dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added a catch block for the "ParameterNotFoundException". Failure to catch this exception lead to an error message when the DOS lesson is viewed.

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@125 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
esheri3 2007-04-05 16:14:39 +00:00
parent 20484796f9
commit e19c3353e7
1 changed files with 95 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DOS_Login.java
View File

@ -22,6 +22,7 @@ import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.session.ParameterNotFoundException;
/******************************************************************************* /*******************************************************************************
* *
@ -91,9 +92,7 @@ public class DOS_Login extends LessonAdapter
// don;t allow user name from other lessons. it would be too simple. // don;t allow user name from other lessons. it would be too simple.
if (username.equals("jeff") || username.equals("dave")) if (username.equals("jeff") || username.equals("dave"))
{ {
ec ec.addElement(new H2("Login Failed: 'jeff' and 'dave' are not valid for this lesson"));
.addElement(new H2(
"Login Failed: 'jeff' and 'dave' are not valid for this lesson"));
return (ec.addElement(makeLogin(s))); return (ec.addElement(makeLogin(s)));
} }
@ -106,25 +105,23 @@ public class DOS_Login extends LessonAdapter
String query = "SELECT * FROM user_system_data WHERE user_name = '" String query = "SELECT * FROM user_system_data WHERE user_name = '"
+ username + "' and password = '" + password + "'"; + username + "' and password = '" + password + "'";
ec.addElement(new StringElement(query)); ec.addElement(new StringElement(query));
try try
{ {
Statement statement = connection.createStatement( Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,ResultSet.CONCUR_READ_ONLY);
ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet results = statement.executeQuery(query); ResultSet results = statement.executeQuery(query);
if ((results != null) && (results.first() == true)) if ((results != null) && (results.first() == true))
{ {
ResultSetMetaData resultsMetaData = results.getMetaData(); ResultSetMetaData resultsMetaData = results.getMetaData();
ec.addElement(DatabaseUtilities.writeTable(results, ec.addElement(DatabaseUtilities.writeTable(results,resultsMetaData));
resultsMetaData));
results.last(); results.last();
// If they get back more than one user they succeeded // If they get back more than one user they succeeded
if (results.getRow() >= 1) if (results.getRow() >= 1)
{ {
// Make sure this isn't data from an sql injected query. // Make sure this isn't data from an sql injected query.
if (results.getString(2).equals(username) if (results.getString(2).equals(username) && results.getString(3).equals(password))
&& results.getString(3).equals(password))
{ {
String insertData1 = "INSERT INTO user_login VALUES ( '" String insertData1 = "INSERT INTO user_login VALUES ( '"
+ username + username
@ -134,23 +131,19 @@ public class DOS_Login extends LessonAdapter
statement.executeUpdate(insertData1); statement.executeUpdate(insertData1);
} }
// check the total count of logins // check the total count of logins
query = "SELECT * FROM user_login WHERE webgoat_user = '" query = "SELECT * FROM user_login WHERE webgoat_user = '" + s.getUserName() + "'";
+ s.getUserName() + "'";
results = statement.executeQuery(query); results = statement.executeQuery(query);
results.last(); results.last();
// If they get back more than one user they succeeded // If they get back more than one user they succeeded
if (results.getRow() >= 3) if (results.getRow() >= 3)
{ {
makeSuccess(s); makeSuccess(s);
String deleteData1 = "DELETE from user_login WHERE webgoat_user = '" String deleteData1 = "DELETE from user_login WHERE webgoat_user = '" + s.getUserName() + "'";
+ s.getUserName() + "'";
statement.executeUpdate(deleteData1); statement.executeUpdate(deleteData1);
return (new H1("Congratulations! Lesson Completed")); return (new H1("Congratulations! Lesson Completed"));
} }
ec.addElement(new H2( ec.addElement(new H2("Login Succeeded: Total login count: " + results.getRow()));
"Login Succeeded: Total login count: "
+ results.getRow()));
} }
} }
else else
@ -172,6 +165,15 @@ public class DOS_Login extends LessonAdapter
sqle.printStackTrace(); sqle.printStackTrace();
} }
} }
catch (ParameterNotFoundException pnfe)
{
/**
* Catching this exception prevents the "Error generating org.owasp.webgoat.lesson.DOS_Login"
* message from being displayed on first load. Note that if we are missing a parameter in
* the request, we do not want to continue processing and we simply want to display the
* default login page.
*/
}
catch (Exception e) catch (Exception e)
{ {
s.setMessage("Error generating " + this.getClass().getName()); s.setMessage("Error generating " + this.getClass().getName());