeButton("Send!")));
- tr.addElement(new TD().addElement(" "));
- t.addElement(tr);
- ec.addElement(t);
-
- // Eventually we could send the actually mail, but the point should already be made
- //ec.addElement(exec( use java mail here + to));
-
- if (to.length() > 0)
- {
+ /**
+ * @param ec
+ * @param to
+ * @param message
+ */
+ private void sendSimulatedMail(ElementContainer ec, String to, String subject, String message)
+ {
Format formatter;
// Get today's date
Date date = new Date();
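Review bot: The `haveCredentials` test in createContent only compares the two fields against their placeholder defaults, so a POST that omits `gId`/`gPass` (both default to `""` via getRawParameter) is treated as having real credentials and goes down the live `sendGoogleMail` path with an empty account; the MessagingException is then caught by the generic handler and `makeSuccess` is skipped, so such a request can never complete the lesson. Requiring non-empty values closes that gap: `boolean haveCredentials = gId.length() > 0 && gPass.length() > 0 && !YOUR_REAL_GMAIL_ID.equals(gId) && !YOUR_REAL_GMAIL_PASSWORD.equals(gPass);`. Note also that when credentials are present, the attacker-controlled hidden `to` field, `subject` and `msg` are relayed through the user's real Gmail account with no confirmation, and the Gmail password itself travels in the lesson's form POST, which is worth stating in the "Optional" configuration text so users know what they are opting into. The body of sendSimulatedMail continues past the end of this hunk.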
@@ -150,114 +189,241 @@ public class UncheckedEmail extends LessonAdapter
String today = formatter.format(date);
// Tue, 09 Jan 2002 22:14:02 -0500
- ec.addElement(new HR());
- ec
- .addElement(new Center()
- .addElement(new B()
- .addElement("You sent the following message to: "
- + to)));
+ ec.addElement(new Center().addElement(new B().addElement("You sent the following message to: " + to)));
ec.addElement(new BR());
- ec.addElement(new StringElement(
- "Return-Path: <webgoat@owasp.org>"));
+ ec.addElement(new StringElement("Return-Path: <webgoat@owasp.org>"));
ec.addElement(new BR());
ec.addElement(new StringElement("Delivered-To: " + to));
ec.addElement(new BR());
- ec.addElement(new StringElement(
- "Received: (qmail 614458 invoked by uid 239); "
- + today));
+ ec.addElement(new StringElement("Received: (qmail 614458 invoked by uid 239); " + today));
ec.addElement(new BR());
- ec.addElement(new StringElement("for <" + to + ">; "
- + today));
+ ec.addElement(new StringElement("for <" + to + ">; " + today));
ec.addElement(new BR());
ec.addElement(new StringElement("To: " + to));
ec.addElement(new BR());
- ec
- .addElement(new StringElement(
- "From: Blame it on the Goat <webgoat@owasp.org>"));
+ ec.addElement(new StringElement("From: Blame it on the Goat <webgoat@owasp.org>"));
ec.addElement(new BR());
- ec.addElement(new StringElement(
- "Subject: OWASP security issues"));
+ ec.addElement(new StringElement("Subject: " + subject));
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(new StringElement(message));
- }
-
- // only complete the lesson if they changed the "to" hidden field
- if (to.length() > 0 && !"webgoat.admin@owasp.org".equals(to))
- {
- makeSuccess(s);
- }
}
- catch (Exception e)
+
+ /**
+ * @param s
+ * @param ec
+ * @return
+ */
+ private void createMailMessage(WebSession s, String subject, String message, ElementContainer ec)
{
- s.setMessage("Error generating " + this.getClass().getName());
- e.printStackTrace();
+ TR tr;
+ Input input;
+ Table t = new Table().setCellSpacing(0).setCellPadding(1).setBorder(0).setWidth("90%").setAlign("center");
+
+ if (s.isColor())
+ {
+ t.setBorder(1);
+ }
+
+ tr = new TR();
+ tr.addElement(new TH().addElement("Send OWASP your Comments
").setAlign("left").setColSpan(3));
+ t.addElement(tr);
+
+ tr = new TR();
+ tr.addElement(new TD().addElement(" ").setColSpan(3));
+ t.addElement(tr);
+
+ tr = new TR();
+ tr.addElement(new TH().addElement(new H1("Contact Us")).setAlign("left").setWidth("55%").setVAlign("BOTTOM")
+ .setColSpan(2));
+ tr.addElement(new TH().addElement(new H3("Contact Information:")).setAlign("left").setVAlign("BOTTOM"));
+ t.addElement(tr);
+
+ tr = new TR();
+ tr.addElement(new TD().addElement(
+ "We value your comments. " + "To send OWASP your questions or comments "
+ + "regarding the WebGoat tool, please enter your "
+ + "comments below. The information you provide will be "
+ + "handled according to our Privacy Policy.").setColSpan(2));
+ tr.addElement(new TD().addElement(
+ "OWASP
" + "9175 Guilford Rd
Suite 300
"
+ + "Columbia, MD. 21046").setVAlign("top"));
+ t.addElement(tr);
+
+ tr = new TR();
+ tr.addElement(new TD().addElement(" ").setColSpan(3));
+ t.addElement(tr);
+
+ tr = new TR();
+ tr.addElement(new TD().addElement("Subject:"));
+ input = new Input(Input.TEXT, SUBJECT, "Comment for WebGoat");
+ tr.addElement(new TD().setAlign("LEFT").addElement(input));
+ tr.addElement(new TD().addElement(" "));
+ t.addElement(tr);
+
+ input = new Input(Input.HIDDEN, HIDDEN_TO, "webgoat.admin@owasp.org");
+ tr = new TR();
+ tr.addElement(new TD().addElement("Questions or Comments:").setColSpan(2));
+ tr.addElement(new TD().setAlign("LEFT").addElement(input));
+ t.addElement(tr);
+
+ tr = new TR();
+ TextArea ta = new TextArea(MESSAGE, 5, 40);
+ ta.addElement(new StringElement(convertMetachars(message)));
+ tr.addElement(new TD().setAlign("LEFT").addElement(ta).setColSpan(2));
+ tr.addElement(new TD().setAlign("LEFT").setVAlign("MIDDLE").addElement(ECSFactory.makeButton("Send!")));
+ t.addElement(tr);
+ ec.addElement(t);
}
- return (ec);
- }
+ /**
+ * @param s
+ * @param ec
+ */
+ private void createGoogleCredentials(WebSession s, ElementContainer ec)
+ {
+ // Allow the user to configure a real email interface using gmail
+ Table t1 = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
+ t1.setStyle("border-width:3px; border-style: solid;");
+ if (s.isColor())
+ {
+ t1.setBorder(1);
+ }
- /**
- * DOCUMENT ME!
- *
- * @return DOCUMENT ME!
- */
- protected Category getDefaultCategory()
- {
- return Category.UNVALIDATED_PARAMETERS;
- }
+ TR tr = new TR();
+ tr.addElement(new TH().addElement("Google Mail Configuration (Optional)").setAlign("center").setColSpan(2));
+ t1.addElement(tr);
+ tr = new TR();
+ tr.addElement(new TD().addElement(" ").setAlign("left").setColSpan(2));
+ t1.addElement(tr);
- /**
- * Gets the hints attribute of the EmailScreen object
- *
- * @return The hints value
- */
- protected List getHints(WebSession s)
- {
- List hints = new ArrayList();
- hints.add("Try sending an anonymous message to yourself.");
- hints
- .add("Try inserting some html or javascript code in the message field");
- hints.add("Look at the hidden fields in the HTML.");
- hints
- .add("Insert <A href=\"http://www.aspectsecurity.com/webgoat.html\">Click here for Aspect</A> in the message field");
- hints
- .add("Insert <script>alert(\"Bad Stuff\");</script> in the message field");
- return hints;
- }
+ tr = new TR();
+ tr.addElement(new TD()
+ .addElement(
+ "These configurations will enable WebGoat to send email on your "
+ + "behalf using your gmail account. Leave them as the default value "
+ + "to use WebGoat's simulated mail.").setAlign("left").setColSpan(2));
+ t1.addElement(tr);
+ tr = new TR();
+ tr.addElement(new TD().addElement(" ").setAlign("left").setColSpan(2));
+ t1.addElement(tr);
- /**
- * Gets the instructions attribute of the UncheckedEmail object
- *
- * @return The instructions value
- */
- public String getInstructions(WebSession s)
- {
- String instructions = "This form is an example of a customer support page. Using the form below try to:
"
- + "1) Send a malicious script to the website admin.
"
- + "2) Send a malicious script to a 'friend' from OWASP.
";
- return (instructions);
- }
+ tr = new TR();
+ tr.addElement(new TD().addElement("GMail login id:"));
+ Input input = new Input(Input.TEXT, GMAIL_ID, YOUR_REAL_GMAIL_ID);
+ tr.addElement(new TD().addElement(input));
+ t1.addElement(tr);
+ tr = new TR();
+ tr.addElement(new TD().addElement("GMail password:"));
+ input = new Input(Input.PASSWORD, GMAIL_PASS, YOUR_REAL_GMAIL_PASSWORD);
+ tr.addElement(new TD().addElement(input));
+ t1.addElement(tr);
+ ec.addElement(t1);
- private final static Integer DEFAULT_RANKING = new Integer(55);
+ }
+ private Message sendGoogleMail(String recipients, String subject, String message, String from,
+ final String mailAccount, final String mailPassword) throws MessagingException
+ {
+ boolean debug = false;
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
+ Properties props = new Properties();
+ props.put("mail.smtp.host", SMTP_HOST_NAME);
+ props.put("mail.smtp.auth", "true");
+ props.put("mail.debug", "false");
+ props.put("mail.smtp.port", SMTP_PORT);
+ props.put("mail.smtp.socketFactory.port", SMTP_PORT);
+ props.put("mail.smtp.socketFactory.class", SSL_FACTORY);
+ props.put("mail.smtp.socketFactory.fallback", "false");
+ Session session = Session.getDefaultInstance(props, new javax.mail.Authenticator()
+ {
- /**
- * Gets the title attribute of the EmailScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Exploit Unchecked Email");
- }
+ protected PasswordAuthentication getPasswordAuthentication()
+ {
+ return new PasswordAuthentication(mailAccount, mailPassword);
+ }
+ });
+
+ session.setDebug(debug);
+
+ Message msg = new MimeMessage(session);
+ InternetAddress addressFrom = new InternetAddress(from);
+ msg.setFrom(addressFrom);
+
+ InternetAddress[] addressTo = new InternetAddress[1];
+ // for (int i = 0; i < recipients.length; i++)
+ // {
+ addressTo[0] = new InternetAddress(recipients);
+ // }
+ msg.setRecipients(Message.RecipientType.TO, addressTo);
+
+ // Setting the Subject and Content Type
+ msg.setSubject(subject);
+ msg.setContent(message, "text/plain");
+ Transport.send(msg);
+
+ return msg;
+ }
+
+ /**
+ * DOCUMENT ME!
+ *
+ * @return DOCUMENT ME!
+ */
+ protected Category getDefaultCategory()
+ {
+ return Category.UNVALIDATED_PARAMETERS;
+ }
+
+ /**
+ * Gets the hints attribute of the EmailScreen object
+ *
+ * @return The hints value
+ */
+ protected List getHints(WebSession s)
+ {
+ List hints = new ArrayList();
+ hints.add("Try sending an anonymous message to yourself.");
+ hints.add("Try inserting some html or javascript code in the message field");
+ hints.add("Look at the hidden fields in the HTML.");
+ hints
+ .add("Insert <A href=\"http://code.google.com/p/webgoat/\">Click here for the WebGoat Project</A> in the message field");
+ hints.add("Insert <script>alert(\"Bad Stuff\");</script> in the message field");
+ return hints;
+ }
+
+ /**
+ * Gets the instructions attribute of the UncheckedEmail object
+ *
+ * @return The instructions value
+ */
+ public String getInstructions(WebSession s)
+ {
+ String instructions =
+ "This form is an example of a customer support page. Using the form below try to:
"
+ + "1) Send a malicious script to the website admin.
"
+ + "2) Send a malicious script to a 'friend' from OWASP.
";
+ return (instructions);
+ }
+
+ private final static Integer DEFAULT_RANKING = new Integer(55);
+
+ protected Integer getDefaultRanking()
+ {
+ return DEFAULT_RANKING;
+ }
+
+ /**
+ * Gets the title attribute of the EmailScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ("Exploit Unchecked Email");
+ }
}
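Review bot: sendGoogleMail builds its session with `Session.getDefaultInstance(props, authenticator)`, and per the JavaMail API the default session is created once per JVM and returned on every later call, so the Authenticator closure (and thus the Gmail id and password) of whichever user first posts credentials is reused for every subsequent send in a multi-user WebGoat instance, while later users' credentials are silently ignored. Using a per-call session avoids the cross-user credential reuse: `Session session = Session.getInstance(props, new javax.mail.Authenticator() {`. The form side in createGoogleCredentials pre-fills the password input with the literal `"password"` and the recipient is parsed with the lenient `new InternetAddress(recipients)`; `new InternetAddress(recipients, true)` would at least reject malformed addresses before they reach the live SMTP path.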