diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java
index fc68f2c50..968ffaf58 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java
@@ -67,53 +67,51 @@ public class AccessControlMatrix extends LessonAdapter */ protected Element createContent(WebSession s) { - ElementContainer ec = new ElementContainer(); - - try - { - String user = s.getParser().getRawParameter(USER, users[0]); - String resource = s.getParser().getRawParameter(RESOURCE, - resources[0]); - String credentials = getRoles(user).toString(); - ec.addElement(new P().addElement("Change user:")); - ec.addElement(ECSFactory.makePulldown(USER, users, user, 1)); - ec.addElement(new P()); - - // These two lines would allow the user to select the resource from a list - // Didn't seem right to me so I made them type it in. - // ec.addElement( new P().addElement( "Choose a resource:" ) ); - // ec.addElement( ECSFactory.makePulldown( RESOURCE, resources, resource, 1 ) ); - ec.addElement(new P().addElement("Select resource: ")); - ec.addElement(ECSFactory.makePulldown(RESOURCE, resources, - resource, 1)); - - ec.addElement(new P()); - ec.addElement(ECSFactory.makeButton("Check Access")); - - if (isAllowed(user, resource)) - { - if (!getRoles(user).contains("Admin") - && resource.equals("Account Manager")) + ElementContainer ec = new ElementContainer(); + + try { - makeSuccess(s); + String user = s.getParser().getRawParameter(USER, users[0]); + String resource = s.getParser().getRawParameter(RESOURCE, resources[0]); + String credentials = getRoles(user).toString(); + ec.addElement(new P().addElement("Change user:")); + ec.addElement(ECSFactory.makePulldown(USER, users, user, 1)); + ec.addElement(new P()); + + // These two lines would allow the user to select the resource from a list + // Didn't seem right to me so I made them type it in. 
+ // ec.addElement( new P().addElement( "Choose a resource:" ) ); + // ec.addElement( ECSFactory.makePulldown( RESOURCE, resources, resource, 1 ) ); + ec.addElement(new P().addElement("Select resource: ")); + ec.addElement(ECSFactory.makePulldown(RESOURCE, resources, resource, 1)); + + ec.addElement(new P()); + ec.addElement(ECSFactory.makeButton("Check Access")); + + if (isAllowed(user, resource)) + { + if (!getRoles(user).contains("Admin") + && resource.equals("Account Manager")) + { + makeSuccess(s); + } + s.setMessage("User " + user + " " + credentials + + " was allowed to access resource " + resource); + } + else + { + s.setMessage("User " + user + " " + credentials + + " did not have privilege to access resource " + + resource); + } } - s.setMessage("User " + user + " " + credentials - + " was allowed to access resource " + resource); - } - else - { - s.setMessage("User " + user + " " + credentials - + " did not have privilege to access resource " - + resource); - } - } - catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); - } - - return (ec); + catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + + return (ec); } @@ -125,7 +123,7 @@ public class AccessControlMatrix extends LessonAdapter protected Category getDefaultCategory() { - return AbstractLesson.A2; + return AbstractLesson.A2; } 
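Review bot: The comment retained above the resource pulldown ("Didn't seem right to me so I made them type it in") contradicts the line that follows it, where `ECSFactory.makePulldown(RESOURCE, resources, resource, 1)` still builds the list the comment says was removed, and the two commented-out `ec.addElement(...)` lines above it duplicate that live call. Since this hunk only re-indents the block, drop the two commented-out lines and reword the note to `// Resource is chosen from a pulldown, like the user above.` so the next reader does not look for a text input that does not exist. Separately, the `catch (Exception e)` block on the new side still ends in `e.printStackTrace()`; if the project has a logger in scope it should go there (not visible in this hunk), while the generic session message is fine as it is.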
@@ -136,21 +134,19 @@ public class AccessControlMatrix extends LessonAdapter */ protected List getHints() { - List hints = new ArrayList(); - hints - .add("Many sites attempt to restrict access to resources by role."); - hints - .add("Developers frequently make mistakes implementing this scheme."); - hints.add("Attempt combinations of users, roles, and resources."); - return hints; + List hints = new ArrayList(); + hints.add("Many sites attempt to restrict access to resources by role."); + hints.add("Developers frequently make mistakes implementing this scheme."); + hints.add("Attempt combinations of users, roles, and resources."); + return hints; } - private final static Integer DEFAULT_RANKING = new Integer(120); + private final static Integer DEFAULT_RANKING = new Integer(10); protected Integer getDefaultRanking() { - return DEFAULT_RANKING; + return DEFAULT_RANKING; } @@ -162,33 +158,33 @@ public class AccessControlMatrix extends LessonAdapter */ private List getResources(List rl) { - // return the resources allowed for these roles - ArrayList list = new ArrayList(); - - if (rl.contains(roles[0])) - { - list.add(resources[0]); - } - - if (rl.contains(roles[1])) - { - list.add(resources[1]); - list.add(resources[5]); - } - - if (rl.contains(roles[2])) - { - list.add(resources[2]); - list.add(resources[3]); - } - - if (rl.contains(roles[3])) - { - list.add(resources[4]); - list.add(resources[5]); - } - - return list; + // return the resources allowed for these roles + ArrayList list = new ArrayList(); + + if (rl.contains(roles[0])) + { + list.add(resources[0]); + } + + if (rl.contains(roles[1])) + { + list.add(resources[1]); + list.add(resources[5]); + } + + if (rl.contains(roles[2])) + { + list.add(resources[2]); + list.add(resources[3]); + } + + if (rl.contains(roles[3])) + { + list.add(resources[4]); + list.add(resources[5]); + } + + return list; } 
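Review bot: `private final static Integer DEFAULT_RANKING = new Integer(10);` uses the boxing constructor and a non-standard modifier order; the usual form is `private static final Integer DEFAULT_RANKING = Integer.valueOf(10);`, which is available since Java 5, and the `@Override` annotations in CSRF.java show the project already requires at least that. The same construct is rewritten in the CSRF hunk at `@@ -278,10 +278,10 @@`, the PathBasedAccessControl hunk at `@@ -282,12 +282,12 @@` and the RemoteAdminFlaw hunk at `@@ -88,21 +86,19 @@`, so it can be fixed in all four at once. The new value (120 → 10, with the other three files reshuffled as well) is not explained anywhere in the hunk; a short comment on the field such as `// Menu position within the category — see LessonAdapter.getDefaultRanking` would help, assuming that is how the ranking is consumed, which should be confirmed against LessonAdapter.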
@@ -201,28 +197,28 @@ public class AccessControlMatrix extends LessonAdapter private List getRoles(String user) { - ArrayList list = new ArrayList(); - - if (user.equals(users[0])) - { - list.add(roles[0]); - } - else if (user.equals(users[1])) - { - list.add(roles[1]); - list.add(roles[2]); - } - else if (user.equals(users[2])) - { - list.add(roles[0]); - list.add(roles[2]); - } - else if (user.equals(users[3])) - { - list.add(roles[3]); - } - - return list; + ArrayList list = new ArrayList(); + + if (user.equals(users[0])) + { + list.add(roles[0]); + } + else if (user.equals(users[1])) + { + list.add(roles[1]); + list.add(roles[2]); + } + else if (user.equals(users[2])) + { + list.add(roles[0]); + list.add(roles[2]); + } + else if (user.equals(users[3])) + { + list.add(roles[3]); + } + + return list; } @@ -234,7 +230,7 @@ public class AccessControlMatrix extends LessonAdapter public String getTitle() { - return ("Using an Access Control Matrix"); + return ("Using an Access Control Matrix"); } @@ -253,8 +249,8 @@ public class AccessControlMatrix extends LessonAdapter private boolean isAllowed(String user, String resource) { - List roles = getRoles(user); - List resources = getResources(roles); - return (resources.contains(resource)); + List roles = getRoles(user); + List resources = getResources(roles); + return (resources.contains(resource)); } } diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java index ffd60e4dc..34d041d57 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java 
@@ -278,10 +278,10 @@ public class CSRF extends LessonAdapter { @Override protected Category getDefaultCategory() { - return AbstractLesson.A4; + return AbstractLesson.A2; } - private final static Integer DEFAULT_RANKING = new Integer(140); + private final static Integer DEFAULT_RANKING = new Integer(120); @Override protected Integer getDefaultRanking() { @@ -325,7 +325,7 @@ public class CSRF extends LessonAdapter { public Element getCredits() { - return super.getCustomCredits("Created by Sherif Koussa - Macadamian Technologies", AOC_LOGO); + return super.getCustomCredits("Created by Sherif Koussa - Macadamian Technologies", AOC_LOGO); } } diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java index c79440a24..c3630adbc 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java @@ -282,12 +282,12 @@ public class PathBasedAccessControl extends LessonAdapter return (instructions); } - private final static Integer DEFAULT_RANKING = new Integer(120); + private final static Integer DEFAULT_RANKING = new Integer(115); protected Integer getDefaultRanking() { - return DEFAULT_RANKING; + return DEFAULT_RANKING; } @@ -298,6 +298,6 @@ public class PathBasedAccessControl extends LessonAdapter */ public String getTitle() { - return ("How to Bypass a Path Based Access Control Scheme"); + return ("How to Bypass a Path Based Access Control Scheme"); } } diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java index 0bf943686..e3f2e1301 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java 
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java @@ -50,19 +50,18 @@ public class RemoteAdminFlaw extends LessonAdapter */ protected Element createContent(WebSession s) { - ElementContainer ec = new ElementContainer(); - - if (s.completedHackableAdmin()) - { - makeSuccess(s); - } - else - { - ec - .addElement("WebGoat has an admin interface. To 'complete' this lesson you must figure " - + "out how to access the administrative interface for WebGoat."); - } - return ec; + ElementContainer ec = new ElementContainer(); + + if (s.completedHackableAdmin()) + { + makeSuccess(s); + } + else + { + ec.addElement("WebGoat has an admin interface. To 'complete' this lesson you must figure " + + "out how to access the administrative interface for WebGoat."); + } + return ec; } @@ -74,8 +73,7 @@ public class RemoteAdminFlaw extends LessonAdapter */ protected Category getDefaultCategory() { - - return AbstractLesson.A2; + return AbstractLesson.A2; } @@ -88,21 +86,19 @@ public class RemoteAdminFlaw extends LessonAdapter { List hints = new ArrayList(); hints.add("WebGoat has 2 admin interfaces."); - hints - .add("WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'"); - hints - .add("WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'"); + hints.add("WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'"); + hints.add("WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'"); hints.add("Follow the Source!"); return hints; } - private final static Integer DEFAULT_RANKING = new Integer(15); + private final static Integer DEFAULT_RANKING = new Integer(160); protected Integer getDefaultRanking() { - return DEFAULT_RANKING; + return DEFAULT_RANKING; } 
@@ -113,7 +109,7 @@ public class RemoteAdminFlaw extends LessonAdapter
 */
 public String getTitle()
 {
- return ("Remote Admin Access");
+ return ("Remote Admin Access");
 }
 }