dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

General cleanup of warnings, fixed a few method scope issues and incorrect use of static references to categories

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@30 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
mayhew64 2006-11-03 23:55:08 +00:00
parent fae3c3f047
commit e5b3b00b0f
38 changed files with 94 additions and 265 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
webgoat/main/project/JavaSource/org/owasp/webgoat/LessonSource.java
View File

@ -19,7 +19,7 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class LessonSource extends HammerHead

6
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java
View File

@ -44,7 +44,7 @@ import org.owasp.webgoat.session.WebgoatProperties;
* published by OWASP under the GPL. You should read and accept the LICENSE before you use, modify
* and/or redistribute this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public abstract class AbstractLesson extends Screen implements Comparable
@ -139,7 +139,7 @@ public abstract class AbstractLesson extends Screen implements Comparable
final static IMG previousGrey = new IMG( "images/left14.gif" ).setAlt( "Previous" ).setBorder( 0 ).setHspace( 0 )
.setVspace( 0 );
private static Vector categories = new Vector();
private static Vector<Category> categories = new Vector<Category>();
private Integer ranking;
private Category category;
private boolean hidden;
@ -275,7 +275,7 @@ public abstract class AbstractLesson extends Screen implements Comparable
protected abstract boolean getDefaultHidden();
public void setCategory(String categoryName)
public void setCategory_DELETE_ME(String categoryName)
{
if (categoryName != null)
{

6
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java
View File

@ -103,7 +103,7 @@ public class AccessControlMatrix extends LessonAdapter
*/
protected List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "Many sites attempt to restrict access to resources by role." );
hints.add( "Developers frequently make mistakes implementing this scheme." );
hints.add( "Attempt combinations of users, roles, and resources." );
@ -126,7 +126,7 @@ public class AccessControlMatrix extends LessonAdapter
private List getResources( List rl )
{
// return the resources allowed for these roles
ArrayList list = new ArrayList();
ArrayList<String> list = new ArrayList<String>();
if ( rl.contains( roles[0] ) )
{
@ -165,7 +165,7 @@ public class AccessControlMatrix extends LessonAdapter
private List getRoles( String user )
{
ArrayList list = new ArrayList();
ArrayList<String> list = new ArrayList<String>();
if ( user.equals( users[0] ) )
{

11
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BasicAuthentication.java
View File

@ -21,7 +21,7 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class BasicAuthentication extends LessonAdapter
@ -37,12 +37,6 @@ public class BasicAuthentication extends LessonAdapter
private final static String HEADER_NAME = "header";
private final static String HEADER_VALUE = "value";
/**
* Save the session so it can be used in a staged lesson
*/
private WebSession session = null;
/**
* Description of the Method
*
@ -51,7 +45,6 @@ public class BasicAuthentication extends LessonAdapter
*/
protected Element createContent( WebSession s )
{
session = s;
return super.createStagedContent(s);
}
@ -218,7 +211,7 @@ public class BasicAuthentication extends LessonAdapter
*/
public List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
// int stage = getLessonTracker(session, BASIC).getStage();
// switch ( stage )

4
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BlindSqlInjection.java
View File

@ -108,7 +108,7 @@ public class BlindSqlInjection extends LessonAdapter
*
* @return The category value
*/
public Category getCategory()
protected Category getDefaultCategory()
{
return AbstractLesson.A6;
}
@ -151,7 +151,7 @@ public class BlindSqlInjection extends LessonAdapter
*/
protected List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
if (runningOnWindows()) {
hints.add( "Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. " +
"Create a SQL statement that you can use as a true/false test and then " +

4
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BufferOverflow.java
View File

@ -14,7 +14,7 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class BufferOverflow extends LessonAdapter
@ -52,7 +52,7 @@ public class BufferOverflow extends LessonAdapter
*/
public List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "Lesson Hint 1" );
hints.add( "Lesson Hint 2" );

5
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
View File

@ -2,13 +2,10 @@ package org.owasp.webgoat.lessons;
import java.util.ArrayList;
import java.util.List;
import java.util.Arrays;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.B;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.apache.ecs.html.TD;
@ -90,7 +87,7 @@ public class CSRF extends LessonAdapter {
@Override
protected List getHints() {
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "Enter some text and try to include an image in there." );
hints.add( "The format of an image in html is <pre>&lt;img src=\"[URL]\" width=\"1\" height=\"1\" /&gt;</pre>");
hints.add( "In order to make the picture almost invisible try to add width=\"1\" and height=\"1\"." );

