dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added source parameter to "Show Java" for showing lesson source code. Added Google Mail configuration to UncheckedEmail lesson.

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@218 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
mayhew64
2008-01-08 12:51:13 +00:00
parent 23e7fe1f4f
commit d92c716ff4
2 changed files with 472 additions and 315 deletions
Download Patch File Download Diff File Expand all files Collapse all files

311
webgoat/main/project/JavaSource/org/owasp/webgoat/LessonSource.java
View File

@ -46,178 +46,169 @@ import org.owasp.webgoat.session.WebSession;
public class LessonSource extends HammerHead
{
/**
*
*/
private static final long serialVersionUID = 2588430536196446145L;
/**
*
*/
private static final long serialVersionUID = 2588430536196446145L;
/**
* Description of the Field
*/
public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE";
/**
* Description of the Field
*/
public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE";
public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
/**
* Description of the Method
*
* @param request
* Description of the Parameter
* @param response
* Description of the Parameter
* @exception IOException
* Description of the Exception
* @exception ServletException
* Description of the Exception
*/
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws IOException, ServletException
{
String source = null;
try
/**
* Description of the Method
*
* @param request
* Description of the Parameter
* @param response
* Description of the Parameter
* @exception IOException
* Description of the Exception
* @exception ServletException
* Description of the Exception
*/
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
{
// System.out.println( "Entering doPost: " );
// System.out.println( " - request " + request);
// System.out.println( " - principle: " + request.getUserPrincipal()
// );
// setCacheHeaders(response, 0);
WebSession session = (WebSession) request.getSession(true).getAttribute(
WebSession.SESSION);
// FIXME: Too much in this call.
session.update(request, response, this.getServletName());
String source = null;
String showSolution = session.getParser().getRawParameter("solution");
if (showSolution != null)
{
// FIXME: we could probably just forward off to the file if the file
// existed. However, we do provide some feedback from the
// getSolution() method if something goes wrong.
// Get the Java solution of the lesson.
source = getSolution(session);
try
{
// System.out.println( "Entering doPost: " );
// System.out.println( " - request " + request);
// System.out.println( " - principle: " + request.getUserPrincipal()
// );
// setCacheHeaders(response, 0);
WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION);
// FIXME: Too much in this call.
session.update(request, response, this.getServletName());
int scr = session.getCurrentScreen();
Course course = session.getCourse();
AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
lesson.getLessonTracker(session).setViewedSolution(true);
boolean showSolution = session.getParser().getBooleanParameter("solution", false);
boolean showSource = session.getParser().getBooleanParameter("source", false);
if (showSolution)
{
// Get the Java solution of the lesson.
source = getSolution(session);
} else
{
int scr = session.getCurrentScreen();
Course course = session.getCourse();
AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
lesson.getLessonTracker(session).setViewedSolution(true);
// Get the Java source of the lesson. FIXME: Not needed
source = getSource(session);
} else if (showSource)
{
int scr = session.getCurrentScreen();
Course course = session.getCourse();
AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
lesson.getLessonTracker(session).setViewedSource(true);
}
}
catch (Throwable t)
{
t.printStackTrace();
log("ERROR: " + t);
}
finally
{
try
{
this.writeSource(source, response);
}
catch (Throwable thr)
{
thr.printStackTrace();
log(request, "Could not write error screen: " + thr.getMessage());
}
// System.out.println( "Leaving doPost: " );
// Get the Java source of the lesson. FIXME: Not needed
source = getSource(session);
}
}
int scr = session.getCurrentScreen();
Course course = session.getCourse();
AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
