dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added source parameter to "Show Java" for showing lesson source code. Added Google Mail configuration to UncheckedEmail lesson.

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@218 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
mayhew64
2008-01-08 12:51:13 +00:00
parent 23e7fe1f4f
commit d92c716ff4
2 changed files with 472 additions and 315 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
webgoat/main/project/JavaSource/org/owasp/webgoat/LessonSource.java
View File

@ -70,8 +70,7 @@ public class LessonSource extends HammerHead
* @exception ServletException * @exception ServletException
* Description of the Exception * Description of the Exception
*/ */
public void doPost(HttpServletRequest request, HttpServletResponse response) public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
throws IOException, ServletException
{ {
String source = null; String source = null;
@ -82,17 +81,14 @@ public class LessonSource extends HammerHead
// System.out.println( " - principle: " + request.getUserPrincipal() // System.out.println( " - principle: " + request.getUserPrincipal()
// ); // );
// setCacheHeaders(response, 0); // setCacheHeaders(response, 0);
WebSession session = (WebSession) request.getSession(true).getAttribute( WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION);
WebSession.SESSION);
// FIXME: Too much in this call. // FIXME: Too much in this call.
session.update(request, response, this.getServletName()); session.update(request, response, this.getServletName());
String showSolution = session.getParser().getRawParameter("solution"); boolean showSolution = session.getParser().getBooleanParameter("solution", false);
if (showSolution != null) boolean showSource = session.getParser().getBooleanParameter("source", false);
if (showSolution)
{ {
// FIXME: we could probably just forward off to the file if the file
// existed. However, we do provide some feedback from the
// getSolution() method if something goes wrong.
// Get the Java solution of the lesson. // Get the Java solution of the lesson.
source = getSolution(session); source = getSolution(session);
@ -102,8 +98,7 @@ public class LessonSource extends HammerHead
AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
lesson.getLessonTracker(session).setViewedSolution(true); lesson.getLessonTracker(session).setViewedSolution(true);
} else if (showSource)
} else
{ {
// Get the Java source of the lesson. FIXME: Not needed // Get the Java source of the lesson. FIXME: Not needed
@ -162,14 +157,12 @@ public class LessonSource extends HammerHead
} }
if (source == null) if (source == null)
{ {
return "Source code is not available. Contact " return "Source code is not available. Contact " + s.getWebgoatContext().getFeedbackAddress();
+ s.getWebgoatContext().getFeedbackAddress();
} }
return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP, return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
"Code Section Deliberately Omitted")); "Code Section Deliberately Omitted"));
} }
protected String getSolution(WebSession s) protected String getSolution(WebSession s)
{ {
@ -189,13 +182,11 @@ public class LessonSource extends HammerHead
} }
if (source == null) if (source == null)
{ {
return "Solution is not available. Contact " return "Solution is not available. Contact " + s.getWebgoatContext().getFeedbackAddress();
+ s.getWebgoatContext().getFeedbackAddress();
} }
return (source); return (source);
} }
/** /**
* Description of the Method * Description of the Method
* *

386
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java
View File

@ -3,8 +3,18 @@ package org.owasp.webgoat.lessons;
import java.text.Format; import java.text.Format;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date; import java.util.Date;
import java.util.List; import java.util.List;
import java.util.Properties;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
import org.apache.ecs.Element; import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
@ -59,15 +69,27 @@ import org.owasp.webgoat.session.WebSession;
public class UncheckedEmail extends LessonAdapter public class UncheckedEmail extends LessonAdapter
{ {
private final String YOUR_REAL_GMAIL_PASSWORD = "password";
private final String YOUR_REAL_GMAIL_ID = "GMail id";
private final static String MESSAGE = "msg"; private final static String MESSAGE = "msg";
private final static String TO = "to"; private final static String HIDDEN_TO = "to";
private final static String SUBJECT = "subject";
private final static String GMAIL_ID = "gId";
private final static String GMAIL_PASS = "gPass";
private static final String SMTP_HOST_NAME = "smtp.gmail.com";
private static final String SMTP_PORT = "465";