9
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Category.java
View File

@ -1,5 +1,14 @@
package org.owasp.webgoat.lessons;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class Category implements Comparable
{

4
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java
View File

@ -43,7 +43,7 @@ import org.owasp.webgoat.util.ExecResults;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class Challenge2Screen extends LessonAdapter
@ -451,7 +451,7 @@ public class Challenge2Screen extends LessonAdapter
{
//<START_OMIT_SOURCE>
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "You need to gain access to the Java source code for this lesson." );
hints.add( "Seriously, no more hints -- it's a CHALLENGE!" );
hints.add( "Come on -- give it a rest!" );

26
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java
View File

@ -54,19 +54,21 @@ public class CommandInjection extends LessonAdapter
{
index = helpFile.indexOf(';');
}
index = index + 1;
int helpFileLen = helpFile.length() -1; // subtract 1 for the closing quote
System.out.println("Command = [" + helpFile.substring(index, helpFileLen).trim().toLowerCase() + "]");
if (( osName.indexOf( "Windows" ) != -1 &&
( helpFile.substring(index + 1).trim().toLowerCase().equals("netstat -a") ||
helpFile.substring(index + 1).trim().toLowerCase().equals("dir") ||
helpFile.substring(index + 1).trim().toLowerCase().equals("ls") ||
helpFile.substring(index + 1).trim().toLowerCase().equals("ifconfig") ||
helpFile.substring(index + 1).trim().toLowerCase().equals("ipconfig") )) ||
(helpFile.substring(index + 1).trim().toLowerCase().equals("netstat -a #") ||
helpFile.substring(index + 1).trim().toLowerCase().equals("dir #") ||
helpFile.substring(index + 1).trim().toLowerCase().equals("ls #") ||
helpFile.substring(index + 1).trim().toLowerCase().equals("ls -l #") ||
helpFile.substring(index + 1).trim().toLowerCase().equals("ifconfig #") ||
helpFile.substring(index + 1).trim().toLowerCase().equals("ipconfig #") ))
( helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("netstat -a") ||
helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("dir") ||
helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ls") ||
helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ifconfig") ||
helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ipconfig") )) ||
(helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("netstat -a #") ||
helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("dir #") ||
helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ls #") ||
helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ls -l #") ||
helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ifconfig #") ||
helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ipconfig #") ))
{
illegalCommand = false;
}

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
View File

@ -140,7 +140,7 @@ public class CrossSiteScripting extends LessonAdapter
*/
protected List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
// Stage 1
hints.add( "You can put HTML tags in form input fields." );

1
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java
View File

@ -3,7 +3,6 @@ package org.owasp.webgoat.lessons.CrossSiteScripting;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.PreparedStatement;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

