From de71f2700e3163edd49111433d555d3c7591743b Mon Sep 17 00:00:00 2001
From: Ilguiz Latypov <ilatypov@yahoo.ca>
Date: Sat, 7 Nov 2015 03:56:34 -0500
Subject: [PATCH] Let user-composed (CSRF) attacks send one-request actions, as
 opposed to the address bar MVC links requesting lessons.  The lesson display
 servlets have javascript that requests data and actions.

---
 .../owasp/webgoat/lessons/AbstractLesson.java | 31 ++++++++--
 .../webgoat/lessons/AbstractLessonTest.java   | 62 +++++++++++++++++++
 2 files changed, 87 insertions(+), 6 deletions(-)
 create mode 100644 webgoat-container/src/test/java/org/owasp/webgoat/lessons/AbstractLessonTest.java

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
index 5834a6c41..4effc1d76 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
@@ -626,18 +626,37 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
     /**
      * Get the link that can be used to request this screen.
      *
+     * Rendering the link in the browser may result in Javascript sending
+     * additional requests to perform necessary actions or to obtain data
+     * relevant to the lesson or the element of the lesson selected by the
+     * user.  Thanks to using the hash mark "#" and Javascript handling the
+     * clicks, the user will experience less waiting as the pages do not have
+     * to reload entirely.
+     *
      * @return a {@link java.lang.String} object.
      */
     public String getLink() {
-        StringBuffer link = new StringBuffer();
+        StringBuffer link = new StringBuffer(getPath());
 
         // mvc update:
-        link.append(getPath()).append("/");
-        link.append(getScreenId());
-        link.append("/");
-        link.append(getCategory().getRanking());
+        return link
+            .append("/").append(getScreenId())
+            .append("/").append(getCategory().getRanking()).toString();
+    }
 
-        return link.toString();
+    /**
+     * Get the link to the target servlet.
+     *
+     * Unlike getLink() this method does not require rendering the output of
+     * the request to the link in order to execute the servlet's method with
+     * conventional HTTP query parameters.
+     */
+    public String getServletLink() {
+        StringBuffer link = new StringBuffer("attack");
+
+        return link
+            .append("?Screen=").append(getScreenId())
+            .append("&menu=").append(getCategory().getRanking()).toString();
     }
 
     /**
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/lessons/AbstractLessonTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/lessons/AbstractLessonTest.java
new file mode 100644
index 000000000..82b74e34b
--- /dev/null
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/lessons/AbstractLessonTest.java
@@ -0,0 +1,62 @@
+package org.owasp.webgoat.lessons;
+
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.hamcrest.CoreMatchers;
+import org.junit.Test;
+import org.owasp.webgoat.session.WebSession;
+
+import java.util.Arrays;
+import java.util.List;
+
+import static org.junit.Assert.assertThat;
+
+public class AbstractLessonTest  {
+
+    private AbstractLesson lesson = new AbstractLesson() {
+        protected Element createContent(WebSession s) {
+            return new ElementContainer();
+        }
+        public Category getCategory() {
+            return Category.XSS;
+        }
+        protected Integer getDefaultRanking() { 
+            return new Integer(5);
+        }
+        protected Category getDefaultCategory() {
+            return Category.INTRODUCTION;
+        }
+        protected boolean getDefaultHidden() {
+            return false;
+        }
+        protected List<String> getHints(WebSession s) {
+            return Arrays.<String>asList();
+        }
+        public String getInstructions(WebSession s) {
+            return "Instructions";
+        }
+        public String getTitle() {
+            return "title";
+        }
+        public String getCurrentAction(WebSession s) {
+            return "an action";
+        }
+        public void restartLesson() {
+        }
+        public void setCurrentAction(WebSession s, String lessonScreen) {
+        }
+    };
+
+    @Test
+    public void testLinks() {
+        String mvcLink = lesson.getLink();
+        assertThat(mvcLink, CoreMatchers.startsWith("#attack/"));
+        assertThat(mvcLink, CoreMatchers.endsWith("/900"));
+
+        String srvLink = lesson.getServletLink();
+        assertThat(srvLink, CoreMatchers.startsWith("attack?Screen="));
+        assertThat(srvLink, CoreMatchers.endsWith("&menu=900"));
+    }
+}
+
+