Modified the ranking of the lessons. CSRF has been moved to "Broken Access Control"
git-svn-id: http://webgoat.googlecode.com/svn/trunk@81 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
esheri3
parent
38e9a8967b
commit
e121871396
@ -67,53 +67,51 @@ public class AccessControlMatrix extends LessonAdapter
|
||||
*/
|
||||
protected Element createContent(WebSession s)
|
||||
{
|
||||
ElementContainer ec = new ElementContainer();
|
||||
|
||||
try
|
||||
{
|
||||
String user = s.getParser().getRawParameter(USER, users[0]);
|
||||
String resource = s.getParser().getRawParameter(RESOURCE,
|
||||
resources[0]);
|
||||
String credentials = getRoles(user).toString();
|
||||
ec.addElement(new P().addElement("Change user:"));
|
||||
ec.addElement(ECSFactory.makePulldown(USER, users, user, 1));
|
||||
ec.addElement(new P());
|
||||
|
||||
// These two lines would allow the user to select the resource from a list
|
||||
// Didn't seem right to me so I made them type it in.
|
||||
// ec.addElement( new P().addElement( "Choose a resource:" ) );
|
||||
// ec.addElement( ECSFactory.makePulldown( RESOURCE, resources, resource, 1 ) );
|
||||
ec.addElement(new P().addElement("Select resource: "));
|
||||
ec.addElement(ECSFactory.makePulldown(RESOURCE, resources,
|
||||
resource, 1));
|
||||
|
||||
ec.addElement(new P());
|
||||
ec.addElement(ECSFactory.makeButton("Check Access"));
|
||||
|
||||
if (isAllowed(user, resource))
|
||||
{
|
||||
if (!getRoles(user).contains("Admin")
|
||||
&& resource.equals("Account Manager"))
|
||||
ElementContainer ec = new ElementContainer();
|
||||
|
||||
try
|
||||
{
|
||||
makeSuccess(s);
|
||||
String user = s.getParser().getRawParameter(USER, users[0]);
|
||||
String resource = s.getParser().getRawParameter(RESOURCE, resources[0]);
|
||||
String credentials = getRoles(user).toString();
|
||||
ec.addElement(new P().addElement("Change user:"));
|
||||
ec.addElement(ECSFactory.makePulldown(USER, users, user, 1));
|
||||
ec.addElement(new P());
|
||||
|
||||
// These two lines would allow the user to select the resource from a list
|
||||
// Didn't seem right to me so I made them type it in.
|
||||
// ec.addElement( new P().addElement( "Choose a resource:" ) );
|
||||
// ec.addElement( ECSFactory.makePulldown( RESOURCE, resources, resource, 1 ) );
|
||||
ec.addElement(new P().addElement("Select resource: "));
|
||||
ec.addElement(ECSFactory.makePulldown(RESOURCE, resources, resource, 1));
|
||||
|
||||
ec.addElement(new P());
|
||||
ec.addElement(ECSFactory.makeButton("Check Access"));
|
||||
|
||||
if (isAllowed(user, resource))
|
||||
{
|
||||
if (!getRoles(user).contains("Admin")
|
||||
&& resource.equals("Account Manager"))
|
||||
{
|
||||
makeSuccess(s);
|
||||
}
|
||||
s.setMessage("User " + user + " " + credentials
|
||||
+ " was allowed to access resource " + resource);
|
||||
}
|
||||
else
|
||||
{
|
||||
s.setMessage("User " + user + " " + credentials
|
||||
+ " did not have privilege to access resource "
|
||||
+ resource);
|
||||
}
|
||||
}
|
||||
s.setMessage("User " + user + " " + credentials
|
||||
+ " was allowed to access resource " + resource);
|
||||
}
|
||||
else
|
||||
{
|
||||
s.setMessage("User " + user + " " + credentials
|
||||
+ " did not have privilege to access resource "
|
||||
+ resource);
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error generating " + this.getClass().getName());
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
return (ec);
|
||||
catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error generating " + this.getClass().getName());
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
return (ec);
|
||||
}
|
||||
|
||||
|
||||
@ -125,7 +123,7 @@ public class AccessControlMatrix extends LessonAdapter
|
||||
|
||||
protected Category getDefaultCategory()
|
||||
{
|
||||
return AbstractLesson.A2;
|
||||
return AbstractLesson.A2;
|
||||
}
|
||||
|
||||
|
||||
@ -136,21 +134,19 @@ public class AccessControlMatrix extends LessonAdapter
|
||||