174
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Encoding.java
View File

@ -552,14 +552,10 @@ public class Encoding extends LessonAdapter
public List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "Enter a string and press 'go'" );
hints.add( "Enter 'abc' and notice the rot13 encoding is 'nop' ( increase each letter by 13 characters )." );
hints.add( "Enter 'a c' and notice the url encoding is 'a+c' ( ' ' is converted to '+' )." );
return hints;
}
@ -573,7 +569,6 @@ public class Encoding extends LessonAdapter
public String getInstructions(WebSession s)
{
return "This lesson will familiarize the user with different encoding schemes. ";
}
@ -596,7 +591,6 @@ public class Encoding extends LessonAdapter
public String getTitle()
{
return ( "Encoding Basics" );
}
@ -613,27 +607,18 @@ public class Encoding extends LessonAdapter
{
byte[] b = str.getBytes();
MessageDigest md = null;
try
{
md = MessageDigest.getInstance( "MD5" );
md.update( b );
}
catch ( NoSuchAlgorithmException e )
{
// it's got to be there
e.printStackTrace();
}
return ( base64Encode( md.digest() ) );
}
@ -648,29 +633,18 @@ public class Encoding extends LessonAdapter
public static String hashSHA( String str )
{
byte[] b = str.getBytes();
MessageDigest md = null;
try
{
md = MessageDigest.getInstance( "SHA-256" );
md.update( b );
}
catch ( NoSuchAlgorithmException e )
{
// it's got to be there
e.printStackTrace();
}
return ( base64Encode( md.digest() ) );
}
@ -685,40 +659,26 @@ public class Encoding extends LessonAdapter
public static String hexDecode( String hexString )
{
try
{
if ( ( hexString.length() % 3 ) != 0 )
{
return ( "String not comprised of Hex digit pairs." );
}
char[] chars = new char[hexString.length()];
char[] convChars = new char[hexString.length() / 3];
hexString.getChars( 0, hexString.length(), chars, 0 );
for ( int i = 1; i < hexString.length(); i += 3 )
{
String hexToken = new String( chars, i, 2 );
convChars[i / 3] = (char) Integer.parseInt( hexToken, 16 );
}
return new String( convChars );
}
catch ( NumberFormatException nfe )
{
return ( "String not comprised of Hex digits" );
}
}
@ -732,22 +692,14 @@ public class Encoding extends LessonAdapter
public static String hexEncode( String asciiString )
{
char[] ascii = new char[asciiString.length()];
asciiString.getChars( 0, asciiString.length(), ascii, 0 );
StringBuffer hexBuff = new StringBuffer();
for ( int i = 0; i < asciiString.length(); i++ )
{
hexBuff.append( "%" );
hexBuff.append( Integer.toHexString( ascii[i] ) );
}
return hexBuff.toString().toUpperCase();
}
@ -761,73 +713,40 @@ public class Encoding extends LessonAdapter
public static void main( String[] args )
{
try
{
String userInput = args[0];
String userKey = args[1];
System.out.println( "Working with: " + userInput );
System.out.print( "Base64 encoding: " );
System.out.println( base64Encode( userInput ) + " : " + base64Decode( userInput ) );
System.out.print( "Entity encoding: " );
System.out.println( HtmlEncoder.encode( userInput ) + " : " + HtmlEncoder.decode( userInput ) );
System.out.print( "Password based encryption (PBE): " );
System.out.println( encryptString( userInput, userKey ) + " : " + decryptString( userInput, userKey ) );
System.out.print( "MD5 hash: " );
System.out.println( hashMD5( userInput ) + " : " + "Cannot reverse a hash" );
System.out.print( "SHA-256 hash: " );
System.out.println( hashSHA( userInput ) + " : " + "Cannot reverse a hash" );
System.out.print( "Unicode encoding: " );
System.out.println( "Not Implemented" + " : " + "Not Implemented" );
System.out.print( "URL encoding: " );
System.out.println( urlEncode( userInput ) + " : " + urlDecode( userInput ) );
System.out.print( "Hex encoding: " );
System.out.println( hexEncode( userInput ) + " : " + hexDecode( userInput ) );
System.out.print( "Rot13 encoding: " );
System.out.println( rot13( userInput ) + " : " + rot13( userInput ) );
System.out.print( "XOR with password: " );
System.out.println( xorEncode( userInput, userKey ) + " : " + xorDecode( userInput, userKey ) );