private static final String emailFromAddress = "webgoat@owasp.org";
private static final String SSL_FACTORY = "javax.net.ssl.SSLSocketFactory";
/** /**
* Description of the Method * Description of the Method
* *
* @param s Description of the Parameter * @param s
* Description of the Parameter
* @return Description of the Return Value * @return Description of the Return Value
*/ */
@ -77,109 +99,32 @@ public class UncheckedEmail extends LessonAdapter
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
try try
{ {
String to = s.getParser().getRawParameter(TO, ""); String to = s.getParser().getRawParameter(HIDDEN_TO, "");
String gId = s.getParser().getRawParameter(GMAIL_ID, "");
Table t = new Table().setCellSpacing(0).setCellPadding(2) String gPass = s.getParser().getRawParameter(GMAIL_PASS, "");
.setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
TR tr = new TR();
tr.addElement(new TH().addElement("Send OWASP your Comments<BR>")
.setAlign("left").setColSpan(3));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(3));
t.addElement(tr);
tr = new TR();
tr.addElement(new TH().addElement(new H1("Contact Us")).setAlign(
"left").setWidth("55%").setVAlign("BOTTOM"));
//tr.addElement(new TH().addElement("&nbsp;"));
tr.addElement(new TH().setColSpan(2).addElement(new H3("Contact Information:"))
.setAlign("left").setVAlign("BOTTOM"));
t.addElement(tr);
tr = new TR();
tr
.addElement(new TD()
.addElement("We value your comments. To send OWASP your questions or comments regarding the "
+ "WebGoat tool, please enter your comments below. The information you provide will be handled according "
+ "to our <U>Privacy Policy</U>."));
//tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().setColSpan(2).addElement(
"<b>OWASP</B><BR>" + "9175 Guilford Rd <BR> Suite 300 <BR>"
+ "Columbia, MD. 21046").setVAlign("top"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(3));
t.addElement(tr);
Input input = new Input(Input.HIDDEN, TO, "webgoat.admin@owasp.org");
tr = new TR();
tr.addElement(new TD().addElement("Questions or Comments:"));
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().setAlign("LEFT").addElement(input));
t.addElement(tr);
tr = new TR();
String message = s.getParser().getRawParameter(MESSAGE, ""); String message = s.getParser().getRawParameter(MESSAGE, "");
TextArea ta = new TextArea(MESSAGE, 5, 40); String subject = s.getParser().getRawParameter(SUBJECT, "");
ta.addElement(new StringElement(convertMetachars(message)));
tr.addElement(new TD().setAlign("LEFT").addElement(ta));
tr.addElement(new TD().setAlign("LEFT").setVAlign("MIDDLE")
.addElement(ECSFactory.makeButton("Send!")));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
ec.addElement(t);
// Eventually we could send the actually mail, but the point should already be made boolean haveCredentials = !(YOUR_REAL_GMAIL_ID.equals(gId) || YOUR_REAL_GMAIL_PASSWORD.equals(gPass));
//ec.addElement(exec( use java mail here + to));
if (to.length() > 0)
{
Format formatter;
// Get today's date
Date date = new Date();
formatter = new SimpleDateFormat("E, dd MMM yyyy HH:mm:ss Z");
String today = formatter.format(date);
// Tue, 09 Jan 2002 22:14:02 -0500
ec.addElement(new HR()); ec.addElement(new HR());
ec createGoogleCredentials(s, ec);
.addElement(new Center() ec.addElement(new HR());
.addElement(new B()
.addElement("You sent the following message to: "
+ to)));
ec.addElement(new BR()); ec.addElement(new BR());
ec.addElement(new StringElement( createMailMessage(s, subject, message, ec);
"<b>Return-Path:</b> &lt;webgoat@owasp.org&gt;"));
ec.addElement(new BR()); ec.addElement(new HR());
ec.addElement(new StringElement("<b>Delivered-To:</b> " + to)); if (to.length() > 0)
ec.addElement(new BR()); {
ec.addElement(new StringElement(
"<b>Received:</b> (qmail 614458 invoked by uid 239); " if (haveCredentials)
+ today)); {
ec.addElement(new BR()); Message sentMessage = sendGoogleMail(to, subject, message, emailFromAddress, gId, gPass);
ec.addElement(new StringElement("for &lt;" + to + "&gt;; " formatMail(ec, sentMessage);
+ today)); } else
ec.addElement(new BR()); {
ec.addElement(new StringElement("<b>To:</b> " + to)); sendSimulatedMail(ec, to, subject, message);
ec.addElement(new BR()); }
ec
.addElement(new StringElement(
"<b>From:</b> Blame it on the Goat &lt;webgoat@owasp.org&gt;"));
ec.addElement(new BR());
ec.addElement(new StringElement(
"<b>Subject:</b> OWASP security issues"));
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(new StringElement(message));
} }
// only complete the lesson if they changed the "to" hidden field // only complete the lesson if they changed the "to" hidden field
@ -196,6 +141,232 @@ public class UncheckedEmail extends LessonAdapter
return (ec); return (ec);
} }
private void formatMail(ElementContainer ec, Message sentMessage)