lesson.getLessonTracker(session).setViewedSource(true);
}
}
catch (Throwable t)
{
t.printStackTrace();
log("ERROR: " + t);
}
finally
{
try
{
this.writeSource(source, response);
}
catch (Throwable thr)
{
thr.printStackTrace();
log(request, "Could not write error screen: " + thr.getMessage());
}
// System.out.println( "Leaving doPost: " );
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected String getSource(WebSession s)
{
String source = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isChallenge())
{
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null)
{
source = lesson.getSource(s);
}
}
if (source == null)
{
return "Source code is not available. Contact "
+ s.getWebgoatContext().getFeedbackAddress();
}
return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
"Code Section Deliberately Omitted"));
}
protected String getSolution(WebSession s)
{
String source = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isChallenge())
{
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null)
{
source = lesson.getSolution(s);
}
}
if (source == null)
{
return "Solution is not available. Contact "
+ s.getWebgoatContext().getFeedbackAddress();
}
return (source);
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param response
* Description of the Parameter
* @exception IOException
* Description of the Exception
*/
protected void writeSource(String s, HttpServletResponse response) throws IOException
{
response.setContentType("text/html");
PrintWriter out = response.getWriter();
if (s == null)
{
s = new String();
}
}
out.print(s);
out.close();
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected String getSource(WebSession s)
{
String source = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isChallenge())
{
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null)
{
source = lesson.getSource(s);
}
}
if (source == null)
{
return "Source code is not available. Contact " + s.getWebgoatContext().getFeedbackAddress();
}
return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
"Code Section Deliberately Omitted"));
}
protected String getSolution(WebSession s)
{
String source = null;
int scr = s.getCurrentScreen();
Course course = s.getCourse();
if (s.isUser() || s.isChallenge())
{
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null)
{
source = lesson.getSolution(s);
}
}
if (source == null)
{
return "Solution is not available. Contact " + s.getWebgoatContext().getFeedbackAddress();
}
return (source);
}
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @param response
* Description of the Parameter
* @exception IOException
* Description of the Exception
*/
protected void writeSource(String s, HttpServletResponse response) throws IOException
{
response.setContentType("text/html");
PrintWriter out = response.getWriter();
if (s == null)
{
s = new String();
}
out.print(s);
out.close();
}
}

476
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java
View File

@ -3,8 +3,18 @@ package org.owasp.webgoat.lessons;
import java.text.Format;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.Properties;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
@ -52,97 +62,126 @@ import org.owasp.webgoat.session.WebSession;
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class UncheckedEmail extends LessonAdapter
{
private final static String MESSAGE = "msg";
private final String YOUR_REAL_GMAIL_PASSWORD = "password";
private final static String TO = "to";
private final String YOUR_REAL_GMAIL_ID = "GMail id";
private final static String MESSAGE = "msg";
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
private final static String HIDDEN_TO = "to";
private final static String SUBJECT = "subject";
private final static String GMAIL_ID = "gId";
private final static String GMAIL_PASS = "gPass";
protected Element createContent(WebSession s)
{
private static final String SMTP_HOST_NAME = "smtp.gmail.com";
private static final String SMTP_PORT = "465";
private static final String emailFromAddress = "webgoat@owasp.org";
private static final String SSL_FACTORY = "javax.net.ssl.SSLSocketFactory";
ElementContainer ec = new ElementContainer();
try
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
String to = s.getParser().getRawParameter(TO, "");
Table t = new Table().setCellSpacing(0).setCellPadding(2)