System.out.print( "Double unicode encoding is..." );
System.out.println( "Not Implemented" + " : " + "Not Implemented" );
System.out.print( "Double URL encoding: " );
System.out.println( urlEncode( urlEncode( userInput ) ) + " : " + urlDecode( urlDecode( userInput ) ) );
}
catch ( Exception e )
{
e.printStackTrace();
}
}
@ -868,31 +787,20 @@ public class Encoding extends LessonAdapter
private TR makeTitleRow( String description, String value1, String value2 )
{
TD desc = new TD().addElement( new B().addElement( description ) );
TD val1 = new TD().addElement( new B().addElement( value1 ) );
TD val2 = new TD().addElement( new B().addElement( value2 ) );
desc.setAlign( "center" );
val1.setAlign( "center" );
val2.setAlign( "center" );
TR tr = new TR();
tr.addElement( desc );
tr.addElement( val1 );
tr.addElement( val2 );
return ( tr );
}
/**
* Description of the Method
*
@ -902,56 +810,35 @@ public class Encoding extends LessonAdapter
public static synchronized String rot13( String input )
{
StringBuffer output = new StringBuffer();
if ( input != null )
{
for ( int i = 0; i < input.length(); i++ )
{
char inChar = input.charAt( i );
if ( ( inChar >= 'A' ) & ( inChar <= 'Z' ) )
{
inChar += 13;
if ( inChar > 'Z' )
{
inChar -= 26;
}
}
if ( ( inChar >= 'a' ) & ( inChar <= 'z' ) )
{
inChar += 13;
if ( inChar > 'z' )
{
inChar -= 26;
}
}
output.append( inChar );
}
}
return output.toString();
}
/**
* Description of the Method
*
@ -961,31 +848,21 @@ public class Encoding extends LessonAdapter
public static String unicodeDecode( String str )
{
// FIXME: TOTALLY EXPERIMENTAL
try
{
ByteBuffer bbuf = ByteBuffer.allocate( str.length() );
bbuf.put( str.getBytes() );
Charset charset = Charset.forName( "ISO-8859-1" );
CharsetDecoder decoder = charset.newDecoder();
CharBuffer cbuf = decoder.decode( bbuf );
return ( cbuf.toString() );
}
catch ( Exception e )
{
return ( "Encoding problem" );
}
}
@ -999,27 +876,18 @@ public class Encoding extends LessonAdapter
public static String unicodeEncode( String str )
{
// FIXME: TOTALLY EXPERIMENTAL
try
{
Charset charset = Charset.forName( "ISO-8859-1" );
CharsetEncoder encoder = charset.newEncoder();
ByteBuffer bbuf = encoder.encode( CharBuffer.wrap( str ) );
return ( new String( bbuf.array() ) );
}
catch ( Exception e )
{
return ( "Encoding problem" );
}
}
@ -1033,19 +901,14 @@ public class Encoding extends LessonAdapter
public static String urlDecode( String str )
{
try
{
return ( URLDecoder.decode( str, "UTF-8" ) );
}
catch ( Exception e )
{
return ( "Decoding error" );
}
}
@ -1059,19 +922,14 @@ public class Encoding extends LessonAdapter
public static String urlEncode( String str )
{
try
{
return ( URLEncoder.encode( str, "UTF-8" ) );
}
catch ( Exception e )
{
return ( "Encoding error" );
}
}
@ -1086,38 +944,23 @@ public class Encoding extends LessonAdapter
public static synchronized char[] xor( String input, String userKey )
{
if ( ( userKey == null ) || ( userKey.trim().length() == 0 ) )
{
userKey = "Goober";
}
char[] xorChars = userKey.toCharArray();
int keyLen = xorChars.length;
char[] inputChars = null;
char[] outputChars = null;
if ( input != null )
{
inputChars = input.toCharArray();
outputChars = new char[inputChars.length];
for ( int i = 0; i < inputChars.length; i++ )
{
outputChars[i] = (char) ( inputChars[i] ^ xorChars[i % keyLen] );
}
}
return outputChars;
}
@ -1133,21 +976,15 @@ public class Encoding extends LessonAdapter
public static synchronized String xorDecode( String input, String userKey )
{
try
{
String decoded = base64Decode( input );
return new String( xor( decoded, userKey ) );
}
catch ( Exception e )
{
return "String not XOR encoded.";
}
}
@ -1162,24 +999,15 @@ public class Encoding extends LessonAdapter
public static synchronized String xorEncode( String input, String userKey )
{
return base64Encode( xor( input, userKey ) );
}
static
{
for ( int i = 0; i < entities.length; ++i )
{
e2i.put( entities[i][0], entities[i][1] );
i2e.put( entities[i][1], entities[i][0] );
}
}
}