*/
|
||||
protected List getHints()
|
||||
{
|
||||
List<String> hints = new ArrayList<String>();
|
||||
hints
|
||||
.add("Many sites attempt to restrict access to resources by role.");
|
||||
hints
|
||||
.add("Developers frequently make mistakes implementing this scheme.");
|
||||
hints.add("Attempt combinations of users, roles, and resources.");
|
||||
return hints;
|
||||
List<String> hints = new ArrayList<String>();
|
||||
hints.add("Many sites attempt to restrict access to resources by role.");
|
||||
hints.add("Developers frequently make mistakes implementing this scheme.");
|
||||
hints.add("Attempt combinations of users, roles, and resources.");
|
||||
return hints;
|
||||
}
|
||||
|
||||
private final static Integer DEFAULT_RANKING = new Integer(120);
|
||||
private final static Integer DEFAULT_RANKING = new Integer(10);
|
||||
|
||||
|
||||
protected Integer getDefaultRanking()
|
||||
{
|
||||
return DEFAULT_RANKING;
|
||||
return DEFAULT_RANKING;
|
||||
}
|
||||
|
||||
|
||||
@ -162,33 +158,33 @@ public class AccessControlMatrix extends LessonAdapter
|
||||
*/
|
||||
private List getResources(List rl)
|
||||
{
|
||||
// return the resources allowed for these roles
|
||||
ArrayList<String> list = new ArrayList<String>();
|
||||
|
||||
if (rl.contains(roles[0]))
|
||||
{
|
||||
list.add(resources[0]);
|
||||
}
|
||||
|
||||
if (rl.contains(roles[1]))
|
||||
{
|
||||
list.add(resources[1]);
|
||||
list.add(resources[5]);
|
||||
}
|
||||
|
||||
if (rl.contains(roles[2]))
|
||||
{
|
||||
list.add(resources[2]);
|
||||
list.add(resources[3]);
|
||||
}
|
||||
|
||||
if (rl.contains(roles[3]))
|
||||
{
|
||||
list.add(resources[4]);
|
||||
list.add(resources[5]);
|
||||
}
|
||||
|
||||
return list;
|
||||
// return the resources allowed for these roles
|
||||
ArrayList<String> list = new ArrayList<String>();
|
||||
|
||||
if (rl.contains(roles[0]))
|
||||
{
|
||||
list.add(resources[0]);
|
||||
}
|
||||
|
||||
if (rl.contains(roles[1]))
|
||||
{
|
||||
list.add(resources[1]);
|
||||
list.add(resources[5]);
|
||||
}
|
||||
|
||||
if (rl.contains(roles[2]))
|
||||
{
|
||||
list.add(resources[2]);
|
||||
list.add(resources[3]);
|
||||
}
|
||||
|
||||
if (rl.contains(roles[3]))
|
||||
{
|
||||
list.add(resources[4]);
|
||||
list.add(resources[5]);
|
||||
}
|
||||
|
||||
return list;
|
||||
}
|
||||
|
||||
|
||||
@ -201,28 +197,28 @@ public class AccessControlMatrix extends LessonAdapter
|
||||
|
||||
private List getRoles(String user)
|
||||
{
|
||||
ArrayList<String> list = new ArrayList<String>();
|
||||
|
||||
if (user.equals(users[0]))
|
||||
{
|
||||
list.add(roles[0]);
|
||||
}
|
||||
else if (user.equals(users[1]))
|
||||
{
|
||||
list.add(roles[1]);
|
||||
list.add(roles[2]);
|
||||
}
|
||||
else if (user.equals(users[2]))
|
||||
{
|
||||
list.add(roles[0]);
|
||||
list.add(roles[2]);
|
||||
}
|
||||
else if (user.equals(users[3]))
|
||||
{
|
||||
list.add(roles[3]);
|
||||
}
|
||||
|
||||
return list;
|
||||
ArrayList<String> list = new ArrayList<String>();
|
||||
|
||||
if (user.equals(users[0]))
|
||||
{
|
||||
list.add(roles[0]);
|
||||
}
|
||||
else if (user.equals(users[1]))
|
||||
{
|
||||
list.add(roles[1]);
|
||||
list.add(roles[2]);
|
||||
}
|
||||
else if (user.equals(users[2]))
|
||||
{
|
||||
list.add(roles[0]);
|
||||
list.add(roles[2]);
|
||||
}
|
||||
else if (user.equals(users[3]))
|
||||
{
|
||||
list.add(roles[3]);
|
||||
}
|
||||
|
||||
return list;
|
||||
}
|
||||
|
||||
|
||||
@ -234,7 +230,7 @@ public class AccessControlMatrix extends LessonAdapter
|
||||
|
||||
public String getTitle()
|
||||
{
|
||||
return ("Using an Access Control Matrix");
|
||||
return ("Using an Access Control Matrix");
|
||||
}
|
||||
|
||||
|
||||
@ -253,8 +249,8 @@ public class AccessControlMatrix extends LessonAdapter
|
||||
|
||||
private boolean isAllowed(String user, String resource)
|
||||
{
|
||||
List roles = getRoles(user);
|
||||
List resources = getResources(roles);
|
||||
return (resources.contains(resource));
