From d92c716ff495958862a4983cfd4d826319cdaa60 Mon Sep 17 00:00:00 2001
From: mayhew64
Date: Tue, 8 Jan 2008 12:51:13 +0000
Subject: [PATCH] Added source parameter to "Show Java" for showing lesson source code. Added Google Mail configuration to UncheckedEmail lesson.
git-svn-id: http://webgoat.googlecode.com/svn/trunk@218 4033779f-a91e-0410-96ef-6bf7bf53c507
---
 .../org/owasp/webgoat/LessonSource.java | 311 ++++++------
 .../owasp/webgoat/lessons/UncheckedEmail.java | 476 ++++++++++++------
 2 files changed, 472 insertions(+), 315 deletions(-)
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/LessonSource.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/LessonSource.java
index f7ebe2adc..f4043bace 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/LessonSource.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/LessonSource.java
@@ -46,178 +46,169 @@ import org.owasp.webgoat.session.WebSession; public class LessonSource extends HammerHead { - /** - * - */ - private static final long serialVersionUID = 2588430536196446145L; + /** + * + */ + private static final long serialVersionUID = 2588430536196446145L; - /** - * Description of the Field - */ - public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE"; + /** + * Description of the Field + */ + public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE"; - public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE"; + public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE"; - /** - * Description of the Method - * - * @param request - * Description of the Parameter - * @param response - * Description of the Parameter - * @exception IOException - * Description of the Exception - * @exception ServletException - * Description of the Exception - */ - public void doPost(HttpServletRequest request, HttpServletResponse response) - throws IOException, ServletException - { - String source = null; - - try + /** + * Description of the Method + * + * @param request + * Description of the Parameter + * @param response + * Description of the Parameter + * @exception IOException + * Description of the Exception + * @exception ServletException + * Description of the Exception + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { - // System.out.println( "Entering doPost: " ); - // System.out.println( " - request " + request); - // System.out.println( " - principle: " + request.getUserPrincipal() - // ); - // setCacheHeaders(response, 0); - WebSession session = (WebSession) request.getSession(true).getAttribute( - WebSession.SESSION); - // FIXME: Too much in this call. 
- session.update(request, response, this.getServletName()); + String source = null; - String showSolution = session.getParser().getRawParameter("solution"); - if (showSolution != null) - { - // FIXME: we could probably just forward off to the file if the file - // existed. However, we do provide some feedback from the - // getSolution() method if something goes wrong. - - // Get the Java solution of the lesson. - source = getSolution(session); + try + { + // System.out.println( "Entering doPost: " ); + // System.out.println( " - request " + request); + // System.out.println( " - principle: " + request.getUserPrincipal() + // ); + // setCacheHeaders(response, 0); + WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION); + // FIXME: Too much in this call. + session.update(request, response, this.getServletName()); - int scr = session.getCurrentScreen(); - Course course = session.getCourse(); - AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); - lesson.getLessonTracker(session).setViewedSolution(true); + boolean showSolution = session.getParser().getBooleanParameter("solution", false); + boolean showSource = session.getParser().getBooleanParameter("source", false); + if (showSolution) + { + // Get the Java solution of the lesson. + source = getSolution(session); - } else - { + int scr = session.getCurrentScreen(); + Course course = session.getCourse(); + AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); + lesson.getLessonTracker(session).setViewedSolution(true); - // Get the Java source of the lesson. 
FIXME: Not needed - source = getSource(session); + } else if (showSource) + { - int scr = session.getCurrentScreen(); - Course course = session.getCourse(); - AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); - lesson.getLessonTracker(session).setViewedSource(true); - } - } - catch (Throwable t) - { - t.printStackTrace(); - log("ERROR: " + t); - } - finally - { - try - { - this.writeSource(source, response); - } - catch (Throwable thr) - { - thr.printStackTrace(); - log(request, "Could not write error screen: " + thr.getMessage()); - } - // System.out.println( "Leaving doPost: " ); + // Get the Java source of the lesson. FIXME: Not needed + source = getSource(session); - } - } + int scr = session.getCurrentScreen(); + Course course = session.getCourse(); + AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); + lesson.getLessonTracker(session).setViewedSource(true); + } + } + catch (Throwable t) + { + t.printStackTrace(); + log("ERROR: " + t); + } + finally + { + try + { + this.writeSource(source, response); + } + catch (Throwable thr) + { + thr.printStackTrace(); + log(request, "Could not write error screen: " + thr.getMessage()); + } + // System.out.println( "Leaving doPost: " ); - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @return Description of the Return Value - */ - protected String getSource(WebSession s) - { - - String source = null; - int scr = s.getCurrentScreen(); - Course course = s.getCourse(); - - if (s.isUser() || s.isChallenge()) - { - - AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); - - if (lesson != null) - { - source = lesson.getSource(s); - } - } - if (source == null) - { - return "Source code is not available. 
Contact " - + s.getWebgoatContext().getFeedbackAddress(); - } - return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP, - "Code Section Deliberately Omitted")); - } - - - protected String getSolution(WebSession s) - { - - String source = null; - int scr = s.getCurrentScreen(); - Course course = s.getCourse(); - - if (s.isUser() || s.isChallenge()) - { - - AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); - - if (lesson != null) - { - source = lesson.getSolution(s); - } - } - if (source == null) - { - return "Solution is not available. Contact " - + s.getWebgoatContext().getFeedbackAddress(); - } - return (source); - } - - - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @param response - * Description of the Parameter - * @exception IOException - * Description of the Exception - */ - protected void writeSource(String s, HttpServletResponse response) throws IOException - { - response.setContentType("text/html"); - - PrintWriter out = response.getWriter(); - - if (s == null) - { - s = new String(); + } } - out.print(s); - out.close(); - } + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected String getSource(WebSession s) + { + + String source = null; + int scr = s.getCurrentScreen(); + Course course = s.getCourse(); + + if (s.isUser() || s.isChallenge()) + { + + AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); + + if (lesson != null) + { + source = lesson.getSource(s); + } + } + if (source == null) + { + return "Source code is not available. 
Contact " + s.getWebgoatContext().getFeedbackAddress(); + } + return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP, + "Code Section Deliberately Omitted")); + } + + protected String getSolution(WebSession s) + { + + String source = null; + int scr = s.getCurrentScreen(); + Course course = s.getCourse(); + + if (s.isUser() || s.isChallenge()) + { + + AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); + + if (lesson != null) + { + source = lesson.getSolution(s); + } + } + if (source == null) + { + return "Solution is not available. Contact " + s.getWebgoatContext().getFeedbackAddress(); + } + return (source); + } + + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @param response + * Description of the Parameter + * @exception IOException + * Description of the Exception + */ + protected void writeSource(String s, HttpServletResponse response) throws IOException + { + response.setContentType("text/html"); + + PrintWriter out = response.getWriter(); + + if (s == null) + { + s = new String(); + } + + out.print(s); + out.close(); + } } diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java index 191be15ea..75b9036fd 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java 
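Review bot: The new `source` request parameter is undocumented: doPost keeps the placeholder Javadoc ("Description of the Method", "Description of the Parameter") and nothing records that `solution=true` and `source=true` choose what is written, that `solution` takes precedence when both are set, or that with neither parameter `source` stays null and writeSource emits an empty text/html body where the old code returned the lesson source. Suggest replacing the placeholder with a summary such as `Writes the current lesson's Java solution (solution=true) or source (source=true) to the response and records the view on the lesson tracker; with neither parameter the body is empty.` The two branches also repeat the four lines that look up the lesson and differ only in the tracker setter; hoisting `AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);` above the `if` leaves one line per branch. The `catch (Throwable t)` with printStackTrace is carried over from the old version rather than introduced here, but since the whole method was re-indented it would be a good moment to narrow it to the exception types the lookups actually throw.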
@@ -3,8 +3,18 @@ package org.owasp.webgoat.lessons; import java.text.Format; import java.text.SimpleDateFormat; import java.util.ArrayList; +import java.util.Arrays; import java.util.Date; import java.util.List; +import java.util.Properties; + +import javax.mail.Message; +import javax.mail.MessagingException; +import javax.mail.PasswordAuthentication; +import javax.mail.Session; +import javax.mail.Transport; +import javax.mail.internet.InternetAddress; +import javax.mail.internet.MimeMessage; import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; 
@@ -52,97 +62,126 @@ import org.owasp.webgoat.session.WebSession; * for free software projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Bruce Mayhew WebGoat - * @created October 28, 2003 + * + * @author Bruce Mayhew WebGoat + * @created October 28, 2003 */ public class UncheckedEmail extends LessonAdapter { - private final static String MESSAGE = "msg"; + private final String YOUR_REAL_GMAIL_PASSWORD = "password"; - private final static String TO = "to"; + private final String YOUR_REAL_GMAIL_ID = "GMail id"; + private final static String MESSAGE = "msg"; - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ + private final static String HIDDEN_TO = "to"; + private final static String SUBJECT = "subject"; + private final static String GMAIL_ID = "gId"; + private final static String GMAIL_PASS = "gPass"; - protected Element createContent(WebSession s) - { + private static final String SMTP_HOST_NAME = "smtp.gmail.com"; + private static final String SMTP_PORT = "465"; + private static final String emailFromAddress = "webgoat@owasp.org"; + private static final String SSL_FACTORY = "javax.net.ssl.SSLSocketFactory"; - ElementContainer ec = new ElementContainer(); - try + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + + protected Element createContent(WebSession s) { - String to = s.getParser().getRawParameter(TO, ""); - Table t = new Table().setCellSpacing(0).setCellPadding(2) - .setBorder(0).setWidth("90%").setAlign("center"); + ElementContainer ec = new ElementContainer(); + try + { + String to = s.getParser().getRawParameter(HIDDEN_TO, ""); + String gId = s.getParser().getRawParameter(GMAIL_ID, ""); + String gPass = s.getParser().getRawParameter(GMAIL_PASS, ""); + String message = s.getParser().getRawParameter(MESSAGE, ""); + String subject = 
s.getParser().getRawParameter(SUBJECT, ""); - if (s.isColor()) - { - t.setBorder(1); - } + boolean haveCredentials = !(YOUR_REAL_GMAIL_ID.equals(gId) || YOUR_REAL_GMAIL_PASSWORD.equals(gPass)); - TR tr = new TR(); - tr.addElement(new TH().addElement("Send OWASP your Comments
") - .setAlign("left").setColSpan(3)); - t.addElement(tr); + ec.addElement(new HR()); + createGoogleCredentials(s, ec); + ec.addElement(new HR()); + ec.addElement(new BR()); + createMailMessage(s, subject, message, ec); - tr = new TR(); - tr.addElement(new TD().addElement(" ").setColSpan(3)); - t.addElement(tr); + ec.addElement(new HR()); + if (to.length() > 0) + { - tr = new TR(); - tr.addElement(new TH().addElement(new H1("Contact Us")).setAlign( - "left").setWidth("55%").setVAlign("BOTTOM")); - //tr.addElement(new TH().addElement(" ")); - tr.addElement(new TH().setColSpan(2).addElement(new H3("Contact Information:")) - .setAlign("left").setVAlign("BOTTOM")); - t.addElement(tr); + if (haveCredentials) + { + Message sentMessage = sendGoogleMail(to, subject, message, emailFromAddress, gId, gPass); + formatMail(ec, sentMessage); + } else + { + sendSimulatedMail(ec, to, subject, message); + } + } - tr = new TR(); - tr - .addElement(new TD() - .addElement("We value your comments. To send OWASP your questions or comments regarding the " - + "WebGoat tool, please enter your comments below. The information you provide will be handled according " - + "to our Privacy Policy.")); - //tr.addElement(new TD().addElement(" ")); - tr.addElement(new TD().setColSpan(2).addElement( - "OWASP
" + "9175 Guilford Rd
Suite 300
" - + "Columbia, MD. 21046").setVAlign("top")); - t.addElement(tr); + // only complete the lesson if they changed the "to" hidden field + if (to.length() > 0 && !"webgoat.admin@owasp.org".equals(to)) + { + makeSuccess(s); + } + } + catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + return (ec); + } - tr = new TR(); - tr.addElement(new TD().addElement(" ").setColSpan(3)); - t.addElement(tr); + private void formatMail(ElementContainer ec, Message sentMessage) + { + try + { + ec.addElement(new Center().addElement(new B().addElement("You sent the following message to: " + + Arrays.asList(sentMessage.getAllRecipients())))); + ec.addElement(new BR()); + ec.addElement(new StringElement("MAIL FROM: " + Arrays.asList(sentMessage.getReplyTo()))); + ec.addElement(new BR()); + ec.addElement(new StringElement("RCPT TO: " + Arrays.asList(sentMessage.getAllRecipients()))); + ec.addElement(new BR()); + ec + .addElement(new StringElement("Message-ID: " + + Arrays.asList(sentMessage.getHeader("Message-ID")))); + ec.addElement(new BR()); + ec.addElement(new StringElement("Date: " + sentMessage.getSentDate())); + ec.addElement(new BR()); + ec.addElement(new StringElement("Subject: " + sentMessage.getSubject())); + ec.addElement(new BR()); + ec.addElement(new StringElement("Message: ")); + ec.addElement(new BR()); + ec.addElement(new BR()); + ec.addElement(new StringElement(sentMessage.getContent().toString())); + } + catch (Exception e) + { + // TODO Auto-generated catch block + ec.addElement(new StringElement("Fatal error while sending message")); + ec.addElement(new BR()); + ec.addElement(new StringElement(e.getMessage())); + } - Input input = new Input(Input.HIDDEN, TO, "webgoat.admin@owasp.org"); - tr = new TR(); - tr.addElement(new TD().addElement("Questions or Comments:")); - tr.addElement(new TD().addElement(" ")); - tr.addElement(new TD().setAlign("LEFT").addElement(input)); - t.addElement(tr); + } - tr = new 
TR(); - String message = s.getParser().getRawParameter(MESSAGE, ""); - TextArea ta = new TextArea(MESSAGE, 5, 40); - ta.addElement(new StringElement(convertMetachars(message))); - tr.addElement(new TD().setAlign("LEFT").addElement(ta)); - tr.addElement(new TD().setAlign("LEFT").setVAlign("MIDDLE") - .addElement(ECSFactory.makeButton("Send!"))); - tr.addElement(new TD().addElement(" ")); - t.addElement(tr); - ec.addElement(t); - - // Eventually we could send the actually mail, but the point should already be made - //ec.addElement(exec( use java mail here + to)); - - if (to.length() > 0) - { + /** + * @param ec + * @param to + * @param message + */ + private void sendSimulatedMail(ElementContainer ec, String to, String subject, String message) + { Format formatter; // Get today's date Date date = new Date(); 
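Review bot: `haveCredentials` in createContent only checks that the two fields differ from their placeholder defaults, so an emptied GMail id or password still counts as real credentials and the submission goes to sendGoogleMail, which then fails and surfaces as the generic "Error generating ..." message instead of falling back to simulated mail. Requiring non-empty values closes that: `boolean haveCredentials = gId.length() > 0 && gPass.length() > 0 && !YOUR_REAL_GMAIL_ID.equals(gId) && !YOUR_REAL_GMAIL_PASSWORD.equals(gPass);`. Note also that the real Gmail password arrives as an ordinary request parameter on every submission of this form; if WebGoat is served without TLS it crosses the wire in clear text, which is worth a sentence in the "Google Mail Configuration" panel text or the class Javadoc. In formatMail the catch block is only reached after Transport.send has already returned, so "Fatal error while sending message" misdescribes it; `"Message was sent but could not be displayed: "` fits, and the `// TODO Auto-generated catch block` marker should go.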
@@ -150,114 +189,241 @@ public class UncheckedEmail extends LessonAdapter String today = formatter.format(date); // Tue, 09 Jan 2002 22:14:02 -0500 - ec.addElement(new HR()); - ec - .addElement(new Center() - .addElement(new B() - .addElement("You sent the following message to: " - + to))); + ec.addElement(new Center().addElement(new B().addElement("You sent the following message to: " + to))); ec.addElement(new BR()); - ec.addElement(new StringElement( - "Return-Path: <webgoat@owasp.org>")); + ec.addElement(new StringElement("Return-Path: <webgoat@owasp.org>")); ec.addElement(new BR()); ec.addElement(new StringElement("Delivered-To: " + to)); ec.addElement(new BR()); - ec.addElement(new StringElement( - "Received: (qmail 614458 invoked by uid 239); " - + today)); + ec.addElement(new StringElement("Received: (qmail 614458 invoked by uid 239); " + today)); ec.addElement(new BR()); - ec.addElement(new StringElement("for <" + to + ">; " - + today)); + ec.addElement(new StringElement("for <" + to + ">; " + today)); ec.addElement(new BR()); ec.addElement(new StringElement("To: " + to)); ec.addElement(new BR()); - ec - .addElement(new StringElement( - "From: Blame it on the Goat <webgoat@owasp.org>")); + ec.addElement(new StringElement("From: Blame it on the Goat <webgoat@owasp.org>")); ec.addElement(new BR()); - ec.addElement(new StringElement( - "Subject: OWASP security issues")); + ec.addElement(new StringElement("Subject: " + subject)); ec.addElement(new BR()); ec.addElement(new BR()); ec.addElement(new StringElement(message)); - } - - // only complete the lesson if they changed the "to" hidden field - if (to.length() > 0 && !"webgoat.admin@owasp.org".equals(to)) - { - makeSuccess(s); - } } - catch (Exception e) + + /** + * @param s + * @param ec + * @return + */ + private void createMailMessage(WebSession s, String subject, String message, ElementContainer ec) { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + TR tr; + Input 
input; + Table t = new Table().setCellSpacing(0).setCellPadding(1).setBorder(0).setWidth("90%").setAlign("center"); + + if (s.isColor()) + { + t.setBorder(1); + } + + tr = new TR(); + tr.addElement(new TH().addElement("Send OWASP your Comments
").setAlign("left").setColSpan(3)); + t.addElement(tr); + + tr = new TR(); + tr.addElement(new TD().addElement(" ").setColSpan(3)); + t.addElement(tr); + + tr = new TR(); + tr.addElement(new TH().addElement(new H1("Contact Us")).setAlign("left").setWidth("55%").setVAlign("BOTTOM") + .setColSpan(2)); + tr.addElement(new TH().addElement(new H3("Contact Information:")).setAlign("left").setVAlign("BOTTOM")); + t.addElement(tr); + + tr = new TR(); + tr.addElement(new TD().addElement( + "We value your comments. " + "To send OWASP your questions or comments " + + "regarding the WebGoat tool, please enter your " + + "comments below. The information you provide will be " + + "handled according to our Privacy Policy.").setColSpan(2)); + tr.addElement(new TD().addElement( + "OWASP
" + "9175 Guilford Rd
Suite 300
" + + "Columbia, MD. 21046").setVAlign("top")); + t.addElement(tr); + + tr = new TR(); + tr.addElement(new TD().addElement(" ").setColSpan(3)); + t.addElement(tr); + + tr = new TR(); + tr.addElement(new TD().addElement("Subject:")); + input = new Input(Input.TEXT, SUBJECT, "Comment for WebGoat"); + tr.addElement(new TD().setAlign("LEFT").addElement(input)); + tr.addElement(new TD().addElement(" ")); + t.addElement(tr); + + input = new Input(Input.HIDDEN, HIDDEN_TO, "webgoat.admin@owasp.org"); + tr = new TR(); + tr.addElement(new TD().addElement("Questions or Comments:").setColSpan(2)); + tr.addElement(new TD().setAlign("LEFT").addElement(input)); + t.addElement(tr); + + tr = new TR(); + TextArea ta = new TextArea(MESSAGE, 5, 40); + ta.addElement(new StringElement(convertMetachars(message))); + tr.addElement(new TD().setAlign("LEFT").addElement(ta).setColSpan(2)); + tr.addElement(new TD().setAlign("LEFT").setVAlign("MIDDLE").addElement(ECSFactory.makeButton("Send!"))); + t.addElement(tr); + ec.addElement(t); } - return (ec); - } + /** + * @param s + * @param ec + */ + private void createGoogleCredentials(WebSession s, ElementContainer ec) + { + // Allow the user to configure a real email interface using gmail + Table t1 = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); + t1.setStyle("border-width:3px; border-style: solid;"); + if (s.isColor()) + { + t1.setBorder(1); + } - /** - * DOCUMENT ME! - * - * @return DOCUMENT ME! 
- */ - protected Category getDefaultCategory() - { - return Category.UNVALIDATED_PARAMETERS; - } + TR tr = new TR(); + tr.addElement(new TH().addElement("Google Mail Configuration (Optional)").setAlign("center").setColSpan(2)); + t1.addElement(tr); + tr = new TR(); + tr.addElement(new TD().addElement(" ").setAlign("left").setColSpan(2)); + t1.addElement(tr); - /** - * Gets the hints attribute of the EmailScreen object - * - * @return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints.add("Try sending an anonymous message to yourself."); - hints - .add("Try inserting some html or javascript code in the message field"); - hints.add("Look at the hidden fields in the HTML."); - hints - .add("Insert <A href=\"http://www.aspectsecurity.com/webgoat.html\">Click here for Aspect</A> in the message field"); - hints - .add("Insert <script>alert(\"Bad Stuff\");</script> in the message field"); - return hints; - } + tr = new TR(); + tr.addElement(new TD() + .addElement( + "These configurations will enable WebGoat to send email on your " + + "behalf using your gmail account. Leave them as the default value " + + "to use WebGoat's simulated mail.").setAlign("left").setColSpan(2)); + t1.addElement(tr); + tr = new TR(); + tr.addElement(new TD().addElement(" ").setAlign("left").setColSpan(2)); + t1.addElement(tr); - /** - * Gets the instructions attribute of the UncheckedEmail object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = "This form is an example of a customer support page. Using the form below try to:
" - + "1) Send a malicious script to the website admin.
" - + "2) Send a malicious script to a 'friend' from OWASP.
"; - return (instructions); - } + tr = new TR(); + tr.addElement(new TD().addElement("GMail login id:")); + Input input = new Input(Input.TEXT, GMAIL_ID, YOUR_REAL_GMAIL_ID); + tr.addElement(new TD().addElement(input)); + t1.addElement(tr); + tr = new TR(); + tr.addElement(new TD().addElement("GMail password:")); + input = new Input(Input.PASSWORD, GMAIL_PASS, YOUR_REAL_GMAIL_PASSWORD); + tr.addElement(new TD().addElement(input)); + t1.addElement(tr); + ec.addElement(t1); - private final static Integer DEFAULT_RANKING = new Integer(55); + } + private Message sendGoogleMail(String recipients, String subject, String message, String from, + final String mailAccount, final String mailPassword) throws MessagingException + { + boolean debug = false; - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } + Properties props = new Properties(); + props.put("mail.smtp.host", SMTP_HOST_NAME); + props.put("mail.smtp.auth", "true"); + props.put("mail.debug", "false"); + props.put("mail.smtp.port", SMTP_PORT); + props.put("mail.smtp.socketFactory.port", SMTP_PORT); + props.put("mail.smtp.socketFactory.class", SSL_FACTORY); + props.put("mail.smtp.socketFactory.fallback", "false"); + Session session = Session.getDefaultInstance(props, new javax.mail.Authenticator() + { - /** - * Gets the title attribute of the EmailScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Exploit Unchecked Email"); - } + protected PasswordAuthentication getPasswordAuthentication() + { + return new PasswordAuthentication(mailAccount, mailPassword); + } + }); + + session.setDebug(debug); + + Message msg = new MimeMessage(session); + InternetAddress addressFrom = new InternetAddress(from); + msg.setFrom(addressFrom); + + InternetAddress[] addressTo = new InternetAddress[1]; + // for (int i = 0; i < recipients.length; i++) + // { + addressTo[0] = new InternetAddress(recipients); + // } + msg.setRecipients(Message.RecipientType.TO, addressTo); + + 
// Setting the Subject and Content Type + msg.setSubject(subject); + msg.setContent(message, "text/plain"); + Transport.send(msg); + + return msg; + } + + /** + * DOCUMENT ME! + * + * @return DOCUMENT ME! + */ + protected Category getDefaultCategory() + { + return Category.UNVALIDATED_PARAMETERS; + } + + /** + * Gets the hints attribute of the EmailScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("Try sending an anonymous message to yourself."); + hints.add("Try inserting some html or javascript code in the message field"); + hints.add("Look at the hidden fields in the HTML."); + hints + .add("Insert <A href=\"http://code.google.com/p/webgoat/\">Click here for the WebGoat Project</A> in the message field"); + hints.add("Insert <script>alert(\"Bad Stuff\");</script> in the message field"); + return hints; + } + + /** + * Gets the instructions attribute of the UncheckedEmail object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + String instructions = + "This form is an example of a customer support page. Using the form below try to:
" + + "1) Send a malicious script to the website admin.
" + + "2) Send a malicious script to a 'friend' from OWASP.
"; + return (instructions); + } + + private final static Integer DEFAULT_RANKING = new Integer(55); + + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + /** + * Gets the title attribute of the EmailScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Exploit Unchecked Email"); + } }