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/FailOpenAuthentication.java
View File

@ -114,7 +114,7 @@ public class FailOpenAuthentication extends WeakAuthenticationCookie
*/
protected List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "You can force errors during the authentication process." );
hints.add( "You can change length, existance, or values of authentication parameters." );
hints.add( "Try removing a parameter ENTIRELY with <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A>." );

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java
View File

@ -63,7 +63,7 @@ public class ForcedBrowsing extends LessonAdapter
*/
public List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "Try to guess the URL for the config page" );
hints.add( "The config page is guessable and hackable" );
hints.add( "Play with the URL and try to guess what the can you replace 'attack' with." );

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java
View File

@ -147,7 +147,7 @@ public class HiddenFieldTampering extends LessonAdapter
*/
protected List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "This application is using hidden fields to transmit price information to the server." );
hints.add( "Use a program to intercept and change the value in the hidden field." );
hints.add( "Use <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A> to change the price of the TV from " +

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HtmlClues.java
View File

@ -163,7 +163,7 @@ public class HtmlClues extends LessonAdapter
*/
protected List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "You can view the HTML source by selecting 'view source' in the browser menu." );
hints.add( "There are lots of clues in the HTML" );
hints.add( "Search for the word HIDDEN, look at URLs, look for comments." );

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java
View File

@ -68,7 +68,7 @@ public class HttpBasics extends LessonAdapter
*/
public List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "Type in your name and press 'go'" );
hints.add( "Turn on Show Parameters or other features" );
hints.add( "Press the Show Lesson Plan button to view a lesson summary" );

6
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
View File

@ -83,14 +83,14 @@ public class HttpSplitting extends LessonAdapter {
return ( ec );
}
public Category getCategory()
protected Category getDefaultCategory()
{
return LessonAdapter.GENERAL;
return AbstractLesson.GENERAL;
}
protected List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "Enter a language for the system to search by." );
hints.add( "Use CR (%0d) and LF (%0a) for a new line" );
hints.add( "The Content-Length: 0 will tell the server that the first request is over." );

19
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java
View File

@ -7,7 +7,6 @@ import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.H3;
@ -17,7 +16,6 @@ import org.apache.ecs.html.PRE;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.WebSession;
/**
@ -26,12 +24,12 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public abstract class LessonAdapter extends AbstractLesson
{
final static IMG ASPECT_LOGO = new IMG( "images/logos/aspect.jpg" ).setAlt( "Aspect Security" ).setBorder( 0 ).setHspace( 0 ).setVspace( 0 );
final static IMG WEBGOAT_LOGO = new IMG( "images/logos/WebGoat.jpg" ).setAlt( "WebGoat Logo" ).setBorder( 0 ).setHspace( 0 ).setVspace( 0 );
/**
* Description of the Method
*
@ -199,7 +197,7 @@ public abstract class LessonAdapter extends AbstractLesson
*/
protected List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "There are no hints defined." );
return hints;
@ -217,7 +215,14 @@ public abstract class LessonAdapter extends AbstractLesson
*/
public Element getCredits()
{
return getCustomCredits("Sponsored by&nbsp;", ASPECT_LOGO);
if (getClass().getResource("images/logos/WebGoat.jpg") != null )
{
return getCustomCredits("Presented by&nbsp;", WEBGOAT_LOGO);
}
else
{
return new StringElement();
}
}
/**
@ -316,8 +321,6 @@ public abstract class LessonAdapter extends AbstractLesson
*/
protected Element getCustomCredits(String text, IMG logo)
{
ElementContainer ec = new ElementContainer();
Table t = new Table().setCellSpacing( 0 ).setCellPadding( 0 ).setBorder( 0 ).setWidth("90%").setAlign("RIGHT");
TR tr = new TR();
tr.addElement( new TD(text).setVAlign("MIDDLE").setAlign("RIGHT").setWidth("100%"));

21
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java
View File

@ -1,22 +1,21 @@
package org.owasp.webgoat.lessons;
import java.util.ArrayList;
import java.util.List;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.StringElement;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.HtmlColor;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.PRE;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.apache.ecs.html.PRE;
import org.apache.ecs.HtmlColor;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
@ -102,7 +101,7 @@ public class LogSpoofing extends LessonAdapter {
@Override
protected List getHints() {
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "Try to fool the humane eye by using new lines." );
hints.add( "Use CR (%0d) and LF (%0a) for a new line." );
hints.add( "Try: fooledYa%0d%0aLogin Succeeded for username: admin" );
@ -116,8 +115,8 @@ public class LogSpoofing extends LessonAdapter {
}
@Override
public Category getCategory() {
return super.A6;
protected Category getDefaultCategory() {
return AbstractLesson.A6;
}
}

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ParameterInjection.java
View File

@ -11,7 +11,7 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class ParameterInjection extends LessonAdapter

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java
View File

@ -24,7 +24,7 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class PathBasedAccessControl extends LessonAdapter

4
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java
View File

@ -27,7 +27,7 @@ import org.owasp.webgoat.util.HtmlEncoder;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@ -188,7 +188,7 @@ public class ReflectedXSS extends LessonAdapter
*/
protected List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "A simple script is &lt;SCRIPT&gt;alert('bang!');&lt;/SCRIPT&gt;." );
hints.add( "Can you get the script to disclose the JSESSIONID cookie?" );
hints.add( "You can use &lt;SCRIPT&gt;alert(document.cookie);&lt;/SCRIPT&gt; to access the session id cookie" );

4
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java
View File

@ -13,7 +13,7 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class RemoteAdminFlaw extends LessonAdapter
@ -61,7 +61,7 @@ public class RemoteAdminFlaw extends LessonAdapter
*/
public List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "WebGoat has 2 admin interfaces." );
hints.add( "WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'" );
hints.add( "WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'" );