.setBorder(0).setWidth("90%").setAlign("center");
ElementContainer ec = new ElementContainer();
try
{
String to = s.getParser().getRawParameter(HIDDEN_TO, "");
String gId = s.getParser().getRawParameter(GMAIL_ID, "");
String gPass = s.getParser().getRawParameter(GMAIL_PASS, "");
String message = s.getParser().getRawParameter(MESSAGE, "");
String subject = s.getParser().getRawParameter(SUBJECT, "");
if (s.isColor())
{
t.setBorder(1);
}
boolean haveCredentials = !(YOUR_REAL_GMAIL_ID.equals(gId) || YOUR_REAL_GMAIL_PASSWORD.equals(gPass));
TR tr = new TR();
tr.addElement(new TH().addElement("Send OWASP your Comments<BR>")
.setAlign("left").setColSpan(3));
t.addElement(tr);
ec.addElement(new HR());
createGoogleCredentials(s, ec);
ec.addElement(new HR());
ec.addElement(new BR());
createMailMessage(s, subject, message, ec);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(3));
t.addElement(tr);
ec.addElement(new HR());
if (to.length() > 0)
{
tr = new TR();
tr.addElement(new TH().addElement(new H1("Contact Us")).setAlign(
"left").setWidth("55%").setVAlign("BOTTOM"));
//tr.addElement(new TH().addElement("&nbsp;"));
tr.addElement(new TH().setColSpan(2).addElement(new H3("Contact Information:"))
.setAlign("left").setVAlign("BOTTOM"));
t.addElement(tr);
if (haveCredentials)
{
Message sentMessage = sendGoogleMail(to, subject, message, emailFromAddress, gId, gPass);
formatMail(ec, sentMessage);
} else
{
sendSimulatedMail(ec, to, subject, message);
}
}
tr = new TR();
tr
.addElement(new TD()
.addElement("We value your comments. To send OWASP your questions or comments regarding the "
+ "WebGoat tool, please enter your comments below. The information you provide will be handled according "
+ "to our <U>Privacy Policy</U>."));
//tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().setColSpan(2).addElement(
"<b>OWASP</B><BR>" + "9175 Guilford Rd <BR> Suite 300 <BR>"
+ "Columbia, MD. 21046").setVAlign("top"));
t.addElement(tr);
// only complete the lesson if they changed the "to" hidden field
if (to.length() > 0 && !"webgoat.admin@owasp.org".equals(to))
{
makeSuccess(s);
}
}
catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(3));
t.addElement(tr);
private void formatMail(ElementContainer ec, Message sentMessage)
{
try
{
ec.addElement(new Center().addElement(new B().addElement("You sent the following message to: "
+ Arrays.asList(sentMessage.getAllRecipients()))));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>MAIL FROM:</b> " + Arrays.asList(sentMessage.getReplyTo())));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>RCPT TO:</b> " + Arrays.asList(sentMessage.getAllRecipients())));
ec.addElement(new BR());
ec
.addElement(new StringElement("<b>Message-ID:</b> "
+ Arrays.asList(sentMessage.getHeader("Message-ID"))));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Date:</b> " + sentMessage.getSentDate()));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Subject:</b> " + sentMessage.getSubject()));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Message:</b> "));
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(new StringElement(sentMessage.getContent().toString()));
}
catch (Exception e)
{
// TODO Auto-generated catch block
ec.addElement(new StringElement("Fatal error while sending message"));
ec.addElement(new BR());
ec.addElement(new StringElement(e.getMessage()));
}
Input input = new Input(Input.HIDDEN, TO, "webgoat.admin@owasp.org");
tr = new TR();
tr.addElement(new TD().addElement("Questions or Comments:"));
tr.addElement(new TD().addElement("&nbsp;"));
tr.addElement(new TD().setAlign("LEFT").addElement(input));
t.addElement(tr);
}
tr = new TR();
String message = s.getParser().getRawParameter(MESSAGE, "");
TextArea ta = new TextArea(MESSAGE, 5, 40);
ta.addElement(new StringElement(convertMetachars(message)));
tr.addElement(new TD().setAlign("LEFT").addElement(ta));
tr.addElement(new TD().setAlign("LEFT").setVAlign("MIDDLE")
.addElement(ECSFactory.makeButton("Send!")));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
ec.addElement(t);
// Eventually we could send the actually mail, but the point should already be made
//ec.addElement(exec( use java mail here + to));
if (to.length() > 0)
{
/**
* @param ec
* @param to
* @param message
*/
private void sendSimulatedMail(ElementContainer ec, String to, String subject, String message)