|
||||
List roles = getRoles(user);
|
||||
List resources = getResources(roles);
|
||||
return (resources.contains(resource));
|
||||
}
|
||||
}
|
||||
|
||||
@ -278,10 +278,10 @@ public class CSRF extends LessonAdapter {
|
||||
|
||||
@Override
|
||||
protected Category getDefaultCategory() {
|
||||
return AbstractLesson.A4;
|
||||
return AbstractLesson.A2;
|
||||
}
|
||||
|
||||
private final static Integer DEFAULT_RANKING = new Integer(140);
|
||||
private final static Integer DEFAULT_RANKING = new Integer(120);
|
||||
|
||||
@Override
|
||||
protected Integer getDefaultRanking() {
|
||||
@ -325,7 +325,7 @@ public class CSRF extends LessonAdapter {
|
||||
|
||||
public Element getCredits()
|
||||
{
|
||||
return super.getCustomCredits("Created by Sherif Koussa - Macadamian Technologies", AOC_LOGO);
|
||||
return super.getCustomCredits("Created by Sherif Koussa - Macadamian Technologies", AOC_LOGO);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -282,12 +282,12 @@ public class PathBasedAccessControl extends LessonAdapter
|
||||
return (instructions);
|
||||
}
|
||||
|
||||
private final static Integer DEFAULT_RANKING = new Integer(120);
|
||||
private final static Integer DEFAULT_RANKING = new Integer(115);
|
||||
|
||||
|
||||
protected Integer getDefaultRanking()
|
||||
{
|
||||
return DEFAULT_RANKING;
|
||||
return DEFAULT_RANKING;
|
||||
}
|
||||
|
||||
|
||||
@ -298,6 +298,6 @@ public class PathBasedAccessControl extends LessonAdapter
|
||||
*/
|
||||
public String getTitle()
|
||||
{
|
||||
return ("How to Bypass a Path Based Access Control Scheme");
|
||||
return ("How to Bypass a Path Based Access Control Scheme");
|
||||
}
|
||||
}
|
||||
|
||||
@ -50,19 +50,18 @@ public class RemoteAdminFlaw extends LessonAdapter
|
||||
*/
|
||||
protected Element createContent(WebSession s)
|
||||
{
|
||||
ElementContainer ec = new ElementContainer();
|
||||
|
||||
if (s.completedHackableAdmin())
|
||||
{
|
||||
makeSuccess(s);
|
||||
}
|
||||
else
|
||||
{
|
||||
ec
|
||||
.addElement("WebGoat has an admin interface. To 'complete' this lesson you must figure "
|
||||
+ "out how to access the administrative interface for WebGoat.");
|
||||
}
|
||||
return ec;
|
||||
ElementContainer ec = new ElementContainer();
|
||||
|
||||
if (s.completedHackableAdmin())
|
||||
{
|
||||
makeSuccess(s);
|
||||
}
|
||||
else
|
||||
{
|
||||
ec.addElement("WebGoat has an admin interface. To 'complete' this lesson you must figure "
|
||||
+ "out how to access the administrative interface for WebGoat.");
|
||||
}
|
||||
return ec;
|
||||
|
||||
}
|
||||
|
||||
@ -74,8 +73,7 @@ public class RemoteAdminFlaw extends LessonAdapter
|
||||
*/
|
||||
protected Category getDefaultCategory()
|
||||
{
|
||||
|
||||
return AbstractLesson.A2;
|
||||
return AbstractLesson.A2;
|
||||
}
|
||||
|
||||
|
||||
@ -88,21 +86,19 @@ public class RemoteAdminFlaw extends LessonAdapter
|
||||
{
|
||||
List<String> hints = new ArrayList<String>();
|
||||
hints.add("WebGoat has 2 admin interfaces.");
|
||||
hints
|
||||
.add("WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'");
|
||||
hints
|
||||
.add("WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'");
|
||||
hints.add("WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'");
|
||||
hints.add("WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'");
|
||||
hints.add("Follow the Source!");
|
||||
|
||||
return hints;
|
||||
}
|
||||
|
||||
private final static Integer DEFAULT_RANKING = new Integer(15);
|
||||
private final static Integer DEFAULT_RANKING = new Integer(160);
|
||||
|
||||
|
||||
protected Integer getDefaultRanking()
|
||||
{
|
||||
return DEFAULT_RANKING;
|
||||
return DEFAULT_RANKING;
|
||||
}
|
||||
|
||||
|
||||
@ -113,7 +109,7 @@ public class RemoteAdminFlaw extends LessonAdapter
|
||||
*/
|
||||
public String getTitle()
|
||||
{
|
||||
return ("Remote Admin Access");
|
||||
return ("Remote Admin Access");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user