{
try
{
ec.addElement(new Center().addElement(new B().addElement("You sent the following message to: "
+ Arrays.asList(sentMessage.getAllRecipients()))));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>MAIL FROM:</b> " + Arrays.asList(sentMessage.getReplyTo())));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>RCPT TO:</b> " + Arrays.asList(sentMessage.getAllRecipients())));
ec.addElement(new BR());
ec
.addElement(new StringElement("<b>Message-ID:</b> "
+ Arrays.asList(sentMessage.getHeader("Message-ID"))));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Date:</b> " + sentMessage.getSentDate()));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Subject:</b> " + sentMessage.getSubject()));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Message:</b> "));
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(new StringElement(sentMessage.getContent().toString()));
}
catch (Exception e)
{
// TODO Auto-generated catch block
ec.addElement(new StringElement("Fatal error while sending message"));
ec.addElement(new BR());
ec.addElement(new StringElement(e.getMessage()));
}
}
/**
* @param ec
* @param to
* @param message
*/
private void sendSimulatedMail(ElementContainer ec, String to, String subject, String message)
{
Format formatter;
// Get today's date
Date date = new Date();
formatter = new SimpleDateFormat("E, dd MMM yyyy HH:mm:ss Z");
String today = formatter.format(date);
// Tue, 09 Jan 2002 22:14:02 -0500
ec.addElement(new Center().addElement(new B().addElement("You sent the following message to: " + to)));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Return-Path:</b> &lt;webgoat@owasp.org&gt;"));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Delivered-To:</b> " + to));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Received:</b> (qmail 614458 invoked by uid 239); " + today));
ec.addElement(new BR());
ec.addElement(new StringElement("for &lt;" + to + "&gt;; " + today));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>To:</b> " + to));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>From:</b> Blame it on the Goat &lt;webgoat@owasp.org&gt;"));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Subject:</b> " + subject));
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(new StringElement(message));
}
/**
* @param s
* @param ec
* @return
*/
private void createMailMessage(WebSession s, String subject, String message, ElementContainer ec)
{
TR tr;
Input input;
Table t = new Table().setCellSpacing(0).setCellPadding(1).setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
tr = new TR();
tr.addElement(new TH().addElement("Send OWASP your Comments<BR>").setAlign("left").setColSpan(3));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(3));
t.addElement(tr);
tr = new TR();
tr.addElement(new TH().addElement(new H1("Contact Us")).setAlign("left").setWidth("55%").setVAlign("BOTTOM")
.setColSpan(2));
tr.addElement(new TH().addElement(new H3("Contact Information:")).setAlign("left").setVAlign("BOTTOM"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement(
"We value your comments. " + "To send OWASP your questions or comments "
+ "regarding the WebGoat tool, please enter your "
+ "comments below. The information you provide will be "
+ "handled according to our <U>Privacy Policy</U>.").setColSpan(2));
tr.addElement(new TD().addElement(
"<b>OWASP</B><BR>" + "9175 Guilford Rd <BR> Suite 300 <BR>"
+ "Columbia, MD. 21046").setVAlign("top"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(3));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("Subject:"));
input = new Input(Input.TEXT, SUBJECT, "Comment for WebGoat");
tr.addElement(new TD().setAlign("LEFT").addElement(input));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
input = new Input(Input.HIDDEN, HIDDEN_TO, "webgoat.admin@owasp.org");
tr = new TR();
tr.addElement(new TD().addElement("Questions or Comments:").setColSpan(2));
tr.addElement(new TD().setAlign("LEFT").addElement(input));
t.addElement(tr);
tr = new TR();
TextArea ta = new TextArea(MESSAGE, 5, 40);
ta.addElement(new StringElement(convertMetachars(message)));
tr.addElement(new TD().setAlign("LEFT").addElement(ta).setColSpan(2));
tr.addElement(new TD().setAlign("LEFT").setVAlign("MIDDLE").addElement(ECSFactory.makeButton("Send!")));
t.addElement(tr);
ec.addElement(t);
}
/**
* @param s
* @param ec
*/
private void createGoogleCredentials(WebSession s, ElementContainer ec)
{
// Allow the user to configure a real email interface using gmail
Table t1 = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
t1.setStyle("border-width:3px; border-style: solid;");
if (s.isColor())
{
t1.setBorder(1);
}
TR tr = new TR();
tr.addElement(new TH().addElement("Google Mail Configuration (Optional)").setAlign("center").setColSpan(2));