{
Format formatter;
// Get today's date
Date date = new Date();
@ -150,114 +189,241 @@ public class UncheckedEmail extends LessonAdapter
String today = formatter.format(date);
// Tue, 09 Jan 2002 22:14:02 -0500
ec.addElement(new HR());
ec
.addElement(new Center()
.addElement(new B()
.addElement("You sent the following message to: "
+ to)));
ec.addElement(new Center().addElement(new B().addElement("You sent the following message to: " + to)));
ec.addElement(new BR());
ec.addElement(new StringElement(
"<b>Return-Path:</b> &lt;webgoat@owasp.org&gt;"));
ec.addElement(new StringElement("<b>Return-Path:</b> &lt;webgoat@owasp.org&gt;"));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Delivered-To:</b> " + to));
ec.addElement(new BR());
ec.addElement(new StringElement(
"<b>Received:</b> (qmail 614458 invoked by uid 239); "
+ today));
ec.addElement(new StringElement("<b>Received:</b> (qmail 614458 invoked by uid 239); " + today));
ec.addElement(new BR());
ec.addElement(new StringElement("for &lt;" + to + "&gt;; "
+ today));
ec.addElement(new StringElement("for &lt;" + to + "&gt;; " + today));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>To:</b> " + to));
ec.addElement(new BR());
ec
.addElement(new StringElement(
"<b>From:</b> Blame it on the Goat &lt;webgoat@owasp.org&gt;"));
ec.addElement(new StringElement("<b>From:</b> Blame it on the Goat &lt;webgoat@owasp.org&gt;"));
ec.addElement(new BR());
ec.addElement(new StringElement(
"<b>Subject:</b> OWASP security issues"));
ec.addElement(new StringElement("<b>Subject:</b> " + subject));
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(new StringElement(message));
}
// only complete the lesson if they changed the "to" hidden field
if (to.length() > 0 && !"webgoat.admin@owasp.org".equals(to))
{
makeSuccess(s);
}
}
catch (Exception e)
/**
* @param s
* @param ec
* @return
*/
private void createMailMessage(WebSession s, String subject, String message, ElementContainer ec)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
TR tr;
Input input;
Table t = new Table().setCellSpacing(0).setCellPadding(1).setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
tr = new TR();
tr.addElement(new TH().addElement("Send OWASP your Comments<BR>").setAlign("left").setColSpan(3));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(3));
t.addElement(tr);
tr = new TR();
tr.addElement(new TH().addElement(new H1("Contact Us")).setAlign("left").setWidth("55%").setVAlign("BOTTOM")
.setColSpan(2));
tr.addElement(new TH().addElement(new H3("Contact Information:")).setAlign("left").setVAlign("BOTTOM"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement(
"We value your comments. " + "To send OWASP your questions or comments "
+ "regarding the WebGoat tool, please enter your "
+ "comments below. The information you provide will be "
+ "handled according to our <U>Privacy Policy</U>.").setColSpan(2));
tr.addElement(new TD().addElement(
"<b>OWASP</B><BR>" + "9175 Guilford Rd <BR> Suite 300 <BR>"
+ "Columbia, MD. 21046").setVAlign("top"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setColSpan(3));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("Subject:"));
input = new Input(Input.TEXT, SUBJECT, "Comment for WebGoat");
tr.addElement(new TD().setAlign("LEFT").addElement(input));
tr.addElement(new TD().addElement("&nbsp;"));
t.addElement(tr);
input = new Input(Input.HIDDEN, HIDDEN_TO, "webgoat.admin@owasp.org");
tr = new TR();
tr.addElement(new TD().addElement("Questions or Comments:").setColSpan(2));
tr.addElement(new TD().setAlign("LEFT").addElement(input));
t.addElement(tr);
tr = new TR();
TextArea ta = new TextArea(MESSAGE, 5, 40);
ta.addElement(new StringElement(convertMetachars(message)));
tr.addElement(new TD().setAlign("LEFT").addElement(ta).setColSpan(2));
tr.addElement(new TD().setAlign("LEFT").setVAlign("MIDDLE").addElement(ECSFactory.makeButton("Send!")));
t.addElement(tr);
ec.addElement(t);
}
return (ec);
}
/**
* @param s
* @param ec
*/
private void createGoogleCredentials(WebSession s, ElementContainer ec)
{
// Allow the user to configure a real email interface using gmail
Table t1 = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
t1.setStyle("border-width:3px; border-style: solid;");
if (s.isColor())
{
t1.setBorder(1);
}
/**
* DOCUMENT ME!
*
* @return DOCUMENT ME!
