();
hints.add( "Enter some text and try to include an image in there." );
hints.add( "The format of an image in html is <img src=\"[URL]\" width=\"1\" height=\"1\" />
");
hints.add( "In order to make the picture almost invisible try to add width=\"1\" and height=\"1\"." );
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Category.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Category.java
index 77122de04..70a01bb4f 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Category.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Category.java
@@ -1,5 +1,14 @@
package org.owasp.webgoat.lessons;
+/**
+ * Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
+ * Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
+ * under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
+ * this software.
+ *
+ * @author Bruce Mayhew WebGoat
+ * @created October 28, 2003
+ */
public class Category implements Comparable
{
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java
index 9ed711b1a..1318d9eab 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java
@@ -43,7 +43,7 @@ import org.owasp.webgoat.util.ExecResults;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
- * @author Jeff Williams Aspect Security
+ * @author Bruce Mayhew WebGoat
* @created October 28, 2003
*/
public class Challenge2Screen extends LessonAdapter
@@ -451,7 +451,7 @@ public class Challenge2Screen extends LessonAdapter
{
//
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "You need to gain access to the Java source code for this lesson." );
hints.add( "Seriously, no more hints -- it's a CHALLENGE!" );
hints.add( "Come on -- give it a rest!" );
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java
index 02058dcf5..73275b6fa 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java
@@ -54,19 +54,21 @@ public class CommandInjection extends LessonAdapter
{
index = helpFile.indexOf(';');
}
-
+ index = index + 1;
+ int helpFileLen = helpFile.length() -1; // subtract 1 for the closing quote
+ System.out.println("Command = [" + helpFile.substring(index, helpFileLen).trim().toLowerCase() + "]");
if (( osName.indexOf( "Windows" ) != -1 &&
- ( helpFile.substring(index + 1).trim().toLowerCase().equals("netstat -a") ||
- helpFile.substring(index + 1).trim().toLowerCase().equals("dir") ||
- helpFile.substring(index + 1).trim().toLowerCase().equals("ls") ||
- helpFile.substring(index + 1).trim().toLowerCase().equals("ifconfig") ||
- helpFile.substring(index + 1).trim().toLowerCase().equals("ipconfig") )) ||
- (helpFile.substring(index + 1).trim().toLowerCase().equals("netstat -a #") ||
- helpFile.substring(index + 1).trim().toLowerCase().equals("dir #") ||
- helpFile.substring(index + 1).trim().toLowerCase().equals("ls #") ||
- helpFile.substring(index + 1).trim().toLowerCase().equals("ls -l #") ||
- helpFile.substring(index + 1).trim().toLowerCase().equals("ifconfig #") ||
- helpFile.substring(index + 1).trim().toLowerCase().equals("ipconfig #") ))
+ ( helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("netstat -a") ||
+ helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("dir") ||
+ helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ls") ||
+ helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ifconfig") ||
+ helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ipconfig") )) ||
+ (helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("netstat -a #") ||
+ helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("dir #") ||
+ helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ls #") ||
+ helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ls -l #") ||
+ helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ifconfig #") ||
+ helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ipconfig #") ))
{
illegalCommand = false;
}
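Review bot: `helpFile.substring(index, helpFileLen)` on the new side throws StringIndexOutOfBoundsException as soon as `index` exceeds `helpFileLen`, which happens when ';' is the last character of helpFile (index becomes length()) or when helpFile is empty (helpFileLen is -1); the old `substring(index + 1)` form only failed on a range that was already too short. The comment "subtract 1 for the closing quote" assumes the request value always ends with a quote — worth confirming, since a value without one silently loses its last character before the allow-list comparison. The `System.out.println("Command = [...]")` added on the third new line echoes a request-controlled string to stdout and looks like leftover debugging; drop it or route it through the lesson's normal logging. The eleven repeated `substring(...).trim().toLowerCase()` chains are better hoisted into one guarded local as below; the enclosing method starts outside the hunk.
```java
// … unchanged: index / helpFileLen computation …
// Guard the range: a trailing ';' or an empty helpFile makes index exceed helpFileLen.
String command = ( index <= helpFileLen )
    ? helpFile.substring( index, helpFileLen ).trim().toLowerCase()
    : "";
if ( ( osName.indexOf( "Windows" ) != -1 &&
      ( command.equals( "netstat -a" ) || command.equals( "dir" ) || command.equals( "ls" ) ||
        command.equals( "ifconfig" ) || command.equals( "ipconfig" ) ) ) ||
    ( command.equals( "netstat -a #" ) || command.equals( "dir #" ) || command.equals( "ls #" ) ||
      command.equals( "ls -l #" ) || command.equals( "ifconfig #" ) || command.equals( "ipconfig #" ) ) )
{
    illegalCommand = false;
}
```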
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
index 3fe6569ce..3223eecf1 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
@@ -140,7 +140,7 @@ public class CrossSiteScripting extends LessonAdapter
*/
protected List getHints()
{
- List hints = new ArrayList();
+ List hints = new ArrayList();
// Stage 1
hints.add( "You can put HTML tags in form input fields." );
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java
index 238e9da4a..e4c1d0d13 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java
@@ -3,7 +3,6 @@ package org.owasp.webgoat.lessons.CrossSiteScripting;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
-import java.sql.PreparedStatement;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Encoding.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Encoding.java
index 7d82ae68c..6df01c5ae 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Encoding.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Encoding.java
@@ -552,14 +552,10 @@ public class Encoding extends LessonAdapter
public List getHints()
{
- List hints = new ArrayList();
-
+ List hints = new ArrayList();
hints.add( "Enter a string and press 'go'" );
-
hints.add( "Enter 'abc' and notice the rot13 encoding is 'nop' ( increase each letter by 13 characters )." );
-
hints.add( "Enter 'a c' and notice the url encoding is 'a+c' ( ' ' is converted to '+' )." );
-
return hints;
}
@@ -573,7 +569,6 @@ public class Encoding extends LessonAdapter
public String getInstructions(WebSession s)
{
-
return "This lesson will familiarize the user with different encoding schemes. ";
}
@@ -596,7 +591,6 @@ public class Encoding extends LessonAdapter
public String getTitle()
{
-
return ( "Encoding Basics" );
}
@@ -613,27 +607,18 @@ public class Encoding extends LessonAdapter
{
byte[] b = str.getBytes();
-
MessageDigest md = null;
try
{
-
md = MessageDigest.getInstance( "MD5" );
-
md.update( b );
-
}
-
catch ( NoSuchAlgorithmException e )
{
-
// it's got to be there
-
e.printStackTrace();
-
}
-
return ( base64Encode( md.digest() ) );
}
@@ -648,29 +633,18 @@ public class Encoding extends LessonAdapter
public static String hashSHA( String str )
{
-
byte[] b = str.getBytes();
-
MessageDigest md = null;
-
try
{
-
md = MessageDigest.getInstance( "SHA-256" );
-
md.update( b );
-
}
-
catch ( NoSuchAlgorithmException e )
{
-
// it's got to be there
-
e.printStackTrace();
-
}
-
return ( base64Encode( md.digest() ) );
}
@@ -685,40 +659,26 @@ public class Encoding extends LessonAdapter
public static String hexDecode( String hexString )
{
-
try
{
-
if ( ( hexString.length() % 3 ) != 0 )
{
-
return ( "String not comprised of Hex digit pairs." );
}
-
char[] chars = new char[hexString.length()];
-
char[] convChars = new char[hexString.length() / 3];
-
hexString.getChars( 0, hexString.length(), chars, 0 );
-
for ( int i = 1; i < hexString.length(); i += 3 )
{
-
String hexToken = new String( chars, i, 2 );
-
convChars[i / 3] = (char) Integer.parseInt( hexToken, 16 );
-
}
-
return new String( convChars );
}
-
catch ( NumberFormatException nfe )
{
-
return ( "String not comprised of Hex digits" );
}
-
}
@@ -732,22 +692,14 @@ public class Encoding extends LessonAdapter
public static String hexEncode( String asciiString )
{
-
char[] ascii = new char[asciiString.length()];
-
asciiString.getChars( 0, asciiString.length(), ascii, 0 );
-
StringBuffer hexBuff = new StringBuffer();
-
for ( int i = 0; i < asciiString.length(); i++ )
{
-
hexBuff.append( "%" );
-
hexBuff.append( Integer.toHexString( ascii[i] ) );
-
}
-
return hexBuff.toString().toUpperCase();
}
@@ -761,73 +713,40 @@ public class Encoding extends LessonAdapter
public static void main( String[] args )
{
-
try
{
-
String userInput = args[0];
-
String userKey = args[1];
-
System.out.println( "Working with: " + userInput );
-
System.out.print( "Base64 encoding: " );
-
System.out.println( base64Encode( userInput ) + " : " + base64Decode( userInput ) );
-
System.out.print( "Entity encoding: " );
-
System.out.println( HtmlEncoder.encode( userInput ) + " : " + HtmlEncoder.decode( userInput ) );
-
System.out.print( "Password based encryption (PBE): " );
-
System.out.println( encryptString( userInput, userKey ) + " : " + decryptString( userInput, userKey ) );
-
System.out.print( "MD5 hash: " );
-
System.out.println( hashMD5( userInput ) + " : " + "Cannot reverse a hash" );
-
System.out.print( "SHA-256 hash: " );
-
System.out.println( hashSHA( userInput ) + " : " + "Cannot reverse a hash" );
-
System.out.print( "Unicode encoding: " );
-
System.out.println( "Not Implemented" + " : " + "Not Implemented" );
-
System.out.print( "URL encoding: " );
-
System.out.println( urlEncode( userInput ) + " : " + urlDecode( userInput ) );
-
System.out.print( "Hex encoding: " );
-
System.out.println( hexEncode( userInput ) + " : " + hexDecode( userInput ) );
-
System.out.print( "Rot13 encoding: " );
-
System.out.println( rot13( userInput ) + " : " + rot13( userInput ) );
-
System.out.print( "XOR with password: " );
-
System.out.println( xorEncode( userInput, userKey ) + " : " + xorDecode( userInput, userKey ) );
-
System.out.print( "Double unicode encoding is..." );
-
System.out.println( "Not Implemented" + " : " + "Not Implemented" );
-
System.out.print( "Double URL encoding: " );
-
System.out.println( urlEncode( urlEncode( userInput ) ) + " : " + urlDecode( urlDecode( userInput ) ) );
-
}
-
catch ( Exception e )
{
-
e.printStackTrace();
-
}
-
}
@@ -868,31 +787,20 @@ public class Encoding extends LessonAdapter
private TR makeTitleRow( String description, String value1, String value2 )
{
-
TD desc = new TD().addElement( new B().addElement( description ) );
-
TD val1 = new TD().addElement( new B().addElement( value1 ) );
TD val2 = new TD().addElement( new B().addElement( value2 ) );
-
desc.setAlign( "center" );
-
val1.setAlign( "center" );
-
val2.setAlign( "center" );
-
TR tr = new TR();
-
tr.addElement( desc );
-
tr.addElement( val1 );
-
tr.addElement( val2 );
-
return ( tr );
}
-
/**
* Description of the Method
*
@@ -902,56 +810,35 @@ public class Encoding extends LessonAdapter
public static synchronized String rot13( String input )
{
-
StringBuffer output = new StringBuffer();
-
if ( input != null )
{
-
for ( int i = 0; i < input.length(); i++ )
{
-
char inChar = input.charAt( i );
-
if ( ( inChar >= 'A' ) & ( inChar <= 'Z' ) )
{
-
inChar += 13;
-
if ( inChar > 'Z' )
{
-
inChar -= 26;
-
}
-
}
-
if ( ( inChar >= 'a' ) & ( inChar <= 'z' ) )
{
-
inChar += 13;
-
if ( inChar > 'z' )
{
-
inChar -= 26;
-
}
-
}
-
output.append( inChar );
-
}
-
}
-
return output.toString();
}
-
/**
* Description of the Method
*
@@ -961,31 +848,21 @@ public class Encoding extends LessonAdapter
public static String unicodeDecode( String str )
{
-
// FIXME: TOTALLY EXPERIMENTAL
try
{
-
ByteBuffer bbuf = ByteBuffer.allocate( str.length() );
-
bbuf.put( str.getBytes() );
-
Charset charset = Charset.forName( "ISO-8859-1" );
-
CharsetDecoder decoder = charset.newDecoder();
-
CharBuffer cbuf = decoder.decode( bbuf );
-
return ( cbuf.toString() );
}
-
catch ( Exception e )
{
-
return ( "Encoding problem" );
}
-
}
@@ -999,27 +876,18 @@ public class Encoding extends LessonAdapter
public static String unicodeEncode( String str )
{
-
// FIXME: TOTALLY EXPERIMENTAL
-
try
{
-
Charset charset = Charset.forName( "ISO-8859-1" );
-
CharsetEncoder encoder = charset.newEncoder();
-
ByteBuffer bbuf = encoder.encode( CharBuffer.wrap( str ) );
-
return ( new String( bbuf.array() ) );
}
-
catch ( Exception e )
{
-
return ( "Encoding problem" );
}
-
}
@@ -1033,19 +901,14 @@ public class Encoding extends LessonAdapter
public static String urlDecode( String str )
{
-
try
{
-
return ( URLDecoder.decode( str, "UTF-8" ) );
}
-
catch ( Exception e )
{
-
return ( "Decoding error" );
}
-
}
@@ -1059,19 +922,14 @@ public class Encoding extends LessonAdapter
public static String urlEncode( String str )
{
-
try
{
-
return ( URLEncoder.encode( str, "UTF-8" ) );
}
-
catch ( Exception e )
{
-
return ( "Encoding error" );
}
-
}
@@ -1086,38 +944,23 @@ public class Encoding extends LessonAdapter
public static synchronized char[] xor( String input, String userKey )
{
-
if ( ( userKey == null ) || ( userKey.trim().length() == 0 ) )
{
-
userKey = "Goober";
-
}
-
char[] xorChars = userKey.toCharArray();
-
int keyLen = xorChars.length;
-
char[] inputChars = null;
-
char[] outputChars = null;
-
if ( input != null )
{
-
inputChars = input.toCharArray();
-
outputChars = new char[inputChars.length];
-
for ( int i = 0; i < inputChars.length; i++ )
{
-
outputChars[i] = (char) ( inputChars[i] ^ xorChars[i % keyLen] );
-
}
-
}
-
return outputChars;
}
@@ -1133,21 +976,15 @@ public class Encoding extends LessonAdapter
public static synchronized String xorDecode( String input, String userKey )
{
-
try
{
-
String decoded = base64Decode( input );
-
return new String( xor( decoded, userKey ) );
}
-
catch ( Exception e )
{
-
return "String not XOR encoded.";
}
-
}
@@ -1162,24 +999,15 @@ public class Encoding extends LessonAdapter
public static synchronized String xorEncode( String input, String userKey )
{
-
return base64Encode( xor( input, userKey ) );
}
static
{
-
for ( int i = 0; i < entities.length; ++i )
{
-
e2i.put( entities[i][0], entities[i][1] );
-
i2e.put( entities[i][1], entities[i][0] );
-
}
-
}
-
}
-
-
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/FailOpenAuthentication.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/FailOpenAuthentication.java
index d613eff39..032d22634 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/FailOpenAuthentication.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/FailOpenAuthentication.java
@@ -114,7 +114,7 @@ public class FailOpenAuthentication extends WeakAuthenticationCookie
*/
protected List getHints()
{
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "You can force errors during the authentication process." );
hints.add( "You can change length, existance, or values of authentication parameters." );
hints.add( "Try removing a parameter ENTIRELY with WebScarab." );
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java
index 53b65f4f5..f8e3b4be1 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java
@@ -63,7 +63,7 @@ public class ForcedBrowsing extends LessonAdapter
*/
public List getHints()
{
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "Try to guess the URL for the config page" );
hints.add( "The config page is guessable and hackable" );
hints.add( "Play with the URL and try to guess what the can you replace 'attack' with." );
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java
index 834ea80e8..f8d40ae8b 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java
@@ -147,7 +147,7 @@ public class HiddenFieldTampering extends LessonAdapter
*/
protected List getHints()
{
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "This application is using hidden fields to transmit price information to the server." );
hints.add( "Use a program to intercept and change the value in the hidden field." );
hints.add( "Use WebScarab to change the price of the TV from " +
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HtmlClues.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HtmlClues.java
index 76915124c..6a58ca89b 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HtmlClues.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HtmlClues.java
@@ -163,7 +163,7 @@ public class HtmlClues extends LessonAdapter
*/
protected List getHints()
{
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "You can view the HTML source by selecting 'view source' in the browser menu." );
hints.add( "There are lots of clues in the HTML" );
hints.add( "Search for the word HIDDEN, look at URLs, look for comments." );
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java
index da56c90e5..dc60f94c0 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java
@@ -68,7 +68,7 @@ public class HttpBasics extends LessonAdapter
*/
public List getHints()
{
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "Type in your name and press 'go'" );
hints.add( "Turn on Show Parameters or other features" );
hints.add( "Press the Show Lesson Plan button to view a lesson summary" );
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
index dd9650a6a..61b5137de 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
@@ -83,14 +83,14 @@ public class HttpSplitting extends LessonAdapter {
return ( ec );
}
- public Category getCategory()
+ protected Category getDefaultCategory()
{
- return LessonAdapter.GENERAL;
+ return AbstractLesson.GENERAL;
}
protected List getHints()
{
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "Enter a language for the system to search by." );
hints.add( "Use CR (%0d) and LF (%0a) for a new line" );
hints.add( "The Content-Length: 0 will tell the server that the first request is over." );
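Review bot: The new `protected Category getDefaultCategory()` carries no `@Override`, whereas the equivalent change in the LogSpoofing.java hunk of this same diff does; without it, any mismatch with the base-class signature compiles silently as an unrelated method and the lesson's category falls back to whatever the base default is. Add `@Override` directly above the declaration, matching LogSpoofing. Whether `AbstractLesson` declares `getDefaultCategory()` with exactly this signature is not visible in this hunk.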
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java
index a7063c3cb..0b6808c7e 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java
@@ -7,7 +7,6 @@ import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
-import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.H3;
@@ -17,7 +16,6 @@ import org.apache.ecs.html.PRE;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
-
import org.owasp.webgoat.session.WebSession;
/**
@@ -26,12 +24,12 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
- * @author Jeff Williams Aspect Security
+ * @author Bruce Mayhew WebGoat
* @created October 28, 2003
*/
public abstract class LessonAdapter extends AbstractLesson
{
- final static IMG ASPECT_LOGO = new IMG( "images/logos/aspect.jpg" ).setAlt( "Aspect Security" ).setBorder( 0 ).setHspace( 0 ).setVspace( 0 );
+ final static IMG WEBGOAT_LOGO = new IMG( "images/logos/WebGoat.jpg" ).setAlt( "WebGoat Logo" ).setBorder( 0 ).setHspace( 0 ).setVspace( 0 );
/**
* Description of the Method
*
@@ -199,7 +197,7 @@ public abstract class LessonAdapter extends AbstractLesson
*/
protected List getHints()
{
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "There are no hints defined." );
return hints;
@@ -217,7 +215,14 @@ public abstract class LessonAdapter extends AbstractLesson
*/
public Element getCredits()
{
- return getCustomCredits("Sponsored by ", ASPECT_LOGO);
+ if (getClass().getResource("images/logos/WebGoat.jpg") != null )
+ {
+ return getCustomCredits("Presented by ", WEBGOAT_LOGO);
+ }
+ else
+ {
+ return new StringElement();
+ }
}
/**
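Review bot: The existence check in getCredits, `getClass().getResource("images/logos/WebGoat.jpg")`, resolves a relative name against the package of the runtime class, so it looks for a classpath resource under the concrete lesson's package (a different package again for lessons in sub-packages such as CrossSiteScripting), not for the web-root path that the IMG's src refers to; unless the image is packaged that way, the lookup returns null and the credits are silently dropped. If a classpath check is intended, use the absolute form `"/images/logos/WebGoat.jpg"`; if the deployed web resource is what should be tested, the servlet context is the right place to ask. Either way the lookup runs on every call and could be computed once into a `static final boolean`. Where the image is actually packaged is not visible from this hunk, so the first point is an inference to confirm.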
@@ -316,8 +321,6 @@ public abstract class LessonAdapter extends AbstractLesson
*/
protected Element getCustomCredits(String text, IMG logo)
{
- ElementContainer ec = new ElementContainer();
-
Table t = new Table().setCellSpacing( 0 ).setCellPadding( 0 ).setBorder( 0 ).setWidth("90%").setAlign("RIGHT");
TR tr = new TR();
tr.addElement( new TD(text).setVAlign("MIDDLE").setAlign("RIGHT").setWidth("100%"));
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java
index be9a1db93..f324c9cff 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java
@@ -1,22 +1,21 @@
package org.owasp.webgoat.lessons;
-import java.util.ArrayList;
-import java.util.List;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
+import java.util.ArrayList;
+import java.util.List;
import org.apache.ecs.Element;
-import org.apache.ecs.StringElement;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-
import org.apache.ecs.ElementContainer;
+import org.apache.ecs.HtmlColor;
+import org.apache.ecs.StringElement;
import org.apache.ecs.html.Input;
+import org.apache.ecs.html.PRE;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
-import org.apache.ecs.html.PRE;
-import org.apache.ecs.HtmlColor;
+import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.WebSession;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
@@ -102,7 +101,7 @@ public class LogSpoofing extends LessonAdapter {
@Override
protected List getHints() {
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "Try to fool the humane eye by using new lines." );
hints.add( "Use CR (%0d) and LF (%0a) for a new line." );
hints.add( "Try: fooledYa%0d%0aLogin Succeeded for username: admin" );
@@ -116,8 +115,8 @@ public class LogSpoofing extends LessonAdapter {
}
@Override
- public Category getCategory() {
- return super.A6;
+ protected Category getDefaultCategory() {
+ return AbstractLesson.A6;
}
}
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ParameterInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ParameterInjection.java
index d5c92da77..b3e63102e 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ParameterInjection.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ParameterInjection.java
@@ -11,7 +11,7 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
- * @author Jeff Williams Aspect Security
+ * @author Bruce Mayhew WebGoat
* @created October 28, 2003
*/
public class ParameterInjection extends LessonAdapter
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java
index c29aaa79a..4a7cbd385 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java
@@ -24,7 +24,7 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
- * @author Jeff Williams Aspect Security
+ * @author Bruce Mayhew WebGoat
* @created October 28, 2003
*/
public class PathBasedAccessControl extends LessonAdapter
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java
index 7e479aae2..1544086c0 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java
@@ -27,7 +27,7 @@ import org.owasp.webgoat.util.HtmlEncoder;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
- * @author Jeff Williams Aspect Security
+ * @author Bruce Mayhew WebGoat
* @created October 28, 2003
*/
@@ -188,7 +188,7 @@ public class ReflectedXSS extends LessonAdapter
*/
protected List getHints()
{
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "A simple script is <SCRIPT>alert('bang!');</SCRIPT>." );
hints.add( "Can you get the script to disclose the JSESSIONID cookie?" );
hints.add( "You can use <SCRIPT>alert(document.cookie);</SCRIPT> to access the session id cookie" );
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java
index 789c8f00f..3dd9efa95 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java
@@ -13,7 +13,7 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
- * @author Jeff Williams Aspect Security
+ * @author Bruce Mayhew WebGoat
* @created October 28, 2003
*/
public class RemoteAdminFlaw extends LessonAdapter
@@ -61,7 +61,7 @@ public class RemoteAdminFlaw extends LessonAdapter
*/
public List getHints()
{
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "WebGoat has 2 admin interfaces." );
hints.add( "WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'" );
hints.add( "WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'" );
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
index 18f55f8dd..634bfc64f 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
@@ -135,7 +135,7 @@ public class RoleBasedAccessControl extends LessonAdapter
*/
protected List getHints()
{
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "Many sites attempt to restrict access to resources by role." );
hints.add( "Developers frequently make mistakes implementing this scheme." );
hints.add( "Attempt combinations of users, roles, and resources." );
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
index ece89d2ab..7bcb8a689 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
@@ -144,7 +144,7 @@ public class SQLInjection extends LessonAdapter
*/
protected List getHints()
{
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "The application is taking your input and inserting it at the end of a pre-formed SQL command." );
hints.add( "This is the code for the query being built and issued by WebGoat:
" +
"\"SELECT * FROM employee WHERE userid = \" + userId + \" and password = \" + password" );
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java
index a58be2e82..608e9f794 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java
@@ -30,7 +30,7 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
- * @author Jeff Williams Aspect Security
+ * @author Bruce Mayhew WebGoat
* @created October 28, 2003
*/
public class SqlNumericInjection extends LessonAdapter
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java
index 741dcf158..98b059902 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java
@@ -26,7 +26,7 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
- * @author Jeff Williams Aspect Security
+ * @author Bruce Mayhew WebGoat
* @created October 28, 2003
*/
public class SqlStringInjection extends LessonAdapter
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java
index 2c6055a48..899b0d9ef 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java
@@ -123,7 +123,7 @@ public class StoredXss extends LessonAdapter
*/
protected List getHints()
{
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "You can put HTML tags in your message." );
hints.add( "Bury a SCRIPT tag in the message to attack anyone who reads it." );
hints.add( "Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in the message field." );
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ThreadSafetyProblem.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ThreadSafetyProblem.java
index f693108fd..8a49dda7f 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ThreadSafetyProblem.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ThreadSafetyProblem.java
@@ -104,7 +104,7 @@ public class ThreadSafetyProblem extends LessonAdapter
*/
protected List getHints()
{
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "Web applications handle many HTTP requests at the same time." );
hints.add( "Developers use variables that are not thread safe." );
hints.add( "Show the Java source code and trace the 'currentUser' variable" );
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java
index 82cb1aa7d..2cafb5865 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java
@@ -26,7 +26,7 @@ import org.owasp.webgoat.util.HtmlEncoder;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
- * @author Jeff Williams Aspect Security
+ * @author Bruce Mayhew WebGoat
* @created October 28, 2003
*/
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java
index a955670a6..241d0be38 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java
@@ -31,7 +31,7 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
- * @author Jeff Williams Aspect Security
+ * @author Bruce Mayhew WebGoat
* @created October 28, 2003
*/
@@ -179,7 +179,7 @@ public class UncheckedEmail extends LessonAdapter
*/
protected List getHints()
{
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "Try sending an anonymous message to yourself." );
hints.add( "Try inserting some html or javascript code in the message field" );
hints.add( "Look at the hidden fields in the HTML.");
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java
index 6bd2f6014..6cff26137 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java
@@ -232,7 +232,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
*/
protected List getHints()
{
- List hints = new ArrayList();
+ List hints = new ArrayList();
hints.add( "The server skips authentication if you send the right cookie." );
hints.add( "Is the AuthCookie value guessable knowing the username and password?" );
hints.add( "Add 'AuthCookie=********;' to the Cookie: header using WebScarab." );
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/Course.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/Course.java
index 934bef011..e36c362ad 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/Course.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/Course.java
@@ -20,7 +20,7 @@ import org.owasp.webgoat.lessons.Category;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
- * @author Jeff Williams Aspect Security
+ * @author Bruce Mayhew WebGoat
* @created October 28, 2003
*/
public class Course
@@ -223,7 +223,7 @@ public class Course
*/
public List getCategories()
{
- List categories = new ArrayList();
+ List categories = new ArrayList();
Iterator iter = lessons.iterator();
while ( iter.hasNext() )
@@ -333,7 +333,7 @@ public class Course
*/
private List getLessons( Category category, List roles )
{
- List lessonList = new ArrayList();
+ List lessonList = new ArrayList();
Iterator iter = lessons.iterator();
while ( iter.hasNext() )
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/LessonTracker.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/LessonTracker.java
index 65d907df0..0d9993830 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/LessonTracker.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/LessonTracker.java
@@ -1,16 +1,15 @@
package org.owasp.webgoat.session;
import java.io.FileInputStream;
-import java.io.FileOutputStream;
import java.io.FileNotFoundException;
-import java.io.IOException;
+import java.io.FileOutputStream;
import java.util.Properties;
/**
* Description of the Class
*
- * @author Bruce Mayhew
+ * @author Bruce Mayhew WebGoat
* @created October 29, 2003
*/
public class LessonTracker
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/UserTracker.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/UserTracker.java
index 2389c979c..5428088f5 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/UserTracker.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/UserTracker.java
@@ -15,7 +15,7 @@ import org.apache.catalina.users.MemoryUserDatabase;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
- * @author Jeff Williams Aspect Security
+ * @author Bruce Mayhew WebGoat
* @created October 29, 2003
*/
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java
index 128916076..ec0625ceb 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java
@@ -337,7 +337,7 @@ public class WebSession
public List getRoles()
{
- List roles = new ArrayList();
+ List roles = new ArrayList();
roles.add(AbstractLesson.USER_ROLE);
if (isAdmin())
@@ -440,7 +440,7 @@ public class WebSession
public String getRestartLink()
{
- List parameters = new ArrayList();
+ List parameters = new ArrayList();
String screenValue = request.getParameter(SCREEN);
if (screenValue != null)