t1.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setAlign("left").setColSpan(2));
t1.addElement(tr);
tr = new TR();
tr.addElement(new TD()
.addElement(
"These configurations will enable WebGoat to send email on your "
+ "behalf using your gmail account. Leave them as the default value "
+ "to use WebGoat's simulated mail.").setAlign("left").setColSpan(2));
t1.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setAlign("left").setColSpan(2));
t1.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("GMail login id:"));
Input input = new Input(Input.TEXT, GMAIL_ID, YOUR_REAL_GMAIL_ID);
tr.addElement(new TD().addElement(input));
t1.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("GMail password:"));
input = new Input(Input.PASSWORD, GMAIL_PASS, YOUR_REAL_GMAIL_PASSWORD);
tr.addElement(new TD().addElement(input));
t1.addElement(tr);
ec.addElement(t1);
}
private Message sendGoogleMail(String recipients, String subject, String message, String from,
final String mailAccount, final String mailPassword) throws MessagingException
{
boolean debug = false;
Properties props = new Properties();
props.put("mail.smtp.host", SMTP_HOST_NAME);
props.put("mail.smtp.auth", "true");
props.put("mail.debug", "false");
props.put("mail.smtp.port", SMTP_PORT);
props.put("mail.smtp.socketFactory.port", SMTP_PORT);
props.put("mail.smtp.socketFactory.class", SSL_FACTORY);
props.put("mail.smtp.socketFactory.fallback", "false");
Session session = Session.getDefaultInstance(props, new javax.mail.Authenticator()
{
protected PasswordAuthentication getPasswordAuthentication()
{
return new PasswordAuthentication(mailAccount, mailPassword);
}
});
session.setDebug(debug);
Message msg = new MimeMessage(session);
InternetAddress addressFrom = new InternetAddress(from);
msg.setFrom(addressFrom);
InternetAddress[] addressTo = new InternetAddress[1];
// for (int i = 0; i < recipients.length; i++)
// {
addressTo[0] = new InternetAddress(recipients);
// }
msg.setRecipients(Message.RecipientType.TO, addressTo);
// Setting the Subject and Content Type
msg.setSubject(subject);
msg.setContent(message, "text/plain");
Transport.send(msg);
return msg;
}
/** /**
* DOCUMENT ME! * DOCUMENT ME!
@ -207,7 +378,6 @@ public class UncheckedEmail extends LessonAdapter
return Category.UNVALIDATED_PARAMETERS; return Category.UNVALIDATED_PARAMETERS;
} }
/** /**
* Gets the hints attribute of the EmailScreen object * Gets the hints attribute of the EmailScreen object
* *
@ -217,17 +387,14 @@ public class UncheckedEmail extends LessonAdapter
{ {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
hints.add("Try sending an anonymous message to yourself."); hints.add("Try sending an anonymous message to yourself.");
hints hints.add("Try inserting some html or javascript code in the message field");
.add("Try inserting some html or javascript code in the message field");
hints.add("Look at the hidden fields in the HTML."); hints.add("Look at the hidden fields in the HTML.");
hints hints
.add("Insert &lt;A href=\"http://www.aspectsecurity.com/webgoat.html\"&gt;Click here for Aspect&lt;/A&gt in the message field"); .add("Insert &lt;A href=\"http://code.google.com/p/webgoat/\"&gt;Click here for the WebGoat Project&lt;/A&gt in the message field");
hints hints.add("Insert &lt;script&gt;alert(\"Bad Stuff\");&lt;/script&gt; in the message field");
.add("Insert &lt;script&gt;alert(\"Bad Stuff\");&lt;/script&gt; in the message field");
return hints; return hints;
} }
/** /**
* Gets the instructions attribute of the UncheckedEmail object * Gets the instructions attribute of the UncheckedEmail object
* *
@ -235,7 +402,8 @@ public class UncheckedEmail extends LessonAdapter
*/ */
public String getInstructions(WebSession s) public String getInstructions(WebSession s)
{ {
String instructions = "This form is an example of a customer support page. Using the form below try to:<br>" String instructions =
"This form is an example of a customer support page. Using the form below try to:<br>"
+ "1) Send a malicious script to the website admin.<br>" + "1) Send a malicious script to the website admin.<br>"
+ "2) Send a malicious script to a 'friend' from OWASP.<br>"; + "2) Send a malicious script to a 'friend' from OWASP.<br>";
return (instructions); return (instructions);
@ -243,13 +411,11 @@ public class UncheckedEmail extends LessonAdapter
private final static Integer DEFAULT_RANKING = new Integer(55); private final static Integer DEFAULT_RANKING = new Integer(55);
protected Integer getDefaultRanking() protected Integer getDefaultRanking()
{ {
return DEFAULT_RANKING; return DEFAULT_RANKING;
} }
/** /**
* Gets the title attribute of the EmailScreen object * Gets the title attribute of the EmailScreen object
* *