*/
protected Category getDefaultCategory()
{
return Category.UNVALIDATED_PARAMETERS;
}
TR tr = new TR();
tr.addElement(new TH().addElement("Google Mail Configuration (Optional)").setAlign("center").setColSpan(2));
t1.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setAlign("left").setColSpan(2));
t1.addElement(tr);
/**
* Gets the hints attribute of the EmailScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Try sending an anonymous message to yourself.");
hints
.add("Try inserting some html or javascript code in the message field");
hints.add("Look at the hidden fields in the HTML.");
hints
.add("Insert &lt;A href=\"http://www.aspectsecurity.com/webgoat.html\"&gt;Click here for Aspect&lt;/A&gt in the message field");
hints
.add("Insert &lt;script&gt;alert(\"Bad Stuff\");&lt;/script&gt; in the message field");
return hints;
}
tr = new TR();
tr.addElement(new TD()
.addElement(
"These configurations will enable WebGoat to send email on your "
+ "behalf using your gmail account. Leave them as the default value "
+ "to use WebGoat's simulated mail.").setAlign("left").setColSpan(2));
t1.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("&nbsp;").setAlign("left").setColSpan(2));
t1.addElement(tr);
/**
* Gets the instructions attribute of the UncheckedEmail object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "This form is an example of a customer support page. Using the form below try to:<br>"
+ "1) Send a malicious script to the website admin.<br>"
+ "2) Send a malicious script to a 'friend' from OWASP.<br>";
return (instructions);
}
tr = new TR();
tr.addElement(new TD().addElement("GMail login id:"));
Input input = new Input(Input.TEXT, GMAIL_ID, YOUR_REAL_GMAIL_ID);
tr.addElement(new TD().addElement(input));
t1.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("GMail password:"));
input = new Input(Input.PASSWORD, GMAIL_PASS, YOUR_REAL_GMAIL_PASSWORD);
tr.addElement(new TD().addElement(input));
t1.addElement(tr);
ec.addElement(t1);
private final static Integer DEFAULT_RANKING = new Integer(55);
}
private Message sendGoogleMail(String recipients, String subject, String message, String from,
final String mailAccount, final String mailPassword) throws MessagingException
{
boolean debug = false;
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
Properties props = new Properties();
props.put("mail.smtp.host", SMTP_HOST_NAME);
props.put("mail.smtp.auth", "true");
props.put("mail.debug", "false");
props.put("mail.smtp.port", SMTP_PORT);
props.put("mail.smtp.socketFactory.port", SMTP_PORT);
props.put("mail.smtp.socketFactory.class", SSL_FACTORY);
props.put("mail.smtp.socketFactory.fallback", "false");
Session session = Session.getDefaultInstance(props, new javax.mail.Authenticator()
{
/**
* Gets the title attribute of the EmailScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Exploit Unchecked Email");
}
protected PasswordAuthentication getPasswordAuthentication()
{
return new PasswordAuthentication(mailAccount, mailPassword);
}
});
session.setDebug(debug);
Message msg = new MimeMessage(session);
InternetAddress addressFrom = new InternetAddress(from);
msg.setFrom(addressFrom);
InternetAddress[] addressTo = new InternetAddress[1];
// for (int i = 0; i < recipients.length; i++)
// {
addressTo[0] = new InternetAddress(recipients);
// }
msg.setRecipients(Message.RecipientType.TO, addressTo);
// Setting the Subject and Content Type
msg.setSubject(subject);
msg.setContent(message, "text/plain");
Transport.send(msg);
return msg;
}
/**
* DOCUMENT ME!
*
* @return DOCUMENT ME!
*/
protected Category getDefaultCategory()
{
return Category.UNVALIDATED_PARAMETERS;
}
/**
* Gets the hints attribute of the EmailScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Try sending an anonymous message to yourself.");
hints.add("Try inserting some html or javascript code in the message field");
hints.add("Look at the hidden fields in the HTML.");
hints
.add("Insert &lt;A href=\"http://code.google.com/p/webgoat/\"&gt;Click here for the WebGoat Project&lt;/A&gt in the message field");
hints.add("Insert &lt;script&gt;alert(\"Bad Stuff\");&lt;/script&gt; in the message field");
return hints;
}
/**
* Gets the instructions attribute of the UncheckedEmail object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions =
"This form is an example of a customer support page. Using the form below try to:<br>"
+ "1) Send a malicious script to the website admin.<br>"
+ "2) Send a malicious script to a 'friend' from OWASP.<br>";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(55);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the EmailScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Exploit Unchecked Email");
}
}