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
View File

@ -135,7 +135,7 @@ public class RoleBasedAccessControl extends LessonAdapter
*/
protected List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "Many sites attempt to restrict access to resources by role." );
hints.add( "Developers frequently make mistakes implementing this scheme." );
hints.add( "Attempt combinations of users, roles, and resources." );

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
View File

@ -144,7 +144,7 @@ public class SQLInjection extends LessonAdapter
*/
protected List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "The application is taking your input and inserting it at the end of a pre-formed SQL command." );
hints.add( "This is the code for the query being built and issued by WebGoat:<br><br> " +
"\"SELECT * FROM employee WHERE userid = \" + userId + \" and password = \" + password" );

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java
View File

@ -30,7 +30,7 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class SqlNumericInjection extends LessonAdapter

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java
View File

@ -26,7 +26,7 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class SqlStringInjection extends LessonAdapter

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java
View File

@ -123,7 +123,7 @@ public class StoredXss extends LessonAdapter
*/
protected List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "You can put HTML tags in your message." );
hints.add( "Bury a SCRIPT tag in the message to attack anyone who reads it." );
hints.add( "Enter this: &lt;script language=\"javascript\" type=\"text/javascript\"&gt;alert(\"Ha Ha Ha\");&lt;/script&gt; in the message field." );

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ThreadSafetyProblem.java
View File

@ -104,7 +104,7 @@ public class ThreadSafetyProblem extends LessonAdapter
*/
protected List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "Web applications handle many HTTP requests at the same time." );
hints.add( "Developers use variables that are not thread safe." );
hints.add( "Show the Java source code and trace the 'currentUser' variable" );

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java
View File

@ -26,7 +26,7 @@ import org.owasp.webgoat.util.HtmlEncoder;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/

4
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java
View File

@ -31,7 +31,7 @@ import org.owasp.webgoat.session.WebSession;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@ -179,7 +179,7 @@ public class UncheckedEmail extends LessonAdapter
*/
protected List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "Try sending an anonymous message to yourself." );
hints.add( "Try inserting some html or javascript code in the message field" );
hints.add( "Look at the hidden fields in the HTML.");

2
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java
View File

@ -232,7 +232,7 @@ public class WeakAuthenticationCookie extends LessonAdapter
*/
protected List getHints()
{
List hints = new ArrayList();
List<String> hints = new ArrayList<String>();
hints.add( "The server skips authentication if you send the right cookie." );
hints.add( "Is the AuthCookie value guessable knowing the username and password?" );
hints.add( "Add 'AuthCookie=********;' to the Cookie: header using <A href=\"http://www.owasp.org/development/webscarab\">WebScarab</A>." );

6
webgoat/main/project/JavaSource/org/owasp/webgoat/session/Course.java
View File

@ -20,7 +20,7 @@ import org.owasp.webgoat.lessons.Category;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class Course
@ -223,7 +223,7 @@ public class Course
*/
public List getCategories()
{
List categories = new ArrayList();
List<Category> categories = new ArrayList<Category>();
Iterator iter = lessons.iterator();
while ( iter.hasNext() )
@ -333,7 +333,7 @@ public class Course
*/
private List getLessons( Category category, List roles )
{
List lessonList = new ArrayList();
List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>();
Iterator iter = lessons.iterator();
while ( iter.hasNext() )

5
webgoat/main/project/JavaSource/org/owasp/webgoat/session/LessonTracker.java
View File

@ -1,16 +1,15 @@
package org.owasp.webgoat.session;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.FileOutputStream;
import java.util.Properties;
/**
* Description of the Class
*
* @author Bruce Mayhew
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 29, 2003
*/
public class LessonTracker

2
webgoat/main/project/JavaSource/org/owasp/webgoat/session/UserTracker.java
View File

@ -15,7 +15,7 @@ import org.apache.catalina.users.MemoryUserDatabase;
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 29, 2003
*/

4
webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java
View File

@ -337,7 +337,7 @@ public class WebSession
public List getRoles()
{
List roles = new ArrayList();
List<String> roles = new ArrayList<String>();
roles.add(AbstractLesson.USER_ROLE);
if (isAdmin())
@ -440,7 +440,7 @@ public class WebSession
public String getRestartLink()
{
List parameters = new ArrayList();
List<String> parameters = new ArrayList<String>();
String screenValue = request.getParameter(SCREEN);
if (screenValue != null)