From e8b9b17107b3ec46f1027377660cdb1c0a87d6ea Mon Sep 17 00:00:00 2001 
From: Doug Morato Date: Tue, 15 Sep 2015 22:24:11 -0400 Subject: [PATCH] Fix javadoc errors in order to comply with Maven OSS requirements --- .../classloader/PluginClassLoader.java | 15 + .../main/java/org/owasp/webgoat/Catcher.java | 242 +- .../java/org/owasp/webgoat/HammerHead.java | 27 +- .../java/org/owasp/webgoat/LessonSource.java | 378 +-- .../webgoat/application/Application.java | 19 + .../application/WebGoatServletListener.java | 3 + .../org/owasp/webgoat/controller/About.java | 10 + .../org/owasp/webgoat/controller/Login.java | 9 + .../org/owasp/webgoat/controller/Logout.java | 9 + .../org/owasp/webgoat/controller/Start.java | 16 + .../org/owasp/webgoat/controller/Welcome.java | 10 + .../owasp/webgoat/lessons/AbstractLesson.java | 1865 +++++++------ .../org/owasp/webgoat/lessons/Category.java | 60 +- .../owasp/webgoat/lessons/LessonAdapter.java | 514 ++-- .../webgoat/lessons/RandomLessonAdapter.java | 237 +- .../lessons/SequentialLessonAdapter.java | 350 ++- .../owasp/webgoat/lessons/WelcomeScreen.java | 306 +-- .../webgoat/lessons/admin/AdminScreen.java | 215 +- .../lessons/admin/ProductsAdminScreen.java | 247 +- .../lessons/admin/RefreshDBScreen.java | 319 +-- .../lessons/admin/ReportCardScreen.java | 591 ++--- .../admin/SummaryReportCardScreen.java | 642 ++--- .../lessons/admin/UserAdminScreen.java | 247 +- .../webgoat/lessons/admin/ViewDatabase.java | 329 +-- .../lessons/admin/WelcomeAdminScreen.java | 178 +- .../org/owasp/webgoat/lessons/model/Hint.java | 14 + .../lessons/model/HttpBasicsModel.java | 107 +- .../webgoat/lessons/model/LessonMenuItem.java | 36 + .../lessons/model/LessonMenuItemType.java | 2 + .../lessons/model/RequestParameter.java | 145 +- .../webgoat/lessons/model/SourceListing.java | 68 +- .../owasp/webgoat/plugins/LegacyLoader.java | 518 ++-- .../org/owasp/webgoat/plugins/Plugin.java | 55 + .../plugins/PluginBackgroundLoader.java | 7 + .../webgoat/plugins/PluginExtractor.java | 27 + .../webgoat/plugins/PluginFileUtils.java | 64 + 
.../webgoat/plugins/PluginLoadingFailure.java | 11 + .../owasp/webgoat/plugins/PluginsLoader.java | 19 + .../webgoat/service/ApplicationService.java | 6 +- .../owasp/webgoat/service/BaseService.java | 21 + .../owasp/webgoat/service/CookieService.java | 10 +- .../owasp/webgoat/service/DummyService.java | 7 + .../owasp/webgoat/service/ExceptionInfo.java | 130 +- .../owasp/webgoat/service/HintService.java | 12 +- .../webgoat/service/LessonMenuService.java | 6 +- .../webgoat/service/LessonPlanService.java | 6 +- .../webgoat/service/LessonTitleService.java | 11 +- .../webgoat/service/ParameterService.java | 6 +- .../webgoat/service/RestartLessonService.java | 6 +- .../owasp/webgoat/service/SessionService.java | 7 +- .../webgoat/service/SolutionService.java | 12 +- .../owasp/webgoat/service/SourceService.java | 6 +- .../owasp/webgoat/servlets/Controller.java | 73 +- .../owasp/webgoat/session/Authorization.java | 125 +- .../org/owasp/webgoat/session/Course.java | 105 +- .../org/owasp/webgoat/session/CreateDB.java | 2078 +++++++-------- .../webgoat/session/DatabaseUtilities.java | 370 +-- .../org/owasp/webgoat/session/ECSFactory.java | 1486 ++++++----- .../org/owasp/webgoat/session/Employee.java | 646 +++-- .../owasp/webgoat/session/EmployeeStub.java | 202 +- .../owasp/webgoat/session/ErrorScreen.java | 549 ++-- .../owasp/webgoat/session/LessonSession.java | 148 +- .../owasp/webgoat/session/LessonTracker.java | 831 +++--- .../org/owasp/webgoat/session/Parameter.java | 193 +- .../session/ParameterNotFoundException.java | 120 +- .../webgoat/session/ParameterParser.java | 1884 ++++++------- .../webgoat/session/RandomLessonTracker.java | 281 +- .../java/org/owasp/webgoat/session/Role.java | 17 +- .../org/owasp/webgoat/session/Screen.java | 45 +- .../session/SequentialLessonTracker.java | 98 +- .../session/UnauthenticatedException.java | 81 +- .../session/UnauthorizedException.java | 81 +- .../java/org/owasp/webgoat/session/User.java | 27 +- 
.../owasp/webgoat/session/UserDatabase.java | 45 +- .../owasp/webgoat/session/UserTracker.java | 558 ++-- .../webgoat/session/ValidationException.java | 107 +- .../org/owasp/webgoat/session/WebSession.java | 2319 +++++++++-------- .../owasp/webgoat/session/WebgoatContext.java | 528 ++-- .../webgoat/session/WebgoatProperties.java | 265 +- .../org/owasp/webgoat/util/BeanProvider.java | 131 +- .../java/org/owasp/webgoat/util/Exec.java | 1056 ++++---- .../org/owasp/webgoat/util/ExecResults.java | 708 ++--- .../webgoat/util/ExecutionException.java | 120 +- .../org/owasp/webgoat/util/HtmlEncoder.java | 455 ++-- .../org/owasp/webgoat/util/Interceptor.java | 292 ++- .../org/owasp/webgoat/util/LabelManager.java | 96 +- .../owasp/webgoat/util/LabelManagerImpl.java | 149 +- .../org/owasp/webgoat/util/LabelProvider.java | 223 +- .../org/owasp/webgoat/util/ThreadWatcher.java | 208 +- .../org/owasp/webgoat/util/WebGoatI18N.java | 158 +- 90 files changed, 13590 insertions(+), 11425 deletions(-)
diff --git a/webgoat-classloader/src/main/java/org/owasp/webgoat/classloader/PluginClassLoader.java b/webgoat-classloader/src/main/java/org/owasp/webgoat/classloader/PluginClassLoader.java
index 6f7d4d683..4be6fefda 100644
--- a/webgoat-classloader/src/main/java/org/owasp/webgoat/classloader/PluginClassLoader.java
+++ b/webgoat-classloader/src/main/java/org/owasp/webgoat/classloader/PluginClassLoader.java
@@ -14,15 +14,30 @@ import java.util.List;
 *
 * With this loader we can add jars we load during the plugin loading and the jsp will pick it up because this is
 * the same classloader.
+ *
+ * @version $Id: $Id
 */
 public class PluginClassLoader extends WebappClassLoader {
+ /**
+ *

Constructor for PluginClassLoader.

+ */
 public PluginClassLoader() {
 }
+ /**
+ *

Constructor for PluginClassLoader.

+ *
+ * @param parent a {@link java.lang.ClassLoader} object.
+ */
 public PluginClassLoader(ClassLoader parent) {
 super(parent);
 }
+ /**
+ *

addURL.

+ *
+ * @param urls a {@link java.util.List} object.
+ */
 public void addURL(List urls) {
 for (URL url : urls) {
 super.addURL(url);
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/Catcher.java b/webgoat-container/src/main/java/org/owasp/webgoat/Catcher.java
index ed26d25d6..6f70157b1 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/Catcher.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/Catcher.java
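Review bot: The new `@param urls a {@link java.util.List} object.` tag on addURL restates the parameter type and says nothing about the effect, which is the one thing a plugin author needs: each URL is appended to this loader's search path through `super.addURL(url)`, so whatever it points at becomes loadable by the webapp and, per the class comment, by its JSPs. Suggest `@param urls jar or directory URLs to append to this loader's search path; classes and resources in them become visible to the webapp and its JSPs`, and if this page's rendering has dropped the generic type from `List urls`, keep it explicit in the signature since the loop binds each element as a URL. The `@version $Id: $Id` tag added here, and in every other file of this patch, is a CVS/SVN keyword that git never expands, so every generated page will show the literal placeholder; drop it or hard-code a value. addURL's closing braces lie outside the hunk.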
@@ -1,120 +1,122 @@ - -package org.owasp.webgoat; - -import java.io.IOException; -import java.util.Enumeration; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.session.Course; -import org.owasp.webgoat.session.WebSession; - - -/*************************************************************************************************** - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. 
- * - * For details, please see http://webgoat.github.io - * - * @author Bruce Mayhew WebGoat - * @created March 13, 2007 - */ -public class Catcher extends HammerHead -{ - - /** - * - */ - private static final long serialVersionUID = 7441856110845727651L; - - /** - * Description of the Field - */ - public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE"; - - public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE"; - - public static final String PROPERTY = "PROPERTY"; - - public static final String EMPTY_STRING = ""; - - /** - * Description of the Method - * - * @param request - * Description of the Parameter - * @param response - * Description of the Parameter - * @exception IOException - * Description of the Exception - * @exception ServletException - * Description of the Exception - */ - public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException - { - try - { - // System.out.println( "Entering doPost: " ); - // System.out.println( " - request " + request); - // System.out.println( " - principle: " + request.getUserPrincipal() ); - // setCacheHeaders(response, 0); - WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION); - session.update(request, response, this.getServletName()); // FIXME: Too much in this - // call. - - int scr = session.getCurrentScreen(); - Course course = session.getCourse(); - AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); - - log(request, lesson.getClass().getName() + " | " + session.getParser().toString()); - - String property = new String(session.getParser().getStringParameter(PROPERTY, EMPTY_STRING)); - - // if the PROPERTY parameter is available - write all the parameters to the - // property file. No other control parameters are supported at this time. 
- if (!property.equals(EMPTY_STRING)) - { - Enumeration e = session.getParser().getParameterNames(); - - while (e.hasMoreElements()) - { - String name = (String) e.nextElement(); - String value = session.getParser().getParameterValues(name)[0]; - lesson.getLessonTracker(session).getLessonProperties().setProperty(name, value); - } - } - lesson.getLessonTracker(session).store(session, lesson); - - // BDM MC -// WEB-173 - removed for testing, as plugin architecture would not allow this -// if ( request.getParameter("Deleter") != null ){org.owasp.webgoat.lessons.BlindScript.StaticDeleter();} - - } catch (Throwable t) - { - t.printStackTrace(); - log("ERROR: " + t); - } - } -} + +package org.owasp.webgoat; + +import java.io.IOException; +import java.util.Enumeration; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.session.Course; +import org.owasp.webgoat.session.WebSession; + + +/** + ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. 
+ * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + * + * For details, please see http://webgoat.github.io + * + * @author Bruce Mayhew WebGoat + * @since March 13, 2007 + * @version $Id: $Id + */ +public class Catcher extends HammerHead +{ + + /** + * + */ + private static final long serialVersionUID = 7441856110845727651L; + + /** + * Description of the Field + */ + public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE"; + + /** Constant END_SOURCE_SKIP="END_OMIT_SOURCE" */ + public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE"; + + /** Constant PROPERTY="PROPERTY" */ + public static final String PROPERTY = "PROPERTY"; + + /** Constant EMPTY_STRING="" */ + public static final String EMPTY_STRING = ""; + + /** + * {@inheritDoc} + * + * Description of the Method + * @exception IOException + * Description of the Exception + * @exception ServletException + * Description of the Exception + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException + { + try + { + // System.out.println( "Entering doPost: " ); + // System.out.println( " - request " + request); + // System.out.println( " - principle: " + request.getUserPrincipal() ); + // setCacheHeaders(response, 0); + WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION); + session.update(request, response, this.getServletName()); // FIXME: Too much in this + // call. 
+
+ int scr = session.getCurrentScreen();
+ Course course = session.getCourse();
+ AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
+
+ log(request, lesson.getClass().getName() + " | " + session.getParser().toString());
+
+ String property = new String(session.getParser().getStringParameter(PROPERTY, EMPTY_STRING));
+
+ // if the PROPERTY parameter is available - write all the parameters to the
+ // property file. No other control parameters are supported at this time.
+ if (!property.equals(EMPTY_STRING))
+ {
+ Enumeration e = session.getParser().getParameterNames();
+
+ while (e.hasMoreElements())
+ {
+ String name = (String) e.nextElement();
+ String value = session.getParser().getParameterValues(name)[0];
+ lesson.getLessonTracker(session).getLessonProperties().setProperty(name, value);
+ }
+ }
+ lesson.getLessonTracker(session).store(session, lesson);
+
+ // BDM MC
+// WEB-173 - removed for testing, as plugin architecture would not allow this
+// if ( request.getParameter("Deleter") != null ){org.owasp.webgoat.lessons.BlindScript.StaticDeleter();}
+
+ } catch (Throwable t)
+ {
+ t.printStackTrace();
+ log("ERROR: " + t);
+ }
+ }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java b/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java
index 98b25c131..ab48aa74c 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java
@@ -55,11 +55,11 @@ import java.util.TimeZone;
 *
 * For details, please see http://webgoat.github.io
 *
- *
 * @author Jeff Williams Aspect
 * Security
 * @author Bruce Mayhew WebGoat
- * @created October 28, 2003
+ * @since October 28, 2003
+ * @version $Id: $Id
 */
 public class HammerHead extends HttpServlet {
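Review bot: The doPost javadoc in Catcher still reads `Description of the Method` under the new `{@inheritDoc}`, and both `@exception` lines keep their placeholder wording, so the one behaviour worth documenting stays undocumented: when the request carries a non-empty `PROPERTY` parameter, the first value of every request parameter is copied into the current lesson's properties, and the tracker is stored either way. Suggest replacing the placeholder sentence with `Records the current request against the lesson tracker; if the PROPERTY parameter is non-empty, the first value of every request parameter is also written into the lesson's properties before store()`. Because every line of the file is removed and re-added (presumably a line-ending normalisation), lines such as `Copyright (c) 2002 - 20014` and the `Description of the Field` placeholder on START_SOURCE_SKIP were touched but not fixed; a separate whitespace-only commit would also make the three real javadoc changes reviewable. The broad `catch (Throwable t)` that only prints the stack trace is likewise re-added unchanged and would at least deserve a comment on why the response is left untouched on failure.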
@@ -95,10 +95,9 @@ public class HammerHead extends HttpServlet {
 private WebgoatContext webgoatContext = null;
 /**
- * Description of the Method
+ * {@inheritDoc}
 *
- * @param request Description of the Parameter
- * @param response Description of the Parameter
+ * Description of the Method
 * @exception IOException Description of the Exception
 * @exception ServletException Description of the Exception
 */
@@ -108,10 +107,9 @@ public class HammerHead extends HttpServlet {
 }
 /**
- * Description of the Method
+ * {@inheritDoc}
 *
- * @param request Description of the Parameter
- * @param response Description of the Parameter
+ * Description of the Method
 * @exception IOException Description of the Exception
 * @exception ServletException Description of the Exception
 */
@@ -227,9 +225,9 @@ public class HammerHead extends HttpServlet {
 }
 /**
- * Return information about this servlet
+ * {@inheritDoc}
 *
- * @return The servletInfo value
+ * Return information about this servlet
 */
 @Override
 public String getServletInfo() {
@@ -237,9 +235,9 @@ public class HammerHead extends HttpServlet {
 }
 /**
- * Return properties path
+ * {@inheritDoc}
 *
- * @throws javax.servlet.ServletException
+ * Return properties path
 */
 @Override
 public void init() throws ServletException {
@@ -371,7 +369,7 @@ public class HammerHead extends HttpServlet {
 * @param response Description of the Parameter
 * @param context Description of the Parameter
 * @return Description of the Return Value
- * @throws java.io.IOException
+ * @throws java.io.IOException if any.
 */
 protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context) throws IOException {
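Review bot: In the -95 and -108 hunks `{@inheritDoc}` is now followed by the old `Description of the Method` line, so the generated page will show HttpServlet's inherited text immediately followed by a meaningless placeholder; delete that line or replace it with what these overrides actually do. The `@param request` / `@param response` lines were removed, but the `@exception IOException Description of the Exception` and `@exception ServletException Description of the Exception` lines survive with the same placeholder wording, and with `{@inheritDoc}` in place they would be inherited anyway, so they can go too. The same pattern repeats in the -227 and -237 hunks, where the old one-line summaries (`Return information about this servlet`, `Return properties path`) are demoted below `{@inheritDoc}` instead of being kept as the first sentence. The methods these comments belong to start outside the hunks, so I can only judge the tags.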
@@ -415,9 +413,10 @@ public class HammerHead extends HttpServlet {
 * Description of the Method
 *
 * @param s Description of the Parameter
- * @param screen
+ * @param screen a {@link org.owasp.webgoat.session.Screen} object.
 * @param response Description of the Parameter
 * @exception IOException Description of the Exception
+ * @throws java.io.IOException if any.
 */
 protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) throws IOException {
 response.setContentType("text/html");
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/LessonSource.java b/webgoat-container/src/main/java/org/owasp/webgoat/LessonSource.java
index 8223d5142..d7e00c9f8 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/LessonSource.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/LessonSource.java
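Review bot: writeScreen now documents IOException twice: the old `@exception IOException Description of the Exception` line is kept and a new `@throws java.io.IOException if any.` is added beneath it, which doclint may flag as a duplicate tag, the very class of error this patch sets out to remove. Keep a single line, e.g. `@throws IOException if the response writer cannot be obtained or written`, and replace `@param screen a {@link org.owasp.webgoat.session.Screen} object.` with what the method does with it, `@param screen the screen rendered as text/html into the response` (the `setContentType("text/html")` call is visible in the hunk). writeScreen's body continues outside the hunk.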
@@ -1,185 +1,193 @@ -package org.owasp.webgoat; - -import java.io.IOException; -import java.io.PrintWriter; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.session.Course; -import org.owasp.webgoat.session.WebSession; - -/** - * ************************************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. - * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository - * for free software projects. 
- * - * For details, please see http://webgoat.github.io - * - * @author Bruce Mayhew WebGoat - * @created October 28, 2003 - */ -public class LessonSource extends HammerHead { - - /** - * - */ - private static final long serialVersionUID = 2588430536196446145L; - - /** - * Description of the Field - */ - public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE"; - - public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE"; - - /** - * Description of the Method - * - * @param request Description of the Parameter - * @param response Description of the Parameter - * @exception IOException Description of the Exception - * @exception ServletException Description of the Exception - */ - public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { - String source = null; - - try { - // System.out.println( "Entering doPost: " ); - // System.out.println( " - request " + request); - // System.out.println( " - principle: " + request.getUserPrincipal() - // ); - // setCacheHeaders(response, 0); - WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION); - // FIXME: Too much in this call. - session.update(request, response, this.getServletName()); - - boolean showSolution = session.getParser().getBooleanParameter("solution", false); - boolean showSource = session.getParser().getBooleanParameter("source", false); - if (showSolution) { - - // Get the Java solution of the lesson. - source = getSolution(session); - - int scr = session.getCurrentScreen(); - Course course = session.getCourse(); - AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); - lesson.getLessonTracker(session).setViewedSolution(true); - - } else if (showSource) { - - // Get the Java source of the lesson. 
FIXME: Not needed - source = getSource(session); - - int scr = session.getCurrentScreen(); - Course course = session.getCourse(); - AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); - lesson.getLessonTracker(session).setViewedSource(true); - } - } catch (Throwable t) { - t.printStackTrace(); - log("ERROR: " + t); - } finally { - try { - this.writeSource(source, response); - } catch (Throwable thr) { - thr.printStackTrace(); - log(request, "Could not write error screen: " + thr.getMessage()); - } - // System.out.println( "Leaving doPost: " ); - - } - } - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected String getSource(WebSession s) { - - String source = null; - int scr = s.getCurrentScreen(); - Course course = s.getCourse(); - - if (s.isUser() || s.isChallenge()) { - - AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); - - if (lesson != null) { - source = lesson.getSource(s); - } - } - if (source == null) { - return "Source code is not available. Contact " - + s.getWebgoatContext().getFeedbackAddressHTML(); - } - return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP, - "Code Section Deliberately Omitted")); - } - - protected String getSolution(WebSession s) { - - String source = null; - int scr = s.getCurrentScreen(); - Course course = s.getCourse(); - - if (s.isUser() || s.isChallenge()) { - - AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); - - if (lesson != null) { - source = lesson.getSolution(s); - } - } - if (source == null) { - return "Solution is not available. 
Contact " - + s.getWebgoatContext().getFeedbackAddressHTML(); - } - return (source); - } - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @param response Description of the Parameter - * @exception IOException Description of the Exception - */ - protected void writeSource(String s, HttpServletResponse response) throws IOException { - response.setContentType("text/html"); - - PrintWriter out = response.getWriter(); - - if (s == null) { - s = new String(); - } - - out.print(s); - out.close(); - } -} +package org.owasp.webgoat; + +import java.io.IOException; +import java.io.PrintWriter; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.session.Course; +import org.owasp.webgoat.session.WebSession; + +/** + * ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository + * for free software projects. + * + * For details, please see http://webgoat.github.io + * + * @author Bruce Mayhew WebGoat + * @since October 28, 2003 + * @version $Id: $Id + */ +public class LessonSource extends HammerHead { + + /** + * + */ + private static final long serialVersionUID = 2588430536196446145L; + + /** + * Description of the Field + */ + public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE"; + + /** Constant END_SOURCE_SKIP="END_OMIT_SOURCE" */ + public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE"; + + /** + * {@inheritDoc} + * + * Description of the Method + * @exception IOException Description of the Exception + * @exception ServletException Description of the Exception + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { + String source = null; + + try { + // System.out.println( "Entering doPost: " ); + // System.out.println( " - request " + request); + // System.out.println( " - principle: " + request.getUserPrincipal() + // ); + // setCacheHeaders(response, 0); + WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION); + // FIXME: Too much in this call. + session.update(request, response, this.getServletName()); + + boolean showSolution = session.getParser().getBooleanParameter("solution", false); + boolean showSource = session.getParser().getBooleanParameter("source", false); + if (showSolution) { + + // Get the Java solution of the lesson. + source = getSolution(session); + + int scr = session.getCurrentScreen(); + Course course = session.getCourse(); + AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); + lesson.getLessonTracker(session).setViewedSolution(true); + + } else if (showSource) { + + // Get the Java source of the lesson. 
FIXME: Not needed + source = getSource(session); + + int scr = session.getCurrentScreen(); + Course course = session.getCourse(); + AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); + lesson.getLessonTracker(session).setViewedSource(true); + } + } catch (Throwable t) { + t.printStackTrace(); + log("ERROR: " + t); + } finally { + try { + this.writeSource(source, response); + } catch (Throwable thr) { + thr.printStackTrace(); + log(request, "Could not write error screen: " + thr.getMessage()); + } + // System.out.println( "Leaving doPost: " ); + + } + } + + /** + * Description of the Method + * + * @param s Description of the Parameter + * @return Description of the Return Value + */ + protected String getSource(WebSession s) { + + String source = null; + int scr = s.getCurrentScreen(); + Course course = s.getCourse(); + + if (s.isUser() || s.isChallenge()) { + + AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); + + if (lesson != null) { + source = lesson.getSource(s); + } + } + if (source == null) { + return "Source code is not available. Contact " + + s.getWebgoatContext().getFeedbackAddressHTML(); + } + return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP, + "Code Section Deliberately Omitted")); + } + + /** + *

getSolution.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @return a {@link java.lang.String} object.
+ */
+ protected String getSolution(WebSession s) {
+
+ String source = null;
+ int scr = s.getCurrentScreen();
+ Course course = s.getCourse();
+
+ if (s.isUser() || s.isChallenge()) {
+
+ AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
+
+ if (lesson != null) {
+ source = lesson.getSolution(s);
+ }
+ }
+ if (source == null) {
+ return "Solution is not available. Contact "
+ + s.getWebgoatContext().getFeedbackAddressHTML();
+ }
+ return (source);
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param s Description of the Parameter
+ * @param response Description of the Parameter
+ * @exception IOException Description of the Exception
+ * @throws java.io.IOException if any.
+ */
+ protected void writeSource(String s, HttpServletResponse response) throws IOException {
+ response.setContentType("text/html");
+
+ PrintWriter out = response.getWriter();
+
+ if (s == null) {
+ s = new String();
+ }
+
+ out.print(s);
+ out.close();
+ }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/application/Application.java b/webgoat-container/src/main/java/org/owasp/webgoat/application/Application.java
index 9f7f156f4..7ad64dbb5 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/application/Application.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/application/Application.java
@@ -12,6 +12,7 @@ import org.apache.commons.lang3.builder.ToStringBuilder;
 * Singleton which is created on context startup
 *
 * @author rlawson
+ * @version $Id: $Id
 */
 public class Application {
@@ -21,6 +22,11 @@ public class Application {
 }
+ /**
+ *
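Review bot: writeSource ends up with both `@exception IOException Description of the Exception` and the newly added `@throws java.io.IOException if any.`, documenting the same exception twice with placeholder text; keep a single `@throws IOException if the response writer cannot be obtained or written`. The new getSolution javadoc (`@param s a {@link org.owasp.webgoat.session.WebSession} object.`, `@return a {@link java.lang.String} object.`) only restates the types, whereas the body shows what is worth saying: `@return the solution text of the lesson on the current screen when the session is a user or challenge session and the lesson exists, otherwise a "not available" message that embeds the feedback address HTML`. As with Catcher.java, the whole file is removed and re-added (presumably line endings), which hides the three real documentation changes in this hunk; a separate whitespace commit would make them reviewable.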

getInstance.

+ *
+ * @return a {@link org.owasp.webgoat.application.Application} object.
+ */
 public static final Application getInstance() {
 return INSTANCE;
 }
@@ -30,6 +36,8 @@ public class Application {
 private String name = "WebGoat";
 /**
+ *
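Review bot: The `getInstance.` summary and `@return a {@link org.owasp.webgoat.application.Application} object.` are generated filler that name the method and its type without saying what is returned. The class comment already states this is a singleton created on context startup, so the method can say so: `Returns the single Application instance for this webapp.` with `@return the shared instance`. Whether that instance can ever be null depends on how `INSTANCE` is initialised, which is outside the hunk, so confirm before adding a `never null` promise.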

Getter for the field version.

+ *
 * @return the version
 */
 public String getVersion() {
@@ -37,6 +45,8 @@ public class Application {
 }
 /**
+ *

Setter for the field version.

+ *
 * @param version the version to set
 */
 public void setVersion(String version) {
@@ -46,6 +56,8 @@ public class Application {
 }
 /**
+ *

Getter for the field build.

+ *
 * @return the build
 */
 public String getBuild() {
@@ -53,6 +65,8 @@ public class Application {
 }
 /**
+ *

Setter for the field build.

+ *
 * @param build the build to set
 */
 public void setBuild(String build) {
@@ -62,6 +76,8 @@ public class Application {
 }
 /**
+ *

Getter for the field name.

+ *
 * @return the name
 */
 public String getName() {
@@ -69,6 +85,8 @@ public class Application {
 }
 /**
+ *

Setter for the field name.

+ *
 * @param name the name to set
 */
 public void setName(String name) {
@@ -77,6 +95,7 @@ public class Application {
 }
 }
+ /** {@inheritDoc} */
 @Override
 public String toString() {
 return new ToStringBuilder(this).
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java b/webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java
index 2a0789cfc..8b770cff5 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java
@@ -17,9 +17,11 @@ import java.util.jar.Manifest;
 * Web application lifecycle listener.
 *
 * @author rlawson
+ * @version $Id: $Id
 */
 public class WebGoatServletListener implements ServletContextListener {
+ /** {@inheritDoc} */
 @Override
 public void contextInitialized(ServletContextEvent sce) {
 ServletContext context = sce.getServletContext();
@@ -27,6 +29,7 @@ public class WebGoatServletListener implements ServletContextListener {
 setApplicationVariables(context);
 }
+ /** {@inheritDoc} */
 @Override
 public void contextDestroyed(ServletContextEvent sce) {
 ServletContext context = sce.getServletContext();
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/controller/About.java b/webgoat-container/src/main/java/org/owasp/webgoat/controller/About.java
index 479f83a74..094d9285f 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/controller/About.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/controller/About.java
@@ -16,8 +16,10 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.servlet.ModelAndView;
 /**
+ *

About class.

* * @author rlawson + * @version $Id: $Id */ @Controller public class About { @@ -25,6 +27,14 @@ public class About { final Logger logger = LoggerFactory.getLogger(About.class); private static final String WELCOMED = "welcomed"; + /** + *

welcome.

+ * + * @param request a {@link javax.servlet.http.HttpServletRequest} object. + * @param error a {@link java.lang.String} object. + * @param logout a {@link java.lang.String} object. + * @return a {@link org.springframework.web.servlet.ModelAndView} object. + */ @RequestMapping(value = "about.mvc", method = RequestMethod.GET) public ModelAndView welcome(HttpServletRequest request, @RequestParam(value = "error", required = false) String error, diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/controller/Login.java b/webgoat-container/src/main/java/org/owasp/webgoat/controller/Login.java index 612c1d727..6f9021f19 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/controller/Login.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/controller/Login.java @@ -12,12 +12,21 @@ import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.servlet.ModelAndView; /** + *
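Review bot: The Javadoc added above `About.welcome` documents parameter types rather than meaning: `welcome.` as the summary and `@param error a {@link java.lang.String} object.` tell a reader nothing that the signature does not, and the same generated stubs appear on Login.login, Logout.logout, Start.start and Welcome.welcome in the later hunks. The visible `@RequestParam(value = "error", required = false)` binding supports `@param error value of the optional {@code error} request parameter, or {@code null} when absent`, with the matching wording for `logout`; the summary should say which view the GET to `about.mvc` renders, which presumably is the about page given the mapping, though the method body lies outside the hunk. Since these are request-driven inputs, stating that they are nullable is the part a caller or reviewer most needs.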

Login class.

* * @author rlawson + * @version $Id: $Id */ @Controller public class Login { + /** + *

login.

+ * + * @param error a {@link java.lang.String} object. + * @param logout a {@link java.lang.String} object. + * @return a {@link org.springframework.web.servlet.ModelAndView} object. + */ @RequestMapping(value = "login.mvc", method = RequestMethod.GET) public ModelAndView login( @RequestParam(value = "error", required = false) String error, diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/controller/Logout.java b/webgoat-container/src/main/java/org/owasp/webgoat/controller/Logout.java index 2c2e39a85..92e236a1c 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/controller/Logout.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/controller/Logout.java @@ -14,14 +14,23 @@ import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.servlet.ModelAndView; /** + *

Logout class.

* * @author rlawson + * @version $Id: $Id */ @Controller public class Logout { final Logger logger = LoggerFactory.getLogger(Logout.class); + /** + *

logout.

+ * + * @param error a {@link java.lang.String} object. + * @param logout a {@link java.lang.String} object. + * @return a {@link org.springframework.web.servlet.ModelAndView} object. + */ @RequestMapping(value = "logout.mvc", method = RequestMethod.GET) public ModelAndView logout( @RequestParam(value = "error", required = false) String error, diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/controller/Start.java b/webgoat-container/src/main/java/org/owasp/webgoat/controller/Start.java index efaa1ce5f..300209a9d 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/controller/Start.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/controller/Start.java @@ -24,8 +24,10 @@ import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.servlet.ModelAndView; /** + *

Start class.

* * @author rlawson + * @version $Id: $Id */ @Controller public class Start { @@ -37,6 +39,14 @@ public class Start { @Autowired private ServletContext servletContext; + /** + *

start.

+ * + * @param request a {@link javax.servlet.http.HttpServletRequest} object. + * @param error a {@link java.lang.String} object. + * @param logout a {@link java.lang.String} object. + * @return a {@link org.springframework.web.servlet.ModelAndView} object. + */ @RequestMapping(value = "start.mvc", method = {RequestMethod.GET, RequestMethod.POST}) public ModelAndView start(HttpServletRequest request, @RequestParam(value = "error", required = false) String error, @@ -82,6 +92,12 @@ public class Start { return role; } + /** + *

checkWebSession.

+ * + * @param session a {@link javax.servlet.http.HttpSession} object. + * @return a boolean. + */ public boolean checkWebSession(HttpSession session) { Object o = session.getAttribute(WebSession.SESSION); if (o == null) { diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java b/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java index 5d2f9e93b..050b0a79f 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java @@ -16,8 +16,10 @@ import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.servlet.ModelAndView; /** + *
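Review bot: `@return a boolean.` on `Start.checkWebSession` leaves the contract of a session-state check undocumented, which is the one thing a caller deciding whether a user session is established needs to know. The visible body reads `session.getAttribute(WebSession.SESSION)` and branches on `null`, so the tag should at least say what the result means, along the lines of `@return {@code true} if the HTTP session already holds a {@link WebSession} under {@code WebSession.SESSION}; {@code false} otherwise` — to be confirmed, since the rest of the method body is outside the hunk. Likewise `@param session a {@link javax.servlet.http.HttpSession} object.` should name it as the caller's current HTTP session.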

Welcome class.

* * @author rlawson + * @version $Id: $Id */ @Controller public class Welcome { @@ -25,6 +27,14 @@ public class Welcome { final Logger logger = LoggerFactory.getLogger(Welcome.class); private static final String WELCOMED = "welcomed"; + /** + *

welcome.

+ * + * @param request a {@link javax.servlet.http.HttpServletRequest} object. + * @param error a {@link java.lang.String} object. + * @param logout a {@link java.lang.String} object. + * @return a {@link org.springframework.web.servlet.ModelAndView} object. + */ @RequestMapping(value = "welcome.mvc", method = RequestMethod.GET) public ModelAndView welcome(HttpServletRequest request, @RequestParam(value = "error", required = false) String error, diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java index 45bfea76f..4ec41095e 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java 
@@ -1,836 +1,1029 @@ -package org.owasp.webgoat.lessons; - -import org.apache.ecs.Element; -import org.apache.ecs.ElementContainer; -import org.apache.ecs.StringElement; -import org.apache.ecs.html.Body; -import org.apache.ecs.html.Form; -import org.apache.ecs.html.Head; -import org.apache.ecs.html.Html; -import org.apache.ecs.html.IMG; -import org.apache.ecs.html.PRE; -import org.apache.ecs.html.Title; -import org.owasp.webgoat.session.ParameterNotFoundException; -import org.owasp.webgoat.session.Screen; -import org.owasp.webgoat.session.WebSession; -import org.owasp.webgoat.session.WebgoatContext; -import org.owasp.webgoat.session.WebgoatProperties; -import org.owasp.webgoat.util.BeanProvider; -import org.owasp.webgoat.util.LabelManager; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import java.io.BufferedReader; -import java.io.File; -import java.io.FileNotFoundException; -import java.io.FileReader; -import java.io.InputStreamReader; -import java.io.StringReader; -import java.net.HttpURLConnection; -import java.net.URL; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; -import java.util.HashMap; -import java.util.LinkedList; -import java.util.List; -import java.util.Map; - -/** - * ************************************************************************************************* - *

- *

- * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ - *

- * Copyright (c) 2002 - 20014 Bruce Mayhew - *

- * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. - *

- * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. - *

- * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. - *

- * Getting Source ============== - *

- * Source for this application is maintained at - * https://github.com/WebGoat/WebGoat, a repository for free software projects. - *

- * For details, please see http://webgoat.github.io - * - * @author Bruce Mayhew WebGoat - * @created October 28, 2003 - */ -public abstract class AbstractLesson extends Screen implements Comparable { - - private static final Logger logger = LoggerFactory.getLogger(AbstractLesson.class); - - /** - * Description of the Field - */ - public final static String ADMIN_ROLE = "admin"; - - public final static String CHALLENGE_ROLE = "challenge"; - - /** - * Description of the Field - */ - public final static String HACKED_ADMIN_ROLE = "hacked_admin"; - - /** - * Description of the Field - */ - public final static String USER_ROLE = "user"; - - private static int count = 1; - - private Integer id = null; - - final static IMG nextGrey = new IMG("images/right16.gif").setAlt("Next").setBorder(0).setHspace(0).setVspace(0); - - final static IMG previousGrey = new IMG("images/left14.gif").setAlt("Previous").setBorder(0).setHspace(0) - .setVspace(0); - - private Integer ranking; - - private Category category; - - private boolean hidden; - - private String sourceFileName; - - private Map lessonPlanFileName = new HashMap(); - - private String lessonSolutionFileName; - - private WebgoatContext webgoatContext; - - private LinkedList availableLanguages = new LinkedList(); - - private String defaultLanguage = "en"; - - private LabelManager labelManager = null; - - /** - * Constructor for the Lesson object - */ - public AbstractLesson() { - id = new Integer(++count); - } - - public String getName() { - String className = getClass().getName(); - return className.substring(className.lastIndexOf('.') + 1); - } - - public void setRanking(Integer ranking) { - this.ranking = ranking; - } - - public void setHidden(boolean hidden) { - this.hidden = hidden; - } - - public void update(WebgoatProperties properties) { - String className = getClass().getName(); - className = className.substring(className.lastIndexOf(".") + 1); - setRanking(new Integer(properties.getIntProperty("lesson." 
+ className + ".ranking", getDefaultRanking() - .intValue()))); - String categoryRankingKey = "category." + getDefaultCategory().getName() + ".ranking"; - // System.out.println("Category ranking key: " + categoryRankingKey); - Category tempCategory = Category.getCategory(getDefaultCategory().getName()); - tempCategory.setRanking(new Integer(properties.getIntProperty(categoryRankingKey, getDefaultCategory() - .getRanking().intValue()))); - category = tempCategory; - setHidden(properties.getBooleanProperty("lesson." + className + ".hidden", getDefaultHidden())); - // System.out.println(className + " in " + tempCategory.getName() + " - // (Category Ranking: " + tempCategory.getRanking() + " Lesson ranking: - // " + getRanking() + ", hidden:" + hidden +")"); - } - - public boolean isCompleted(WebSession s) { - return getLessonTracker(s, this).getCompleted(); - } - - /** - * Gets the credits attribute of the AbstractLesson object - * - * @return The credits value - * @deprecated - Credits have moved to the about page - */ - public abstract Element getCredits(); - - /** - * Description of the Method - * - * @param obj Description of the Parameter - * @return Description of the Return Value - */ - public int compareTo(Object obj) { - return this.getRanking().compareTo(((AbstractLesson) obj).getRanking()); - } - - /** - * Description of the Method - * - * @param obj Description of the Parameter - * @return Description of the Return Value - */ - public boolean equals(Object obj) { - return this.getScreenId() == ((AbstractLesson) obj).getScreenId(); - } - - /** - * Gets the category attribute of the Lesson object - * - * @return The category value - */ - public Category getCategory() { - return category; - } - - protected abstract Integer getDefaultRanking(); - - protected abstract Category getDefaultCategory(); - - protected abstract boolean getDefaultHidden(); - - /** - * Gets the fileMethod attribute of the Lesson class - * - * @param reader Description of the Parameter - 
* @param methodName Description of the Parameter - * @param numbers Description of the Parameter - * @return The fileMethod value - */ - public static String getFileMethod(BufferedReader reader, String methodName, boolean numbers) { - int count = 0; - StringBuffer sb = new StringBuffer(); - boolean echo = false; - boolean startCount = false; - int parenCount = 0; - - try { - String line; - - while ((line = reader.readLine()) != null) { - if ((line.indexOf(methodName) != -1) - && ((line.indexOf("public") != -1) || (line.indexOf("protected") != -1) || (line - .indexOf("private") != -1))) { - echo = true; - startCount = true; - } - - if (echo && startCount) { - if (numbers) { - sb.append(pad(++count) + " "); - } - - sb.append(line + "\n"); - } - - if (echo && (line.indexOf("{") != -1)) { - parenCount++; - } - - if (echo && (line.indexOf("}") != -1)) { - parenCount--; - - if (parenCount == 0) { - startCount = false; - echo = false; - } - } - } - - reader.close(); - } catch (Exception e) { - System.out.println(e); - e.printStackTrace(); - } - - return (sb.toString()); - } - - /** - * Reads text from a file into an ElementContainer. Each line in the file is - * represented in the ElementContainer by a StringElement. Each - * StringElement is appended with a new-line character. 
- * - * @param reader Description of the Parameter - * @param numbers Description of the Parameter - * @return Description of the Return Value - */ - public static String readFromFile(BufferedReader reader, boolean numbers) { - return (getFileText(reader, numbers)); - } - - /** - * Gets the fileText attribute of the Screen class - * - * @param reader Description of the Parameter - * @param numbers Description of the Parameter - * @return The fileText value - */ - public static String getFileText(BufferedReader reader, boolean numbers) { - int count = 0; - StringBuffer sb = new StringBuffer(); - - try { - String line; - - while ((line = reader.readLine()) != null) { - if (numbers) { - sb.append(pad(++count) + " "); - } - sb.append(line + System.getProperty("line.separator")); - } - - reader.close(); - } catch (Exception e) { - System.out.println(e); - e.printStackTrace(); - } - - return (sb.toString()); - } - - /** - * Will this screen be included in an enterprise edition. - * - * @return The ranking value - */ - public boolean isEnterprise() { - return false; - } - - /** - * Gets the hintCount attribute of the Lesson object - * - * @param s The user's WebSession - * @return The hintCount value - */ - public int getHintCount(WebSession s) { - return getHints(s).size(); - } - - protected abstract List getHints(WebSession s); - - // @TODO we need to restrict access at the service layer - // rather than passing session object around - public List getHintsPublic(WebSession s) { - List hints = getHints(s); - return hints; - } - - /** - * Fill in a minor hint that will help people who basically get it, but are - * stuck on somthing silly. 
- * - * @param s The users WebSession - * @return The hint1 value - */ - public String getHint(WebSession s, int hintNumber) { - return "Hint: " + getHints(s).get(hintNumber); - } - - /** - * Gets the instructions attribute of the AbstractLesson object - * - * @return The instructions value - */ - public abstract String getInstructions(WebSession s); - - /** - * Gets the lessonPlan attribute of the Lesson object - * - * @return The lessonPlan value - */ - protected String getLessonName() { - return this.getClass().getSimpleName(); - } - - /** - * Gets the title attribute of the HelloScreen object - * - * @return The title value - */ - public abstract String getTitle(); - - /** - * Gets the content of lessonPlanURL - * - * @param s The user's WebSession - * @return The HTML content of the current lesson plan - */ - public String getLessonPlan(WebSession s) { - StringBuffer src = new StringBuffer(); - String lang = s.getCurrrentLanguage(); - - try { - // System.out.println("Loading lesson plan file: " + - // getLessonPlanFileName()); - String filename = getLessonPlanFileName(lang); - if (filename == null) { - filename = getLessonPlanFileName(getDefaultLanguage()); - - } - - src.append(readFromFile(new BufferedReader(new FileReader(filename)), false)); - - } catch (Exception e) { - // s.setMessage( "Could not find lesson plan for " + - // getLessonName()); - src = new StringBuffer("Could not find lesson plan for: " + getLessonName() + " and language " + lang); - - } - return src.toString(); - } - - /** - * Gets the ranking attribute of the Lesson object - * - * @return The ranking value - */ - public Integer getRanking() { - if (ranking != null) { - return ranking; - } else { - return getDefaultRanking(); - } - } - - /** - * Gets the hidden value of the Lesson Object - * - * @return The hidden value - */ - public boolean getHidden() { - return this.hidden; - } - - /** - * Gets the role attribute of the AbstractLesson object - * - * @return The role value - */ - public 
String getRole() { - // FIXME: Each lesson should have a role assigned to it. Each - // user/student - // should also have a role(s) assigned. The user would only be allowed - // to see lessons that correspond to their role. Eventually these roles - // will be stored in the internal database. The user will be able to - // hack - // into the database and change their role. This will allow the user to - // see the admin screens, once they figure out how to turn the admin - // switch on. - return USER_ROLE; - } - - /** - * Gets the uniqueID attribute of the AbstractLesson object - * - * @return The uniqueID value - */ - public int getScreenId() { - return id.intValue(); - } - - public String getHtml_DELETE_ME(WebSession s) { - String html = null; - - // FIXME: This doesn't work for the labs since they do not implement - // createContent(). - String rawHtml = createContent(s).toString(); - // System.out.println("Getting raw html content: " + - // rawHtml.substring(0, Math.min(rawHtml.length(), 100))); - html = convertMetachars(AbstractLesson.readFromFile(new BufferedReader(new StringReader(rawHtml)), true)); - // System.out.println("Getting encoded html content: " + - // html.substring(0, Math.min(html.length(), 100))); - - return html; - } - - public String getSource(WebSession s) { - String source = null; - String src = null; - - try { - // System.out.println("Loading source file: " + - // getSourceFileName()); - src = convertMetacharsJavaCode(readFromFile(new BufferedReader(new FileReader(getSourceFileName())), true)); - - // TODO: For styled line numbers and better memory efficiency, - // use a custom FilterReader - // that performs the convertMetacharsJavaCode() transform plus - // optionally adds a styled - // line number. Wouldn't color syntax be great too? - } catch (Exception e) { - s.setMessage("Could not find source file"); - src = ("Could not find the source file or source file does not exist.
" - + "Send this message to: " + s.getWebgoatContext() - .getFeedbackAddress() + ""); - } - - Html html = new Html(); - - Head head = new Head(); - head.addElement(new Title(getSourceFileName())); - - Body body = new Body(); - body.addElement(new StringElement(src)); - - html.addElement(head); - html.addElement(body); - - source = html.toString(); - - return source; - } - - public String getRawSource(WebSession s) { - String src; - - try { - logger.debug("Loading source file: " + getSourceFileName()); - src = readFromFile(new BufferedReader(new FileReader(getSourceFileName())), false); - - } catch (FileNotFoundException e) { - s.setMessage("Could not find source file"); - src = ("Could not find the source file or source file does not exist.
" - + "Send this message to: " + s.getWebgoatContext() - .getFeedbackAddress() + ""); - } - - return src; - } - - public String getSolution(WebSession s) { - String src = null; - - try { - // System.out.println("Solution: " + getLessonSolutionFileName()); - src = readFromFile(new BufferedReader(new FileReader(getLessonSolutionFileName())), false); - } catch (Exception e) { - logger.error("Could not find solution for {}", getLessonSolutionFileName()); - s.setMessage("Could not find the solution file"); - src = ("Could not find the solution file or solution file does not exist.
" - + "Send this message to: " + s.getWebgoatContext() - .getFeedbackAddress() + ""); - } - - // Solutions are html files - return src; - } - - /** - *

- * Returns the default "path" portion of a lesson's URL.

- *

- *

- * Legacy webgoat lesson links are of the form - * "attack?Screen=Xmenu=Ystage=Z". This method returns the path portion of - * the url, i.e., "attack" in the string above.

- *

- *

- * Newer, Spring-Controller-based classes will override this method to - * return "*.do"-styled paths.

- */ - protected String getPath() { - return "#attack"; - } - - /** - * Get the link that can be used to request this screen. - * - * @return - */ - public String getLink() { - StringBuffer link = new StringBuffer(); - - // mvc update: - link.append(getPath()).append("/"); - link.append(getScreenId()); - link.append("/"); - link.append(getCategory().getRanking()); - - return link.toString(); - } - - /** - * Get the link to the jsp page used to render this screen. - * - * @return - */ - public String getPage(WebSession s) { - return null; - } - - /** - * Get the link to the jsp template page used to render this screen. - * - * @return - */ - public String getTemplatePage(WebSession s) { - return null; - } - - public abstract String getCurrentAction(WebSession s); - - public abstract void setCurrentAction(WebSession s, String lessonScreen); - - /** - * Override this method to implement accesss control in a lesson. - * - * @param s - * @param functionId - * @return - */ - public boolean isAuthorized(WebSession s, int employeeId, String functionId) { - return false; - } - - /** - * Override this method to implement accesss control in a lesson. 
- * - * @param s - * @param functionId - * @return - */ - public boolean isAuthorized(WebSession s, String role, String functionId) { - logger.info("Checking if " + role + " authorized for: " + functionId); - boolean authorized = false; - try { - String query = "SELECT * FROM auth WHERE role = '" + role + "' and functionid = '" + functionId + "'"; - try { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - authorized = answer_results.first(); - logger.info("authorized: " + authorized); - } catch (SQLException sqle) { - s.setMessage("Error authorizing"); - logger.error("Error authorizing", sqle); - } - } catch (Exception e) { - s.setMessage("Error authorizing"); - logger.error("Error authorizing", e); - } - return authorized; - } - - public int getUserId(WebSession s) throws ParameterNotFoundException { - return -1; - } - - public String getUserName(WebSession s) throws ParameterNotFoundException { - return null; - } - - /** - * Description of the Method - * - * @param windowName Description of the Parameter - * @return Description of the Return Value - */ - public static String makeWindowScript(String windowName) { - // FIXME: make this string static - StringBuffer script = new StringBuffer(); - script.append("\n"); - - return script.toString(); - } - - /** - * Simply reads a url into an Element for display. 
CAUTION: you might want - * to tinker with any non-https links (href) - * - * @param url Description of the Parameter - * @return Description of the Return Value - */ - public static Element readFromURL(String url) { - ElementContainer ec = new ElementContainer(); - - try { - URL u = new URL(url); - HttpURLConnection huc = (HttpURLConnection) u.openConnection(); - BufferedReader reader = new BufferedReader(new InputStreamReader(huc.getInputStream())); - String line; - - while ((line = reader.readLine()) != null) { - ec.addElement(new StringElement(line)); - } - - reader.close(); - } catch (Exception e) { - System.out.println(e); - e.printStackTrace(); - } - - return (ec); - } - - /** - * Description of the Method - * - * @param reader Description of the Parameter - * @param numbers Description of the Parameter - * @param methodName Description of the Parameter - * @return Description of the Return Value - */ - public static Element readMethodFromFile(BufferedReader reader, String methodName, boolean numbers) { - PRE pre = new PRE().addElement(getFileMethod(reader, methodName, numbers)); - - return (pre); - } - - /** - * Description of the Method - * - * @param s Description of the Parameter - */ - public void handleRequest(WebSession s) { - // call createContent first so messages will go somewhere - Form form = new Form(getFormAction(), Form.POST).setName("form").setEncType(""); - form.addElement(createContent(s)); - setContent(form); - s.getRequest().getRequestURL(); - } - - public String getFormAction() { - return getLink(); - } - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - public String toString() { - return getTitle(); - } - - public String getDefaultLanguage() { - return this.defaultLanguage; - } - - public String getLessonPlanFileName(String lang) { - String ret = lessonPlanFileName.get(lang); - if (ret == null) { - ret = lessonPlanFileName.get(getDefaultLanguage()); - } 
- return ret; - } - - public void setLessonPlanFileName(String lang, String lessonPlanFileName) { - this.lessonPlanFileName.put(lang, lessonPlanFileName); - this.availableLanguages.add(lang); - } - - public List getAvailableLanguages() { - return this.availableLanguages; - } - - public String getLessonSolutionFileName() { - return lessonSolutionFileName; - } - - public void setLessonSolutionFileName(String lessonSolutionFileName) { - this.lessonSolutionFileName = lessonSolutionFileName; - } - - public String getSourceFileName() { - return sourceFileName; - } - - public void setSourceFileName(String sourceFileName) { - logger.debug("Setting source file of lesson " + this + " to: " + sourceFileName); - this.sourceFileName = sourceFileName; - } - - public WebgoatContext getWebgoatContext() { - return webgoatContext; - } - - public void setWebgoatContext(WebgoatContext webgoatContext) { - this.webgoatContext = webgoatContext; - } - - protected LabelManager getLabelManager() { - if (labelManager == null) { - labelManager = BeanProvider.getBean("labelManager", LabelManager.class); - } - return labelManager; - } - - /** - * A reference from an image, script and link tag must include the context path. - *

- * A reference in include directives are made from within the web application on the server. - * However, img tags (and the like) make references from the client browser. - * In such external references, the context path must be included. - */ - protected final String buildImagePath(WebSession w, String imgResourceName) { - return w.getRequest() - .getContextPath() + "/plugin_extracted/plugin/" + getLessonName() + "/images/" + imgResourceName; - } - - - protected final String buildJspPath(WebSession w, String jspResourceName, boolean includeContextPath) { - String path = includeContextPath ? w.getContext().getContextPath() : ""; - return path + "/plugin_extracted/plugin/" + getLessonName() + "/jsp/" + jspResourceName; - } - - protected final String buildJsPath(WebSession w, String jsResourceName) { - return w.getRequest() - .getContextPath() + "/plugin_extracted/plugin/" + getLessonName() + "/js/" + jsResourceName; - } - - protected final File getLessonDirectory(WebSession w) { - return new File(w.getContext().getRealPath("/plugin_extracted/plugin/" + getLessonName() + "/")); - } - -} +package org.owasp.webgoat.lessons; + +import org.apache.ecs.Element; +import org.apache.ecs.ElementContainer; +import org.apache.ecs.StringElement; +import org.apache.ecs.html.Body; +import org.apache.ecs.html.Form; +import org.apache.ecs.html.Head; +import org.apache.ecs.html.Html; +import org.apache.ecs.html.IMG; +import org.apache.ecs.html.PRE; +import org.apache.ecs.html.Title; +import org.owasp.webgoat.session.ParameterNotFoundException; +import org.owasp.webgoat.session.Screen; +import org.owasp.webgoat.session.WebSession; +import org.owasp.webgoat.session.WebgoatContext; +import org.owasp.webgoat.session.WebgoatProperties; +import org.owasp.webgoat.util.BeanProvider; +import org.owasp.webgoat.util.LabelManager; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.BufferedReader; +import java.io.File; +import java.io.FileNotFoundException; +import 
java.io.FileReader; +import java.io.InputStreamReader; +import java.io.StringReader; +import java.net.HttpURLConnection; +import java.net.URL; +import java.sql.ResultSet; +import java.sql.SQLException; +import java.sql.Statement; +import java.util.HashMap; +import java.util.LinkedList; +import java.util.List; +import java.util.Map; + +/** + ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. 
+ * + * For details, please see http://webgoat.github.io + * + * @author Bruce Mayhew WebGoat + * @since October 28, 2003 + * @version $Id: $Id + */ +public abstract class AbstractLesson extends Screen implements Comparable { + + private static final Logger logger = LoggerFactory.getLogger(AbstractLesson.class); + + /** + * Description of the Field + */ + public final static String ADMIN_ROLE = "admin"; + + /** Constant CHALLENGE_ROLE="challenge" */ + public final static String CHALLENGE_ROLE = "challenge"; + + /** + * Description of the Field + */ + public final static String HACKED_ADMIN_ROLE = "hacked_admin"; + + /** + * Description of the Field + */ + public final static String USER_ROLE = "user"; + + private static int count = 1; + + private Integer id = null; + + final static IMG nextGrey = new IMG("images/right16.gif").setAlt("Next").setBorder(0).setHspace(0).setVspace(0); + + final static IMG previousGrey = new IMG("images/left14.gif").setAlt("Previous").setBorder(0).setHspace(0) + .setVspace(0); + + private Integer ranking; + + private Category category; + + private boolean hidden; + + private String sourceFileName; + + private Map lessonPlanFileName = new HashMap(); + + private String lessonSolutionFileName; + + private WebgoatContext webgoatContext; + + private LinkedList availableLanguages = new LinkedList(); + + private String defaultLanguage = "en"; + + private LabelManager labelManager = null; + + /** + * Constructor for the Lesson object + */ + public AbstractLesson() { + id = new Integer(++count); + } + + /** + *

getName.

+ * + * @return a {@link java.lang.String} object. + */ + public String getName() { + String className = getClass().getName(); + return className.substring(className.lastIndexOf('.') + 1); + } + + /** + *

Setter for the field ranking.

+ * + * @param ranking a {@link java.lang.Integer} object. + */ + public void setRanking(Integer ranking) { + this.ranking = ranking; + } + + /** + *

Setter for the field hidden.

+ * + * @param hidden a boolean. + */ + public void setHidden(boolean hidden) { + this.hidden = hidden; + } + + /** + *

update.

+ * + * @param properties a {@link org.owasp.webgoat.session.WebgoatProperties} object. + */ + public void update(WebgoatProperties properties) { + String className = getClass().getName(); + className = className.substring(className.lastIndexOf(".") + 1); + setRanking(new Integer(properties.getIntProperty("lesson." + className + ".ranking", getDefaultRanking() + .intValue()))); + String categoryRankingKey = "category." + getDefaultCategory().getName() + ".ranking"; + // System.out.println("Category ranking key: " + categoryRankingKey); + Category tempCategory = Category.getCategory(getDefaultCategory().getName()); + tempCategory.setRanking(new Integer(properties.getIntProperty(categoryRankingKey, getDefaultCategory() + .getRanking().intValue()))); + category = tempCategory; + setHidden(properties.getBooleanProperty("lesson." + className + ".hidden", getDefaultHidden())); + // System.out.println(className + " in " + tempCategory.getName() + " + // (Category Ranking: " + tempCategory.getRanking() + " Lesson ranking: + // " + getRanking() + ", hidden:" + hidden +")"); + } + + /** + *

isCompleted.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @return a boolean. + */ + public boolean isCompleted(WebSession s) { + return getLessonTracker(s, this).getCompleted(); + } + + /** + * Gets the credits attribute of the AbstractLesson object + * + * @return The credits value + * @deprecated - Credits have moved to the about page + */ + public abstract Element getCredits(); + + /** + * {@inheritDoc} + * + * Description of the Method + */ + public int compareTo(Object obj) { + return this.getRanking().compareTo(((AbstractLesson) obj).getRanking()); + } + + /** + * {@inheritDoc} + * + * Description of the Method + */ + public boolean equals(Object obj) { + return this.getScreenId() == ((AbstractLesson) obj).getScreenId(); + } + + /** + * Gets the category attribute of the Lesson object + * + * @return The category value + */ + public Category getCategory() { + return category; + } + + /** + *

getDefaultRanking.

+ * + * @return a {@link java.lang.Integer} object. + */ + protected abstract Integer getDefaultRanking(); + + /** + *

getDefaultCategory.

+ * + * @return a {@link org.owasp.webgoat.lessons.Category} object. + */ + protected abstract Category getDefaultCategory(); + + /** + *

getDefaultHidden.

+ * + * @return a boolean. + */ + protected abstract boolean getDefaultHidden(); + + /** + * Gets the fileMethod attribute of the Lesson class + * + * @param reader Description of the Parameter + * @param methodName Description of the Parameter + * @param numbers Description of the Parameter + * @return The fileMethod value + */ + public static String getFileMethod(BufferedReader reader, String methodName, boolean numbers) { + int count = 0; + StringBuffer sb = new StringBuffer(); + boolean echo = false; + boolean startCount = false; + int parenCount = 0; + + try { + String line; + + while ((line = reader.readLine()) != null) { + if ((line.indexOf(methodName) != -1) + && ((line.indexOf("public") != -1) || (line.indexOf("protected") != -1) || (line + .indexOf("private") != -1))) { + echo = true; + startCount = true; + } + + if (echo && startCount) { + if (numbers) { + sb.append(pad(++count) + " "); + } + + sb.append(line + "\n"); + } + + if (echo && (line.indexOf("{") != -1)) { + parenCount++; + } + + if (echo && (line.indexOf("}") != -1)) { + parenCount--; + + if (parenCount == 0) { + startCount = false; + echo = false; + } + } + } + + reader.close(); + } catch (Exception e) { + System.out.println(e); + e.printStackTrace(); + } + + return (sb.toString()); + } + + /** + * Reads text from a file into an ElementContainer. Each line in the file is + * represented in the ElementContainer by a StringElement. Each + * StringElement is appended with a new-line character. 
+ * + * @param reader Description of the Parameter + * @param numbers Description of the Parameter + * @return Description of the Return Value + */ + public static String readFromFile(BufferedReader reader, boolean numbers) { + return (getFileText(reader, numbers)); + } + + /** + * Gets the fileText attribute of the Screen class + * + * @param reader Description of the Parameter + * @param numbers Description of the Parameter + * @return The fileText value + */ + public static String getFileText(BufferedReader reader, boolean numbers) { + int count = 0; + StringBuffer sb = new StringBuffer(); + + try { + String line; + + while ((line = reader.readLine()) != null) { + if (numbers) { + sb.append(pad(++count) + " "); + } + sb.append(line + System.getProperty("line.separator")); + } + + reader.close(); + } catch (Exception e) { + System.out.println(e); + e.printStackTrace(); + } + + return (sb.toString()); + } + + /** + * Will this screen be included in an enterprise edition. + * + * @return The ranking value + */ + public boolean isEnterprise() { + return false; + } + + /** + * Gets the hintCount attribute of the Lesson object + * + * @param s The user's WebSession + * @return The hintCount value + */ + public int getHintCount(WebSession s) { + return getHints(s).size(); + } + + /** + *

getHints.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @return a {@link java.util.List} object. + */ + protected abstract List getHints(WebSession s); + + // @TODO we need to restrict access at the service layer + // rather than passing session object around + /** + *

getHintsPublic.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @return a {@link java.util.List} object. + */ + public List getHintsPublic(WebSession s) { + List hints = getHints(s); + return hints; + } + + /** + * Fill in a minor hint that will help people who basically get it, but are + * stuck on somthing silly. + * + * @param s The users WebSession + * @return The hint1 value + * @param hintNumber a int. + */ + public String getHint(WebSession s, int hintNumber) { + return "Hint: " + getHints(s).get(hintNumber); + } + + /** + * Gets the instructions attribute of the AbstractLesson object + * + * @return The instructions value + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + */ + public abstract String getInstructions(WebSession s); + + /** + * Gets the lessonPlan attribute of the Lesson object + * + * @return The lessonPlan value + */ + protected String getLessonName() { + return this.getClass().getSimpleName(); + } + + /** + * Gets the title attribute of the HelloScreen object + * + * @return The title value + */ + public abstract String getTitle(); + + /** + * Gets the content of lessonPlanURL + * + * @param s The user's WebSession + * @return The HTML content of the current lesson plan + */ + public String getLessonPlan(WebSession s) { + StringBuffer src = new StringBuffer(); + String lang = s.getCurrrentLanguage(); + + try { + // System.out.println("Loading lesson plan file: " + + // getLessonPlanFileName()); + String filename = getLessonPlanFileName(lang); + if (filename == null) { + filename = getLessonPlanFileName(getDefaultLanguage()); + + } + + src.append(readFromFile(new BufferedReader(new FileReader(filename)), false)); + + } catch (Exception e) { + // s.setMessage( "Could not find lesson plan for " + + // getLessonName()); + src = new StringBuffer("Could not find lesson plan for: " + getLessonName() + " and language " + lang); + + } + return src.toString(); + } + + /** + * Gets the ranking attribute of the Lesson 
object + * + * @return The ranking value + */ + public Integer getRanking() { + if (ranking != null) { + return ranking; + } else { + return getDefaultRanking(); + } + } + + /** + * Gets the hidden value of the Lesson Object + * + * @return The hidden value + */ + public boolean getHidden() { + return this.hidden; + } + + /** + * Gets the role attribute of the AbstractLesson object + * + * @return The role value + */ + public String getRole() { + // FIXME: Each lesson should have a role assigned to it. Each + // user/student + // should also have a role(s) assigned. The user would only be allowed + // to see lessons that correspond to their role. Eventually these roles + // will be stored in the internal database. The user will be able to + // hack + // into the database and change their role. This will allow the user to + // see the admin screens, once they figure out how to turn the admin + // switch on. + return USER_ROLE; + } + + /** + * Gets the uniqueID attribute of the AbstractLesson object + * + * @return The uniqueID value + */ + public int getScreenId() { + return id.intValue(); + } + + /** + *

getHtml_DELETE_ME.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @return a {@link java.lang.String} object. + */ + public String getHtml_DELETE_ME(WebSession s) { + String html = null; + + // FIXME: This doesn't work for the labs since they do not implement + // createContent(). + String rawHtml = createContent(s).toString(); + // System.out.println("Getting raw html content: " + + // rawHtml.substring(0, Math.min(rawHtml.length(), 100))); + html = convertMetachars(AbstractLesson.readFromFile(new BufferedReader(new StringReader(rawHtml)), true)); + // System.out.println("Getting encoded html content: " + + // html.substring(0, Math.min(html.length(), 100))); + + return html; + } + + /** + *

getSource.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @return a {@link java.lang.String} object. + */ + public String getSource(WebSession s) { + String source = null; + String src = null; + + try { + // System.out.println("Loading source file: " + + // getSourceFileName()); + src = convertMetacharsJavaCode(readFromFile(new BufferedReader(new FileReader(getSourceFileName())), true)); + + // TODO: For styled line numbers and better memory efficiency, + // use a custom FilterReader + // that performs the convertMetacharsJavaCode() transform plus + // optionally adds a styled + // line number. Wouldn't color syntax be great too? + } catch (Exception e) { + s.setMessage("Could not find source file"); + src = ("Could not find the source file or source file does not exist.
" + + "Send this message to: " + s.getWebgoatContext() + .getFeedbackAddress() + ""); + } + + Html html = new Html(); + + Head head = new Head(); + head.addElement(new Title(getSourceFileName())); + + Body body = new Body(); + body.addElement(new StringElement(src)); + + html.addElement(head); + html.addElement(body); + + source = html.toString(); + + return source; + } + + /** + *

getRawSource.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @return a {@link java.lang.String} object. + */ + public String getRawSource(WebSession s) { + String src; + + try { + logger.debug("Loading source file: " + getSourceFileName()); + src = readFromFile(new BufferedReader(new FileReader(getSourceFileName())), false); + + } catch (FileNotFoundException e) { + s.setMessage("Could not find source file"); + src = ("Could not find the source file or source file does not exist.
" + + "Send this message to: " + s.getWebgoatContext() + .getFeedbackAddress() + ""); + } + + return src; + } + + /** + *

getSolution.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @return a {@link java.lang.String} object. + */ + public String getSolution(WebSession s) { + String src = null; + + try { + // System.out.println("Solution: " + getLessonSolutionFileName()); + src = readFromFile(new BufferedReader(new FileReader(getLessonSolutionFileName())), false); + } catch (Exception e) { + logger.error("Could not find solution for {}", getLessonSolutionFileName()); + s.setMessage("Could not find the solution file"); + src = ("Could not find the solution file or solution file does not exist.
" + + "Send this message to: " + s.getWebgoatContext() + .getFeedbackAddress() + ""); + } + + // Solutions are html files + return src; + } + + /** + *

Returns the default "path" portion of a lesson's URL.

+ * + * + * Legacy webgoat lesson links are of the form + * "attack?Screen=Xmenu=Ystage=Z". This method returns the path portion of + * the url, i.e., "attack" in the string above. + * + * Newer, Spring-Controller-based classes will override this method to + * return "*.do"-styled paths. + * + * @return a {@link java.lang.String} object. + */ + protected String getPath() { + return "#attack"; + } + + /** + * Get the link that can be used to request this screen. + * + * @return a {@link java.lang.String} object. + */ + public String getLink() { + StringBuffer link = new StringBuffer(); + + // mvc update: + link.append(getPath()).append("/"); + link.append(getScreenId()); + link.append("/"); + link.append(getCategory().getRanking()); + + return link.toString(); + } + + /** + * Get the link to the jsp page used to render this screen. + * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @return a {@link java.lang.String} object. + */ + public String getPage(WebSession s) { + return null; + } + + /** + * Get the link to the jsp template page used to render this screen. + * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @return a {@link java.lang.String} object. + */ + public String getTemplatePage(WebSession s) { + return null; + } + + /** + *

getCurrentAction.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @return a {@link java.lang.String} object. + */ + public abstract String getCurrentAction(WebSession s); + + /** + *

setCurrentAction.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @param lessonScreen a {@link java.lang.String} object. + */ + public abstract void setCurrentAction(WebSession s, String lessonScreen); + + /** + * Override this method to implement accesss control in a lesson. + * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @param functionId a {@link java.lang.String} object. + * @param employeeId a int. + * @return a boolean. + */ + public boolean isAuthorized(WebSession s, int employeeId, String functionId) { + return false; + } + + /** + * Override this method to implement accesss control in a lesson. + * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @param functionId a {@link java.lang.String} object. + * @param role a {@link java.lang.String} object. + * @return a boolean. + */ + public boolean isAuthorized(WebSession s, String role, String functionId) { + logger.info("Checking if " + role + " authorized for: " + functionId); + boolean authorized = false; + try { + String query = "SELECT * FROM auth WHERE role = '" + role + "' and functionid = '" + functionId + "'"; + try { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + authorized = answer_results.first(); + logger.info("authorized: " + authorized); + } catch (SQLException sqle) { + s.setMessage("Error authorizing"); + logger.error("Error authorizing", sqle); + } + } catch (Exception e) { + s.setMessage("Error authorizing"); + logger.error("Error authorizing", e); + } + return authorized; + } + + /** + *

getUserId.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @return a int. + * @throws org.owasp.webgoat.session.ParameterNotFoundException if any. + */ + public int getUserId(WebSession s) throws ParameterNotFoundException { + return -1; + } + + /** + *

getUserName.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @return a {@link java.lang.String} object. + * @throws org.owasp.webgoat.session.ParameterNotFoundException if any. + */ + public String getUserName(WebSession s) throws ParameterNotFoundException { + return null; + } + + /** + * Description of the Method + * + * @param windowName Description of the Parameter + * @return Description of the Return Value + */ + public static String makeWindowScript(String windowName) { + // FIXME: make this string static + StringBuffer script = new StringBuffer(); + script.append("\n"); + + return script.toString(); + } + + /** + * Simply reads a url into an Element for display. CAUTION: you might want + * to tinker with any non-https links (href) + * + * @param url Description of the Parameter + * @return Description of the Return Value + */ + public static Element readFromURL(String url) { + ElementContainer ec = new ElementContainer(); + + try { + URL u = new URL(url); + HttpURLConnection huc = (HttpURLConnection) u.openConnection(); + BufferedReader reader = new BufferedReader(new InputStreamReader(huc.getInputStream())); + String line; + + while ((line = reader.readLine()) != null) { + ec.addElement(new StringElement(line)); + } + + reader.close(); + } catch (Exception e) { + System.out.println(e); + e.printStackTrace(); + } + + return (ec); + } + + /** + * Description of the Method + * + * @param reader Description of the Parameter + * @param numbers Description of the Parameter + * @param methodName Description of the Parameter + * @return Description of the Return Value + */ + public static Element readMethodFromFile(BufferedReader reader, String methodName, boolean numbers) { + PRE pre = new PRE().addElement(getFileMethod(reader, methodName, numbers)); + + return (pre); + } + + /** + * Description of the Method + * + * @param s Description of the Parameter + */ + public void handleRequest(WebSession s) { + // call createContent first so messages will 
go somewhere + Form form = new Form(getFormAction(), Form.POST).setName("form").setEncType(""); + form.addElement(createContent(s)); + setContent(form); + s.getRequest().getRequestURL(); + } + + /** + *

getFormAction.

+ * + * @return a {@link java.lang.String} object. + */ + public String getFormAction() { + return getLink(); + } + + /** + * Description of the Method + * + * @return Description of the Return Value + */ + public String toString() { + return getTitle(); + } + + /** + *

Getter for the field defaultLanguage.

+ * + * @return a {@link java.lang.String} object. + */ + public String getDefaultLanguage() { + return this.defaultLanguage; + } + + /** + *

Getter for the field lessonPlanFileName.

+ * + * @param lang a {@link java.lang.String} object. + * @return a {@link java.lang.String} object. + */ + public String getLessonPlanFileName(String lang) { + String ret = lessonPlanFileName.get(lang); + if (ret == null) { + ret = lessonPlanFileName.get(getDefaultLanguage()); + } + return ret; + } + + /** + *

Setter for the field lessonPlanFileName.

+ * + * @param lang a {@link java.lang.String} object. + * @param lessonPlanFileName a {@link java.lang.String} object. + */ + public void setLessonPlanFileName(String lang, String lessonPlanFileName) { + this.lessonPlanFileName.put(lang, lessonPlanFileName); + this.availableLanguages.add(lang); + } + + /** + *

Getter for the field availableLanguages.

+ * + * @return a {@link java.util.List} object. + */ + public List getAvailableLanguages() { + return this.availableLanguages; + } + + /** + *

Getter for the field lessonSolutionFileName.

+ * + * @return a {@link java.lang.String} object. + */ + public String getLessonSolutionFileName() { + return lessonSolutionFileName; + } + + /** + *

Setter for the field lessonSolutionFileName.

+ * + * @param lessonSolutionFileName a {@link java.lang.String} object. + */ + public void setLessonSolutionFileName(String lessonSolutionFileName) { + this.lessonSolutionFileName = lessonSolutionFileName; + } + + /** + *

Getter for the field sourceFileName.

+ * + * @return a {@link java.lang.String} object. + */ + public String getSourceFileName() { + return sourceFileName; + } + + /** + *

Setter for the field sourceFileName.

+ * + * @param sourceFileName a {@link java.lang.String} object. + */ + public void setSourceFileName(String sourceFileName) { + logger.debug("Setting source file of lesson " + this + " to: " + sourceFileName); + this.sourceFileName = sourceFileName; + } + + /** + *

Getter for the field webgoatContext.

+ * + * @return a {@link org.owasp.webgoat.session.WebgoatContext} object. + */ + public WebgoatContext getWebgoatContext() { + return webgoatContext; + } + + /** + *

Setter for the field webgoatContext.

+ * + * @param webgoatContext a {@link org.owasp.webgoat.session.WebgoatContext} object. + */ + public void setWebgoatContext(WebgoatContext webgoatContext) { + this.webgoatContext = webgoatContext; + } + + /** + *

Getter for the field labelManager.

+ * + * @return a {@link org.owasp.webgoat.util.LabelManager} object. + */ + protected LabelManager getLabelManager() { + if (labelManager == null) { + labelManager = BeanProvider.getBean("labelManager", LabelManager.class); + } + return labelManager; + } + + /** + * A reference from an image, script and link tag must include the context path. + *

+ * A reference in include directives are made from within the web application on the server. + * However, img tags (and the like) make references from the client browser. + * In such external references, the context path must be included. + * + * @param w a {@link org.owasp.webgoat.session.WebSession} object. + * @param imgResourceName a {@link java.lang.String} object. + * @return a {@link java.lang.String} object. + */ + protected final String buildImagePath(WebSession w, String imgResourceName) { + return w.getRequest() + .getContextPath() + "/plugin_extracted/plugin/" + getLessonName() + "/images/" + imgResourceName; + } + + + /** + *

buildJspPath.

+ * + * @param w a {@link org.owasp.webgoat.session.WebSession} object. + * @param jspResourceName a {@link java.lang.String} object. + * @param includeContextPath a boolean. + * @return a {@link java.lang.String} object. + */ + protected final String buildJspPath(WebSession w, String jspResourceName, boolean includeContextPath) { + String path = includeContextPath ? w.getContext().getContextPath() : ""; + return path + "/plugin_extracted/plugin/" + getLessonName() + "/jsp/" + jspResourceName; + } + + /** + *

buildJsPath.

+ * + * @param w a {@link org.owasp.webgoat.session.WebSession} object. + * @param jsResourceName a {@link java.lang.String} object. + * @return a {@link java.lang.String} object. + */ + protected final String buildJsPath(WebSession w, String jsResourceName) { + return w.getRequest() + .getContextPath() + "/plugin_extracted/plugin/" + getLessonName() + "/js/" + jsResourceName; + } + + /** + *

getLessonDirectory.

+ * + * @param w a {@link org.owasp.webgoat.session.WebSession} object. + * @return a {@link java.io.File} object. + */ + protected final File getLessonDirectory(WebSession w) { + return new File(w.getContext().getRealPath("/plugin_extracted/plugin/" + getLessonName() + "/")); + } + +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java index 2da348ff1..e79cbb032 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java 
@@ -35,50 +35,72 @@ import java.util.List; * For details, please see http://webgoat.github.io * * @author Bruce Mayhew WebGoat - * @created October 28, 2003 + * @since October 28, 2003 + * @version $Id: $Id */ public class Category implements Comparable { + /** Constant INTRODUCTION */ public final static Category INTRODUCTION = new Category("Introduction", new Integer(5)); + /** Constant GENERAL */ public final static Category GENERAL = new Category("General", new Integer(100)); + /** Constant ACCESS_CONTROL */ public final static Category ACCESS_CONTROL = new Category("Access Control Flaws", new Integer(200)); + /** Constant AJAX_SECURITY */ public final static Category AJAX_SECURITY = new Category("AJAX Security", new Integer(400)); + /** Constant AUTHENTICATION */ public final static Category AUTHENTICATION = new Category("Authentication Flaws", new Integer(500)); + /** Constant BUFFER_OVERFLOW */ public final static Category BUFFER_OVERFLOW = new Category("Buffer Overflows", new Integer(600)); + /** Constant CODE_QUALITY */ public final static Category CODE_QUALITY = new Category("Code Quality", new Integer(700)); + /** Constant CONCURRENCY */ public final static Category CONCURRENCY = new Category("Concurrency", new Integer(800)); + /** Constant XSS */ public final static Category XSS = new Category("Cross-Site Scripting (XSS)", new Integer(900)); + /** Constant ERROR_HANDLING */ public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(1000)); + /** Constant INJECTION */ public final static Category INJECTION = new Category("Injection Flaws", new Integer(1100)); + /** Constant DOS */ public final static Category DOS = new Category("Denial of Service", new Integer(1200)); + /** Constant INSECURE_COMMUNICATION */ public final static Category INSECURE_COMMUNICATION = new Category("Insecure Communication", new Integer(1300)); + /** Constant INSECURE_CONFIGURATION */ public final static Category INSECURE_CONFIGURATION = new 
Category("Insecure Configuration", new Integer(1400)); + /** Constant INSECURE_STORAGE */ public final static Category INSECURE_STORAGE = new Category("Insecure Storage", new Integer(1500)); + /** Constant MALICIOUS_EXECUTION */ public final static Category MALICIOUS_EXECUTION = new Category("Malicious Execution", new Integer(1600)); + /** Constant PARAMETER_TAMPERING */ public final static Category PARAMETER_TAMPERING = new Category("Parameter Tampering", new Integer(1700)); + /** Constant SESSION_MANAGEMENT */ public final static Category SESSION_MANAGEMENT = new Category("Session Management Flaws", new Integer(1800)); + /** Constant WEB_SERVICES */ public final static Category WEB_SERVICES = new Category("Web Services", new Integer(1900)); + /** Constant ADMIN_FUNCTIONS */ public final static Category ADMIN_FUNCTIONS = new Category("Admin Functions", new Integer(2000)); + /** Constant CHALLENGE */ public final static Category CHALLENGE = new Category("Challenge", new Integer(3000)); private static final List categories = new ArrayList(); @@ -111,10 +133,21 @@ public class Category implements Comparable { categories.add(CHALLENGE); } + /** + *
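Review bot: The new `/** Constant INTRODUCTION */`-style comments on each field restate the field name and say nothing about the integer passed as the second constructor argument, which is the only thing a reader of this hunk needs explained. One class-level sentence would do more than twenty one-liners, e.g. `Each constant's second argument is its ranking; AbstractLesson.update() (same patch) overwrites it at startup from the property "category.<name>.ranking", so the literal here is only a default.` That the ranking is also the menu ordering key is an inference from `compareTo`/`getRanking`, whose bodies are split across later hunks, so confirm before stating it. Separately, the context line `public class Category implements Comparable {` still uses the raw type; `implements Comparable<Category>` would let `compareTo` accept a `Category` directly, but that is code, not javadoc, and outside what this commit sets out to do.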

addCategory.

+ * + * @param c a {@link org.owasp.webgoat.lessons.Category} object. + */ public static synchronized void addCategory(Category c) { categories.add(c); } + /** + *

Getter for the field category.

+ * + * @param name a {@link java.lang.String} object. + * @return a {@link org.owasp.webgoat.lessons.Category} object. + */ public static synchronized Category getCategory(String name) { Iterator it = categories.iterator(); while (it.hasNext()) { @@ -126,11 +159,18 @@ public class Category implements Comparable { return null; } + /** + *
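Review bot: The javadoc added for `getCategory` reads `Getter for the field category`, but the method is a name lookup over the static registry and, per the context at the top of the next hunk, falls through to `return null;` when nothing matches — the one fact a caller needs and the one the comment omits. Suggest `@return the registered {@code Category} whose name equals {@code name}, or {@code null} if none was registered via {@link #addCategory(Category)}`. This matters because `AbstractLesson.update()` in this same patch calls `tempCategory.setRanking(...)` on the result without a null check. `addCategory` likewise deserves a line saying it appends without null or duplicate-name checks; assuming the loop returns the first match (those lines fall outside the hunk), a second registration under an existing name can never be found.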

Constructor for Category.

+ * + * @param category a {@link java.lang.String} object. + * @param ranking a {@link java.lang.Integer} object. + */ public Category(String category, Integer ranking) { this.category = category; this.ranking = ranking; } + /** {@inheritDoc} */ @Override public int compareTo(Object obj) { int value = 1; @@ -142,23 +182,41 @@ public class Category implements Comparable { return value; } + /** + *
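Review bot: The javadoc added to the public constructor should state that constructing a `Category` does not register it: the constructor only assigns the two fields, and only `addCategory` adds to the list that `getCategory` searches, so a lesson that builds its own category with `new Category(name, ranking)` will not be found by name until it also calls `addCategory`. Suggest `Creates an unregistered category; call {@link #addCategory(Category)} to make it visible to {@link #getCategory(String)}.` Neither argument is validated, and a `null` ranking would presumably surface later in `getRanking`/`compareTo` rather than here; a `@param ranking non-null ordering key` note, or `Objects.requireNonNull`, would make the contract explicit. The `compareTo(Object)` body this hunk starts continues into the next hunk, so its handling of non-`Category` arguments cannot be checked here.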

Getter for the field ranking.

+ * + * @return a {@link java.lang.Integer} object. + */ public Integer getRanking() { return ranking; } + /** + *

Setter for the field ranking.

+ * + * @param ranking a {@link java.lang.Integer} object. + * @return a {@link java.lang.Integer} object. + */ public Integer setRanking(Integer ranking) { return this.ranking = ranking; } + /** + *

getName.

+ * + * @return a {@link java.lang.String} object. + */ public String getName() { return category; } + /** {@inheritDoc} */ @Override public boolean equals(Object obj) { return (obj instanceof Category) && getName().equals(((Category) obj).getName()); } + /** {@inheritDoc} */ @Override public String toString() { return getName(); diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java index 83258c855..e5afea907 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java @@ -1,244 +1,270 @@ -package org.owasp.webgoat.lessons; - -import com.google.common.base.Joiner; -import org.apache.commons.io.IOUtils; -import org.apache.ecs.Element; -import org.apache.ecs.ElementContainer; -import org.apache.ecs.StringElement; -import org.apache.ecs.html.Center; -import org.apache.ecs.html.H3; -import org.apache.ecs.html.P; -import org.apache.ecs.html.PRE; -import org.apache.ecs.html.TD; -import org.apache.ecs.html.TR; -import org.apache.ecs.html.Table; -import org.owasp.webgoat.session.WebSession; - -import java.io.BufferedReader; -import java.io.FileReader; -import java.io.IOException; -import java.io.InputStream; -import java.util.ArrayList; -import java.util.List; - -/** - * ************************************************************************************************* - *
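Review bot: `equals` is overridden here to compare categories by name, but no matching `hashCode` override appears in this hunk, so equal categories may hash differently and misbehave as `HashMap`/`HashSet` keys; if the class does not define one further down (the hunk ends before the closing brace), add `@Override public int hashCode() { return getName().hashCode(); }` next to `equals`. The `{@inheritDoc}` on `equals` also hides that equality ignores `ranking`, while `compareTo` (split across this and the previous hunk) presumably orders by ranking, so two categories can be equal yet compare unequal — worth a one-line `@implNote` either way. Minor: the new `@return` on `setRanking` says only `a Integer object`; it returns the value just assigned, which is what `return this.ranking = ranking` does, and the comment should say so.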

- *

- * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ - *

- * Copyright (c) 2002 - 20014 Bruce Mayhew - *

- * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. - *

- * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. - *

- * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. - *

- * Getting Source ============== - *

- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository - * for free software projects. - *

- * For details, please see http://webgoat.github.io - * - * @author Bruce Mayhew WebGoat - * @created October 28, 2003 - */ -public abstract class LessonAdapter extends AbstractLesson { - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) { - // Mark this lesson as completed. - makeSuccess(s); - - ElementContainer ec = new ElementContainer(); - - ec.addElement(new Center().addElement(new H3().addElement(new StringElement( - "Detailed Lesson Creation Instructions.")))); - ec.addElement(new P()); - ec - .addElement(new StringElement( - "Lesson are simple to create and very little coding is required.   " - + "In fact, most lessons can be created by following the easy to use instructions in the " - + "WebGoat User Guide.  " - + "If you would prefer, send your lesson ideas to " - + getWebgoatContext().getFeedbackAddressHTML())); - - try (InputStream is = Thread.currentThread().getContextClassLoader() - .getResourceAsStream("New Lesson Instructions.txt")) { - if (is != null) { - PRE pre = new PRE(); - pre.addElement(Joiner.on("\n").join(IOUtils.readLines(is))); - ec.addElement(pre); - } - } catch (IOException e) { - e.printStackTrace(); - } - return (ec); - } - - /** - * Gets the category attribute of the LessonAdapter object. 
The default - * category is "General" Only override this method if you wish to create a - * new category or if you wish this lesson to reside within a category other - * the "General" - * - * @return The category value - */ - protected Category getDefaultCategory() { - return Category.GENERAL; - } - - protected boolean getDefaultHidden() { - return false; - } - - private final static Integer DEFAULT_RANKING = new Integer(1000); - - protected Integer getDefaultRanking() { - return DEFAULT_RANKING; - } - - /** - * Gets the hintCount attribute of the LessonAdapter object - * - * @return The hintCount value - */ - public int getHintCount(WebSession s) { - return getHints(s).size(); - } - - /** - * Fill in a minor hint that will help people who basically get it, but are - * stuck on somthing silly. Hints will be returned to the user in the order - * they appear below. The user must click on the "next hint" button before - * the hint will be displayed. - * - * @return The hint1 value - */ - protected List getHints(WebSession s) { - List hints = new ArrayList(); - hints.add("There are no hints defined."); - return hints; - } - - /** - * Gets the credits attribute of the AbstractLesson object - * - * @return The credits value - * @deprecated Credits are in the about page. This method s no - * longer called from WebGoat - */ - public Element getCredits() { - return new StringElement(); - } - - /** - * Gets the instructions attribute of the LessonAdapter object. Instructions - * will rendered as html and will appear below the control area and above - * the actual lesson area. Instructions should provide the user with the - * general setup and goal of the lesson. 
- * - * @return The instructions value - */ - public String getInstructions(WebSession s) { - StringBuffer buff = new StringBuffer(); - String lang = s.getCurrrentLanguage(); - try { - String fileName = getLessonPlanFileName(lang); - if (fileName != null) { - BufferedReader in = new BufferedReader(new FileReader(fileName)); - String line = null; - boolean startAppending = false; - while ((line = in.readLine()) != null) { - if (line.indexOf("") != -1) { - startAppending = true; - continue; - } - if (line.indexOf("") != -1) { - startAppending = false; - continue; - } - if (startAppending) { - buff.append(line + "\n"); - } - } - } - } catch (Exception e) { - } - - return buff.toString(); - - } - - /** - * Fill in a descriptive title for this lesson. The title of the lesson. - * This will appear above the control area at the top of the page. This - * field will be rendered as html. - * - * @return The title value - */ - public String getTitle() { - return "Untitled Lesson " + getScreenId(); - } - - public String getCurrentAction(WebSession s) { - return s.getLessonSession(this).getCurrentLessonScreen(); - } - - public void setCurrentAction(WebSession s, String lessonScreen) { - s.getLessonSession(this).setCurrentLessonScreen(lessonScreen); - } - - public Object getSessionAttribute(WebSession s, String key) { - return s.getRequest().getSession().getAttribute(key); - } - - public void setSessionAttribute(WebSession s, String key, Object value) { - s.getRequest().getSession().setAttribute(key, value); - } - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element makeSuccess(WebSession s) { - getLessonTracker(s).setCompleted(true); - - s.setMessage(getLabelManager().get("LessonCompleted")); - - return (null); - } - - /** - * Gets the credits attribute of the AbstractLesson object - * - * @return The credits value - */ - protected Element getCustomCredits(String text, Element e) { 
- Table t = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("RIGHT"); - TR tr = new TR(); - tr.addElement(new TD(text).setVAlign("MIDDLE").setAlign("RIGHT").setWidth("100%")); - tr.addElement(new TD(e).setVAlign("MIDDLE").setAlign("RIGHT")); - t.addElement(tr); - return t; - } - -} +package org.owasp.webgoat.lessons; + +import com.google.common.base.Joiner; +import org.apache.commons.io.IOUtils; +import org.apache.ecs.Element; +import org.apache.ecs.ElementContainer; +import org.apache.ecs.StringElement; +import org.apache.ecs.html.Center; +import org.apache.ecs.html.H3; +import org.apache.ecs.html.P; +import org.apache.ecs.html.PRE; +import org.apache.ecs.html.TD; +import org.apache.ecs.html.TR; +import org.apache.ecs.html.Table; +import org.owasp.webgoat.session.WebSession; + +import java.io.BufferedReader; +import java.io.FileReader; +import java.io.IOException; +import java.io.InputStream; +import java.util.ArrayList; +import java.util.List; + +/** + ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. 
+ * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + * + * For details, please see http://webgoat.github.io + * + * @author Bruce Mayhew WebGoat + * @since October 28, 2003 + * @version $Id: $Id + */ +public abstract class LessonAdapter extends AbstractLesson { + + /** + * {@inheritDoc} + * + * Description of the Method + */ + protected Element createContent(WebSession s) { + // Mark this lesson as completed. + makeSuccess(s); + + ElementContainer ec = new ElementContainer(); + + ec.addElement(new Center().addElement(new H3().addElement(new StringElement( + "Detailed Lesson Creation Instructions.")))); + ec.addElement(new P()); + ec + .addElement(new StringElement( + "Lesson are simple to create and very little coding is required.   " + + "In fact, most lessons can be created by following the easy to use instructions in the " + + "WebGoat User Guide.  " + + "If you would prefer, send your lesson ideas to " + + getWebgoatContext().getFeedbackAddressHTML())); + + try (InputStream is = Thread.currentThread().getContextClassLoader() + .getResourceAsStream("New Lesson Instructions.txt")) { + if (is != null) { + PRE pre = new PRE(); + pre.addElement(Joiner.on("\n").join(IOUtils.readLines(is))); + ec.addElement(pre); + } + } catch (IOException e) { + e.printStackTrace(); + } + return (ec); + } + + /** + * Gets the category attribute of the LessonAdapter object. 
The default + * category is "General" Only override this method if you wish to create a + * new category or if you wish this lesson to reside within a category other + * the "General" + * + * @return The category value + */ + protected Category getDefaultCategory() { + return Category.GENERAL; + } + + /** + *

getDefaultHidden.

+ * + * @return a boolean. + */ + protected boolean getDefaultHidden() { + return false; + } + + private final static Integer DEFAULT_RANKING = new Integer(1000); + + /** + *

getDefaultRanking.

+ * + * @return a {@link java.lang.Integer} object. + */ + protected Integer getDefaultRanking() { + return DEFAULT_RANKING; + } + + /** + * {@inheritDoc} + * + * Gets the hintCount attribute of the LessonAdapter object + */ + public int getHintCount(WebSession s) { + return getHints(s).size(); + } + + /** + * {@inheritDoc} + * + * Fill in a minor hint that will help people who basically get it, but are + * stuck on somthing silly. Hints will be returned to the user in the order + * they appear below. The user must click on the "next hint" button before + * the hint will be displayed. + */ + protected List getHints(WebSession s) { + List hints = new ArrayList(); + hints.add("There are no hints defined."); + return hints; + } + + /** + * Gets the credits attribute of the AbstractLesson object + * + * @return The credits value + * @deprecated Credits are in the about page. This method s no + * longer called from WebGoat + */ + public Element getCredits() { + return new StringElement(); + } + + /** + * {@inheritDoc} + * + * Gets the instructions attribute of the LessonAdapter object. Instructions + * will rendered as html and will appear below the control area and above + * the actual lesson area. Instructions should provide the user with the + * general setup and goal of the lesson. 
+ */ + public String getInstructions(WebSession s) { + StringBuffer buff = new StringBuffer(); + String lang = s.getCurrrentLanguage(); + try { + String fileName = getLessonPlanFileName(lang); + if (fileName != null) { + BufferedReader in = new BufferedReader(new FileReader(fileName)); + String line = null; + boolean startAppending = false; + while ((line = in.readLine()) != null) { + if (line.indexOf("") != -1) { + startAppending = true; + continue; + } + if (line.indexOf("") != -1) { + startAppending = false; + continue; + } + if (startAppending) { + buff.append(line + "\n"); + } + } + } + } catch (Exception e) { + } + + return buff.toString(); + + } + + /** + * Fill in a descriptive title for this lesson. The title of the lesson. + * This will appear above the control area at the top of the page. This + * field will be rendered as html. + * + * @return The title value + */ + public String getTitle() { + return "Untitled Lesson " + getScreenId(); + } + + /** {@inheritDoc} */ + public String getCurrentAction(WebSession s) { + return s.getLessonSession(this).getCurrentLessonScreen(); + } + + /** {@inheritDoc} */ + public void setCurrentAction(WebSession s, String lessonScreen) { + s.getLessonSession(this).setCurrentLessonScreen(lessonScreen); + } + + /** + *

getSessionAttribute.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @param key a {@link java.lang.String} object. + * @return a {@link java.lang.Object} object. + */ + public Object getSessionAttribute(WebSession s, String key) { + return s.getRequest().getSession().getAttribute(key); + } + + /** + *

setSessionAttribute.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @param key a {@link java.lang.String} object. + * @param value a {@link java.lang.Object} object. + */ + public void setSessionAttribute(WebSession s, String key, Object value) { + s.getRequest().getSession().setAttribute(key, value); + } + + /** + * Description of the Method + * + * @param s Description of the Parameter + * @return Description of the Return Value + */ + protected Element makeSuccess(WebSession s) { + getLessonTracker(s).setCompleted(true); + + s.setMessage(getLabelManager().get("LessonCompleted")); + + return (null); + } + + /** + * Gets the credits attribute of the AbstractLesson object + * + * @return The credits value + * @param text a {@link java.lang.String} object. + * @param e a {@link org.apache.ecs.Element} object. + */ + protected Element getCustomCredits(String text, Element e) { + Table t = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("RIGHT"); + TR tr = new TR(); + tr.addElement(new TD(text).setVAlign("MIDDLE").setAlign("RIGHT").setWidth("100%")); + tr.addElement(new TD(e).setVAlign("MIDDLE").setAlign("RIGHT")); + t.addElement(tr); + return t; + } + +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/RandomLessonAdapter.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/RandomLessonAdapter.java index 092cf0579..b72ee620c 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/RandomLessonAdapter.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/RandomLessonAdapter.java 
@@ -1,99 +1,138 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.sql.Connection;
-import java.sql.SQLException;
-import org.owasp.webgoat.session.CreateDB;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.owasp.webgoat.session.LessonTracker;
-import org.owasp.webgoat.session.RandomLessonTracker;
-import org.owasp.webgoat.session.WebSession;
-
-
-public abstract class RandomLessonAdapter extends LessonAdapter
-{
-
- public abstract String[] getStages();
-
- public void setStage(WebSession s, String stage)
- {
- getLessonTracker(s).setStage(stage);
- try
- {
- Connection connection = DatabaseUtilities.getConnection(s);
-
- CreateDB db = new CreateDB();
- db.makeDB(connection);
- System.out.println("Successfully refreshed the database.");
-
- } catch (SQLException sqle)
- {
- System.out.println("Error refreshing the database!");
- sqle.printStackTrace();
- }
- }
-
- public String getStage(WebSession s)
- {
- return getLessonTracker(s).getStage();
- }
-
- public void setStageComplete(WebSession s, String stage)
- {
- RandomLessonTracker lt = getLessonTracker(s);
- lt.setStageComplete(stage, true);
- if (lt.getCompleted())
- {
- s.setMessage("Congratulations, you have completed this lab");
- }
- else
- {
- s.setMessage("You have completed Stage " + (lt.getStageNumber(stage) + 1) + ": " + stage + ".");
- if (!stage.equals(lt.getStage()))
- s.setMessage(" Welcome to Stage " + (lt.getStageNumber(lt.getStage()) + 1) + ": " + lt.getStage());
- }
- try
- {
- Connection connection = DatabaseUtilities.getConnection(s);
-
- CreateDB db = new CreateDB();
- db.makeDB(connection);
- System.out.println("Successfully refreshed the database.");
-
- } catch (SQLException sqle)
- {
- System.out.println("Error refreshing the database!");
- sqle.printStackTrace();
- }
- }
-
- public boolean isStageComplete(WebSession s, String stage)
- {
- return getLessonTracker(s).hasCompleted(stage);
- }
-
- @Override
- public RandomLessonTracker getLessonTracker(WebSession s)
- {
- return (RandomLessonTracker) super.getLessonTracker(s);
- }
-
- @Override
- public RandomLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
- {
- return (RandomLessonTracker) super.getLessonTracker(s, lesson);
- }
-
- @Override
- public RandomLessonTracker getLessonTracker(WebSession s, String userNameOverride)
- {
- return (RandomLessonTracker) super.getLessonTracker(s, userNameOverride);
- }
-
- @Override
- public LessonTracker createLessonTracker()
- {
- return new RandomLessonTracker(getStages());
- }
-
-}
+
+package org.owasp.webgoat.lessons;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import org.owasp.webgoat.session.CreateDB;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.session.LessonTracker;
+import org.owasp.webgoat.session.RandomLessonTracker;
+import org.owasp.webgoat.session.WebSession;
+
+
+/**
+ *

Abstract RandomLessonAdapter class.

+ *
+ * @version $Id: $Id
+ */
+public abstract class RandomLessonAdapter extends LessonAdapter
+{
+
+ /**
+ *

getStages.

+ *
+ * @return an array of {@link java.lang.String} objects.
+ */
+ public abstract String[] getStages();
+
+ /**
+ *

setStage.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @param stage a {@link java.lang.String} object.
+ */
+ public void setStage(WebSession s, String stage)
+ {
+ getLessonTracker(s).setStage(stage);
+ try
+ {
+ Connection connection = DatabaseUtilities.getConnection(s);
+
+ CreateDB db = new CreateDB();
+ db.makeDB(connection);
+ System.out.println("Successfully refreshed the database.");
+
+ } catch (SQLException sqle)
+ {
+ System.out.println("Error refreshing the database!");
+ sqle.printStackTrace();
+ }
+ }
+
+ /**
+ *

getStage.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @return a {@link java.lang.String} object.
+ */
+ public String getStage(WebSession s)
+ {
+ return getLessonTracker(s).getStage();
+ }
+
+ /**
+ *

setStageComplete.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @param stage a {@link java.lang.String} object.
+ */
+ public void setStageComplete(WebSession s, String stage)
+ {
+ RandomLessonTracker lt = getLessonTracker(s);
+ lt.setStageComplete(stage, true);
+ if (lt.getCompleted())
+ {
+ s.setMessage("Congratulations, you have completed this lab");
+ }
+ else
+ {
+ s.setMessage("You have completed Stage " + (lt.getStageNumber(stage) + 1) + ": " + stage + ".");
+ if (!stage.equals(lt.getStage()))
+ s.setMessage(" Welcome to Stage " + (lt.getStageNumber(lt.getStage()) + 1) + ": " + lt.getStage());
+ }
+ try
+ {
+ Connection connection = DatabaseUtilities.getConnection(s);
+
+ CreateDB db = new CreateDB();
+ db.makeDB(connection);
+ System.out.println("Successfully refreshed the database.");
+
+ } catch (SQLException sqle)
+ {
+ System.out.println("Error refreshing the database!");
+ sqle.printStackTrace();
+ }
+ }
+
+ /**
+ *

isStageComplete.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @param stage a {@link java.lang.String} object.
+ * @return a boolean.
+ */
+ public boolean isStageComplete(WebSession s, String stage)
+ {
+ return getLessonTracker(s).hasCompleted(stage);
+ }
+
+ /** {@inheritDoc} */
+ @Override
+ public RandomLessonTracker getLessonTracker(WebSession s)
+ {
+ return (RandomLessonTracker) super.getLessonTracker(s);
+ }
+
+ /** {@inheritDoc} */
+ @Override
+ public RandomLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
+ {
+ return (RandomLessonTracker) super.getLessonTracker(s, lesson);
+ }
+
+ /** {@inheritDoc} */
+ @Override
+ public RandomLessonTracker getLessonTracker(WebSession s, String userNameOverride)
+ {
+ return (RandomLessonTracker) super.getLessonTracker(s, userNameOverride);
+ }
+
+ /** {@inheritDoc} */
+ @Override
+ public LessonTracker createLessonTracker()
+ {
+ return new RandomLessonTracker(getStages());
+ }
+
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/SequentialLessonAdapter.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/SequentialLessonAdapter.java
index abb6ddaa4..c2932a453 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/SequentialLessonAdapter.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/SequentialLessonAdapter.java
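Review bot: The Javadoc this commit adds to `setStage` and `setStageComplete` is placeholder text (`setStage.`, `setStageComplete.`) that says nothing about the one thing a caller needs to know: both methods rebuild the lesson database through `CreateDB.makeDB` on every stage transition, and a failed rebuild is only reported via `System.out`/`printStackTrace` while the stage change already written to the tracker stays in effect. Suggest replacing the placeholder on `setStage` with `/** Records {@code stage} as the user's current stage and re-creates the lesson database so the new stage starts from fresh data; an SQLException is printed and otherwise ignored. */` and an equivalent one on `setStageComplete`. The identical try/catch in both methods would also read better as one private `refreshDatabase(WebSession s)` helper, and whether the `Connection` from `DatabaseUtilities.getConnection(s)` needs closing here cannot be told from this hunk — worth confirming against that utility before relying on it.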
@@ -1,138 +1,212 @@
-
-package org.owasp.webgoat.lessons;
-
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.owasp.webgoat.session.LessonTracker;
-import org.owasp.webgoat.session.SequentialLessonTracker;
-import org.owasp.webgoat.session.WebSession;
-
-
-public abstract class SequentialLessonAdapter extends LessonAdapter
-{
-
- public void setStage(WebSession s, int stage)
- {
- // System.out.println("Changed to stage " + stage);
- getLessonTracker(s).setStage(stage);
- }
-
- /*
- * By default returns 1 stage. (non-Javadoc)
- */
- public int getStageCount()
- {
- return 1;
- }
-
- public int getStage(WebSession s)
- {
- int stage = getLessonTracker(s).getStage();
-
- // System.out.println("In stage " + stage);
- return stage;
- }
-
- @Override
- public SequentialLessonTracker getLessonTracker(WebSession s)
- {
- return (SequentialLessonTracker) super.getLessonTracker(s);
- }
-
- @Override
- public SequentialLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
- {
- return (SequentialLessonTracker) super.getLessonTracker(s, lesson);
- }
-
- @Override
- public SequentialLessonTracker getLessonTracker(WebSession s, String userNameOverride)
- {
- return (SequentialLessonTracker) super.getLessonTracker(s, userNameOverride);
- }
-
- @Override
- public LessonTracker createLessonTracker()
- {
- return new SequentialLessonTracker();
- }
-
- protected Element createStagedContent(WebSession s)
- {
- try
- {
- int stage = getLessonTracker(s).getStage();
- // int stage = Integer.parseInt(
- // getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE,"1"));
-
- switch (stage)
- {
- case 1:
- return (doStage1(s));
- case 2:
- return (doStage2(s));
- case 3:
- return (doStage3(s));
- case 4:
- return (doStage4(s));
- case 5:
- return (doStage5(s));
- case 6:
- return (doStage6(s));
- default:
- throw new Exception("Invalid stage");
- }
- } catch (Exception e)
- {
- s.setMessage("Error generating " + this.getClass().getName());
- // System.out.println(e);
- e.printStackTrace();
- }
-
- return (new StringElement(""));
- }
-
- protected Element doStage1(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 1 Stub");
- return ec;
- }
-
- protected Element doStage2(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 2 Stub");
- return ec;
- }
-
- protected Element doStage3(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 3 Stub");
- return ec;
- }
-
- protected Element doStage4(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 4 Stub");
- return ec;
- }
-
- protected Element doStage5(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 5 Stub");
- return ec;
- }
-
- protected Element doStage6(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 6 Stub");
- return ec;
- }
-
-}
+
+package org.owasp.webgoat.lessons;
+
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.StringElement;
+import org.owasp.webgoat.session.LessonTracker;
+import org.owasp.webgoat.session.SequentialLessonTracker;
+import org.owasp.webgoat.session.WebSession;
+
+
+/**
+ *

Abstract SequentialLessonAdapter class.

+ *
+ * @version $Id: $Id
+ */
+public abstract class SequentialLessonAdapter extends LessonAdapter
+{
+
+ /**
+ *

setStage.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @param stage a int.
+ */
+ public void setStage(WebSession s, int stage)
+ {
+ // System.out.println("Changed to stage " + stage);
+ getLessonTracker(s).setStage(stage);
+ }
+
+ /*
+ * By default returns 1 stage. (non-Javadoc)
+ */
+ /**
+ *

getStageCount.

+ *
+ * @return a int.
+ */
+ public int getStageCount()
+ {
+ return 1;
+ }
+
+ /**
+ *

getStage.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @return a int.
+ */
+ public int getStage(WebSession s)
+ {
+ int stage = getLessonTracker(s).getStage();
+
+ // System.out.println("In stage " + stage);
+ return stage;
+ }
+
+ /** {@inheritDoc} */
+ @Override
+ public SequentialLessonTracker getLessonTracker(WebSession s)
+ {
+ return (SequentialLessonTracker) super.getLessonTracker(s);
+ }
+
+ /** {@inheritDoc} */
+ @Override
+ public SequentialLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
+ {
+ return (SequentialLessonTracker) super.getLessonTracker(s, lesson);
+ }
+
+ /** {@inheritDoc} */
+ @Override
+ public SequentialLessonTracker getLessonTracker(WebSession s, String userNameOverride)
+ {
+ return (SequentialLessonTracker) super.getLessonTracker(s, userNameOverride);
+ }
+
+ /** {@inheritDoc} */
+ @Override
+ public LessonTracker createLessonTracker()
+ {
+ return new SequentialLessonTracker();
+ }
+
+ /**
+ *

createStagedContent.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @return a {@link org.apache.ecs.Element} object.
+ */
+ protected Element createStagedContent(WebSession s)
+ {
+ try
+ {
+ int stage = getLessonTracker(s).getStage();
+ // int stage = Integer.parseInt(
+ // getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE,"1"));
+
+ switch (stage)
+ {
+ case 1:
+ return (doStage1(s));
+ case 2:
+ return (doStage2(s));
+ case 3:
+ return (doStage3(s));
+ case 4:
+ return (doStage4(s));
+ case 5:
+ return (doStage5(s));
+ case 6:
+ return (doStage6(s));
+ default:
+ throw new Exception("Invalid stage");
+ }
+ } catch (Exception e)
+ {
+ s.setMessage("Error generating " + this.getClass().getName());
+ // System.out.println(e);
+ e.printStackTrace();
+ }
+
+ return (new StringElement(""));
+ }
+
+ /**
+ *

doStage1.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @return a {@link org.apache.ecs.Element} object.
+ * @throws java.lang.Exception if any.
+ */
+ protected Element doStage1(WebSession s) throws Exception
+ {
+ ElementContainer ec = new ElementContainer();
+ ec.addElement("Stage 1 Stub");
+ return ec;
+ }
+
+ /**
+ *

doStage2.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @return a {@link org.apache.ecs.Element} object.
+ * @throws java.lang.Exception if any.
+ */
+ protected Element doStage2(WebSession s) throws Exception
+ {
+ ElementContainer ec = new ElementContainer();
+ ec.addElement("Stage 2 Stub");
+ return ec;
+ }
+
+ /**
+ *

doStage3.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @return a {@link org.apache.ecs.Element} object.
+ * @throws java.lang.Exception if any.
+ */
+ protected Element doStage3(WebSession s) throws Exception
+ {
+ ElementContainer ec = new ElementContainer();
+ ec.addElement("Stage 3 Stub");
+ return ec;
+ }
+
+ /**
+ *

doStage4.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @return a {@link org.apache.ecs.Element} object.
+ * @throws java.lang.Exception if any.
+ */
+ protected Element doStage4(WebSession s) throws Exception
+ {
+ ElementContainer ec = new ElementContainer();
+ ec.addElement("Stage 4 Stub");
+ return ec;
+ }
+
+ /**
+ *

doStage5.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @return a {@link org.apache.ecs.Element} object.
+ * @throws java.lang.Exception if any.
+ */
+ protected Element doStage5(WebSession s) throws Exception
+ {
+ ElementContainer ec = new ElementContainer();
+ ec.addElement("Stage 5 Stub");
+ return ec;
+ }
+
+ /**
+ *

doStage6.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @return a {@link org.apache.ecs.Element} object.
+ * @throws java.lang.Exception if any.
+ */
+ protected Element doStage6(WebSession s) throws Exception
+ {
+ ElementContainer ec = new ElementContainer();
+ ec.addElement("Stage 6 Stub");
+ return ec;
+ }
+
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/WelcomeScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/WelcomeScreen.java
index 0342dd462..61723e933 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/WelcomeScreen.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/WelcomeScreen.java
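Review bot: `createStagedContent` dispatches any stage value 1–6 to a `doStageN` stub without consulting `getStageCount()`, and `setStage(WebSession, int)` writes its argument to the tracker with no range check, so a lesson that declares one stage but receives stage 2 silently renders the `"Stage 2 Stub"` text instead of reaching the `default` branch; a guard before the switch such as `if (stage < 1 || stage > getStageCount()) throw new IllegalStateException("Invalid stage " + stage);` would make the declared count authoritative. The `default` case still throws a bare `new Exception("Invalid stage")` that the catch below turns into a stack trace on stdout and a user-facing message built from `this.getClass().getName()`; an `IllegalStateException` carrying the offending stage number is the more useful signal and narrows the `catch (Exception e)`. On `getStageCount` the old `/* By default returns 1 stage. (non-Javadoc) */` block now sits directly above the new placeholder Javadoc `getStageCount.`, leaving two comments where one should be; fold it into the Javadoc as `/** Number of stages in this lesson; defaults to 1, lessons with several stages override it. @return the stage count */` and drop the stray block comment.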
@@ -1,145 +1,161 @@ - -package org.owasp.webgoat.lessons; - -import org.apache.ecs.Element; -import org.apache.ecs.ElementContainer; -import org.apache.ecs.HtmlColor; -import org.apache.ecs.StringElement; -import org.apache.ecs.html.Center; -import org.apache.ecs.html.Form; -import org.apache.ecs.html.TD; -import org.apache.ecs.html.TR; -import org.apache.ecs.html.Table; -import org.owasp.webgoat.session.*; - - -/*************************************************************************************************** - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. 
- * - * For details, please see http://webgoat.github.io - * - * @author Jeff Williams Aspect Security - * @created October 28, 2003 - */ -public class WelcomeScreen extends Screen -{ - - /** - * Constructor for the WelcomeScreen object - * - * @param s - * Description of the Parameter - */ - public WelcomeScreen(WebSession s) - { - setup(s); - } - - /** - * Constructor for the WelcomeScreen object - */ - public WelcomeScreen() - { - } - - public void setup(WebSession s) - { - // call createContent first so messages will go somewhere - - Form form = new Form("attack", Form.POST).setName("form").setEncType(""); - - form.addElement(wrapForm(s)); - - TD lowerright = new TD().setHeight("100%").setVAlign("top").setAlign("left").addElement(form); - TR row = new TR().addElement(lowerright); - Table layout = new Table().setBgColor(HtmlColor.WHITE).setCellSpacing(0).setCellPadding(0).setBorder(0); - - layout.addElement(row); - - setContent(layout); - } - - protected Element wrapForm(WebSession s) - { - if (s == null) { return new StringElement("Invalid Session"); } - - Table container = new Table().setWidth("100%").setCellSpacing(10).setCellPadding(0).setBorder(0); - - // CreateContent can generate error messages so you MUST call it before makeMessages() - Element content = createContent(s); - container.addElement(new TR().addElement(new TD().setColSpan(2).setVAlign("TOP").addElement(makeMessages(s)))); - container.addElement(new TR().addElement(new TD().setColSpan(2).addElement(content))); - container.addElement(new TR()); - - return (container); - } - - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - Element b = ECSFactory.makeButton("Start the Course!"); - ec.addElement(new Center(b)); - - return (ec); - } - - /** - * Gets the instructions attribute of the WelcomeScreen object - * - * 
@return The instructions value - */ - protected String getInstructions() - { - String instructions = "Enter your name and learn how HTTP really works!"; - - return (instructions); - } - - /** - * Gets the title attribute of the WelcomeScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Welcome to the Penetration Testing Course"); - } - - /* - * (non-Javadoc) - * @see session.Screen#getRole() - */ - public String getRole() - { - return AbstractLesson.USER_ROLE; - } -} + +package org.owasp.webgoat.lessons; + +import org.apache.ecs.Element; +import org.apache.ecs.ElementContainer; +import org.apache.ecs.HtmlColor; +import org.apache.ecs.StringElement; +import org.apache.ecs.html.Center; +import org.apache.ecs.html.Form; +import org.apache.ecs.html.TD; +import org.apache.ecs.html.TR; +import org.apache.ecs.html.Table; +import org.owasp.webgoat.session.*; + + +/** + ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. 
+ * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + * + * For details, please see http://webgoat.github.io + * + * @author Jeff Williams Aspect Security + * @since October 28, 2003 + * @version $Id: $Id + */ +public class WelcomeScreen extends Screen +{ + + /** + * Constructor for the WelcomeScreen object + * + * @param s + * Description of the Parameter + */ + public WelcomeScreen(WebSession s) + { + setup(s); + } + + /** + * Constructor for the WelcomeScreen object + */ + public WelcomeScreen() + { + } + + /** + *

setup.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + */ + public void setup(WebSession s) + { + // call createContent first so messages will go somewhere + + Form form = new Form("attack", Form.POST).setName("form").setEncType(""); + + form.addElement(wrapForm(s)); + + TD lowerright = new TD().setHeight("100%").setVAlign("top").setAlign("left").addElement(form); + TR row = new TR().addElement(lowerright); + Table layout = new Table().setBgColor(HtmlColor.WHITE).setCellSpacing(0).setCellPadding(0).setBorder(0); + + layout.addElement(row); + + setContent(layout); + } + + /** + *

wrapForm.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @return a {@link org.apache.ecs.Element} object. + */ + protected Element wrapForm(WebSession s) + { + if (s == null) { return new StringElement("Invalid Session"); } + + Table container = new Table().setWidth("100%").setCellSpacing(10).setCellPadding(0).setBorder(0); + + // CreateContent can generate error messages so you MUST call it before makeMessages() + Element content = createContent(s); + container.addElement(new TR().addElement(new TD().setColSpan(2).setVAlign("TOP").addElement(makeMessages(s)))); + container.addElement(new TR().addElement(new TD().setColSpan(2).addElement(content))); + container.addElement(new TR()); + + return (container); + } + + /** + * {@inheritDoc} + * + * Description of the Method + */ + protected Element createContent(WebSession s) + { + ElementContainer ec = new ElementContainer(); + Element b = ECSFactory.makeButton("Start the Course!"); + ec.addElement(new Center(b)); + + return (ec); + } + + /** + * Gets the instructions attribute of the WelcomeScreen object + * + * @return The instructions value + */ + protected String getInstructions() + { + String instructions = "Enter your name and learn how HTTP really works!"; + + return (instructions); + } + + /** + * Gets the title attribute of the WelcomeScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Welcome to the Penetration Testing Course"); + } + + /* + * (non-Javadoc) + * @see session.Screen#getRole() + */ + /** + *

getRole.

+ * + * @return a {@link java.lang.String} object. + */ + public String getRole() + { + return AbstractLesson.USER_ROLE; + } +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/AdminScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/AdminScreen.java index bea43efcf..8808de8d8 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/AdminScreen.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/AdminScreen.java 
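Review bot: The regenerated Javadoc on `setup`, `wrapForm` and `getRole` tells a reader nothing (`setup.`, `a WebSession object`), `createContent` still carries the placeholder `Description of the Method` under `{@inheritDoc}`, and the constructor keeps `@param s Description of the Parameter`; the same placeholder text survives in the AdminScreen, ProductsAdminScreen and RefreshDBScreen hunks below. Turning the license banner into a `/** ... */` comment also makes the GPL text, the unexpanded `$Id: $Id` and the `20014` copyright year the class's published description, so I would keep the license as a plain `/* */` block and give the class a one-sentence Javadoc such as `/** First screen of the course: lays out the message area and a single "Start the Course!" button inside the "attack" form. */`. For `wrapForm` the inline comment already states the only non-obvious contract and it belongs in the Javadoc: `@param s the current session; {@code null} yields an "Invalid Session" placeholder instead of a form` plus a sentence saying createContent(s) must run before makeMessages(s) because it can queue the messages that makeMessages renders. The old `(non-Javadoc) @see session.Screen#getRole()` block comment directly above the new `getRole` Javadoc is now dead text and should be dropped.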
@@ -1,104 +1,111 @@ - -package org.owasp.webgoat.lessons.admin; - -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.session.Screen; -import org.owasp.webgoat.session.WebSession; - - -/*************************************************************************************************** - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. - * - * For details, please see http://webgoat.github.io - * - * @author Jeff Williams Aspect Security - * @created October 28, 2003 - */ -public abstract class AdminScreen extends Screen -{ - - /** - * Description of the Field - */ - protected String query = null; - - /** - * Constructor for the AdminScreen object - * - * @param s - * Description of the Parameter - * @param q - * Description of the Parameter - */ - public AdminScreen(WebSession s, String q) - { - setQuery(q); - - // setupAdmin(s); FIXME: what was this supposed to do? 
- } - - /** - * Constructor for the AdminScreen object - * - * @param s - * Description of the Parameter - */ - public AdminScreen(WebSession s) - { - } - - /** - * Constructor for the AdminScreen object - */ - public AdminScreen() - { - } - - /** - * Gets the title attribute of the AdminScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Admin Information"); - } - - public String getRole() - { - return AbstractLesson.ADMIN_ROLE; - } - - /** - * Sets the query attribute of the AdminScreen object - * - * @param q - * The new query value - */ - public void setQuery(String q) - { - query = q; - } -} + +package org.owasp.webgoat.lessons.admin; + +import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.session.Screen; +import org.owasp.webgoat.session.WebSession; + + +/** + ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. 
+ * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + * + * For details, please see http://webgoat.github.io + * + * @author Jeff Williams Aspect Security + * @since October 28, 2003 + * @version $Id: $Id + */ +public abstract class AdminScreen extends Screen +{ + + /** + * Description of the Field + */ + protected String query = null; + + /** + * Constructor for the AdminScreen object + * + * @param s + * Description of the Parameter + * @param q + * Description of the Parameter + */ + public AdminScreen(WebSession s, String q) + { + setQuery(q); + + // setupAdmin(s); FIXME: what was this supposed to do? + } + + /** + * Constructor for the AdminScreen object + * + * @param s + * Description of the Parameter + */ + public AdminScreen(WebSession s) + { + } + + /** + * Constructor for the AdminScreen object + */ + public AdminScreen() + { + } + + /** + * Gets the title attribute of the AdminScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Admin Information"); + } + + /** + *

getRole.

+ * + * @return a {@link java.lang.String} object. + */ + public String getRole() + { + return AbstractLesson.ADMIN_ROLE; + } + + /** + * Sets the query attribute of the AdminScreen object + * + * @param q + * The new query value + */ + public void setQuery(String q) + { + query = q; + } +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ProductsAdminScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ProductsAdminScreen.java index e88a608ab..cd15836a5 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ProductsAdminScreen.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ProductsAdminScreen.java 
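Review bot: `getRole` is the one method in this class whose value has a security meaning, yet its new Javadoc is `getRole.` / `a String object`; it should say what the role is for, e.g. `@return {@link AbstractLesson#ADMIN_ROLE}; admin screens are intended to be reachable only by a session holding that role` (the check itself is not in this file, so where it is enforced should be confirmed before wording it more strongly). The `s` parameter is unused in both constructors, the three-argument one only feeding the commented-out `setupAdmin(s)` FIXME, so `@param s Description of the Parameter` should become `@param s unused; retained for subclass constructors` rather than a placeholder. Likewise `query` is documented as `Description of the Field` while the code shows it is `null` until `setQuery(String)` is called; `/** Query text for this screen, {@code null} until {@link #setQuery(String)} is called. */` says what is actually true.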
@@ -1,121 +1,126 @@ - -package org.owasp.webgoat.lessons.admin; - -import java.sql.Connection; -import java.sql.ResultSet; -import java.sql.ResultSetMetaData; -import java.sql.Statement; -import org.apache.ecs.Element; -import org.apache.ecs.ElementContainer; -import org.owasp.webgoat.lessons.Category; -import org.owasp.webgoat.lessons.LessonAdapter; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.owasp.webgoat.session.WebSession; - - -/*************************************************************************************************** - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. 
- * - * For details, please see http://webgoat.github.io - * - * @author Jeff Williams Aspect Security - * @created October 28, 2003 - */ -public class ProductsAdminScreen extends LessonAdapter -{ - - private final static String QUERY = "SELECT * FROM product_system_data"; - - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - try - { - Connection connection = DatabaseUtilities.getConnection(s); - - Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet results = statement.executeQuery(QUERY); - - if (results != null) - { - makeSuccess(s); - ResultSetMetaData resultsMetaData = results.getMetaData(); - ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData)); - } - } catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); - } - - return (ec); - } - - /** - * Gets the category attribute of the ProductsAdminScreen object - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.ADMIN_FUNCTIONS; - } - - /** - * Gets the role attribute of the ProductsAdminScreen object - * - * @return The role value - */ - public String getRole() - { - return HACKED_ADMIN_ROLE; - } - - /** - * Gets the title attribute of the ProductsAdminScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Product Information"); - } - - private final static Integer DEFAULT_RANKING = new Integer(1000); - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } -} + +package org.owasp.webgoat.lessons.admin; + +import java.sql.Connection; +import java.sql.ResultSet; +import java.sql.ResultSetMetaData; +import java.sql.Statement; +import org.apache.ecs.Element; +import 
org.apache.ecs.ElementContainer; +import org.owasp.webgoat.lessons.Category; +import org.owasp.webgoat.lessons.LessonAdapter; +import org.owasp.webgoat.session.DatabaseUtilities; +import org.owasp.webgoat.session.WebSession; + + +/** + ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. 
+ * + * For details, please see http://webgoat.github.io + * + * @author Jeff Williams Aspect Security + * @since October 28, 2003 + * @version $Id: $Id + */ +public class ProductsAdminScreen extends LessonAdapter +{ + + private final static String QUERY = "SELECT * FROM product_system_data"; + + /** + * {@inheritDoc} + * + * Description of the Method + */ + protected Element createContent(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + try + { + Connection connection = DatabaseUtilities.getConnection(s); + + Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery(QUERY); + + if (results != null) + { + makeSuccess(s); + ResultSetMetaData resultsMetaData = results.getMetaData(); + ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData)); + } + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + + return (ec); + } + + /** + * Gets the category attribute of the ProductsAdminScreen object + * + * @return The category value + */ + protected Category getDefaultCategory() + { + return Category.ADMIN_FUNCTIONS; + } + + /** + * Gets the role attribute of the ProductsAdminScreen object + * + * @return The role value + */ + public String getRole() + { + return HACKED_ADMIN_ROLE; + } + + /** + * Gets the title attribute of the ProductsAdminScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Product Information"); + } + + private final static Integer DEFAULT_RANKING = new Integer(1000); + + /** + *

getDefaultRanking.

+ * + * @return a {@link java.lang.Integer} object. + */ + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/RefreshDBScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/RefreshDBScreen.java index f9ca6ea12..db3a7e3bf 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/RefreshDBScreen.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/RefreshDBScreen.java 
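Review bot: `createContent` never closes the `Statement` or `ResultSet` it opens, so every render of this screen leaks a JDBC cursor until garbage collection; the `if (results != null)` test is also dead, since `executeQuery` never returns null. If the build targets Java 7 or later, try-with-resources on the statement and result set closes them on every exit path without touching the connection, which comes from `DatabaseUtilities.getConnection(s)` and may be shared with the session, so I have left it open. `catch (Exception e)` with `e.printStackTrace()` sends the real SQL error to stderr only; it should be logged with its cause alongside the generic `s.setMessage(...)`. `new Integer(1000)` should be `Integer.valueOf(1000)`.
```java
    protected Element createContent(WebSession s)
    {
        ElementContainer ec = new ElementContainer();

        try
        {
            Connection connection = DatabaseUtilities.getConnection(s);

            // Statement and ResultSet are closed on every exit path; the connection is
            // handed out by DatabaseUtilities and is deliberately not closed here.
            try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
                                                                  ResultSet.CONCUR_READ_ONLY);
                 ResultSet results = statement.executeQuery(QUERY))
            {
                makeSuccess(s);
                ResultSetMetaData resultsMetaData = results.getMetaData();
                ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
            }
        } catch (Exception e)
        {
            // … unchanged: setMessage / printStackTrace …
        }

        return (ec);
    }
```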
@@ -1,157 +1,162 @@ - -package org.owasp.webgoat.lessons.admin; - -import java.sql.Connection; -import org.owasp.webgoat.lessons.*; -import org.apache.ecs.Element; -import org.apache.ecs.ElementContainer; -import org.apache.ecs.StringElement; -import org.apache.ecs.html.A; -import org.apache.ecs.html.TD; -import org.apache.ecs.html.TR; -import org.apache.ecs.html.Table; -import org.owasp.webgoat.session.*; - - -/*************************************************************************************************** - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. 
- * - * For details, please see http://webgoat.github.io - * - * @author Jeff Williams Aspect Security - * @created October 28, 2003 - */ -public class RefreshDBScreen extends LessonAdapter -{ - - private final static String REFRESH = "Refresh"; - - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - try - { - boolean refresh = s.getParser().getBooleanParameter(REFRESH, false); - - if (refresh) - { - refreshDB(s); - ec.addElement(new StringElement("Successfully refreshed the database.")); - } - else - { - Element label = new StringElement("Refresh the database? "); - A link1 = ECSFactory.makeLink("Yes", REFRESH, true); - A link2 = ECSFactory.makeLink("No", REFRESH, false); - TD td1 = new TD().addElement(label); - TD td2 = new TD().addElement(link1); - TD td3 = new TD().addElement(link2); - TR row = new TR().addElement(td1).addElement(td2).addElement(td3); - Table t = new Table().setCellSpacing(40).setWidth("50%"); - - if (s.isColor()) - { - t.setBorder(1); - } - - t.addElement(row); - ec.addElement(t); - } - } catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); - } - - return (ec); - } - - /** - * Gets the category attribute of the RefreshDBScreen object - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.ADMIN_FUNCTIONS; - } - - private final static Integer DEFAULT_RANKING = new Integer(1000); - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - /** - * Gets the role attribute of the RefreshDBScreen object - * - * @return The role value - */ - public String getRole() - { - return ADMIN_ROLE; - } - - /** - * Gets the title attribute of the RefreshDBScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Refresh 
Database"); - } - - /** - * Description of the Method - * - * @param s - * Description of the Parameter - */ - public void refreshDB(WebSession s) - { - try - { - Connection connection = DatabaseUtilities.getConnection(s); - - CreateDB db = new CreateDB(); - db.makeDB(connection); - System.out.println("Successfully refreshed the database."); - } catch (Exception e) - { - s.setMessage("Error refreshing database " + this.getClass().getName()); - e.printStackTrace(); - } - } -} + +package org.owasp.webgoat.lessons.admin; + +import java.sql.Connection; +import org.owasp.webgoat.lessons.*; +import org.apache.ecs.Element; +import org.apache.ecs.ElementContainer; +import org.apache.ecs.StringElement; +import org.apache.ecs.html.A; +import org.apache.ecs.html.TD; +import org.apache.ecs.html.TR; +import org.apache.ecs.html.Table; +import org.owasp.webgoat.session.*; + + +/** + ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. 
+ * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + * + * For details, please see http://webgoat.github.io + * + * @author Jeff Williams Aspect Security + * @since October 28, 2003 + * @version $Id: $Id + */ +public class RefreshDBScreen extends LessonAdapter +{ + + private final static String REFRESH = "Refresh"; + + /** + * {@inheritDoc} + * + * Description of the Method + */ + protected Element createContent(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + try + { + boolean refresh = s.getParser().getBooleanParameter(REFRESH, false); + + if (refresh) + { + refreshDB(s); + ec.addElement(new StringElement("Successfully refreshed the database.")); + } + else + { + Element label = new StringElement("Refresh the database? "); + A link1 = ECSFactory.makeLink("Yes", REFRESH, true); + A link2 = ECSFactory.makeLink("No", REFRESH, false); + TD td1 = new TD().addElement(label); + TD td2 = new TD().addElement(link1); + TD td3 = new TD().addElement(link2); + TR row = new TR().addElement(td1).addElement(td2).addElement(td3); + Table t = new Table().setCellSpacing(40).setWidth("50%"); + + if (s.isColor()) + { + t.setBorder(1); + } + + t.addElement(row); + ec.addElement(t); + } + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + + return (ec); + } + + /** + * Gets the category attribute of the RefreshDBScreen object + * + * @return The category value + */ + protected Category getDefaultCategory() + { + return Category.ADMIN_FUNCTIONS; + } + + private final static Integer DEFAULT_RANKING = new Integer(1000); + + /** + *

getDefaultRanking.

+ * + * @return a {@link java.lang.Integer} object. + */ + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + /** + * Gets the role attribute of the RefreshDBScreen object + * + * @return The role value + */ + public String getRole() + { + return ADMIN_ROLE; + } + + /** + * Gets the title attribute of the RefreshDBScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Refresh Database"); + } + + /** + * Description of the Method + * + * @param s + * Description of the Parameter + */ + public void refreshDB(WebSession s) + { + try + { + Connection connection = DatabaseUtilities.getConnection(s); + + CreateDB db = new CreateDB(); + db.makeDB(connection); + System.out.println("Successfully refreshed the database."); + } catch (Exception e) + { + s.setMessage("Error refreshing database " + this.getClass().getName()); + e.printStackTrace(); + } + } +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ReportCardScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ReportCardScreen.java index 0cadf0067..4e090758b 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ReportCardScreen.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ReportCardScreen.java 
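Review bot: `createContent` adds `Successfully refreshed the database.` unconditionally after `refreshDB(s)`, but `refreshDB` catches every exception and only calls `s.setMessage(...)`, so a failed rebuild shows the user an error message and a success line at the same time. Having `refreshDB` report whether `db.makeDB(connection)` completed lets the caller emit one or the other; changing `void` to `boolean` is source-compatible for existing callers that ignore the result. The `System.out.println` success line and `e.printStackTrace()` should go through whatever logger the container uses rather than stdout/stderr. The `@param s Description of the Parameter` on `refreshDB` is still a placeholder; the Javadoc in the excerpt below replaces it.
```java
            if (refresh)
            {
                if (refreshDB(s))
                {
                    ec.addElement(new StringElement("Successfully refreshed the database."));
                }
            }
            // … unchanged: "Refresh the database?" link row …

    /**
     * Rebuilds the database through {@link CreateDB#makeDB}.
     *
     * @param s the session whose connection is used; receives an error message on failure
     * @return {@code true} if the rebuild completed, {@code false} if it threw
     */
    public boolean refreshDB(WebSession s)
    {
        try
        {
            Connection connection = DatabaseUtilities.getConnection(s);

            CreateDB db = new CreateDB();
            db.makeDB(connection);
            System.out.println("Successfully refreshed the database.");
            return true;
        } catch (Exception e)
        {
            s.setMessage("Error refreshing database " + this.getClass().getName());
            e.printStackTrace();
            return false;
        }
    }
```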
@@ -1,294 +1,297 @@ - -package org.owasp.webgoat.lessons.admin; - -import java.util.Iterator; -import org.apache.ecs.Element; -import org.apache.ecs.ElementContainer; -import org.apache.ecs.HtmlColor; -import org.apache.ecs.StringElement; -import org.apache.ecs.html.Center; -import org.apache.ecs.html.H2; -import org.apache.ecs.html.TD; -import org.apache.ecs.html.TH; -import org.apache.ecs.html.TR; -import org.apache.ecs.html.Table; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.Category; -import org.owasp.webgoat.lessons.LessonAdapter; -import org.owasp.webgoat.session.LessonTracker; -import org.owasp.webgoat.session.Screen; -import org.owasp.webgoat.session.UserTracker; -import org.owasp.webgoat.session.WebSession; - - -/*************************************************************************************************** - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. 
- * - * For details, please see http://webgoat.github.io - * - * @author Bruce Mayhew WebGoat - * @created October 28, 2003 - */ -public class ReportCardScreen extends LessonAdapter -{ - - /** - * Description of the Field - */ - protected final static String USERNAME = "Username"; - - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - String user = null; - - try - { - if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN)) - { - user = s.getParser().getRawParameter(USERNAME); - } - else - { - user = s.getUserName(); - } - } catch (Exception e) - { - } - - if (user == null) - { - user = s.getUserName(); - } - - ec.addElement(makeFeedback(s)); - ec.addElement(makeReportCard(s, user)); - - return ec; - } - - private Element makeFeedback(WebSession s) - { - ElementContainer ec = new ElementContainer(); - ec.addElement(new StringElement("Comments and suggestions are welcome. " - + getWebgoatContext().getFeedbackAddressHTML() + "

")); - - return ec; - } - - /** - * Gets the category attribute of the UserAdminScreen object - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.ADMIN_FUNCTIONS; - } - - private final static Integer DEFAULT_RANKING = new Integer(1000); - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - /** - * Gets the role attribute of the UserAdminScreen object - * - * @return The role value - */ - public String getRole() - { - return USER_ROLE; - } - - /** - * Gets the title attribute of the UserAdminScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Report Card"); - } - - /** - * Description of the Method - * - * @param screen - * Description of the Parameter - * @param s - * Description of the Parameter - * @param user - * Description of the Parameter - * @return Description of the Return Value - */ - private TR makeLessonRow(WebSession s, String user, Screen screen) - { - LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen); - TR tr = new TR(); - if (lessonTracker.getCompleted()) - { - tr.setBgColor(HtmlColor.LIGHTGREEN); - } - else if (lessonTracker.getNumVisits() == 0) - { - tr.setBgColor(HtmlColor.LIGHTBLUE); - } - else if (!lessonTracker.getCompleted() && lessonTracker.getNumVisits() > 10) - { - tr.setBgColor(HtmlColor.RED); - } - else - { - tr.setBgColor(HtmlColor.YELLOW); - } - tr.addElement(new TD().addElement(screen.getTitle())); - tr.addElement(new TD().setAlign("CENTER").addElement(lessonTracker.getCompleted() ? 
"Y" : "N")); - tr.addElement(new TD().setAlign("CENTER").addElement(Integer.toString(lessonTracker.getNumVisits()))); - tr.addElement(new TD().setAlign("CENTER").addElement(Integer.toString(lessonTracker.getMaxHintLevel()))); - return tr; - } - - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @return Description of the Return Value - */ - protected Element makeMessages(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - return (ec); - } - - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @param user - * Description of the Parameter - * @return Description of the Return Value - */ - public Element makeReportCard(WebSession s, String user) - { - ElementContainer ec = new ElementContainer(); - - ec.addElement(makeUser(s, user)); - Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1); - - if (s.isColor()) - { - t.setBorder(1); - } - TR tr = new TR(); - t.addElement(makeUserHeaderRow()); - - // These are all the user lesson - tr = new TR(); - tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Normal user lessons")); - t.addElement(tr); - for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.USER_ROLE).iterator(); lessonIter - .hasNext();) - { - Screen screen = (Screen) lessonIter.next(); - t.addElement(makeLessonRow(s, user, screen)); - } - - // The user figured out there was a hackable admin acocunt - tr = new TR(); - tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Hackable Admin Screens")); - t.addElement(tr); - for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter - .hasNext();) - { - Screen screen = (Screen) lessonIter.next(); - t.addElement(makeLessonRow(s, user, screen)); - } - - // The user figured out how to actually hack the admin acocunt - tr = new TR(); - tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Actual Admin 
Screens")); - t.addElement(tr); - for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.ADMIN_ROLE).iterator(); lessonIter - .hasNext();) - { - Screen screen = (Screen) lessonIter.next(); - t.addElement(makeLessonRow(s, user, screen)); - } - - ec.addElement(t); - return (ec); - } - - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @param user - * Description of the Parameter - * @return Description of the Return Value - */ - protected Element makeUser(WebSession s, String user) - { - H2 h2 = new H2(); - // FIXME: The session is the current session, not the session of the user we are reporting. - // String type = s.isAdmin() ? " [Administrative User]" : s.isHackedAdmin() ? - // " [Normal User - Hacked Admin Access]" : " [Normal User]"; - String type = ""; - h2.addElement(new StringElement("Results for: " + user + type)); - return h2; - } - - /** - * Description of the Method - * - * @return Description of the Return Value - */ - private TR makeUserHeaderRow() - { - TR tr = new TR(); - - tr.addElement(new TH("Lesson")); - tr.addElement(new TH("Complete")); - tr.addElement(new TH("Visits")); - tr.addElement(new TH("Hints")); - - return tr; - } -} + +package org.owasp.webgoat.lessons.admin; + +import java.util.Iterator; +import org.apache.ecs.Element; +import org.apache.ecs.ElementContainer; +import org.apache.ecs.HtmlColor; +import org.apache.ecs.StringElement; +import org.apache.ecs.html.Center; +import org.apache.ecs.html.H2; +import org.apache.ecs.html.TD; +import org.apache.ecs.html.TH; +import org.apache.ecs.html.TR; +import org.apache.ecs.html.Table; +import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.lessons.Category; +import org.owasp.webgoat.lessons.LessonAdapter; +import org.owasp.webgoat.session.LessonTracker; +import org.owasp.webgoat.session.Screen; +import org.owasp.webgoat.session.UserTracker; +import org.owasp.webgoat.session.WebSession; + + +/** + 
************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. 
+ * + * For details, please see http://webgoat.github.io + * + * @author Bruce Mayhew WebGoat + * @since October 28, 2003 + * @version $Id: $Id + */ +public class ReportCardScreen extends LessonAdapter +{ + + /** + * Description of the Field + */ + protected final static String USERNAME = "Username"; + + /** + * {@inheritDoc} + * + * Description of the Method + */ + protected Element createContent(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + String user = null; + + try + { + if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN)) + { + user = s.getParser().getRawParameter(USERNAME); + } + else + { + user = s.getUserName(); + } + } catch (Exception e) + { + } + + if (user == null) + { + user = s.getUserName(); + } + + ec.addElement(makeFeedback(s)); + ec.addElement(makeReportCard(s, user)); + + return ec; + } + + private Element makeFeedback(WebSession s) + { + ElementContainer ec = new ElementContainer(); + ec.addElement(new StringElement("Comments and suggestions are welcome. " + + getWebgoatContext().getFeedbackAddressHTML() + "

")); + + return ec; + } + + /** + * Gets the category attribute of the UserAdminScreen object + * + * @return The category value + */ + protected Category getDefaultCategory() + { + return Category.ADMIN_FUNCTIONS; + } + + private final static Integer DEFAULT_RANKING = new Integer(1000); + + /** + *

getDefaultRanking.

+ * + * @return a {@link java.lang.Integer} object. + */ + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + /** + * Gets the role attribute of the UserAdminScreen object + * + * @return The role value + */ + public String getRole() + { + return USER_ROLE; + } + + /** + * Gets the title attribute of the UserAdminScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Report Card"); + } + + /** + * Description of the Method + * + * @param screen + * Description of the Parameter + * @param s + * Description of the Parameter + * @param user + * Description of the Parameter + * @return Description of the Return Value + */ + private TR makeLessonRow(WebSession s, String user, Screen screen) + { + LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen); + TR tr = new TR(); + if (lessonTracker.getCompleted()) + { + tr.setBgColor(HtmlColor.LIGHTGREEN); + } + else if (lessonTracker.getNumVisits() == 0) + { + tr.setBgColor(HtmlColor.LIGHTBLUE); + } + else if (!lessonTracker.getCompleted() && lessonTracker.getNumVisits() > 10) + { + tr.setBgColor(HtmlColor.RED); + } + else + { + tr.setBgColor(HtmlColor.YELLOW); + } + tr.addElement(new TD().addElement(screen.getTitle())); + tr.addElement(new TD().setAlign("CENTER").addElement(lessonTracker.getCompleted() ? 
"Y" : "N")); + tr.addElement(new TD().setAlign("CENTER").addElement(Integer.toString(lessonTracker.getNumVisits()))); + tr.addElement(new TD().setAlign("CENTER").addElement(Integer.toString(lessonTracker.getMaxHintLevel()))); + return tr; + } + + /** + * {@inheritDoc} + * + * Description of the Method + */ + protected Element makeMessages(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + return (ec); + } + + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @param user + * Description of the Parameter + * @return Description of the Return Value + */ + public Element makeReportCard(WebSession s, String user) + { + ElementContainer ec = new ElementContainer(); + + ec.addElement(makeUser(s, user)); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1); + + if (s.isColor()) + { + t.setBorder(1); + } + TR tr = new TR(); + t.addElement(makeUserHeaderRow()); + + // These are all the user lesson + tr = new TR(); + tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Normal user lessons")); + t.addElement(tr); + for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.USER_ROLE).iterator(); lessonIter + .hasNext();) + { + Screen screen = (Screen) lessonIter.next(); + t.addElement(makeLessonRow(s, user, screen)); + } + + // The user figured out there was a hackable admin acocunt + tr = new TR(); + tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Hackable Admin Screens")); + t.addElement(tr); + for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter + .hasNext();) + { + Screen screen = (Screen) lessonIter.next(); + t.addElement(makeLessonRow(s, user, screen)); + } + + // The user figured out how to actually hack the admin acocunt + tr = new TR(); + tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Actual Admin Screens")); + t.addElement(tr); + for (Iterator lessonIter = 
s.getCourse().getLessons(s, AbstractLesson.ADMIN_ROLE).iterator(); lessonIter + .hasNext();) + { + Screen screen = (Screen) lessonIter.next(); + t.addElement(makeLessonRow(s, user, screen)); + } + + ec.addElement(t); + return (ec); + } + + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @param user + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element makeUser(WebSession s, String user) + { + H2 h2 = new H2(); + // FIXME: The session is the current session, not the session of the user we are reporting. + // String type = s.isAdmin() ? " [Administrative User]" : s.isHackedAdmin() ? + // " [Normal User - Hacked Admin Access]" : " [Normal User]"; + String type = ""; + h2.addElement(new StringElement("Results for: " + user + type)); + return h2; + } + + /** + * Description of the Method + * + * @return Description of the Return Value + */ + private TR makeUserHeaderRow() + { + TR tr = new TR(); + + tr.addElement(new TH("Lesson")); + tr.addElement(new TH("Complete")); + tr.addElement(new TH("Visits")); + tr.addElement(new TH("Hints")); + + return tr; + } +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/SummaryReportCardScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/SummaryReportCardScreen.java index b9d46e41a..cf9717ac4 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/SummaryReportCardScreen.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/SummaryReportCardScreen.java 
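Review bot: The empty `catch (Exception e) { }` in createContent still swallows every failure from the role check and from `getRawParameter(USERNAME)`, so a broken request silently degrades to the session user with nothing logged; at minimum record it the way the sibling admin screens do, e.g. `catch (Exception e) { s.setMessage("Error reading " + USERNAME + " for " + this.getClass().getName()); e.printStackTrace(); }`. Since this commit is about Javadoc, note that makeLessonRow's `@param` tags are still ordered screen, s, user while the signature is `(WebSession s, String user, Screen screen)`, and createContent's new `{@inheritDoc}` is followed by the leftover placeholder "Description of the Method", which should become a real sentence such as `Builds the report card for the requested user; admins may name another user via the Username parameter, everyone else sees their own.` The admin-supplied `user` value from `getRawParameter(USERNAME)` is concatenated into `"Results for: " + user` in makeUser and added as a StringElement, which appears to emit its content verbatim, so it should be HTML-escaped before being rendered. The header comment also still reads `Copyright (c) 2002 - 20014`.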
@@ -1,314 +1,328 @@ - -package org.owasp.webgoat.lessons.admin; - -import java.util.Enumeration; -import java.util.Iterator; -import org.apache.ecs.Element; -import org.apache.ecs.ElementContainer; -import org.apache.ecs.HtmlColor; -import org.apache.ecs.html.Center; -import org.apache.ecs.html.Input; -import org.apache.ecs.html.P; -import org.apache.ecs.html.TD; -import org.apache.ecs.html.TH; -import org.apache.ecs.html.TR; -import org.apache.ecs.html.Table; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.Category; -import org.owasp.webgoat.lessons.LessonAdapter; -import org.owasp.webgoat.session.LessonTracker; -import org.owasp.webgoat.session.Screen; -import org.owasp.webgoat.session.UserTracker; -import org.owasp.webgoat.session.WebSession; - - -/*************************************************************************************************** - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. 
- * - * For details, please see http://webgoat.github.io - * - * @author Bruce mayhew WebGoat - * @created October 28, 2003 - */ -public class SummaryReportCardScreen extends LessonAdapter -{ - - private int totalUsersNormalComplete = 0; - - private int totalUsersAdminComplete = 0; - - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - String selectedUser = null; - - try - { - if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN)) - { - Enumeration e = s.getParser().getParameterNames(); - - while (e.hasMoreElements()) - { - String key = (String) e.nextElement(); - if (key.startsWith("View_")) - { - selectedUser = key.substring("View_".length()); - ReportCardScreen reportCard = new ReportCardScreen(); - return reportCard.makeReportCard(s, selectedUser); - } - if (key.startsWith("Delete_")) - { - selectedUser = key.substring("Delete_".length()); - deleteUser(selectedUser); - } - } - } - } catch (Exception e) - { - e.printStackTrace(); - } - - ec.addElement(new Center().addElement(makeSummary(s))); - - ec.addElement(new P()); - - Table t = new Table().setCellSpacing(0).setCellPadding(4).setBorder(1).setWidth("100%"); - if (s.isColor()) - { - t.setBorder(1); - } - t.addElement(makeUserSummaryHeader()); - - for (Iterator userIter = UserTracker.instance().getAllUsers(WebSession.WEBGOAT_USER).iterator(); userIter - .hasNext();) - { - - String user = userIter.next(); - t.addElement(makeUserSummaryRow(s, user)); - } - - ec.addElement(new Center().addElement(t)); - - return ec; - } - - protected Element makeSummary(WebSession s) - { - Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("100%"); - if (s.isColor()) - { - t.setBorder(1); - } - TR tr = new TR(); - // tr.addElement( new TH().addElement( "Summary").setColSpan(1)); - // t.addElement( tr ); - - tr = 
new TR(); - tr.addElement(new TD().setWidth("60%").addElement("Total number of users")); - tr.addElement(new TD().setAlign("LEFT").addElement( - Integer.toString(UserTracker.instance() - .getAllUsers(WebSession.WEBGOAT_USER).size()))); - t.addElement(tr); - - tr = new TR(); - tr.addElement(new TD().setWidth("60%").addElement("Total number of users that completed all normal lessons")); - tr.addElement(new TD().setAlign("LEFT").addElement(Integer.toString(totalUsersNormalComplete))); - t.addElement(tr); - - tr = new TR(); - tr.addElement(new TD().setWidth("60%").addElement("Total number of users that completed all admin lessons")); - tr.addElement(new TD().setAlign("LEFT").addElement(Integer.toString(totalUsersAdminComplete))); - t.addElement(tr); - return t; - } - - private void deleteUser(String user) - { - UserTracker.instance().deleteUser(user); - } - - /** - * Gets the category attribute of the UserAdminScreen object - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.ADMIN_FUNCTIONS; - } - - private final static Integer DEFAULT_RANKING = new Integer(1000); - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - /** - * Gets the role attribute of the UserAdminScreen object - * - * @return The role value - */ - public String getRole() - { - return ADMIN_ROLE; - } - - /** - * Gets the title attribute of the UserAdminScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Summary Report Card"); - } - - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @return Description of the Return Value - */ - protected Element makeMessages(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - return (ec); - } - - /** - * Description of the Method - * - * @return Description of the Return Value - */ - protected Element makeUserSummaryHeader() - { - TR tr = new TR(); - - tr.addElement(new TH("User Name")); - 
tr.addElement(new TH("Normal Complete")); - tr.addElement(new TH("Admin Complete")); - tr.addElement(new TH("View")); - tr.addElement(new TH("Delete")); - - return tr; - } - - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @param user - * Description of the Parameter - * @return Description of the Return Value - */ - protected Element makeUserSummaryRow(WebSession s, String user) - { - TR tr = new TR(); - - tr.addElement(new TD().setAlign("LEFT").addElement(user)); - int lessonCount = 0; - int passedCount = 0; - boolean normalComplete = false; - boolean adminComplete = false; - - for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.USER_ROLE).iterator(); lessonIter - .hasNext();) - { - lessonCount++; - Screen screen = (Screen) lessonIter.next(); - - LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen); - if (lessonTracker.getCompleted()) - { - passedCount++; - } - } - if (lessonCount == passedCount) - { - normalComplete = true; - totalUsersNormalComplete++; - } - String text = Integer.toString(passedCount) + " of " + Integer.toString(lessonCount); - tr.addElement(new TD().setAlign("CENTER").addElement(text)); - - lessonCount = 0; - passedCount = 0; - for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter - .hasNext();) - { - lessonCount++; - Screen screen = (Screen) lessonIter.next(); - - LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen); - if (lessonTracker.getCompleted()) - { - passedCount++; - } - } - if (lessonCount == passedCount) - { - adminComplete = true; - totalUsersAdminComplete++; - } - text = Integer.toString(passedCount) + " of " + Integer.toString(lessonCount); - tr.addElement(new TD().setAlign("CENTER").addElement(text)); - - tr.addElement(new TD().setAlign("CENTER").addElement(new Input(Input.SUBMIT, "View_" + user, "View"))); - tr.addElement(new 
TD().setAlign("CENTER").addElement(new Input(Input.SUBMIT, "Delete_" + user, "Delete"))); - - if (normalComplete && adminComplete) - { - tr.setBgColor(HtmlColor.GREEN); - } - else if (normalComplete) - { - tr.setBgColor(HtmlColor.LIGHTGREEN); - } - else - { - tr.setBgColor(HtmlColor.LIGHTBLUE); - } - - return (tr); - } - - public boolean isEnterprise() - { - return true; - } -} + +package org.owasp.webgoat.lessons.admin; + +import java.util.Enumeration; +import java.util.Iterator; +import org.apache.ecs.Element; +import org.apache.ecs.ElementContainer; +import org.apache.ecs.HtmlColor; +import org.apache.ecs.html.Center; +import org.apache.ecs.html.Input; +import org.apache.ecs.html.P; +import org.apache.ecs.html.TD; +import org.apache.ecs.html.TH; +import org.apache.ecs.html.TR; +import org.apache.ecs.html.Table; +import org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.lessons.Category; +import org.owasp.webgoat.lessons.LessonAdapter; +import org.owasp.webgoat.session.LessonTracker; +import org.owasp.webgoat.session.Screen; +import org.owasp.webgoat.session.UserTracker; +import org.owasp.webgoat.session.WebSession; + + +/** + ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. 
+ * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + * + * For details, please see http://webgoat.github.io + * + * @author Bruce mayhew WebGoat + * @since October 28, 2003 + * @version $Id: $Id + */ +public class SummaryReportCardScreen extends LessonAdapter +{ + + private int totalUsersNormalComplete = 0; + + private int totalUsersAdminComplete = 0; + + /** + * {@inheritDoc} + * + * Description of the Method + */ + protected Element createContent(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + String selectedUser = null; + + try + { + if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN)) + { + Enumeration e = s.getParser().getParameterNames(); + + while (e.hasMoreElements()) + { + String key = (String) e.nextElement(); + if (key.startsWith("View_")) + { + selectedUser = key.substring("View_".length()); + ReportCardScreen reportCard = new ReportCardScreen(); + return reportCard.makeReportCard(s, selectedUser); + } + if (key.startsWith("Delete_")) + { + selectedUser = key.substring("Delete_".length()); + deleteUser(selectedUser); + } + } + } + } catch (Exception e) + { + e.printStackTrace(); + } + + ec.addElement(new Center().addElement(makeSummary(s))); + + ec.addElement(new P()); + + Table t = new Table().setCellSpacing(0).setCellPadding(4).setBorder(1).setWidth("100%"); + if (s.isColor()) + { + t.setBorder(1); + } + t.addElement(makeUserSummaryHeader()); + + for (Iterator userIter = UserTracker.instance().getAllUsers(WebSession.WEBGOAT_USER).iterator(); userIter + .hasNext();) + { + + String user = userIter.next(); + t.addElement(makeUserSummaryRow(s, user)); + } + + ec.addElement(new 
Center().addElement(t)); + + return ec; + } + + /** + *

makeSummary.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @return a {@link org.apache.ecs.Element} object. + */ + protected Element makeSummary(WebSession s) + { + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("100%"); + if (s.isColor()) + { + t.setBorder(1); + } + TR tr = new TR(); + // tr.addElement( new TH().addElement( "Summary").setColSpan(1)); + // t.addElement( tr ); + + tr = new TR(); + tr.addElement(new TD().setWidth("60%").addElement("Total number of users")); + tr.addElement(new TD().setAlign("LEFT").addElement( + Integer.toString(UserTracker.instance() + .getAllUsers(WebSession.WEBGOAT_USER).size()))); + t.addElement(tr); + + tr = new TR(); + tr.addElement(new TD().setWidth("60%").addElement("Total number of users that completed all normal lessons")); + tr.addElement(new TD().setAlign("LEFT").addElement(Integer.toString(totalUsersNormalComplete))); + t.addElement(tr); + + tr = new TR(); + tr.addElement(new TD().setWidth("60%").addElement("Total number of users that completed all admin lessons")); + tr.addElement(new TD().setAlign("LEFT").addElement(Integer.toString(totalUsersAdminComplete))); + t.addElement(tr); + return t; + } + + private void deleteUser(String user) + { + UserTracker.instance().deleteUser(user); + } + + /** + * Gets the category attribute of the UserAdminScreen object + * + * @return The category value + */ + protected Category getDefaultCategory() + { + return Category.ADMIN_FUNCTIONS; + } + + private final static Integer DEFAULT_RANKING = new Integer(1000); + + /** + *

getDefaultRanking.

+ * + * @return a {@link java.lang.Integer} object. + */ + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + /** + * Gets the role attribute of the UserAdminScreen object + * + * @return The role value + */ + public String getRole() + { + return ADMIN_ROLE; + } + + /** + * Gets the title attribute of the UserAdminScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Summary Report Card"); + } + + /** + * {@inheritDoc} + * + * Description of the Method + */ + protected Element makeMessages(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + return (ec); + } + + /** + * Description of the Method + * + * @return Description of the Return Value + */ + protected Element makeUserSummaryHeader() + { + TR tr = new TR(); + + tr.addElement(new TH("User Name")); + tr.addElement(new TH("Normal Complete")); + tr.addElement(new TH("Admin Complete")); + tr.addElement(new TH("View")); + tr.addElement(new TH("Delete")); + + return tr; + } + + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @param user + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element makeUserSummaryRow(WebSession s, String user) + { + TR tr = new TR(); + + tr.addElement(new TD().setAlign("LEFT").addElement(user)); + int lessonCount = 0; + int passedCount = 0; + boolean normalComplete = false; + boolean adminComplete = false; + + for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.USER_ROLE).iterator(); lessonIter + .hasNext();) + { + lessonCount++; + Screen screen = (Screen) lessonIter.next(); + + LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen); + if (lessonTracker.getCompleted()) + { + passedCount++; + } + } + if (lessonCount == passedCount) + { + normalComplete = true; + totalUsersNormalComplete++; + } + String text = Integer.toString(passedCount) + " of " + 
Integer.toString(lessonCount); + tr.addElement(new TD().setAlign("CENTER").addElement(text)); + + lessonCount = 0; + passedCount = 0; + for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter + .hasNext();) + { + lessonCount++; + Screen screen = (Screen) lessonIter.next(); + + LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen); + if (lessonTracker.getCompleted()) + { + passedCount++; + } + } + if (lessonCount == passedCount) + { + adminComplete = true; + totalUsersAdminComplete++; + } + text = Integer.toString(passedCount) + " of " + Integer.toString(lessonCount); + tr.addElement(new TD().setAlign("CENTER").addElement(text)); + + tr.addElement(new TD().setAlign("CENTER").addElement(new Input(Input.SUBMIT, "View_" + user, "View"))); + tr.addElement(new TD().setAlign("CENTER").addElement(new Input(Input.SUBMIT, "Delete_" + user, "Delete"))); + + if (normalComplete && adminComplete) + { + tr.setBgColor(HtmlColor.GREEN); + } + else if (normalComplete) + { + tr.setBgColor(HtmlColor.LIGHTGREEN); + } + else + { + tr.setBgColor(HtmlColor.LIGHTBLUE); + } + + return (tr); + } + + /** + *

isEnterprise.

+ * + * @return a boolean. + */ + public boolean isEnterprise() + { + return true; + } +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/UserAdminScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/UserAdminScreen.java index 25af040ea..17e4e8d09 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/UserAdminScreen.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/UserAdminScreen.java 
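Review bot: totalUsersNormalComplete and totalUsersAdminComplete are instance fields that makeUserSummaryRow increments but nothing ever resets, and createContent calls `makeSummary(s)` before the per-user loop that does the counting, so the summary shows the totals accumulated by earlier requests (0 on the first) and keeps growing on every refresh. Reset both fields on the non-returning path and build the rows table before the summary, as below; if the lesson instance is shared between sessions (it looks that way, since the counters live on it), concurrent requests can still interleave, so returning the counts from the loop instead of mutating fields would be the cleaner fix. Separately, `deleteUser(selectedUser)` fires for any request that carries a parameter whose name starts with `Delete_`, with no anti-CSRF token, HTTP-method check or confirmation visible in this hunk; a destructive admin action should be bound to a POST carrying a per-session token.
```java
// … unchanged: admin role check and the View_/Delete_ parameter loop …

// Reset per request: makeUserSummaryRow increments these fields and the
// lesson instance outlives a single request.
totalUsersNormalComplete = 0;
totalUsersAdminComplete = 0;

Table t = new Table().setCellSpacing(0).setCellPadding(4).setBorder(1).setWidth("100%");
// … unchanged: border, makeUserSummaryHeader() and the per-user makeUserSummaryRow loop …

// Only now are the totals for this request known.
ec.addElement(new Center().addElement(makeSummary(s)));
ec.addElement(new P());
ec.addElement(new Center().addElement(t));

return ec;
```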
@@ -1,121 +1,126 @@
-
-package org.owasp.webgoat.lessons.admin;
-
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.ResultSetMetaData;
-import java.sql.Statement;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.LessonAdapter;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * For details, please see http://webgoat.github.io
- *
- * @author Bruce Mayhew WebGoat
- * @created October 28, 2003
- */
-public class UserAdminScreen extends LessonAdapter
-{
-
- private final static String QUERY = "SELECT * FROM user_system_data";
-
- /**
- * Description of the Method
- *
- * @param s
- * Description of the Parameter
- * @return Description of the Return Value
- */
- protected Element createContent(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- try
- {
- Connection connection = DatabaseUtilities.getConnection(s);
-
- Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- ResultSet results = statement.executeQuery(QUERY);
-
- if (results != null)
- {
- makeSuccess(s);
- ResultSetMetaData resultsMetaData = results.getMetaData();
- ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
- }
- } catch (Exception e)
- {
- s.setMessage("Error generating " + this.getClass().getName());
- e.printStackTrace();
- }
-
- return (ec);
- }
-
- /**
- * Gets the category attribute of the UserAdminScreen object
- *
- * @return The category value
- */
- protected Category getDefaultCategory()
- {
- return Category.ADMIN_FUNCTIONS;
- }
-
- private final static Integer DEFAULT_RANKING = new Integer(1000);
-
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
-
- /**
- * Gets the role attribute of the UserAdminScreen object
- *
- * @return The role value
- */
- public String getRole()
- {
- return HACKED_ADMIN_ROLE;
- }
-
- /**
- * Gets the title attribute of the UserAdminScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("User Information");
- }
-}
+
+package org.owasp.webgoat.lessons.admin;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.ResultSetMetaData;
+import java.sql.Statement;
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.LessonAdapter;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.session.WebSession;
+
+
+/**
+ *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ * For details, please see http://webgoat.github.io
+ *
+ * @author Bruce Mayhew WebGoat
+ * @since October 28, 2003
+ * @version $Id: $Id
+ */
+public class UserAdminScreen extends LessonAdapter
+{
+
+ private final static String QUERY = "SELECT * FROM user_system_data";
+
+ /**
+ * {@inheritDoc}
+ *
+ * Description of the Method
+ */
+ protected Element createContent(WebSession s)
+ {
+ ElementContainer ec = new ElementContainer();
+
+ try
+ {
+ Connection connection = DatabaseUtilities.getConnection(s);
+
+ Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
+ ResultSet results = statement.executeQuery(QUERY);
+
+ if (results != null)
+ {
+ makeSuccess(s);
+ ResultSetMetaData resultsMetaData = results.getMetaData();
+ ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
+ }
+ } catch (Exception e)
+ {
+ s.setMessage("Error generating " + this.getClass().getName());
+ e.printStackTrace();
+ }
+
+ return (ec);
+ }
+
+ /**
+ * Gets the category attribute of the UserAdminScreen object
+ *
+ * @return The category value
+ */
+ protected Category getDefaultCategory()
+ {
+ return Category.ADMIN_FUNCTIONS;
+ }
+
+ private final static Integer DEFAULT_RANKING = new Integer(1000);
+
+ /**
+ *

getDefaultRanking.

+ *
+ * @return a {@link java.lang.Integer} object.
+ */
+ protected Integer getDefaultRanking()
+ {
+ return DEFAULT_RANKING;
+ }
+
+ /**
+ * Gets the role attribute of the UserAdminScreen object
+ *
+ * @return The role value
+ */
+ public String getRole()
+ {
+ return HACKED_ADMIN_ROLE;
+ }
+
+ /**
+ * Gets the title attribute of the UserAdminScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ("User Information");
+ }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ViewDatabase.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ViewDatabase.java
index 5d1c40703..feabca8da 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ViewDatabase.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/ViewDatabase.java
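Review bot: In `createContent`, the `Statement` and `ResultSet` created from `DatabaseUtilities.getConnection(s)` are never closed, so every render of this screen leaks a statement handle until the connection (whose lifetime is not visible in this hunk) is discarded; the `ViewDatabase` hunk below has the same pattern. Scoping both in a try-with-resources inside the existing `try` keeps the catch-all handler as it is, as in the excerpt below. Separately, the javadoc the commit settles on for `createContent` — `{@inheritDoc}` followed by the placeholder `Description of the Method` — says nothing; the same placeholder is kept in the `ViewDatabase` and `WelcomeAdminScreen` hunks, and here it could read `Renders every row of {@code user_system_data} as an HTML table for the role returned by {@link #getRole()}.` Finally, `new Integer(1000)` for `DEFAULT_RANKING` should be `Integer.valueOf(1000)`, since the boxed constructor is discouraged in favor of the cached `valueOf`.
```java
Connection connection = DatabaseUtilities.getConnection(s);

// Statement and ResultSet are closed when the block exits, on both the normal
// and the exceptional path; the connection's lifetime is left as before.
try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
        ResultSet.CONCUR_READ_ONLY);
     ResultSet results = statement.executeQuery(QUERY))
{
    // … unchanged: makeSuccess(s) and DatabaseUtilities.writeTable(results, resultsMetaData) …
}
// … unchanged: catch (Exception e) handler and return (ec) …
```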
@@ -1,162 +1,167 @@
-
-package org.owasp.webgoat.lessons.admin;
-
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.ResultSetMetaData;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.List;
-import org.owasp.webgoat.lessons.*;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.Input;
-import org.owasp.webgoat.session.*;
-
-
-/***************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * For details, please see http://webgoat.github.io
- *
- * @author Jeff Williams Aspect Security
- * @created October 28, 2003
- */
-public class ViewDatabase extends LessonAdapter
-{
-
- private final static String SQL = "sql";
-
- /**
- * Description of the Method
- *
- * @param s
- * Description of the Parameter
- * @return Description of the Return Value
- */
- protected Element createContent(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- try
- {
- ec.addElement(new StringElement("Enter a SQL statement: "));
-
- StringBuffer sqlStatement = new StringBuffer(s.getParser().getRawParameter(SQL, ""));
- Input input = new Input(Input.TEXT, SQL, sqlStatement.toString());
- ec.addElement(input);
-
- Element b = ECSFactory.makeButton("Go!");
- ec.addElement(b);
-
- Connection connection = DatabaseUtilities.getConnection(s);
-
- if (sqlStatement.length() > 0)
- {
-
- Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- ResultSet results = statement.executeQuery(sqlStatement.toString());
-
- if ((results != null) && (results.first() == true))
- {
- makeSuccess(s);
- ResultSetMetaData resultsMetaData = results.getMetaData();
- ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
- }
-
- }
- } catch (Exception e)
- {
- s.setMessage("Error generating " + this.getClass().getName());
- e.printStackTrace();
- }
-
- return (ec);
- }
-
- /**
- * Gets the category attribute of the DatabaseScreen object
- *
- * @return The category value
- */
- protected Category getDefaultCategory()
- {
- return Category.ADMIN_FUNCTIONS;
- }
-
- private final static Integer DEFAULT_RANKING = new Integer(1000);
-
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
-
- /**
- * Gets the hints attribute of the DatabaseScreen object
- *
- * @return The hints value
- */
- protected List getHints(WebSession s)
- {
- List hints = new ArrayList();
- hints.add("There are no hints defined");
-
- return hints;
- }
-
- /**
- * Gets the instructions attribute of the ViewDatabase object
- *
- * @return The instructions value
- */
- public String getInstructions(WebSession s)
- {
- String instructions = "Please post a message to to the WebGoat forum. Your messages will be available for everyone to read.";
-
- return (instructions);
- }
-
- /**
- * Gets the role attribute of the ViewDatabase object
- *
- * @return The role value
- */
- public String getRole()
- {
- return HACKED_ADMIN_ROLE;
- }
-
- /**
- * Gets the title attribute of the DatabaseScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Adhoc Query");
- }
-}
+
+package org.owasp.webgoat.lessons.admin;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.ResultSetMetaData;
+import java.sql.Statement;
+import java.util.ArrayList;
+import java.util.List;
+import org.owasp.webgoat.lessons.*;
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.StringElement;
+import org.apache.ecs.html.Input;
+import org.owasp.webgoat.session.*;
+
+
+/**
+ *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ * For details, please see http://webgoat.github.io
+ *
+ * @author Jeff Williams Aspect Security
+ * @since October 28, 2003
+ * @version $Id: $Id
+ */
+public class ViewDatabase extends LessonAdapter
+{
+
+ private final static String SQL = "sql";
+
+ /**
+ * {@inheritDoc}
+ *
+ * Description of the Method
+ */
+ protected Element createContent(WebSession s)
+ {
+ ElementContainer ec = new ElementContainer();
+
+ try
+ {
+ ec.addElement(new StringElement("Enter a SQL statement: "));
+
+ StringBuffer sqlStatement = new StringBuffer(s.getParser().getRawParameter(SQL, ""));
+ Input input = new Input(Input.TEXT, SQL, sqlStatement.toString());
+ ec.addElement(input);
+
+ Element b = ECSFactory.makeButton("Go!");
+ ec.addElement(b);
+
+ Connection connection = DatabaseUtilities.getConnection(s);
+
+ if (sqlStatement.length() > 0)
+ {
+
+ Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
+ ResultSet results = statement.executeQuery(sqlStatement.toString());
+
+ if ((results != null) && (results.first() == true))
+ {
+ makeSuccess(s);
+ ResultSetMetaData resultsMetaData = results.getMetaData();
+ ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
+ }
+
+ }
+ } catch (Exception e)
+ {
+ s.setMessage("Error generating " + this.getClass().getName());
+ e.printStackTrace();
+ }
+
+ return (ec);
+ }
+
+ /**
+ * Gets the category attribute of the DatabaseScreen object
+ *
+ * @return The category value
+ */
+ protected Category getDefaultCategory()
+ {
+ return Category.ADMIN_FUNCTIONS;
+ }
+
+ private final static Integer DEFAULT_RANKING = new Integer(1000);
+
+ /**
+ *

getDefaultRanking.

+ *
+ * @return a {@link java.lang.Integer} object.
+ */
+ protected Integer getDefaultRanking()
+ {
+ return DEFAULT_RANKING;
+ }
+
+ /**
+ * {@inheritDoc}
+ *
+ * Gets the hints attribute of the DatabaseScreen object
+ */
+ protected List getHints(WebSession s)
+ {
+ List hints = new ArrayList();
+ hints.add("There are no hints defined");
+
+ return hints;
+ }
+
+ /**
+ * {@inheritDoc}
+ *
+ * Gets the instructions attribute of the ViewDatabase object
+ */
+ public String getInstructions(WebSession s)
+ {
+ String instructions = "Please post a message to to the WebGoat forum. Your messages will be available for everyone to read.";
+
+ return (instructions);
+ }
+
+ /**
+ * Gets the role attribute of the ViewDatabase object
+ *
+ * @return The role value
+ */
+ public String getRole()
+ {
+ return HACKED_ADMIN_ROLE;
+ }
+
+ /**
+ * Gets the title attribute of the DatabaseScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ("Adhoc Query");
+ }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/WelcomeAdminScreen.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/WelcomeAdminScreen.java
index 3295c01d4..4b86cd26d 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/WelcomeAdminScreen.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/admin/WelcomeAdminScreen.java
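Review bot: The `getInstructions` text the commit keeps, `Please post a message to to the WebGoat forum. Your messages will be available for everyone to read.`, does not describe this screen (its title is `Adhoc Query` and `createContent` only offers a SQL input box) and doubles the word "to"; something like `Enter a SQL statement to run against the WebGoat database; the result set, if any, is shown below.` would match what the screen does. The `createContent` javadoc should also say plainly what the code shows — that the text of the `sql` request parameter is executed verbatim against the application database and the rows tabulated — and that this is deliberate for an admin screen whose role is whatever `getRole()` returns (`HACKED_ADMIN_ROLE` here), so nobody mistakes it for a pattern to copy into a lesson that is meant to be safe. Two smaller points in the same method: `(results != null) && (results.first() == true)` reads better as `results != null && results.first()`, and the `StringBuffer` wrapper around the parameter is only ever converted back with `toString()`, so a plain `String sqlStatement` checked with `!sqlStatement.isEmpty()` is enough.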
@@ -1,89 +1,89 @@
-
-package org.owasp.webgoat.lessons.admin;
-
-import org.owasp.webgoat.lessons.WelcomeScreen;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.html.Center;
-import org.apache.ecs.html.H1;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * For details, please see http://webgoat.github.io
- *
- * @author Jeff Williams Aspect Security
- * @created October 28, 2003
- */
-public class WelcomeAdminScreen extends WelcomeScreen
-{
-
- /**
- * Constructor for the WelcomeAdminScreen object
- *
- * @param s
- * Description of the Parameter
- */
- public WelcomeAdminScreen(WebSession s)
- {
- super(s);
- }
-
- /**
- * Constructor for the WelcomeAdminScreen object
- */
- public WelcomeAdminScreen()
- {
- }
-
- /**
- * Description of the Method
- *
- * @param s
- * Description of the Parameter
- * @return Description of the Return Value
- */
- protected Element createContent(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- ec.addElement(new Center(new H1("You are logged on as an administrator")));
- ec.addElement(super.createContent(s));
-
- return (ec);
- }
-
- /**
- * Gets the title attribute of the WelcomeAdminScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Admin Welcome");
- }
-}
+
+package org.owasp.webgoat.lessons.admin;
+
+import org.owasp.webgoat.lessons.WelcomeScreen;
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.html.Center;
+import org.apache.ecs.html.H1;
+import org.owasp.webgoat.session.WebSession;
+
+
+/**
+ *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ * For details, please see http://webgoat.github.io
+ *
+ * @author Jeff Williams Aspect Security
+ * @since October 28, 2003
+ * @version $Id: $Id
+ */
+public class WelcomeAdminScreen extends WelcomeScreen
+{
+
+ /**
+ * Constructor for the WelcomeAdminScreen object
+ *
+ * @param s
+ * Description of the Parameter
+ */
+ public WelcomeAdminScreen(WebSession s)
+ {
+ super(s);
+ }
+
+ /**
+ * Constructor for the WelcomeAdminScreen object
+ */
+ public WelcomeAdminScreen()
+ {
+ }
+
+ /**
+ * {@inheritDoc}
+ *
+ * Description of the Method
+ */
+ protected Element createContent(WebSession s)
+ {
+ ElementContainer ec = new ElementContainer();
+
+ ec.addElement(new Center(new H1("You are logged on as an administrator")));
+ ec.addElement(super.createContent(s));
+
+ return (ec);
+ }
+
+ /**
+ * Gets the title attribute of the WelcomeAdminScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ("Admin Welcome");
+ }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/Hint.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/Hint.java
index 81f6ccbd2..41abb5532 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/Hint.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/Hint.java
@@ -28,8 +28,10 @@ package org.owasp.webgoat.lessons.model; /** + *

Hint class.

* * @author rlawson + * @version $Id: $Id */ public class Hint { @@ -38,6 +40,8 @@ public class Hint { private int number; /** + *

Getter for the field hint.

+ * * @return the hint */ public String getHint() { @@ -45,6 +49,8 @@ public class Hint { } /** + *

Setter for the field hint.

+ * * @param hint the hint to set */ public void setHint(String hint) { @@ -52,6 +58,8 @@ public class Hint { } /** + *

Getter for the field lesson.

+ * * @return the lesson */ public String getLesson() { @@ -59,6 +67,8 @@ public class Hint { } /** + *

Setter for the field lesson.

+ * * @param lesson the lesson to set */ public void setLesson(String lesson) { @@ -66,6 +76,8 @@ public class Hint { } /** + *

Getter for the field number.

+ * * @return the number */ public int getNumber() { @@ -73,6 +85,8 @@ public class Hint { } /** + *

Setter for the field number.

+ * * @param number the number to set */ public void setNumber(int number) { diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/HttpBasicsModel.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/HttpBasicsModel.java index 83e5d1b51..e5eec8968 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/HttpBasicsModel.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/HttpBasicsModel.java 
@@ -1,48 +1,59 @@
-/***************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * For details, please see http://webgoat.github.io
- */
-package org.owasp.webgoat.lessons.model;
-
-/**
- * Model component for the Http Basics lesson. Using a model
- * for that simple lesson is architectural overkill. We do it anyway
- * for illustrative purposes - to demonstrate the pattern that we will
- * use for more complex lessons.
- *
- */
-public class HttpBasicsModel {
-
- private String personName;
-
- public String getPersonName() {
- return personName;
- }
-
- public void setPersonName(String personName) {
- this.personName = personName;
- }
-}
+/***************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ * For details, please see http://webgoat.github.io
+ */
+package org.owasp.webgoat.lessons.model;
+
+/**
+ * Model component for the Http Basics lesson. Using a model
+ * for that simple lesson is architectural overkill. We do it anyway
+ * for illustrative purposes - to demonstrate the pattern that we will
+ * use for more complex lessons.
+ *
+ * @version $Id: $Id
+ */
+public class HttpBasicsModel {
+
+ private String personName;
+
+ /**
+ *

Getter for the field personName.

+ *
+ * @return a {@link java.lang.String} object.
+ */
+ public String getPersonName() {
+ return personName;
+ }
+
+ /**
+ *

Setter for the field personName.

+ *
+ * @param personName a {@link java.lang.String} object.
+ */
+ public void setPersonName(String personName) {
+ this.personName = personName;
+ }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/LessonMenuItem.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/LessonMenuItem.java
index 6fe0be737..f45df8ead 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/LessonMenuItem.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/LessonMenuItem.java
@@ -34,8 +34,10 @@ import java.util.ArrayList; import java.util.List; /** + *

LessonMenuItem class.

* * @author rlawson + * @version $Id: $Id */ public class LessonMenuItem { @@ -48,6 +50,8 @@ public class LessonMenuItem { private boolean showHints = true; /** + *

Getter for the field name.

+ * * @return the name */ public String getName() { @@ -55,6 +59,8 @@ public class LessonMenuItem { } /** + *

Setter for the field name.

+ * * @param name the name to set */ public void setName(String name) { @@ -62,6 +68,8 @@ public class LessonMenuItem { } /** + *

Getter for the field children.

+ * * @return the children */ public List getChildren() { @@ -69,6 +77,8 @@ public class LessonMenuItem { } /** + *

Setter for the field children.

+ * * @param children the children to set */ public void setChildren(List children) { @@ -76,6 +86,8 @@ public class LessonMenuItem { } /** + *

Getter for the field type.

+ * * @return the type */ public LessonMenuItemType getType() { @@ -83,16 +95,24 @@ public class LessonMenuItem { } /** + *

Setter for the field type.

+ * * @param type the type to set */ public void setType(LessonMenuItemType type) { this.type = type; } + /** + *

addChild.

+ * + * @param child a {@link org.owasp.webgoat.lessons.model.LessonMenuItem} object. + */ public void addChild(LessonMenuItem child) { children.add(child); } + /** {@inheritDoc} */ @Override public String toString() { StringBuilder bldr = new StringBuilder(); @@ -102,6 +122,8 @@ public class LessonMenuItem { } /** + *

isComplete.

+ * * @return the complete */ public boolean isComplete() { @@ -109,6 +131,8 @@ public class LessonMenuItem { } /** + *

Setter for the field complete.

+ * * @param complete the complete to set */ public void setComplete(boolean complete) { @@ -116,6 +140,8 @@ public class LessonMenuItem { } /** + *

Getter for the field link.

+ * * @return the link */ public String getLink() { @@ -123,6 +149,8 @@ public class LessonMenuItem { } /** + *

Setter for the field link.

+ * * @param link the link to set */ public void setLink(String link) { @@ -130,6 +158,8 @@ public class LessonMenuItem { } /** + *

isShowSource.

+ * * @return the showSource */ public boolean isShowSource() { @@ -137,6 +167,8 @@ public class LessonMenuItem { } /** + *

Setter for the field showSource.

+ * * @param showSource the showSource to set */ public void setShowSource(boolean showSource) { @@ -144,6 +176,8 @@ public class LessonMenuItem { } /** + *

isShowHints.

+ * * @return the showHints */ public boolean isShowHints() { @@ -151,6 +185,8 @@ public class LessonMenuItem { } /** + *

Setter for the field showHints.

+ * * @param showHints the showHints to set */ public void setShowHints(boolean showHints) { diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/LessonMenuItemType.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/LessonMenuItemType.java index c639c659f..e73368cec 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/LessonMenuItemType.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/LessonMenuItemType.java @@ -29,8 +29,10 @@ package org.owasp.webgoat.lessons.model; /** + *

LessonMenuItemType class.

* * @author rlawson + * @version $Id: $Id */ public enum LessonMenuItemType { CATEGORY, diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/RequestParameter.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/RequestParameter.java index 3b7b4775a..0d720285a 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/RequestParameter.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/RequestParameter.java 
@@ -1,66 +1,79 @@ -/** - * ************************************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. - * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository - * for free software projects. 
- * - * For details, please see http://webgoat.github.io - */ -package org.owasp.webgoat.lessons.model; - -/** - * - * @author rlawson - */ -public class RequestParameter implements Comparable { - - private final String name; - private final String value; - - public RequestParameter(String name, String value) { - this.name = name; - this.value = value; - } - - /** - * @return the name - */ - public String getName() { - return name; - } - - /** - * @return the values - */ - public String getValue() { - return value; - } - - @Override - public int compareTo(RequestParameter o) { - return this.name.compareTo(o.getName()); - } - -} +/** + * ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository + * for free software projects. + * + * For details, please see http://webgoat.github.io + */ +package org.owasp.webgoat.lessons.model; + +/** + *

RequestParameter class.

+ * + * @author rlawson + * @version $Id: $Id + */ +public class RequestParameter implements Comparable { + + private final String name; + private final String value; + + /** + *

Constructor for RequestParameter.

+ * + * @param name a {@link java.lang.String} object. + * @param value a {@link java.lang.String} object. + */ + public RequestParameter(String name, String value) { + this.name = name; + this.value = value; + } + + /** + *

Getter for the field name.

+ * + * @return the name + */ + public String getName() { + return name; + } + + /** + *

Getter for the field value.

+ * + * @return the values + */ + public String getValue() { + return value; + } + + /** {@inheritDoc} */ + @Override + public int compareTo(RequestParameter o) { + return this.name.compareTo(o.getName()); + } + +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/SourceListing.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/SourceListing.java index 7833d2776..0e7e3272c 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/SourceListing.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/SourceListing.java @@ -1,31 +1,37 @@ -/* - * To change this license header, choose License Headers in Project Properties. - * To change this template file, choose Tools | Templates - * and open the template in the editor. - */ - -package org.owasp.webgoat.lessons.model; - -/** - * - * @author rlawson - */ -public class SourceListing { - - private String source; - - /** - * @return the source - */ - public String getSource() { - return source; - } - - /** - * @param source the source to set - */ - public void setSource(String source) { - this.source = source; - } - -} +/* + * To change this license header, choose License Headers in Project Properties. + * To change this template file, choose Tools | Templates + * and open the template in the editor. + */ + +package org.owasp.webgoat.lessons.model; + +/** + *
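Review bot: `getValue()`'s Javadoc still reads `@return the values` although the method returns the single `value` field; it should be `* @return the value`. The constructor stores `name` without a null check while `compareTo` dereferences it (`this.name.compareTo(o.getName())`), so a null name only surfaces later as a NullPointerException inside a sort; `this.name = Objects.requireNonNull(name, "name");` (with `java.util.Objects` imported) keeps the failure at construction time. `compareTo` orders by name alone while `equals`/`hashCode` are not overridden, so two distinct parameters with the same name compare as equal but are not equal — worth stating in the class Javadoc (`Note: this class has a natural ordering that is inconsistent with equals.`) or fixing by overriding both on `name`. The hunk replaces the whole file; apart from the Javadoc the code appears unchanged.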

SourceListing class.

+ * + * @author rlawson + * @version $Id: $Id + */ +public class SourceListing { + + private String source; + + /** + *

Getter for the field source.

+ * + * @return the source + */ + public String getSource() { + return source; + } + + /** + *

Setter for the field source.

+ * + * @param source the source to set + */ + public void setSource(String source) { + this.source = source; + } + +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/LegacyLoader.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/LegacyLoader.java index d946eacb4..bdd3dd273 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/LegacyLoader.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/LegacyLoader.java @@ -1,256 +1,262 @@ -package org.owasp.webgoat.plugins; - -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.session.WebgoatContext; -import org.owasp.webgoat.session.WebgoatProperties; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import javax.servlet.ServletContext; -import java.io.File; -import java.util.Iterator; -import java.util.LinkedList; -import java.util.List; -import java.util.Set; - -/** - * ************************************************************************************************* - *

- *

- * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ - *

- * Copyright (c) 2002 - 20014 Bruce Mayhew - *

- * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. - *

- * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. - *

- * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. - *

- * Getting Source ============== - *

- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository - * for free software projects. - *

- * For details, please see http://webgoat.github.io - * - * @author Bruce Mayhew WebGoat - * @created October 28, 2003 - */ -public class LegacyLoader { - - final Logger logger = LoggerFactory.getLogger(LegacyLoader.class); - - private final List files = new LinkedList(); - - public LegacyLoader() { - } - - /** - * Take an absolute file and return the filename. - *

- * Ex. /etc/password becomes password - * - * @param s - * @return the file name - */ - private static String getFileName(String s) { - String fileName = new File(s).getName(); - - if (fileName.contains("/")) { - fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length()); - } - - if (fileName.contains(".")) { - fileName = fileName.substring(0, fileName.indexOf(".")); - } - - return fileName; - } - - /** - * Take a class name and return the equivalent file name - *

- * Ex. org.owasp.webgoat becomes org/owasp/webgoat.java - * - * @param className - * @return - */ - private static String getSourceFile(String className) { - StringBuilder sb = new StringBuilder(); - - sb.append(className.replace(".", "/")); - sb.append(".java"); - - return sb.toString(); - } - - /** - * Takes a file name and builds the class file name - * - * @param fileName Description of the Parameter - * @param path Description of the Parameter - * @return Description of the Return Value - */ - private static String getClassFile(String fileName, String path) { - String ext = ".class"; - fileName = fileName.trim(); - - /** - * We do not handle directories. We do not handle files with different - * extensions - */ - if (fileName.endsWith("/") || !fileName.endsWith(ext)) { - return null; - } - - // skip over plugins and/or extracted plugins - if ( fileName.indexOf("lessons/plugin") >= 0 || fileName.indexOf("plugin_extracted") >= 0) { - return null; - } - - // if the file is in /WEB-INF/classes strip the dir info off - int index = fileName.indexOf("/WEB-INF/classes/"); - if (index != -1) { - fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length()); - fileName = fileName.replace('/', '.'); - fileName = fileName.replace('\\', '.'); - } else { - // Strip off the leading path info - fileName = fileName.substring(path.length(), fileName.length() - ext.length()); - } - - return fileName; - } - - - - /** - * Load all of the filenames into a temporary cache - * - * @param context - * @param path - */ - public void loadFiles(ServletContext context, String path) { - logger.debug("Loading files into cache, path: " + path); - Set resourcePaths = context.getResourcePaths(path); - if (resourcePaths == null) { - logger.error("Unable to load file cache for courses, this is probably a bug or configuration issue"); - return; - } - Iterator itr = resourcePaths.iterator(); - - while (itr.hasNext()) { - String file = (String) itr.next(); - 
- if (file.length() != 1 && file.endsWith("/")) { - loadFiles(context, file); - } else { - files.add(file); - } - } - } - - /** - * Instantiate all the lesson objects into a cache - * - * @param path - * @param context - */ - public List loadLessons(WebgoatContext webgoatContext, ServletContext context, String path, WebgoatProperties properties ) { - - loadFiles(context, path); - - List lessons = new LinkedList(); - - for (String file : files) { - String className = getClassFile(file, path); - - if (className != null && !className.endsWith("_i") && className.startsWith("org.owasp.webgoat.lessons.admin")) { - try { - Class c = Class.forName(className); - Object o = c.newInstance(); - - if (o instanceof AbstractLesson) { - AbstractLesson lesson = (AbstractLesson) o; - lesson.setWebgoatContext(webgoatContext); - - lesson.update(properties); - - if (lesson.getHidden() == false) { - lessons.add(lesson); - } - } - } catch (Exception e) { - // Bruce says: - // I don't think we want to log the exception here. We could - // be potentially showing a lot of exceptions that don't matter. - // We would only care if the lesson extended AbstractLesson and we - // can't tell that because it threw the exception. 
Catch 22 - // logger.error("Error in loadLessons: ", e); - } - } - } - loadResources(lessons); - return lessons; - } - - private String getLanguageFromFileName(String first, String absoluteFile) { - int p1 = absoluteFile.indexOf("/", absoluteFile.indexOf(first) + 1); - int p2 = absoluteFile.indexOf("/", p1 + 1); - String langStr = absoluteFile.substring(p1 + 1, p2); - - return langStr; - } - - /** - * For each lesson, set the source file and lesson file - * @param lessons - */ - public void loadResources(List lessons ) { - for (AbstractLesson lesson : lessons) { - logger.info("Loading resources for lesson -> " + lesson.getName()); - String className = lesson.getClass().getName(); - String classFile = getSourceFile(className); - logger.info("Lesson classname: " + className); - logger.info("Lesson java file: " + classFile); - - for (String absoluteFile : files) { - String fileName = getFileName(absoluteFile); - //logger.debug("Course: looking at file: " + absoluteFile); - - if (absoluteFile.endsWith(classFile)) { - logger.info("Set source file for " + classFile); - lesson.setSourceFileName(absoluteFile); - } - - if (absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html") - && className.endsWith(fileName)) { - logger.info("setting lesson plan file " + absoluteFile + " for lesson " - + lesson.getClass().getName()); - logger.info("fileName: " + fileName + " == className: " + className); - String language = getLanguageFromFileName("/lesson_plans", absoluteFile); - lesson.setLessonPlanFileName(language, absoluteFile); - } - if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") - && className.endsWith(fileName)) { - logger.info("setting lesson solution file " + absoluteFile + " for lesson " - + lesson.getClass().getName()); - logger.info("fileName: " + fileName + " == className: " + className); - lesson.setLessonSolutionFileName(absoluteFile); - } - } - } - } - - -} +package org.owasp.webgoat.plugins; + +import 
org.owasp.webgoat.lessons.AbstractLesson; +import org.owasp.webgoat.session.WebgoatContext; +import org.owasp.webgoat.session.WebgoatProperties; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.servlet.ServletContext; +import java.io.File; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; +import java.util.Set; + +/** + ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + * + * For details, please see http://webgoat.github.io + * + * @author Bruce Mayhew WebGoat + * @since October 28, 2003 + * @version $Id: $Id + */ +public class LegacyLoader { + + final Logger logger = LoggerFactory.getLogger(LegacyLoader.class); + + private final List files = new LinkedList(); + + /** + *

Constructor for LegacyLoader.

+ */ + public LegacyLoader() { + } + + /** + * Take an absolute file and return the filename. + * + * Ex. /etc/password becomes password + * + * @param s + * @return the file name + */ + private static String getFileName(String s) { + String fileName = new File(s).getName(); + + if (fileName.contains("/")) { + fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length()); + } + + if (fileName.contains(".")) { + fileName = fileName.substring(0, fileName.indexOf(".")); + } + + return fileName; + } + + /** + * Take a class name and return the equivalent file name + * + * Ex. org.owasp.webgoat becomes org/owasp/webgoat.java + * + * @param className + * @return + */ + private static String getSourceFile(String className) { + StringBuilder sb = new StringBuilder(); + + sb.append(className.replace(".", "/")); + sb.append(".java"); + + return sb.toString(); + } + + /** + * Takes a file name and builds the class file name + * + * @param fileName Description of the Parameter + * @param path Description of the Parameter + * @return Description of the Return Value + */ + private static String getClassFile(String fileName, String path) { + String ext = ".class"; + fileName = fileName.trim(); + + /** + * We do not handle directories. 
We do not handle files with different + * extensions + */ + if (fileName.endsWith("/") || !fileName.endsWith(ext)) { + return null; + } + + // skip over plugins and/or extracted plugins + if ( fileName.indexOf("lessons/plugin") >= 0 || fileName.indexOf("plugin_extracted") >= 0) { + return null; + } + + // if the file is in /WEB-INF/classes strip the dir info off + int index = fileName.indexOf("/WEB-INF/classes/"); + if (index != -1) { + fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length()); + fileName = fileName.replace('/', '.'); + fileName = fileName.replace('\\', '.'); + } else { + // Strip off the leading path info + fileName = fileName.substring(path.length(), fileName.length() - ext.length()); + } + + return fileName; + } + + + + /** + * Load all of the filenames into a temporary cache + * + * @param context a {@link javax.servlet.ServletContext} object. + * @param path a {@link java.lang.String} object. + */ + public void loadFiles(ServletContext context, String path) { + logger.debug("Loading files into cache, path: " + path); + Set resourcePaths = context.getResourcePaths(path); + if (resourcePaths == null) { + logger.error("Unable to load file cache for courses, this is probably a bug or configuration issue"); + return; + } + Iterator itr = resourcePaths.iterator(); + + while (itr.hasNext()) { + String file = (String) itr.next(); + + if (file.length() != 1 && file.endsWith("/")) { + loadFiles(context, file); + } else { + files.add(file); + } + } + } + + /** + * Instantiate all the lesson objects into a cache + * + * @param path a {@link java.lang.String} object. + * @param context a {@link javax.servlet.ServletContext} object. + * @param webgoatContext a {@link org.owasp.webgoat.session.WebgoatContext} object. + * @param properties a {@link org.owasp.webgoat.session.WebgoatProperties} object. + * @return a {@link java.util.List} object. 
+ */ + public List loadLessons(WebgoatContext webgoatContext, ServletContext context, String path, WebgoatProperties properties ) { + + loadFiles(context, path); + + List lessons = new LinkedList(); + + for (String file : files) { + String className = getClassFile(file, path); + + if (className != null && !className.endsWith("_i") && className.startsWith("org.owasp.webgoat.lessons.admin")) { + try { + Class c = Class.forName(className); + Object o = c.newInstance(); + + if (o instanceof AbstractLesson) { + AbstractLesson lesson = (AbstractLesson) o; + lesson.setWebgoatContext(webgoatContext); + + lesson.update(properties); + + if (lesson.getHidden() == false) { + lessons.add(lesson); + } + } + } catch (Exception e) { + // Bruce says: + // I don't think we want to log the exception here. We could + // be potentially showing a lot of exceptions that don't matter. + // We would only care if the lesson extended AbstractLesson and we + // can't tell that because it threw the exception. Catch 22 + // logger.error("Error in loadLessons: ", e); + } + } + } + loadResources(lessons); + return lessons; + } + + private String getLanguageFromFileName(String first, String absoluteFile) { + int p1 = absoluteFile.indexOf("/", absoluteFile.indexOf(first) + 1); + int p2 = absoluteFile.indexOf("/", p1 + 1); + String langStr = absoluteFile.substring(p1 + 1, p2); + + return langStr; + } + + /** + * For each lesson, set the source file and lesson file + * + * @param lessons a {@link java.util.List} object. 
+ */ + public void loadResources(List lessons ) { + for (AbstractLesson lesson : lessons) { + logger.info("Loading resources for lesson -> " + lesson.getName()); + String className = lesson.getClass().getName(); + String classFile = getSourceFile(className); + logger.info("Lesson classname: " + className); + logger.info("Lesson java file: " + classFile); + + for (String absoluteFile : files) { + String fileName = getFileName(absoluteFile); + //logger.debug("Course: looking at file: " + absoluteFile); + + if (absoluteFile.endsWith(classFile)) { + logger.info("Set source file for " + classFile); + lesson.setSourceFileName(absoluteFile); + } + + if (absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html") + && className.endsWith(fileName)) { + logger.info("setting lesson plan file " + absoluteFile + " for lesson " + + lesson.getClass().getName()); + logger.info("fileName: " + fileName + " == className: " + className); + String language = getLanguageFromFileName("/lesson_plans", absoluteFile); + lesson.setLessonPlanFileName(language, absoluteFile); + } + if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") + && className.endsWith(fileName)) { + logger.info("setting lesson solution file " + absoluteFile + " for lesson " + + lesson.getClass().getName()); + logger.info("fileName: " + fileName + " == className: " + className); + lesson.setLessonSolutionFileName(absoluteFile); + } + } + } + } + + +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java index 39cf58235..5d501541e 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java 
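Review bot: `getLanguageFromFileName` computes `p2 = absoluteFile.indexOf("/", p1 + 1)` and passes it straight to `substring`, so a plan file placed directly under `/lesson_plans` (say `/lesson_plans/Foo.html`, which passes the `startsWith`/`endsWith`/`className.endsWith(fileName)` checks in `loadResources`) yields `p2 == -1` and a StringIndexOutOfBoundsException that aborts resource loading for every remaining lesson. Returning `null` from the helper in that case and skipping the file with a warning in `loadResources`, as sketched below, keeps one stray file from taking down the loader. Two smaller things in the same hunk: `getFileName` trims with `fileName.substring(fileName.lastIndexOf("/"), ...)`, which keeps the slash (`lastIndexOf("/") + 1` was presumably meant), although `File.getName()` should already have removed separators so that branch looks unreachable; and the `catch (Exception e)` in `loadLessons` discards the exception entirely — a `logger.debug("Skipping " + className, e)` would keep the diagnostics without the noise the comment worries about. The `@return` on `getSourceFile` and the `@param s` on `getFileName` are still empty after this Javadoc pass.
```java
private String getLanguageFromFileName(String first, String absoluteFile) {
    int p1 = absoluteFile.indexOf("/", absoluteFile.indexOf(first) + 1);
    int p2 = absoluteFile.indexOf("/", p1 + 1);
    // no language directory between the prefix and the file name
    if (p1 < 0 || p2 < 0) {
        return null;
    }
    return absoluteFile.substring(p1 + 1, p2);
}

// … unchanged: loadResources up to the lesson-plan branch …
String language = getLanguageFromFileName("/lesson_plans", absoluteFile);
if (language == null) {
    logger.warn("Lesson plan {} is not inside a language directory, skipping", absoluteFile);
} else {
    lesson.setLessonPlanFileName(language, absoluteFile);
}
```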
@@ -20,6 +20,11 @@ import static org.owasp.webgoat.plugins.PluginFileUtils.fileEndsWith; import static org.owasp.webgoat.plugins.PluginFileUtils.hasParentDirectoryWithName; import static org.owasp.webgoat.plugins.PluginFileUtils.replaceInFiles; +/** + *

Plugin class.

+ * + * @version $Id: $Id + */ public class Plugin { private static final String NAME_LESSON_SOLUTION_DIRECTORY = "lessonSolutions"; @@ -32,12 +37,23 @@ public class Plugin { private List pluginFiles = Lists.newArrayList(); private File lessonSourceFile; + /** + *

Constructor for Plugin.

+ * + * @param pluginDirectory a {@link java.nio.file.Path} object. + */ public Plugin(Path pluginDirectory) { Preconditions.checkNotNull(pluginDirectory, "plugin directory cannot be null"); Preconditions.checkArgument(Files.exists(pluginDirectory), "directory %s does not exists", pluginDirectory); this.pluginDirectory = pluginDirectory; } + /** + *

Constructor for Plugin.

+ * + * @param pluginDirectory a {@link java.nio.file.Path} object. + * @param classes a {@link java.util.List} object. + */ public Plugin(Path pluginDirectory, List classes) { this(pluginDirectory); findLesson(classes); @@ -65,6 +81,11 @@ public class Plugin { } } + /** + *

loadProperties.

+ * + * @param properties a {@link java.util.List} object. + */ public void loadProperties(List properties) { for (Path propertyFile : properties) { LabelProvider.updatePluginResources(propertyFile); @@ -72,6 +93,12 @@ public class Plugin { } } + /** + *
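Review bot: The Javadoc added for `loadProperties` (and for `loadFiles`, `rewritePaths` and the getters in the following hunks, as well as in PluginExtractor, PluginFileUtils and PluginsLoader) is generator boilerplate — `loadProperties.` and `@param properties a {@link java.util.List} object.` restate the signature and tell a reader nothing the compiler does not. It satisfies the doclint check the commit is after, but each of these needs one sentence of contract; for this method `Registers each property file with {@link LabelProvider} so its labels are available to lessons.` and `@param properties the plugin's property files, each passed to {@link LabelProvider#updatePluginResources}` follow directly from the visible body. For `loadFiles`, `@param reload a boolean.` should say what a reload changes, which I cannot tell from the hunk since that body continues outside it.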

loadFiles.

+ * + * @param files a {@link java.util.List} object. + * @param reload a boolean. + */ public void loadFiles(List files, boolean reload) { for (Path file : files) { if (fileEndsWith(file, ".html") && hasParentDirectoryWithName(file, NAME_LESSON_SOLUTION_DIRECTORY)) { @@ -90,6 +117,11 @@ public class Plugin { } } + /** + *

rewritePaths.

+ * + * @param pluginTarget a {@link java.nio.file.Path} object. + */ public void rewritePaths(Path pluginTarget) { try { replaceInFiles(this.lesson.getSimpleName() + "_files", @@ -125,6 +157,8 @@ public class Plugin { /** * Lesson is optional, it is also possible that the supplied jar contains only helper classes. + * + * @return a {@link com.google.common.base.Optional} object. */ public Optional getLesson() { try { @@ -137,18 +171,39 @@ public class Plugin { return Optional.absent(); } + /** + *

getLessonSolution.

+ * + * @param language a {@link java.lang.String} object. + * @return a {@link com.google.common.base.Optional} object. + */ public Optional getLessonSolution(String language) { return Optional.fromNullable(this.solutionLanguageFiles.get(language)); } + /** + *

getLessonSolutions.

+ * + * @return a {@link java.util.Map} object. + */ public Map getLessonSolutions() { return this.solutionLanguageFiles; } + /** + *

getLessonSource.

+ * + * @return a {@link com.google.common.base.Optional} object. + */ public Optional getLessonSource() { return Optional.fromNullable(lessonSourceFile); } + /** + *

getLessonPlans.

+ * + * @return a {@link java.util.Map} object. + */ public Map getLessonPlans() { return this.lessonPlansLanguageFiles; } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginBackgroundLoader.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginBackgroundLoader.java index 675370605..5b9c03c14 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginBackgroundLoader.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginBackgroundLoader.java @@ -9,10 +9,16 @@ import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.TimeUnit; @WebListener +/** + *
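Review bot: `getLessonSolutions()` and `getLessonPlans()` hand out the `solutionLanguageFiles` and `lessonPlansLanguageFiles` fields directly, so any caller can modify the plugin's internal state; the same applies to `getClasses()`, `getFiles()` and `getProperties()` in PluginExtractor. Unless callers are meant to mutate them, return `Collections.unmodifiableMap(this.solutionLanguageFiles)` (and `Collections.unmodifiableList(...)` in PluginExtractor), or at least say in the new Javadoc that the returned collection is live, e.g. `@return the solution files keyed by language; the map is the plugin's own and must not be modified`. The `@return a {@link java.util.Map} object.` lines added here describe neither the keys nor the values. The generics appear to have been stripped in this rendering, so I cannot confirm the exact key and value types from the hunk.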

PluginBackgroundLoader class.

+ * + * @version $Id: $Id + */ public class PluginBackgroundLoader implements ServletContextListener { private ScheduledExecutorService scheduler; + /** {@inheritDoc} */ @Override public void contextInitialized(ServletContextEvent event) { String pluginPath = event.getServletContext().getRealPath("plugin_lessons"); @@ -22,6 +28,7 @@ public class PluginBackgroundLoader implements ServletContextListener { scheduler.scheduleAtFixedRate(new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)), 0, 5, TimeUnit.MINUTES); } + /** {@inheritDoc} */ @Override public void contextDestroyed(ServletContextEvent event) { scheduler.shutdownNow(); diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginExtractor.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginExtractor.java index e955610e2..0cd62840d 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginExtractor.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginExtractor.java @@ -25,6 +25,8 @@ import static org.owasp.webgoat.plugins.PluginFileUtils.hasParentDirectoryWithNa /** * Extract the jar file and place them in the system temp directory in the folder webgoat and collect the files * and classes. + * + * @version $Id: $Id */ public class PluginExtractor { @@ -34,10 +36,20 @@ public class PluginExtractor { private final List files = new ArrayList<>(); private final List properties = new ArrayList<>(); + /** + *
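Review bot: `contextDestroyed` calls `scheduler.shutdownNow()` without checking that `scheduler` was ever assigned; if `contextInitialized` failed before creating the executor (the assignment is outside the hunk, but it follows the `getRealPath(...)` lookups, which can return null), undeploying the web application throws a NullPointerException from the listener. A guard such as `if (scheduler != null) { scheduler.shutdownNow(); }` avoids that. The added `{@inheritDoc}` tags are fine, but a class-level sentence about the reload cadence set by `scheduleAtFixedRate(..., 0, 5, TimeUnit.MINUTES)` would be more useful than `PluginBackgroundLoader class.`.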

Constructor for PluginExtractor.

+ * + * @param pluginArchive a {@link java.nio.file.Path} object. + */ public PluginExtractor(Path pluginArchive) { this.pluginArchive = pluginArchive; } + /** + *

extract.

+ * + * @param target a {@link java.nio.file.Path} object. + */ public void extract(final Path target) { try (FileSystem zip = createZipFileSystem()) { final Path root = zip.getPath("/"); @@ -63,14 +75,29 @@ public class PluginExtractor { } } + /** + *

Getter for the field classes.

+ * + * @return a {@link java.util.List} object. + */ public List getClasses() { return this.classes; } + /** + *

Getter for the field files.

+ * + * @return a {@link java.util.List} object. + */ public List getFiles() { return this.files; } + /** + *

Getter for the field properties.

+ * + * @return a {@link java.util.List} object. + */ public List getProperties() { return this.properties; } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginFileUtils.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginFileUtils.java index e4ae25c35..798fd7af0 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginFileUtils.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginFileUtils.java @@ -14,12 +14,31 @@ import java.util.ArrayList; import java.util.Collection; import java.util.List; +/** + *

PluginFileUtils class.

+ * + * @version $Id: $Id + */ public class PluginFileUtils { + /** + *

fileEndsWith.

+ * + * @param p a {@link java.nio.file.Path} object. + * @param s a {@link java.lang.String} object. + * @return a boolean. + */ public static boolean fileEndsWith(Path p, String s) { return p.getFileName().toString().endsWith(s); } + /** + *

fileEndsWith.

+ * + * @param p a {@link java.nio.file.Path} object. + * @param suffixes a {@link java.lang.String} object. + * @return a boolean. + */ public static boolean fileEndsWith(Path p, String... suffixes) { for (String suffix : suffixes) { if (fileEndsWith(p, suffix)) { @@ -29,6 +48,13 @@ public class PluginFileUtils { return false; } + /** + *

hasParentDirectoryWithName.

+ * + * @param p a {@link java.nio.file.Path} object. + * @param s a {@link java.lang.String} object. + * @return a boolean. + */ public static boolean hasParentDirectoryWithName(Path p, String s) { if (p == null || p.getParent() == null || p.getParent().equals(p.getRoot())) { return false; @@ -39,6 +65,13 @@ public class PluginFileUtils { return hasParentDirectoryWithName(p.getParent(), s); } + /** + *

createDirsIfNotExists.

+ * + * @param p a {@link java.nio.file.Path} object. + * @return a {@link java.nio.file.Path} object. + * @throws java.io.IOException if any. + */ public static Path createDirsIfNotExists(Path p) throws IOException { if (Files.notExists(p)) { Files.createDirectories(p); @@ -46,6 +79,13 @@ public class PluginFileUtils { return p; } + /** + *

getFilesInDirectory.

+ * + * @param directory a {@link java.nio.file.Path} object. + * @return a {@link java.util.List} object. + * @throws java.io.IOException if any. + */ public static List getFilesInDirectory(Path directory) throws IOException { List files = new ArrayList<>(); DirectoryStream dirStream; @@ -57,6 +97,14 @@ public class PluginFileUtils { return files; } + /** + *

replaceInFiles.

+ * + * @param replace a {@link java.lang.String} object. + * @param with a {@link java.lang.String} object. + * @param files a {@link java.util.Collection} object. + * @throws java.io.IOException if any. + */ public static void replaceInFiles(String replace, String with, Collection files) throws IOException { Preconditions.checkNotNull(replace); Preconditions.checkNotNull(with); @@ -67,6 +115,14 @@ public class PluginFileUtils { } } + /** + *

replaceInFile.

+ * + * @param replace a {@link java.lang.String} object. + * @param with a {@link java.lang.String} object. + * @param file a {@link java.nio.file.Path} object. + * @throws java.io.IOException if any. + */ public static void replaceInFile(String replace, String with, Path file) throws IOException { Preconditions.checkNotNull(replace); Preconditions.checkNotNull(with); @@ -78,6 +134,14 @@ public class PluginFileUtils { Files.write(file, fileAsString.getBytes()); } + /** + *

writeFile.

+ * + * @param targetFile a {@link java.nio.file.Path} object. + * @param bytes an array of byte. + * @param options a {@link java.nio.file.OpenOption} object. + * @throws java.io.IOException if any. + */ public static void writeFile(Path targetFile, byte[] bytes, OpenOption... options) throws IOException { createDirsIfNotExists(targetFile.getParent()); if (!Files.exists(targetFile)) { diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginLoadingFailure.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginLoadingFailure.java index b3099e8a4..c47edf4dd 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginLoadingFailure.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginLoadingFailure.java @@ -1,7 +1,18 @@ package org.owasp.webgoat.plugins; +/** + *
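Review bot: `replaceInFile` ends with `Files.write(file, fileAsString.getBytes())`, which encodes with the platform default charset; whether that round-trips the file depends on how the bytes were decoded earlier in the method (outside this hunk), and on a non-UTF-8 default locale HTML files with non-ASCII text can be silently corrupted on rewrite. Use an explicit charset on both sides, `Files.write(file, fileAsString.getBytes(StandardCharsets.UTF_8))`, or `Files.writeString` if the project targets Java 11+. In the `getFilesInDirectory` hunk above, `DirectoryStream dirStream;` is declared as a plain local rather than in a try-with-resources header; that body continues outside the hunk, so please check the stream is closed on every path. The Javadoc added here (`writeFile.`, `@param options a {@link java.nio.file.OpenOption} object.`) does not mention that `writeFile` creates missing parent directories, which is the one thing visible in the hunk worth documenting.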

PluginLoadingFailure class.

+ *
+ * @version $Id: $Id
+ */
 public class PluginLoadingFailure extends RuntimeException {
+ /**
+ *

Constructor for PluginLoadingFailure.

+ *
+ * @param message a {@link java.lang.String} object.
+ * @param e a {@link java.lang.Exception} object.
+ */
 public PluginLoadingFailure(String message, Exception e) {
 super(message, e);
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsLoader.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsLoader.java
index 5093b291d..9f6519f58 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsLoader.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsLoader.java
@@ -22,14 +22,26 @@ import java.util.concurrent.ExecutorCompletionService;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
+/**
+ *
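Review bot: `@version $Id: $Id` is a CVS/SVN keyword that git never expands, so every class touched by this commit will publish the literal text `$Id: $Id` in its generated Javadoc; drop the tag rather than ship the placeholder. The constructor types its cause as `Exception` although `RuntimeException(String, Throwable)` accepts any Throwable, so an Error raised while loading a plugin cannot be wrapped with context; `public PluginLoadingFailure(String message, Throwable cause)` is backward compatible for existing callers. The placeholder `@param e a {@link java.lang.Exception} object.` should say what it is: `@param e the underlying failure, kept as the cause`.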

PluginsLoader class.

+ *
+ * @version $Id: $Id
+ */
 public class PluginsLoader implements Runnable {
+ /** Constant WEBGOAT_PLUGIN_EXTENSION="jar" */
 protected static final String WEBGOAT_PLUGIN_EXTENSION = "jar";
 private final Logger logger = LoggerFactory.getLogger(this.getClass());
 private final Path pluginSource;
 private Path pluginTarget;
+ /**
+ *

Constructor for PluginsLoader.

+ *
+ * @param pluginSource a {@link java.nio.file.Path} object.
+ * @param pluginTarget a {@link java.nio.file.Path} object.
+ */
 public PluginsLoader(Path pluginSource, Path pluginTarget) {
 Preconditions.checkNotNull(pluginSource, "plugin source cannot be null");
 Preconditions.checkNotNull(pluginTarget, "plugin target cannot be null");
@@ -38,6 +50,12 @@ public class PluginsLoader implements Runnable {
 this.pluginTarget = pluginTarget;
 }
+ /**
+ *
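Review bot: The constructor Javadoc should state the trust boundary: files under pluginSource with the WEBGOAT_PLUGIN_EXTENSION (`"jar"`, declared in this hunk) are loaded into the running JVM, so that directory must only be writable by whoever operates WebGoat. Suggested: `@param pluginSource directory scanned for *.jar plugins; anything found there runs with the application's privileges`, `@param pluginTarget directory the plugins are unpacked into (presumably — the extraction code is outside the hunk)`. That the jars are class-loaded follows from loadPlugins taking a PluginClassLoader from the context in the next hunk, but the scan itself is not visible here, so confirm the wording against it. `/** Constant WEBGOAT_PLUGIN_EXTENSION="jar" */` merely restates the declaration; `/** File extension (without the dot) that marks a file under pluginSource as a plugin. */` says why it exists.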

loadPlugins.

+ *
+ * @param reload a boolean.
+ * @return a {@link java.util.List} object.
+ */
 public List loadPlugins(final boolean reload) {
 final PluginClassLoader cl = (PluginClassLoader) Thread.currentThread().getContextClassLoader();
 List plugins = Lists.newArrayList();
@@ -109,6 +127,7 @@ public class PluginsLoader implements Runnable {
 return extractorCallables;
 }
+ /** {@inheritDoc} */
 @Override
 public void run() {
 loadPlugins(true);
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/ApplicationService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/ApplicationService.java
index 188620c24..90094f45f 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/ApplicationService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/ApplicationService.java
@@ -37,8 +37,10 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 /**
+ *
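Review bot: `final PluginClassLoader cl = (PluginClassLoader) Thread.currentThread().getContextClassLoader();` casts unconditionally, and `run()` in the following hunk calls `loadPlugins(true)` from whichever thread executes the Runnable, so a thread whose context loader is not a PluginClassLoader fails with a bare ClassCastException instead of a message that names the problem. A guard such as `ClassLoader ctx = Thread.currentThread().getContextClassLoader(); if (!(ctx instanceof PluginClassLoader)) throw new IllegalStateException("context class loader is not a PluginClassLoader: " + ctx);` before the cast keeps the failure descriptive. The new `@param reload a boolean.` should say what a reload does differently (the code that reads it is outside the hunk), and `@return a {@link java.util.List} object.` should name the element type, since the raw `List` tells callers nothing. loadPlugins continues past the end of the hunk.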

ApplicationService class.

 *
 * @author rlawson
+ * @version $Id: $Id
 */
 @Controller
 public class ApplicationService extends BaseService {
@@ -46,8 +48,8 @@ public class ApplicationService extends BaseService {
 /**
 * Returns global application info
 *
- * @param session
- * @return
+ * @param session a {@link javax.servlet.http.HttpSession} object.
+ * @return a {@link org.owasp.webgoat.application.Application} object.
 */
 @RequestMapping(value = "/application.mvc", produces = "application/json")
 public @ResponseBody
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/BaseService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/BaseService.java
index 1232e57b8..e85fadebc 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/BaseService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/BaseService.java
@@ -44,14 +44,23 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.ResponseStatus;
 /**
+ *

Abstract BaseService class.

 *
 * @author rlawson
+ * @version $Id: $Id
 */
 @RequestMapping("/service")
 public abstract class BaseService {
 private static final Logger logger = LoggerFactory.getLogger(BaseService.class);
+ /**
+ *

handleException.

+ *
+ * @param request a {@link javax.servlet.http.HttpServletRequest} object.
+ * @param ex a {@link java.lang.Exception} object.
+ * @return a {@link org.owasp.webgoat.service.ExceptionInfo} object.
+ */
 @ExceptionHandler(Exception.class)
 @ResponseStatus(value = HttpStatus.I_AM_A_TEAPOT)
 public @ResponseBody
@@ -66,6 +75,12 @@ public abstract class BaseService {
 return response;
 }
+ /**
+ *
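Review bot: handleException is annotated `@ExceptionHandler(Exception.class)` with `@ResponseStatus(value = HttpStatus.I_AM_A_TEAPOT)`, so every uncaught failure in every service controller becomes an ExceptionInfo body with status 418, and the new Javadoc should say what the client receives and what stays server-side. The handler body continues outside the hunk, but this class also exposes a public getStringStackTrace(Throwable); if that text ends up in ExceptionInfo.message it is disclosed to the browser, so log the trace through `logger` and return only a generic message. Suggested summary: `Maps any uncaught exception from a service endpoint to an ExceptionInfo JSON body (HTTP 418); the message returned to the client must not contain stack traces or internal paths.` The placeholder `@param ex a {@link java.lang.Exception} object.` can become `@param ex the exception that escaped the handler method`.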

getWebSession.

+ *
+ * @param session a {@link javax.servlet.http.HttpSession} object.
+ * @return a {@link org.owasp.webgoat.session.WebSession} object.
+ */
 public WebSession getWebSession(HttpSession session) {
 WebSession ws;
 Object o = session.getAttribute(WebSession.SESSION);
@@ -79,6 +94,12 @@ public abstract class BaseService {
 return ws;
 }
+ /**
+ *

getStringStackTrace.

+ *
+ * @param t a {@link java.lang.Throwable} object.
+ * @return a {@link java.lang.String} object.
+ */
 public String getStringStackTrace(Throwable t){
 StringWriter sw = new StringWriter();
 PrintWriter pw = new PrintWriter(sw);
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/CookieService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/CookieService.java
index f780e6bca..402fde5d6 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/CookieService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/CookieService.java
@@ -42,8 +42,10 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.servlet.ModelAndView;
 /**
+ *

CookieService class.

 *
 * @author rlawson
+ * @version $Id: $Id
 */
 @Controller
 public class CookieService extends BaseService {
@@ -51,8 +53,8 @@ public class CookieService extends BaseService {
 /**
 * Returns cookies for last attack
 *
- * @param session
- * @return
+ * @param session a {@link javax.servlet.http.HttpSession} object.
+ * @return a {@link java.util.List} object.
 */
 @RequestMapping(value = "/cookie.mvc", produces = "application/json")
 public @ResponseBody
@@ -65,8 +67,8 @@ public class CookieService extends BaseService {
 /**
 * Returns cookies and params for current lesson
 *
- * @param session
- * @return
+ * @param session a {@link javax.servlet.http.HttpSession} object.
+ * @return a {@link org.springframework.web.servlet.ModelAndView} object.
 */
 @RequestMapping(value = "/cookies_widget.mvc", produces = "text/html")
 public ModelAndView showCookiesAndParamsAsHtml(HttpSession session) {
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/DummyService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/DummyService.java
index b57e8c1ae..5291d5848 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/DummyService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/DummyService.java
@@ -34,12 +34,19 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 /**
+ *

DummyService class.

 *
 * @author rlawson
+ * @version $Id: $Id
 */
 @Controller
 public class DummyService extends BaseService{
+ /**
+ *

firstNames.

+ *
+ * @return a {@link java.util.List} object.
+ */
 @RequestMapping(value = "/first.mvc", produces = "application/json")
 public @ResponseBody
 List firstNames() {
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/ExceptionInfo.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/ExceptionInfo.java
index 04479ccd3..ac661fd1b 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/ExceptionInfo.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/ExceptionInfo.java
@@ -1,54 +1,76 @@ -/*************************************************************************************************** - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. - * - * For details, please see http://webgoat.github.io - */ -package org.owasp.webgoat.service; - -/** - * - * @author rlawson - */ -public class ExceptionInfo { - - private String url; - private String message; - - public String getUrl() { - return url; - } - - public void setUrl(String url) { - this.url = url; - } - - public String getMessage() { - return message; - } - - public void setMessage(String message) { - this.message = message; - } -} +/*************************************************************************************************** + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. 
For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + * + * For details, please see http://webgoat.github.io + */ +package org.owasp.webgoat.service; + +/** + *

ExceptionInfo class.

+ * + * @author rlawson + * @version $Id: $Id + */ +public class ExceptionInfo { + + private String url; + private String message; + + /** + *

Getter for the field url.

+ * + * @return a {@link java.lang.String} object. + */ + public String getUrl() { + return url; + } + + /** + *

Setter for the field url.

+ * + * @param url a {@link java.lang.String} object. + */ + public void setUrl(String url) { + this.url = url; + } + + /** + *

Getter for the field message.

+ * + * @return a {@link java.lang.String} object. + */ + public String getMessage() { + return message; + } + + /** + *

Setter for the field message.

+ * + * @param message a {@link java.lang.String} object. + */ + public void setMessage(String message) { + this.message = message; + } +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java index 84869fca8..76793ad65 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java @@ -17,8 +17,10 @@ import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.servlet.ModelAndView; /** + *
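Review bot: The hunk removes all 54 lines of ExceptionInfo.java and re-adds them with content identical apart from the Javadoc, which points to a line-ending or whitespace rewrite rather than a code change; the real edit can only be reviewed with `git diff -w`, and a `.gitattributes` entry `* text=auto` would stop this from recurring. ExceptionInfo is what the BaseService exception handler returns to the client (its `@return` tag in the previous file names this class), so the new class Javadoc is the place to say that `message` is client-visible: `Serialised to the client when a service endpoint fails; message must be safe to show to an end user and must not carry stack traces.` The retained header still reads `Copyright (c) 2002 - 20014 Bruce Mayhew`, which looks like a typo for 2014.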

HintService class.

* * @author rlawson + * @version $Id: $Id */ @Controller public class HintService extends BaseService { @@ -26,8 +28,8 @@ public class HintService extends BaseService { /** * Returns hints for current lesson * - * @param session - * @return + * @param session a {@link javax.servlet.http.HttpSession} object. + * @return a {@link java.util.List} object. */ @RequestMapping(value = "/hint.mvc", produces = "application/json") public @ResponseBody @@ -55,6 +57,12 @@ public class HintService extends BaseService { return listHints; } + /** + *

showHintsAsHtml.

+ * + * @param session a {@link javax.servlet.http.HttpSession} object. + * @return a {@link org.springframework.web.servlet.ModelAndView} object. + */ @RequestMapping(value = "/hint_widget.mvc", produces = "text/html") public ModelAndView showHintsAsHtml(HttpSession session) { diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java index 562feb20e..d981716ad 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java @@ -47,8 +47,10 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; /** + *

LessonMenuService class.

* * @author rlawson + * @version $Id: $Id */ @Controller public class LessonMenuService extends BaseService { @@ -58,8 +60,8 @@ public class LessonMenuService extends BaseService { /** * Returns the lesson menu which is used to build the left nav * - * @param session - * @return + * @param session a {@link javax.servlet.http.HttpSession} object. + * @return a {@link java.util.List} object. */ @RequestMapping(value = "/lessonmenu.mvc", produces = "application/json") public @ResponseBody diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonPlanService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonPlanService.java index 7f48f3b4b..bf4d85eb6 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonPlanService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonPlanService.java @@ -42,8 +42,10 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; /** + *

LessonPlanService class.

* * @author rlawson + * @version $Id: $Id */ @Controller public class LessonPlanService extends BaseService { @@ -51,8 +53,8 @@ public class LessonPlanService extends BaseService { /** * Returns source for current attack * - * @param session - * @return + * @param session a {@link javax.servlet.http.HttpSession} object. + * @return a {@link java.lang.String} object. */ @RequestMapping(value = "/lessonplan.mvc", produces = "application/html") public @ResponseBody diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonTitleService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonTitleService.java index 938a06850..67508fed5 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonTitleService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonTitleService.java @@ -10,13 +10,18 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; @Controller +/** + *
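Review bot: The summary kept in this hunk, `Returns source for current attack`, is copied from SourceService; the mapping is `/lessonplan.mvc`, so it should read `Returns the lesson plan HTML for the current lesson` (the body that produces it is outside the hunk). The mapping also declares `produces = "application/html"`, which is not a registered media type, so a client negotiating with `Accept: text/html` can be refused with 406 even though the handler returns HTML; `produces = "text/html"` is what CookieService already uses for its HTML widget. The `@return a {@link java.lang.String} object.` tag should add that the string is raw HTML meant for the browser, not plain text.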

LessonTitleService class.

+ * + * @version $Id: $Id + */ public class LessonTitleService extends BaseService { - /** + /** * Returns the title for the current attack * - * @param session - * @return + * @param session a {@link javax.servlet.http.HttpSession} object. + * @return a {@link java.lang.String} object. */ @RequestMapping(value = "/lessontitle.mvc", produces = "application/html") public @ResponseBody diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/ParameterService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/ParameterService.java index 506b89c36..84c1229b3 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/ParameterService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/ParameterService.java @@ -43,8 +43,10 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; /** + *
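Review bot: The new class comment is placed between `@Controller` and `public class LessonTitleService`, and a Javadoc comment only documents a declaration when it precedes all of its modifiers and annotations, so the javadoc tool will not attach this one to the class (newer javac versions can warn about such dangling doc comments) and the Maven Javadoc check the commit is meant to satisfy may still report the class as undocumented. Move the `/** ... */` block above `@Controller`, as the other service classes in this patch do. The retained mapping also uses `produces = "application/html"`; `text/html` is the registered type for the title markup this returns.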

ParameterService class.

* * @author rlawson + * @version $Id: $Id */ @Controller public class ParameterService extends BaseService { @@ -54,8 +56,8 @@ public class ParameterService extends BaseService { /** * Returns request parameters for last attack * - * @param session - * @return + * @param session a {@link javax.servlet.http.HttpSession} object. + * @return a {@link java.util.List} object. */ @RequestMapping(value = "/parameter.mvc", produces = "application/json") public @ResponseBody diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java index 1f0c994ed..ba5ab3099 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java @@ -34,8 +34,10 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; /** + *

RestartLessonService class.

* * @author rlawson + * @version $Id: $Id */ @Controller public class RestartLessonService extends BaseService { @@ -43,8 +45,8 @@ public class RestartLessonService extends BaseService { /** * Returns current lesson * - * @param session - * @return + * @param session a {@link javax.servlet.http.HttpSession} object. + * @return a {@link java.lang.String} object. */ @RequestMapping(value = "/restartlesson.mvc", produces = "text/text") public @ResponseBody diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java index 6d5810e5b..caec4f34d 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java @@ -17,8 +17,10 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; /** + *
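Review bot: `produces = "text/text"` on `/restartlesson.mvc` is not a valid media type (`text/plain` is the registered one), so a client that negotiates with `Accept: text/plain` can get 406 although the handler would return a plain string; change it to `produces = "text/plain"`. The retained summary `Returns current lesson` undersells an endpoint that, by its name, resets lesson state — the handler body is outside the hunk, but the Javadoc should say what is reset and what the returned string denotes, and `@return a {@link java.lang.String} object.` should be replaced accordingly.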

SessionService class.

* * @author rlawson + * @version $Id: $Id */ @Controller public class SessionService extends BaseService { @@ -26,8 +28,9 @@ public class SessionService extends BaseService { /** * Returns hints for current lesson * - * @param session - * @return + * @param session a {@link javax.servlet.http.HttpSession} object. + * @param request a {@link javax.servlet.http.HttpServletRequest} object. + * @return a {@link java.lang.String} object. */ @RequestMapping(value = "/session.mvc", produces = "application/json") public @ResponseBody diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java index d9db4c626..04a3bf3f7 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java @@ -39,8 +39,10 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; /** + *
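Review bot: The summary kept for `/session.mvc`, `Returns hints for current lesson`, is copied from HintService and describes the wrong endpoint; the commit rewrites the tags beneath it but leaves the sentence. The method now documents both an HttpSession and an HttpServletRequest, and what it serialises from them is outside the hunk, so the summary should be written from the handler body — something like `Returns a JSON view of the current WebSession for the UI` if that is what it does — and should state explicitly that session identifiers and credentials are not part of the response. `@param request a {@link javax.servlet.http.HttpServletRequest} object.` should say which request data is read.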

SolutionService class.

* * @author rlawson + * @version $Id: $Id */ @Controller public class SolutionService extends BaseService { @@ -48,8 +50,8 @@ public class SolutionService extends BaseService { /** * Returns solution for current attack * - * @param session - * @return + * @param session a {@link javax.servlet.http.HttpSession} object. + * @return a {@link java.lang.String} object. */ @RequestMapping(value = "/solution.mvc", produces = "text/html") public @ResponseBody @@ -59,6 +61,12 @@ public class SolutionService extends BaseService { return source; } + /** + *

getSolution.

+ * + * @param s a {@link org.owasp.webgoat.session.WebSession} object. + * @return a {@link java.lang.String} object. + */ protected String getSolution(WebSession s) { String source = null; diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java index daf2e922d..5f010423f 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java @@ -44,8 +44,10 @@ import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP; import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP; /** + *

SourceService class.

* * @author rlawson + * @version $Id: $Id */ @Controller public class SourceService extends BaseService { @@ -53,8 +55,8 @@ public class SourceService extends BaseService { /** * Returns source for current attack * - * @param session - * @return + * @param session a {@link javax.servlet.http.HttpSession} object. + * @return a {@link java.lang.String} object. */ @RequestMapping(value = "/source.mvc", produces = "application/text") public @ResponseBody diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/servlets/Controller.java b/webgoat-container/src/main/java/org/owasp/webgoat/servlets/Controller.java index 002140196..9c694b4cf 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/servlets/Controller.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/servlets/Controller.java 
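Review bot: `produces = "application/text"` on `/source.mvc` is not a registered media type; the lesson source comes back as plain text, so `produces = "text/plain"` is what clients will negotiate for and what browsers will render without sniffing. The `@return a {@link java.lang.String} object.` tag should say what the string is: `@return the Java source of the current lesson, presumably with the regions between START_SOURCE_SKIP and END_SOURCE_SKIP removed` — hedged, because the static imports in the previous hunk show those markers are used here while the stripping code is outside the hunk.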
@@ -1 +1,72 @@ -package org.owasp.webgoat.servlets; import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; /** * ************************************************************************************************* * * * This file is part of WebGoat, an Open Web Application Security Project * utility. For details, please see http://www.owasp.org/ * * Copyright (c) 2002 - 20014 Bruce Mayhew * * This program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free Software * Foundation; either version 2 of the License, or (at your option) any later * version. * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more * details. * * You should have received a copy of the GNU General Public License along with * this program; if not, write to the Free Software Foundation, Inc., 59 Temple * Place - Suite 330, Boston, MA 02111-1307, USA. * * Getting Source ============== * * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * for free software projects. 
* * For details, please see http://webgoat.github.io */ public class Controller extends HttpServlet { private static final long serialVersionUID = 1L; protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { doPost(request, response); } protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String userAgent = request.getHeader("user-agent"); String clientBrowser = "Not known!"; if (userAgent != null) { clientBrowser = userAgent; } request.setAttribute("client.browser", clientBrowser); request.getRequestDispatcher("/view.jsp").forward(request, response); } } \ No newline at end of file +package org.owasp.webgoat.servlets; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +/** + * ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
+ * For details, please see http://webgoat.github.io
+ *
+ * @version $Id: $Id
+ */
+public class Controller extends HttpServlet {
+
+ private static final long serialVersionUID = 1L;
+
+ /** {@inheritDoc} */
+ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+
+ doPost(request, response);
+
+ }
+
+ /** {@inheritDoc} */
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException,
+ IOException {
+
+ String userAgent = request.getHeader("user-agent");
+
+ String clientBrowser = "Not known!";
+
+ if (userAgent != null) {
+
+ clientBrowser = userAgent;
+
+ }
+
+ request.setAttribute("client.browser", clientBrowser);
+
+ request.getRequestDispatcher("/view.jsp").forward(request, response);
+
+ }
+
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/Authorization.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/Authorization.java
index cb17ee4af..46df247b1 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/Authorization.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/Authorization.java
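Review bot: `request.setAttribute("client.browser", clientBrowser);` hands the raw User-Agent header to `/view.jsp`; that header is attacker-controlled and unbounded, so unless view.jsp HTML-encodes the attribute (the JSP is not in this diff) this is a reflected XSS sink. Add a comment at the assignment, `// untrusted: User-Agent is client-supplied and must be HTML-encoded by view.jsp`, and consider capping its length before storing it. The class Javadoc is the GPL license block with `@version $Id: $Id` appended to it; a one-sentence summary such as `Forwards to view.jsp with the caller's browser string exposed as the client.browser request attribute` belongs at the top, and both doGet and doPost lack `@Override`. The previous single-line version of this file was replaced wholesale, so none of this code is new behaviour.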
@@ -1,53 +1,72 @@ - -package org.owasp.webgoat.session; - -import java.util.Hashtable; -import java.util.Map; - - -/*************************************************************************************************** - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. 
- * - * For details, please see http://webgoat.github.io - */ -public class Authorization -{ - - Map permissions = new Hashtable(); - - public Authorization() - { - } - - public void setPermission(int userId, int functionId) - { - permissions.put(new Integer(userId), new Integer(functionId)); - } - - public boolean isAllowed(int userId, int functionId) - { - return (permissions.get(new Integer(userId)) != null); - } -} + +package org.owasp.webgoat.session; + +import java.util.Hashtable; +import java.util.Map; + + +/** + ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + * + * For details, please see http://webgoat.github.io + * + * * @version $Id: $Id + */ +public class Authorization +{ + + Map permissions = new Hashtable(); + + /** + *

Constructor for Authorization.

+ */ + public Authorization() + { + } + + /** + *

setPermission.

+ * + * @param userId a int. + * @param functionId a int. + */ + public void setPermission(int userId, int functionId) + { + permissions.put(new Integer(userId), new Integer(functionId)); + } + + /** + *

isAllowed.

+ * + * @param userId a int. + * @param functionId a int. + * @return a boolean. + */ + public boolean isAllowed(int userId, int functionId) + { + return (permissions.get(new Integer(userId)) != null); + } +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java index b381ba71c..cb3c1a188 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java @@ -30,37 +30,36 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; /** - * ************************************************************************************************* - *
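Review bot: `isAllowed` never reads its functionId argument — `return (permissions.get(new Integer(userId)) != null);` grants a user every function as soon as any permission was set for them — and `setPermission` keeps one Integer per user, so a second call replaces the first instead of adding. The new Javadoc (`@param functionId a int.`) hides both, so a reader will assume per-function checks are made; if this is deliberate for a lesson it needs a comment saying so, otherwise key the map by user and keep a set of functions as below (requires importing `java.util.Set` and `java.util.HashSet`). The doubled asterisk on the new `+ * * @version $Id: $Id` line is a separate cosmetic slip, and the whole-file replacement again suggests a line-ending change masking the real edit.
```java
Map<Integer, Set<Integer>> permissions = new Hashtable<Integer, Set<Integer>>();

// … unchanged: constructor …

public void setPermission(int userId, int functionId)
{
    Set<Integer> functions = permissions.get(userId);
    if (functions == null)
    {
        functions = new HashSet<Integer>();
        permissions.put(userId, functions);
    }
    functions.add(functionId);
}

public boolean isAllowed(int userId, int functionId)
{
    Set<Integer> functions = permissions.get(userId);
    return functions != null && functions.contains(functionId);
}
```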

- *

- * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ - *

+ ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * * Copyright (c) 2002 - 20014 Bruce Mayhew - *

- * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. - *

- * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. - *

- * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. - *

+ * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * * Getting Source ============== - *

- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- *

+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
 * For details, please see http://webgoat.github.io
 *
 * @author Bruce Mayhew WebGoat
- * @created October 28, 2003
+ * @since October 28, 2003
+ * @version $Id: $Id
 */
 public class Course {
@@ -76,6 +75,9 @@ public class Course {
 private WebgoatContext webgoatContext;
+ /**
+ *
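Review bot: The added `@version $Id: $Id` line will render literally, because Git does not expand the `$Id$` keyword and the value written here is already the unexpanded placeholder; either drop the tag or give it a real version string such as the Maven project version. `@since` conventionally names a release rather than a date, so `@since October 28, 2003` passes doclint but reads oddly — if the date matters, keep it in prose (`Created October 28, 2003.`) and reserve `@since` for a version. While here, the untouched context line `Copyright (c) 2002 - 20014 Bruce Mayhew` has a stray digit and is presumably meant to read `2002 - 2014`.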

Constructor for Course.

+ */
 public Course() {
 try {
 properties = new WebgoatProperties(PROPERTIES_FILENAME);
@@ -86,7 +88,7 @@ public class Course {
 /**
 * Take an absolute file and return the filename.
- *
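Review bot: `Constructor for Course.` tells a reader nothing beyond the signature, while the body it documents loads the course configuration, so the summary should say so: `Creates the course, loading its configuration from {@code PROPERTIES_FILENAME} through {@link WebgoatProperties}.` The `try` that wraps that load, and whatever it does on failure, continues outside the hunk; once that handler is confirmed, the Javadoc should also state whether a missing or unreadable properties file is fatal or silently tolerated, since a course that silently runs on defaults is easy to misconfigure.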

+ *
 * Ex. /etc/password becomes password
 *
 * @param s
@@ -108,7 +110,7 @@ public class Course {
 /**
 * Take a class name and return the equivalent file name
- *

+ *
 * Ex. org.owasp.webgoat becomes org/owasp/webgoat.java
 *
 * @param className
@@ -190,9 +192,9 @@ public class Course {
 /**
 * Gets the lesson attribute of the Course object
 *
- * @param s
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
 * @param lessonId Description of the Parameter
- * @param roles
+ * @param roles a {@link java.util.List} object.
 * @return The lesson value
 */
 public AbstractLesson getLesson(WebSession s, int lessonId, List roles) {
@@ -214,12 +216,27 @@ public class Course {
 return null;
 }
+ /**
+ *
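Review bot: The new `@param` text in the `@@ -190` hunk (`a {@link org.owasp.webgoat.session.WebSession} object.`, `a {@link java.util.List} object.`) restates the declared type and satisfies doclint without telling a reader what the argument means; the same generated wording recurs in the `@@ -214`, `@@ -229`, `@@ -266`, `@@ -279` and `@@ -326` hunks, and the summaries `getLesson.` and `Getter for the field lessons.` are placeholders too (`getLessons(WebSession, String)` is not a field getter — it builds a one-element role list and delegates). Because `roles` is a raw `List`, say what it holds; the `String role` overload shows the elements are role names, so `@param roles role names ({@code String} elements) that scope the lookup` is more useful than the type. `@return The lesson value` should name the outcome as well, e.g. `the lesson with screen id {@code lessonId}, or {@code null} when none matches` — the `return null;` at the top of the `@@ -214` hunk appears to be this method's fall-through, but its body runs outside the hunk, so confirm before documenting it.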

getLesson.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @param lessonId a int.
+ * @param role a {@link java.lang.String} object.
+ * @return a {@link org.owasp.webgoat.lessons.AbstractLesson} object.
+ */
 public AbstractLesson getLesson(WebSession s, int lessonId, String role) {
 List roles = new ArrayList();
 roles.add(role);
 return getLesson(s, lessonId, roles);
 }
+ /**
+ *

Getter for the field lessons.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @param role a {@link java.lang.String} object.
+ * @return a {@link java.util.List} object.
+ */
 public List getLessons(WebSession s, String role) {
 List roles = new ArrayList();
 roles.add(role);
@@ -229,8 +246,8 @@ public class Course {
 /**
 * Gets the lessons attribute of the Course object
 *
- * @param s
- * @param roles
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @param roles a {@link java.util.List} object.
 * @return The lessons value
 */
 public List getLessons(WebSession s, List roles) {
@@ -266,12 +283,28 @@ public class Course {
 return lessonList;
 }
+ /**
+ *

Getter for the field lessons.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @param category a {@link org.owasp.webgoat.lessons.Category} object.
+ * @param role a {@link java.lang.String} object.
+ * @return a {@link java.util.List} object.
+ */
 public List getLessons(WebSession s, Category category, String role) {
 List roles = new ArrayList();
 roles.add(role);
 return getLessons(s, category, roles);
 }
+ /**
+ *

Getter for the field lessons.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @param category a {@link org.owasp.webgoat.lessons.Category} object.
+ * @param roles a {@link java.util.List} object.
+ * @return a {@link java.util.List} object.
+ */
 public List getLessons(WebSession s, Category category, List roles) {
 if (s.isHackedAdmin()) {
 roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
@@ -279,6 +312,12 @@ public class Course {
 return getLessons(category, roles);
 }
+ /**
+ *
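Review bot: The new Javadoc for `getLessons(WebSession, Category, List)` describes `roles` as `a {@link java.util.List} object.` but not that the method appends `AbstractLesson.HACKED_ADMIN_ROLE` to the caller's list in place when `s.isHackedAdmin()` is true, so a caller that passes a shared or cached role list keeps the elevated role after the call returns — a surprising side effect for a lookup and worth stating up front. Document it as `@param roles role names to filter by; mutated in place — {@code AbstractLesson.HACKED_ADMIN_ROLE} is appended when the session is a hacked admin`, or, if the mutation is not intended, copy first with `List effectiveRoles = new ArrayList(roles);` and add to the copy. The `String role` overload just above builds a fresh `ArrayList`, so only the `List` overload exposes this to callers. The method's `return getLessons(category, roles);` and closing brace fall in the next hunk.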

getLesson.

+ *
+ * @param lessonId a int.
+ * @return a {@link org.owasp.webgoat.lessons.AbstractLesson} object.
+ */
 public AbstractLesson getLesson(int lessonId) {
 for (AbstractLesson l : lessons) {
 if (l.getScreenId() == lessonId) {
@@ -326,7 +365,7 @@ public class Course {
 /**
 * Description of the Method
 *
- * @param webgoatContext
+ * @param webgoatContext a {@link org.owasp.webgoat.session.WebgoatContext} object.
 * @param path Description of the Parameter
 * @param context Description of the Parameter
 */
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java
index 0e04b2033..0d6ceef2f 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java
@@ -1,1038 +1,1040 @@
-
-package org.owasp.webgoat.session;
-
-import java.sql.Connection;
-import java.sql.SQLException;
-import java.sql.Statement;
-import org.owasp.webgoat.lessons.AbstractLesson;
-
-
-/***************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * - * For details, please see http://webgoat.github.io - * - * @author Jeff Williams Aspect Security - */ -public class CreateDB -{ - - /** - * Description of the Method - * - * @param connection - * Description of the Parameter - * - * @exception SQLException - * Description of the Exception - */ - private void createMessageTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Drop admin user table - try - { - String dropTable = "DROP TABLE messages"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop message database"); - } - - // Create the new table - try - { - String createTableStatement = "CREATE TABLE messages (" + "num int not null," + "title varchar(50)," - + "message varchar(200)," + "user_name varchar(50) not null, " + "lesson_type varchar(50) not null" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) - { - System.out.println("Error creating message database " + e.getLocalizedMessage()); - } - } - - /** - * Description of the Method - * - * @param connection Description of the Parameter - * - * @exception SQLException Description of the Exception - */ - private void createMFEImagesTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Drop mfe_images table - try - { - String dropTable = "DROP TABLE mfe_images"; - statement.executeUpdate(dropTable); - } - catch (SQLException e) - { - System.out.println("Info - Could not drop mfe_images table from database"); - } - - // Create the new mfe_images table - try - { - String createTableStatement = "CREATE TABLE mfe_images (" - + "user_name varchar(50) not null, " - + "image_relative_url varchar(50) not null" - + ")"; - statement.executeUpdate(createTableStatement); - } - catch (SQLException e) - { - System.out.println("Error creating mfe_images table in database " + e.getLocalizedMessage()); - } 
- - } - - /** - * Description of the Method - * - * @param connection - * Description of the Parameter - * - * @exception SQLException - * Description of the Exception - */ - private void createProductTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Drop admin user table - try - { - String dropTable = "DROP TABLE product_system_data"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop product table"); - } - - // Create the new table - try - { - String createTableStatement = "CREATE TABLE product_system_data (" - + "productid varchar(6) not null primary key," + "product_name varchar(20)," + "price varchar(10)" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) - { - System.out.println("Error creating product table " + e.getLocalizedMessage()); - } - - // Populate - String insertData1 = "INSERT INTO product_system_data VALUES ('32226','Dog Bone','$1.99')"; - String insertData2 = "INSERT INTO product_system_data VALUES ('35632','DVD Player','$214.99')"; - String insertData3 = "INSERT INTO product_system_data VALUES ('24569','60 GB Hard Drive','$149.99')"; - String insertData4 = "INSERT INTO product_system_data VALUES ('56970','80 GB Hard Drive','$179.99')"; - String insertData5 = "INSERT INTO product_system_data VALUES ('14365','56 inch HDTV','$6999.99')"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - } - - /** - * Description of the Method - * - * @param connection - * Description of the Parameter - * - * @exception SQLException - * Description of the Exception - */ - private void createUserAdminTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Drop admin user table - try - { - String 
dropTable = "DROP TABLE user_system_data"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop user admin table"); - } - - // Create the new table - try - { - String createTableStatement = "CREATE TABLE user_system_data (" + "userid varchar(5) not null primary key," - + "user_name varchar(12)," + "password varchar(10)," + "cookie varchar(30)" + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) - { - System.out.println("Error creating user admin table " + e.getLocalizedMessage()); - } - - // Populate - String insertData1 = "INSERT INTO user_system_data VALUES ('101','jsnow','passwd1', '')"; - String insertData2 = "INSERT INTO user_system_data VALUES ('102','jdoe','passwd2', '')"; - String insertData3 = "INSERT INTO user_system_data VALUES ('103','jplane','passwd3', '')"; - String insertData4 = "INSERT INTO user_system_data VALUES ('104','jeff','jeff', '')"; - String insertData5 = "INSERT INTO user_system_data VALUES ('105','dave','dave', '')"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - } - - /** - * Description of the Method - * - * @param connection - * Description of the Parameter - * - * @exception SQLException - * Description of the Exception - */ - private void createUserDataTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try - { - String dropTable = "DROP TABLE user_data"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop user table"); - } - - // Create the new table - try - { - String createTableStatement = "CREATE TABLE user_data (" + "userid int not null," - + "first_name varchar(20)," + "last_name varchar(20)," + "cc_number varchar(30)," - + "cc_type 
varchar(10)," + "cookie varchar(20)," + "login_count int" + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) - { - System.out.println("Error creating user table " + e.getLocalizedMessage()); - } - - // Populate it - String insertData1 = "INSERT INTO user_data VALUES (101,'Joe','Snow','987654321','VISA',' ',0)"; - String insertData2 = "INSERT INTO user_data VALUES (101,'Joe','Snow','2234200065411','MC',' ',0)"; - String insertData3 = "INSERT INTO user_data VALUES (102,'John','Smith','2435600002222','MC',' ',0)"; - String insertData4 = "INSERT INTO user_data VALUES (102,'John','Smith','4352209902222','AMEX',' ',0)"; - String insertData5 = "INSERT INTO user_data VALUES (103,'Jane','Plane','123456789','MC',' ',0)"; - String insertData6 = "INSERT INTO user_data VALUES (103,'Jane','Plane','333498703333','AMEX',' ',0)"; - String insertData7 = "INSERT INTO user_data VALUES (10312,'Jolly','Hershey','176896789','MC',' ',0)"; - String insertData8 = "INSERT INTO user_data VALUES (10312,'Jolly','Hershey','333300003333','AMEX',' ',0)"; - String insertData9 = "INSERT INTO user_data VALUES (10323,'Grumpy','youaretheweakestlink','673834489','MC',' ',0)"; - String insertData10 = "INSERT INTO user_data VALUES (10323,'Grumpy','youaretheweakestlink','33413003333','AMEX',' ',0)"; - String insertData11 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','123609789','MC',' ',0)"; - String insertData12 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','338893453333','AMEX',' ',0)"; - String insertData13 = "INSERT INTO user_data VALUES (15613,'Joesph','Something','33843453533','AMEX',' ',0)"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData8); - statement.executeUpdate(insertData9); - 
statement.executeUpdate(insertData10); - statement.executeUpdate(insertData11); - statement.executeUpdate(insertData12); - statement.executeUpdate(insertData13); - - } - - private void createLoginTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try - { - String dropTable = "DROP TABLE user_login"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop user_login table"); - } - - // Create the new table - try - { - String createTableStatement = "CREATE TABLE user_login (" + "userid varchar(5)," - + "webgoat_user varchar(20)" + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) - { - System.out.println("Error creating user_login table " + e.getLocalizedMessage()); - } - - } - - // creates the table pins which is used in the blind sql injection lesson - private void createBlindSQLLessonTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try - { - String dropTable = "DROP TABLE pins"; - statement.executeUpdate(dropTable); - } - catch (SQLException e) - { - System.out.println("Info - Could not drop pins table"); - } - - // Create the new table - try - { - String createTableStatement = "CREATE TABLE pins (" - + "cc_number varchar(30)," - + "pin int," - + "name varchar(20)" - + ")"; - statement.executeUpdate(createTableStatement); - } - catch (SQLException e) - { - System.out.println("Error creating pins table " + e.getLocalizedMessage()); - } - - // Populate it - String insertData1 = "INSERT INTO pins VALUES ('987654321098765', 1234, 'Joe')"; - String insertData2 = "INSERT INTO pins VALUES ('1234567890123456', 4567, 'Jack')"; - String insertData3 = "INSERT INTO pins VALUES ('4321432143214321', 4321, 'Jill')"; - String insertData4 = "INSERT INTO pins VALUES ('1111111111111111', 7777, 'Jim')"; - 
String insertData5 = "INSERT INTO pins VALUES ('1111222233334444', 2364, 'John')"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - - } - - // creates the table salaries which is used in the lessons - // which add or modify data using sql injection - private void createModifyWithSQLLessonTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try - { - String dropTable = "DROP TABLE salaries"; - statement.executeUpdate(dropTable); - } - catch (SQLException e) - { - System.out.println("Info - Could not drop salaries table"); - } - - // Create the new table - try - { - String createTableStatement = "CREATE TABLE salaries (" - + "userid varchar(50)," - + "salary int" - + ")"; - statement.executeUpdate(createTableStatement); - } - catch (SQLException e) - { - System.out.println("Error creating salaries table " + e.getLocalizedMessage()); - } - - // Populate it - String insertData1 = "INSERT INTO salaries VALUES ('jsmith', 20000)"; - String insertData2 = "INSERT INTO salaries VALUES ('lsmith', 45000)"; - String insertData3 = "INSERT INTO salaries VALUES ('wgoat', 100000)"; - String insertData4 = "INSERT INTO salaries VALUES ('rjones', 777777)"; - String insertData5 = "INSERT INTO salaries VALUES ('manderson', 65000)"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - - } - - /** - * Description of the Method - * - * @param connection - * Description of the Parameter - * - * @exception SQLException - * Description of the Exception - */ - private void createWeatherDataTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // 
Delete table if there is one - try - { - String dropTable = "DROP TABLE weather_data"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop weather table"); - } - - // Create the new table - try - { - String createTableStatement = "CREATE TABLE weather_data (" + "station int not null," - + "name varchar(20) not null," + "state char(2) not null," + "min_temp int not null," - + "max_temp int not null" + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) - { - System.out.println("Error creating weather table " + e.getLocalizedMessage()); - } - - // Populate it - String insertData1 = "INSERT INTO weather_data VALUES (101,'Columbia','MD',-10,102)"; - String insertData2 = "INSERT INTO weather_data VALUES (102,'Seattle','WA',-15,90)"; - String insertData3 = "INSERT INTO weather_data VALUES (103,'New York','NY',-10,110)"; - String insertData4 = "INSERT INTO weather_data VALUES (104,'Houston','TX',20,120)"; - String insertData5 = "INSERT INTO weather_data VALUES (10001,'Camp David','MD',-10,100)"; - String insertData6 = "INSERT INTO weather_data VALUES (11001,'Ice Station Zebra','NA',-60,30)"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - } - - /** - * Create users with tans - * - * @param connection - * @throws SQLException - */ - private void createTanUserDataTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try - { - String dropTable = "DROP TABLE user_data_tan"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop user_data_tan table"); - } - - // Create the new table - try - { - String createTableStatement = "CREATE TABLE user_data_tan 
(" + "userid int not null," - + "first_name varchar(20)," + "last_name varchar(20)," + "cc_number varchar(30)," - + "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int," + "password varchar(20)" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) - { - System.out.println("Error creating user_data_tan table " + e.getLocalizedMessage()); - } - - // Populate it - String insertData1 = "INSERT INTO user_data_tan VALUES (101,'Joe','Snow','987654321','VISA',' ',0, 'banana')"; - String insertData2 = "INSERT INTO user_data_tan VALUES (102,'Jane','Plane','74589864','MC',' ',0, 'tarzan')"; - String insertData3 = "INSERT INTO user_data_tan VALUES (103,'Jack','Sparrow','68659365','MC',' ',0, 'sniffy')"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - } - - /** - * Create the Table for the tans - * - * @param connection - * @throws SQLException - */ - private void createTanTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try - { - String dropTable = "DROP TABLE tan"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop tan table"); - } - - // Create the new table - try - { - String createTableStatement = "CREATE TABLE tan (" + "userid int not null," + "tanNr int," + "tanValue int" - + ")"; - statement.executeUpdate(createTableStatement); - } catch (SQLException e) - { - System.out.println("Error creating tan table " + e.getLocalizedMessage()); - } - - // Populate it - String insertData1 = "INSERT INTO tan VALUES (101,1,15161)"; - String insertData2 = "INSERT INTO tan VALUES (101,2,4894)"; - String insertData3 = "INSERT INTO tan VALUES (101,3,18794)"; - String insertData4 = "INSERT INTO tan VALUES (101,4,1564)"; - String insertData5 = "INSERT INTO tan VALUES (101,5,45751)"; - - String insertData6 = "INSERT 
INTO tan VALUES (102,1,15648)"; - String insertData7 = "INSERT INTO tan VALUES (102,2,92156)"; - String insertData8 = "INSERT INTO tan VALUES (102,3,4879)"; - String insertData9 = "INSERT INTO tan VALUES (102,4,9458)"; - String insertData10 = "INSERT INTO tan VALUES (102,5,4879)"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData8); - statement.executeUpdate(insertData9); - statement.executeUpdate(insertData10); - - } - - // -------------------------------------------------------------------------- - // -------------------------------------------------------------------------- - // - // The tables below are for WebGoat Financials - // - // DO NOT MODIFY THESE TABLES - unless you change the org chart - // and access control matrix documents - // - // -------------------------------------------------------------------------- - // -------------------------------------------------------------------------- - - private void createEmployeeTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - try - { - String dropTable = "DROP TABLE employee"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop employee table"); - } - - // Create Table - try - { - String createTable = "CREATE TABLE employee (" - // + "userid INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY," - + "userid INT NOT NULL PRIMARY KEY," + "first_name VARCHAR(20)," + "last_name VARCHAR(20)," - + "ssn VARCHAR(12)," + "password VARCHAR(10)," + "title VARCHAR(20)," + "phone VARCHAR(13)," - + "address1 VARCHAR(80)," + "address2 VARCHAR(80)," + "manager INT," + "start_date CHAR(8)," - + "salary INT," + "ccn VARCHAR(30)," + "ccn_limit INT," + 
"email VARCHAR(30)," // reason - // for the recent write-up - + "disciplined_date CHAR(8)," // date of write up, NA otherwise - + "disciplined_notes VARCHAR(60)," // reason for the recent write-up - + "personal_description VARCHAR(60)" // We can be rude here - // + ",CONSTRAINT fl UNIQUE NONCLUSTERED (first_name, last_name)" - + ")"; - - statement.executeUpdate(createTable); - } catch (SQLException e) - { - System.out.println("Error: unable to create employee table " + e.getLocalizedMessage()); - } - - String insertData1 = "INSERT INTO employee VALUES (101, 'Larry', 'Stooge', '386-09-5451', 'larry'," - + "'Technician','443-689-0192','9175 Guilford Rd','New York, NY', 102, 01012000,55000,'2578546969853547'," - + "5000,'larry@stooges.com',010106,'Constantly harassing coworkers','Does not work well with others')"; - - String insertData2 = "INSERT INTO employee VALUES (102, 'Moe', 'Stooge', '936-18-4524','moe'," - + "'CSO','443-938-5301', '3013 AMD Ave', 'New York, NY', 112, 03082003, 140000, 'NA', 0, 'moe@stooges.com', 0101013, " - + "'Hit Curly over head', 'Very dominating over Larry and Curly')"; - - String insertData3 = "INSERT INTO employee VALUES (103, 'Curly', 'Stooge', '961-08-0047','curly'," - + "'Technician','410-667-6654', '1112 Crusoe Lane', 'New York, NY', 102, 02122001, 50000, 'NA', 0, 'curly@stooges.com', 0101014, " - + "'Hit Moe back', 'Owes three-thousand to company for fradulent purchases')"; - - String insertData4 = "INSERT INTO employee VALUES (104, 'Eric', 'Walker', '445-66-5565','eric'," - + "'Engineer','410-887-1193', '1160 Prescott Rd', 'New York, NY', 107, 12152005, 13000, 'NA', 0, 'eric@modelsrus.com',0101013, " - + "'Bothering Larry about webgoat problems', 'Late. Always needs help. 
Too intern-ish.')"; - - String insertData5 = "INSERT INTO employee VALUES (105, 'Tom', 'Cat', '792-14-6364','tom'," - + "'Engineer','443-599-0762', '2211 HyperThread Rd.', 'New York, NY', 106, 01011999, 80000, '5481360857968521', 30000, 'tom@wb.com', 0, " - + "'NA', 'Co-Owner.')"; - - String insertData6 = "INSERT INTO employee VALUES (106, 'Jerry', 'Mouse', '858-55-4452','jerry'," - + "'Human Resources','443-699-3366', '3011 Unix Drive', 'New York, NY', 102, 01011999, 70000, '6981754825013564', 20000, 'jerry@wb.com', 0, " - + "'NA', 'Co-Owner.')"; - - String insertData7 = "INSERT INTO employee VALUES (107, 'David', 'Giambi', '439-20-9405','david'," - + "'Human Resources','610-521-8413', '5132 DIMM Avenue', 'New York, NY', 102, 05011999, 100000, '6981754825018101', 10000, 'david@modelsrus.com', 061402, " - + "'Hacked into accounting server. Modified personal pay.', 'Strong work habbit. Questionable ethics.')"; - - String insertData8 = "INSERT INTO employee VALUES (108, 'Bruce', 'McGuirre', '707-95-9482','bruce'," - + "'Engineer','610-282-1103', '8899 FreeBSD Drive ', 'New York, NY', 107, 03012000, 110000, '6981754825854136', 30000, 'bruce@modelsrus.com', 061502, " - + "'Tortuous Boot Camp workout at 5am. Employees felt sick.', 'Enjoys watching others struggle in exercises.')"; - - String insertData9 = "INSERT INTO employee VALUES (109, 'Sean', 'Livingston', '136-55-1046','sean'," - + "'Engineer','610-878-9549', '6422 dFlyBSD Road', 'New York, NY', 107, 06012003, 130000, '6981754825014510', 5000, 'sean@modelsrus.com', 072804, " - + "'Late to work 30 days in row due to excessive Halo 2', 'Has some fascination with Steelers. Go Ravens.')"; - - String insertData10 = "INSERT INTO employee VALUES (110, 'Joanne', 'McDougal', '789-54-2413','joanne'," - + "'Human Resources','610-213-6341', '5567 Broadband Lane', 'New York, NY', 106, 01012001, 90000, '6981754825081054', 300, 'joanne@modelsrus.com', 112005, " - + "'Used company cc to purchase new car. 
Limit adjusted.', 'Finds it necessary to leave early every day.')"; - - String insertData11 = "INSERT INTO employee VALUES (111, 'John', 'Wayne', '129-69-4572', 'john'," - + "'CTO','610-213-1134', '129 Third St', 'New York, NY', 112, 01012001, 200000, '4437334565679921', 300, 'john@guns.com', 112005, " - + "'', '')"; - String insertData12 = "INSERT INTO employee VALUES (112, 'Neville', 'Bartholomew', '111-111-1111', 'socks'," - + "'CEO','408-587-0024', '1 Corporate Headquarters', 'San Jose, CA', 112, 03012000, 450000, '4803389267684109', 300000, 'neville@modelsrus.com', 112005, " - + "'', '')"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData8); - statement.executeUpdate(insertData9); - statement.executeUpdate(insertData10); - statement.executeUpdate(insertData11); - statement.executeUpdate(insertData12); - - } - - private void createRolesTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - try - { - String dropTable = "DROP TABLE roles"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop roles table"); - } - - try - { - String createTable = "CREATE TABLE roles (" + "userid INT NOT NULL," + "role VARCHAR(10) NOT NULL," - + "PRIMARY KEY (userid, role)" + ")"; - - statement.executeUpdate(createTable); - } catch (SQLException e) - { - System.out.println("Error: Unable to create role table: " + e.getLocalizedMessage()); - } - - String insertData1 = "INSERT INTO roles VALUES (101, 'employee')"; - String insertData2 = "INSERT INTO roles VALUES (102, 'manager')"; - String insertData3 = "INSERT INTO roles VALUES (103, 'employee')"; - String insertData4 = "INSERT INTO roles VALUES (104, 
'employee')"; - String insertData5 = "INSERT INTO roles VALUES (105, 'employee')"; - String insertData6 = "INSERT INTO roles VALUES (106, 'hr')"; - String insertData7 = "INSERT INTO roles VALUES (107, 'manager')"; - String insertData8 = "INSERT INTO roles VALUES (108, 'employee')"; - String insertData9 = "INSERT INTO roles VALUES (109, 'employee')"; - String insertData10 = "INSERT INTO roles VALUES (110, 'hr')"; - String insertData11 = "INSERT INTO roles VALUES (111, 'admin')"; - String insertData12 = "INSERT INTO roles VALUES (112, 'admin')"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData8); - statement.executeUpdate(insertData9); - statement.executeUpdate(insertData10); - statement.executeUpdate(insertData11); - statement.executeUpdate(insertData12); - } - - private void createAuthTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - try - { - String dropTable = "DROP TABLE auth"; - statement.executeUpdate(dropTable); - } catch (SQLException e) - { - System.out.println("Info - Could not drop auth table"); - } - - try - { - String createTable = "CREATE TABLE auth (" + "role VARCHAR(10) NOT NULL," - + "functionid VARCHAR(20) NOT NULL," + "PRIMARY KEY (role, functionid)" + ")"; - - statement.executeUpdate(createTable); - } catch (SQLException e) - { - System.out.println("Error: unable to create auth table: " + e.getLocalizedMessage()); - } - - String insertData1 = "INSERT INTO auth VALUES('employee', 'Logout')"; - String insertData2 = "INSERT INTO auth VALUES('employee', 'ListStaff')"; - String insertData3 = "INSERT INTO auth VALUES('employee', 'ViewProfile')"; - String insertData4 = "INSERT INTO auth VALUES('employee', 'EditProfile')"; - 
String insertData4_1 = "INSERT INTO auth VALUES('employee', 'SearchStaff')"; - String insertData4_2 = "INSERT INTO auth VALUES('employee', 'FindProfile')"; - String insertData5 = "INSERT INTO auth VALUES('manager', 'Logout')"; - String insertData6 = "INSERT INTO auth VALUES('manager', 'ListStaff')"; - String insertData7 = "INSERT INTO auth VALUES('manager', 'ViewProfile')"; - String insertData7_1 = "INSERT INTO auth VALUES('manager', 'SearchStaff')"; - String insertData7_2 = "INSERT INTO auth VALUES('manager', 'FindProfile')"; - // String insertData8 = "INSERT INTO auth VALUES('manager', 'EditProfile')"; - // String insertData9 = "INSERT INTO auth VALUES('manager', 'CreateProfile')"; - // String insertData10 = "INSERT INTO auth VALUES('manager', 'DeleteProfile')"; - // String insertData11 = "INSERT INTO auth VALUES('manager', 'UpdateProfile')"; - String insertData12 = "INSERT INTO auth VALUES('hr', 'Logout')"; - String insertData13 = "INSERT INTO auth VALUES('hr', 'ListStaff')"; - String insertData14 = "INSERT INTO auth VALUES('hr', 'ViewProfile')"; - String insertData15 = "INSERT INTO auth VALUES('hr', 'EditProfile')"; - String insertData16 = "INSERT INTO auth VALUES('hr', 'CreateProfile')"; - String insertData17 = "INSERT INTO auth VALUES('hr', 'DeleteProfile')"; - String insertData18 = "INSERT INTO auth VALUES('hr', 'UpdateProfile')"; - String insertData18_1 = "INSERT INTO auth VALUES('hr', 'SearchStaff')"; - String insertData18_2 = "INSERT INTO auth VALUES('hr', 'FindProfile')"; - String insertData19 = "INSERT INTO auth VALUES('admin', 'Logout')"; - String insertData20 = "INSERT INTO auth VALUES('admin', 'ListStaff')"; - String insertData21 = "INSERT INTO auth VALUES('admin', 'ViewProfile')"; - String insertData22 = "INSERT INTO auth VALUES('admin', 'EditProfile')"; - String insertData23 = "INSERT INTO auth VALUES('admin', 'CreateProfile')"; - String insertData24 = "INSERT INTO auth VALUES('admin', 'DeleteProfile')"; - String insertData25 = "INSERT INTO auth 
VALUES('admin', 'UpdateProfile')";
- String insertData25_1 = "INSERT INTO auth VALUES('admin', 'SearchStaff')";
- String insertData25_2 = "INSERT INTO auth VALUES('admin', 'FindProfile')";
-
- // Add a permission for the webgoat role to see the source.
- // The challenge(s) will change the default role to "challenge"
- String insertData26 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOURCE
- + "')";
- String insertData27 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWHINTS
- + "')";
- // Add a permission for the webgoat role to see the solution.
- // The challenge(s) will change the default role to "challenge"
- String insertData28 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOLUTION
- + "')";
-
- statement.executeUpdate(insertData1);
- statement.executeUpdate(insertData2);
- statement.executeUpdate(insertData3);
- statement.executeUpdate(insertData4);
- statement.executeUpdate(insertData4_1);
- statement.executeUpdate(insertData4_2);
- statement.executeUpdate(insertData5);
- statement.executeUpdate(insertData6);
- statement.executeUpdate(insertData7);
- statement.executeUpdate(insertData7_1);
- statement.executeUpdate(insertData7_2);
- // statement.executeUpdate(insertData8);
- // statement.executeUpdate(insertData9);
- // statement.executeUpdate(insertData10);
- // statement.executeUpdate(insertData11);
- statement.executeUpdate(insertData12);
- statement.executeUpdate(insertData13);
- statement.executeUpdate(insertData14);
- statement.executeUpdate(insertData15);
- statement.executeUpdate(insertData16);
- statement.executeUpdate(insertData17);
- statement.executeUpdate(insertData18);
- statement.executeUpdate(insertData18_1);
- statement.executeUpdate(insertData18_2);
- statement.executeUpdate(insertData19);
- statement.executeUpdate(insertData20);
- statement.executeUpdate(insertData21);
- statement.executeUpdate(insertData22);
- statement.executeUpdate(insertData23);
- statement.executeUpdate(insertData24);
- statement.executeUpdate(insertData25);
- statement.executeUpdate(insertData25_1);
- statement.executeUpdate(insertData25_2);
- statement.executeUpdate(insertData26);
- statement.executeUpdate(insertData27);
- statement.executeUpdate(insertData28);
- }
-
- private void createOwnershipTable(Connection connection) throws SQLException
- {
- Statement statement = connection.createStatement();
-
- try
- {
- String dropTable = "DROP TABLE ownership";
- statement.executeUpdate(dropTable);
- } catch (SQLException e)
- {
- System.out.println("Info - Could not drop ownership table");
- }
-
- try
- {
- String createTable = "CREATE TABLE ownership (" + "employer_id INT NOT NULL," + "employee_id INT NOT NULL,"
- + "PRIMARY KEY (employee_id, employer_id)" + ")";
-
- statement.executeUpdate(createTable);
- } catch (SQLException e)
- {
- System.out.println("Error: unable to create ownership table: " + e.getLocalizedMessage());
- }
-
- String inputData = "INSERT INTO ownership VALUES (112, 101)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (112, 102)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (112, 103)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (112, 104)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (112, 105)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (112, 106)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (112, 107)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (112, 108)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (112, 109)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (112, 110)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (112, 111)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (112, 112)";
- statement.executeUpdate(inputData);
-
- inputData = "INSERT INTO ownership VALUES (102, 101)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (102, 102)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (102, 103)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (102, 104)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (102, 105)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (102, 106)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (102, 107)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (102, 108)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (102, 109)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (102, 110)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (102, 111)";
- statement.executeUpdate(inputData);
-
- inputData = "INSERT INTO ownership VALUES (111, 101)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (111, 102)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (111, 103)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (111, 104)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (111, 105)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (111, 106)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (111, 107)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (111, 108)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (111, 109)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (111, 110)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (111, 111)";
- statement.executeUpdate(inputData);
-
- inputData = "INSERT INTO ownership VALUES (106, 105)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (106, 106)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (106, 110)";
- statement.executeUpdate(inputData);
-
- inputData = "INSERT INTO ownership VALUES (101, 101)";
- statement.executeUpdate(inputData);
-
- inputData = "INSERT INTO ownership VALUES (103, 103)";
- statement.executeUpdate(inputData);
-
- inputData = "INSERT INTO ownership VALUES (107, 104)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (107, 108)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (107, 109)";
- statement.executeUpdate(inputData);
- inputData = "INSERT INTO ownership VALUES (107, 107)";
- statement.executeUpdate(inputData);
-
- inputData = "INSERT INTO ownership VALUES (105, 105)";
- statement.executeUpdate(inputData);
-
- inputData = "INSERT INTO ownership VALUES (110, 110)";
- statement.executeUpdate(inputData);
-
- inputData = "INSERT INTO ownership VALUES (104, 104)";
- statement.executeUpdate(inputData);
-
- inputData = "INSERT INTO ownership VALUES (108, 108)";
- statement.executeUpdate(inputData);
-
- inputData = "INSERT INTO ownership VALUES (109, 109)";
- statement.executeUpdate(inputData);
-
- }
-
- // --------------------------------------------------------------------------
- //
- // End of WebGoat Financials
- //
- // --------------------------------------------------------------------------
-
- /**
- * Start creation of data for WebServices labs
- */
-
- private void createTransactionTable(Connection connection) throws SQLException
- {
- Statement statement = connection.createStatement();
-
- try
- {
- String dropTable = "DROP TABLE transactions";
- statement.executeUpdate(dropTable);
- } catch (SQLException e)
- {
- System.out.println("Info - Could not drop transactions table");
- }
-
- try
- {
- String createTable = "CREATE TABLE Transactions (" + "userName VARCHAR(16) NOT NULL, "
- + "sequence INTEGER NOT NULL, " + "from_account VARCHAR(16) NOT NULL, "
- + "to_account VARCHAR(16) NOT NULL, " + "transactionDate TIMESTAMP NOT NULL, "
- + "description VARCHAR(255) NOT NULL, " + "amount INTEGER NOT NULL" + ")";
-
- statement.executeUpdate(createTable);
- } catch (SQLException e)
- {
- System.out.println("Error: unable to create transactions table: " + e.getLocalizedMessage());
- throw e;
- }
-
- String[] data = new String[] {
- "'dave', 0, '238-4723-4024', '324-7635-9867', '2008-02-06 21:40:00', 'Mortgage', '150'",
- "'dave', 1, '238-4723-4024', '324-7635-9867', '2008-02-12 21:41:00', 'Car', '150'",
- "'dave', 2, '238-4723-4024', '324-7635-9867', '2008-02-20 21:42:00', 'School fees', '150'",
- "'CEO', 3, '348-6324-9872', '345-3490-8345', '2008-02-15 21:40:00', 'Rolls Royce', '-150000'",
- "'CEO', 4, '348-6324-9872', '342-5893-4503', '2008-02-25 21:41:00', 'Mansion', '-150000'",
- "'CEO', 5, '348-6324-9872', '980-2344-5492', '2008-02-27 21:42:00', 'Vacation', '-150000'",
- "'jeff', 6, '934-2002-3485', '783-2409-8234', '2008-02-01 21:40:00', 'Vet', '250'",
- "'jeff', 7, '934-2002-3485', '634-5879-0345', '2008-02-19 21:41:00', 'Doctor', '800'",
- "'jeff', 8, '934-2002-3485', '435-4325-3358', '2008-02-20 21:42:00', 'X-rays', '200'", };
- try
- {
- for (int i = 0; i < data.length; i++)
- {
- statement.executeUpdate("INSERT INTO Transactions VALUES (" + data[i] + ");");
- }
- } catch (SQLException sqle)
- {
- System.out.println("Error: Unable to insert transactions: " + sqle.getLocalizedMessage());
- int errorCode = sqle.getErrorCode();
- System.out.println("Error Code: " + errorCode);
- // ignore exceptions for Oracle and SQL Server
- if (errorCode != 911 && errorCode != 273) { throw sqle; }
- }
- }
-
- /**
- * Description of the Method
- *
- * @param connection
- * Description of the Parameter
- *
- * @exception SQLException
- * Description of the Exception
- */
- public void makeDB(Connection connection) throws SQLException
- {
- System.out.println("Successful connection to database");
- createUserDataTable(connection);
- createLoginTable(connection);
- createBlindSQLLessonTable(connection);
- createUserAdminTable(connection);
- createProductTable(connection);
- createMessageTable(connection);
- createEmployeeTable(connection);
- createRolesTable(connection);
- createAuthTable(connection);
- createOwnershipTable(connection);
- createWeatherDataTable(connection);
- createTransactionTable(connection);
- createTanUserDataTable(connection);
- createTanTable(connection);
- createMFEImagesTable(connection);
- createModifyWithSQLLessonTable(connection);
- System.out.println("Success: creating tables.");
- }
-}
+
+package org.owasp.webgoat.session;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+import org.owasp.webgoat.lessons.AbstractLesson;
+
+
+/**
+ *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ * For details, please see http://webgoat.github.io
+ *
+ * @author Jeff Williams Aspect Security
+ * @version $Id: $Id
+ */
+public class CreateDB
+{
+
+ /**
+ * Description of the Method
+ *
+ * @param connection
+ * Description of the Parameter
+ *
+ * @exception SQLException
+ * Description of the Exception
+ */
+ private void createMessageTable(Connection connection) throws SQLException
+ {
+ Statement statement = connection.createStatement();
+
+ // Drop admin user table
+ try
+ {
+ String dropTable = "DROP TABLE messages";
+ statement.executeUpdate(dropTable);
+ } catch (SQLException e)
+ {
+ System.out.println("Info - Could not drop message database");
+ }
+
+ // Create the new table
+ try
+ {
+ String createTableStatement = "CREATE TABLE messages (" + "num int not null," + "title varchar(50),"
+ + "message varchar(200)," + "user_name varchar(50) not null, " + "lesson_type varchar(50) not null"
+ + ")";
+ statement.executeUpdate(createTableStatement);
+ } catch (SQLException e)
+ {
+ System.out.println("Error creating message database " + e.getLocalizedMessage());
+ }
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param connection Description of the Parameter
+ *
+ * @exception SQLException Description of the Exception
+ */
+ private void createMFEImagesTable(Connection connection) throws SQLException
+ {
+ Statement statement = connection.createStatement();
+
+ // Drop mfe_images table
+ try
+ {
+ String dropTable = "DROP TABLE mfe_images";
+ statement.executeUpdate(dropTable);
+ }
+ catch (SQLException e)
+ {
+ System.out.println("Info - Could not drop mfe_images table from database");
+ }
+
+ // Create the new mfe_images table
+ try
+ {
+ String createTableStatement = "CREATE TABLE mfe_images ("
+ + "user_name varchar(50) not null, "
+ + "image_relative_url varchar(50) not null"
+ + ")";
+ statement.executeUpdate(createTableStatement);
+ }
+ catch (SQLException e)
+ {
+ System.out.println("Error creating mfe_images table in database " + e.getLocalizedMessage());
+ }
+
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param connection
+ * Description of the Parameter
+ *
+ * @exception SQLException
+ * Description of the Exception
+ */
+ private void createProductTable(Connection connection) throws SQLException
+ {
+ Statement statement = connection.createStatement();
+
+ // Drop admin user table
+ try
+ {
+ String dropTable = "DROP TABLE product_system_data";
+ statement.executeUpdate(dropTable);
+ } catch (SQLException e)
+ {
+ System.out.println("Info - Could not drop product table");
+ }
+
+ // Create the new table
+ try
+ {
+ String createTableStatement = "CREATE TABLE product_system_data ("
+ + "productid varchar(6) not null primary key," + "product_name varchar(20)," + "price varchar(10)"
+ + ")";
+ statement.executeUpdate(createTableStatement);
+ } catch (SQLException e)
+ {
+ System.out.println("Error creating product table " + e.getLocalizedMessage());
+ }
+
+ // Populate
+ String insertData1 = "INSERT INTO product_system_data VALUES ('32226','Dog Bone','$1.99')";
+ String insertData2 = "INSERT INTO product_system_data VALUES ('35632','DVD Player','$214.99')";
+ String insertData3 = "INSERT INTO product_system_data VALUES ('24569','60 GB Hard Drive','$149.99')";
+ String insertData4 = "INSERT INTO product_system_data VALUES ('56970','80 GB Hard Drive','$179.99')";
+ String insertData5 = "INSERT INTO product_system_data VALUES ('14365','56 inch HDTV','$6999.99')";
+ statement.executeUpdate(insertData1);
+ statement.executeUpdate(insertData2);
+ statement.executeUpdate(insertData3);
+ statement.executeUpdate(insertData4);
+ statement.executeUpdate(insertData5);
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param connection
+ * Description of the Parameter
+ *
+ * @exception SQLException
+ * Description of the Exception
+ */
+ private void createUserAdminTable(Connection connection) throws SQLException
+ {
+ Statement statement = connection.createStatement();
+
+ // Drop admin user table
+ try
+ {
+ String dropTable = "DROP TABLE user_system_data";
+ statement.executeUpdate(dropTable);
+ } catch (SQLException e)
+ {
+ System.out.println("Info - Could not drop user admin table");
+ }
+
+ // Create the new table
+ try
+ {
+ String createTableStatement = "CREATE TABLE user_system_data (" + "userid varchar(5) not null primary key,"
+ + "user_name varchar(12)," + "password varchar(10)," + "cookie varchar(30)" + ")";
+ statement.executeUpdate(createTableStatement);
+ } catch (SQLException e)
+ {
+ System.out.println("Error creating user admin table " + e.getLocalizedMessage());
+ }
+
+ // Populate
+ String insertData1 = "INSERT INTO user_system_data VALUES ('101','jsnow','passwd1', '')";
+ String insertData2 = "INSERT INTO user_system_data VALUES ('102','jdoe','passwd2', '')";
+ String insertData3 = "INSERT INTO user_system_data VALUES ('103','jplane','passwd3', '')";
+ String insertData4 = "INSERT INTO user_system_data VALUES ('104','jeff','jeff', '')";
+ String insertData5 = "INSERT INTO user_system_data VALUES ('105','dave','dave', '')";
+ statement.executeUpdate(insertData1);
+ statement.executeUpdate(insertData2);
+ statement.executeUpdate(insertData3);
+ statement.executeUpdate(insertData4);
+ statement.executeUpdate(insertData5);
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param connection
+ * Description of the Parameter
+ *
+ * @exception SQLException
+ * Description of the Exception
+ */
+ private void createUserDataTable(Connection connection) throws SQLException
+ {
+ Statement statement = connection.createStatement();
+
+ // Delete table if there is one
+ try
+ {
+ String dropTable = "DROP TABLE user_data";
+ statement.executeUpdate(dropTable);
+ } catch (SQLException e)
+ {
+ System.out.println("Info - Could not drop user table");
+ }
+
+ // Create the new table
+ try
+ {
+ String createTableStatement = "CREATE TABLE user_data (" + "userid int not null,"
+ + "first_name varchar(20)," + "last_name varchar(20)," + "cc_number varchar(30),"
+ + "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int" + ")";
+ statement.executeUpdate(createTableStatement);
+ } catch (SQLException e)
+ {
+ System.out.println("Error creating user table " + e.getLocalizedMessage());
+ }
+
+ // Populate it
+ String insertData1 = "INSERT INTO user_data VALUES (101,'Joe','Snow','987654321','VISA',' ',0)";
+ String insertData2 = "INSERT INTO user_data VALUES (101,'Joe','Snow','2234200065411','MC',' ',0)";
+ String insertData3 = "INSERT INTO user_data VALUES (102,'John','Smith','2435600002222','MC',' ',0)";
+ String insertData4 = "INSERT INTO user_data VALUES (102,'John','Smith','4352209902222','AMEX',' ',0)";
+ String insertData5 = "INSERT INTO user_data VALUES (103,'Jane','Plane','123456789','MC',' ',0)";
+ String insertData6 = "INSERT INTO user_data VALUES (103,'Jane','Plane','333498703333','AMEX',' ',0)";
+ String insertData7 = "INSERT INTO user_data VALUES (10312,'Jolly','Hershey','176896789','MC',' ',0)";
+ String insertData8 = "INSERT INTO user_data VALUES (10312,'Jolly','Hershey','333300003333','AMEX',' ',0)";
+ String insertData9 = "INSERT INTO user_data VALUES (10323,'Grumpy','youaretheweakestlink','673834489','MC',' ',0)";
+ String insertData10 = "INSERT INTO user_data VALUES (10323,'Grumpy','youaretheweakestlink','33413003333','AMEX',' ',0)";
+ String insertData11 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','123609789','MC',' ',0)";
+ String insertData12 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','338893453333','AMEX',' ',0)";
+ String insertData13 = "INSERT INTO user_data VALUES (15613,'Joesph','Something','33843453533','AMEX',' ',0)";
+ statement.executeUpdate(insertData1);
+ statement.executeUpdate(insertData2);
+ statement.executeUpdate(insertData3);
+ statement.executeUpdate(insertData4);
+ statement.executeUpdate(insertData5);
+ statement.executeUpdate(insertData6);
+ statement.executeUpdate(insertData7);
+ statement.executeUpdate(insertData8);
+ statement.executeUpdate(insertData9);
+ statement.executeUpdate(insertData10);
+ statement.executeUpdate(insertData11);
+ statement.executeUpdate(insertData12);
+ statement.executeUpdate(insertData13);
+
+ }
+
+ private void createLoginTable(Connection connection) throws SQLException
+ {
+ Statement statement = connection.createStatement();
+
+ // Delete table if there is one
+ try
+ {
+ String dropTable = "DROP TABLE user_login";
+ statement.executeUpdate(dropTable);
+ } catch (SQLException e)
+ {
+ System.out.println("Info - Could not drop user_login table");
+ }
+
+ // Create the new table
+ try
+ {
+ String createTableStatement = "CREATE TABLE user_login (" + "userid varchar(5),"
+ + "webgoat_user varchar(20)" + ")";
+ statement.executeUpdate(createTableStatement);
+ } catch (SQLException e)
+ {
+ System.out.println("Error creating user_login table " + e.getLocalizedMessage());
+ }
+
+ }
+
+ // creates the table pins which is used in the blind sql injection lesson
+ private void createBlindSQLLessonTable(Connection connection) throws SQLException
+ {
+ Statement statement = connection.createStatement();
+
+ // Delete table if there is one
+ try
+ {
+ String dropTable = "DROP TABLE pins";
+ statement.executeUpdate(dropTable);
+ }
+ catch (SQLException e)
+ {
+ System.out.println("Info - Could not drop pins table");
+ }
+
+ // Create the new table
+ try
+ {
+ String createTableStatement = "CREATE TABLE pins ("
+ + "cc_number varchar(30),"
+ + "pin int,"
+ + "name varchar(20)"
+ + ")";
+ statement.executeUpdate(createTableStatement);
+ }
+ catch (SQLException e)
+ {
+ System.out.println("Error creating pins table " + e.getLocalizedMessage());
+ }
+
+ // Populate it
+ String insertData1 = "INSERT INTO pins VALUES ('987654321098765', 1234, 'Joe')";
+ String insertData2 = "INSERT INTO pins VALUES ('1234567890123456', 4567, 'Jack')";
+ String insertData3 = "INSERT INTO pins VALUES ('4321432143214321', 4321, 'Jill')";
+ String insertData4 = "INSERT INTO pins VALUES ('1111111111111111', 7777, 'Jim')";
+ String insertData5 = "INSERT INTO pins VALUES ('1111222233334444', 2364, 'John')";
+
+ statement.executeUpdate(insertData1);
+ statement.executeUpdate(insertData2);
+ statement.executeUpdate(insertData3);
+ statement.executeUpdate(insertData4);
+ statement.executeUpdate(insertData5);
+
+ }
+
+ // creates the table salaries which is used in the lessons
+ // which add or modify data using sql injection
+ private void createModifyWithSQLLessonTable(Connection connection) throws SQLException
+ {
+ Statement statement = connection.createStatement();
+
+ // Delete table if there is one
+ try
+ {
+ String dropTable = "DROP TABLE salaries";
+ statement.executeUpdate(dropTable);
+ }
+ catch (SQLException e)
+ {
+ System.out.println("Info - Could not drop salaries table");
+ }
+
+ // Create the new table
+ try
+ {
+ String createTableStatement = "CREATE TABLE salaries ("
+ + "userid varchar(50),"
+ + "salary int"
+ + ")";
+ statement.executeUpdate(createTableStatement);
+ }
+ catch (SQLException e)
+ {
+ System.out.println("Error creating salaries table " + e.getLocalizedMessage());
+ }
+
+ // Populate it
+ String insertData1 = "INSERT INTO salaries VALUES ('jsmith', 20000)";
+ String insertData2 = "INSERT INTO salaries VALUES ('lsmith', 45000)";
+ String insertData3 = "INSERT INTO salaries VALUES ('wgoat', 100000)";
+ String insertData4 = "INSERT INTO salaries VALUES ('rjones', 777777)";
+ String insertData5 = "INSERT INTO salaries VALUES ('manderson', 65000)";
+
+ statement.executeUpdate(insertData1);
+ statement.executeUpdate(insertData2);
+ statement.executeUpdate(insertData3);
+ statement.executeUpdate(insertData4);
+ statement.executeUpdate(insertData5);
+
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param connection
+ * Description of the Parameter
+ *
+ * @exception SQLException
+ * Description of the Exception
+ */
+ private void createWeatherDataTable(Connection connection) throws SQLException
+ {
+ Statement statement = connection.createStatement();
+
+ // Delete table if there is one
+ try
+ {
+ String dropTable = "DROP TABLE weather_data";
+ statement.executeUpdate(dropTable);
+ } catch (SQLException e)
+ {
+ System.out.println("Info - Could not drop weather table");
+ }
+
+ // Create the new table
+ try
+ {
+ String createTableStatement = "CREATE TABLE weather_data (" + "station int not null,"
+ + "name varchar(20) not null," + "state char(2) not null," + "min_temp int not null,"
+ + "max_temp int not null" + ")";
+ statement.executeUpdate(createTableStatement);
+ } catch (SQLException e)
+ {
+ System.out.println("Error creating weather table " + e.getLocalizedMessage());
+ }
+
+ // Populate it
+ String insertData1 = "INSERT INTO weather_data VALUES (101,'Columbia','MD',-10,102)";
+ String insertData2 = "INSERT INTO weather_data VALUES (102,'Seattle','WA',-15,90)";
+ String insertData3 = "INSERT INTO weather_data VALUES (103,'New York','NY',-10,110)";
+ String insertData4 = "INSERT INTO weather_data VALUES (104,'Houston','TX',20,120)";
+ String insertData5 = "INSERT INTO weather_data VALUES (10001,'Camp David','MD',-10,100)";
+ String insertData6 = "INSERT INTO weather_data VALUES (11001,'Ice Station Zebra','NA',-60,30)";
+ statement.executeUpdate(insertData1);
+ statement.executeUpdate(insertData2);
+ statement.executeUpdate(insertData3);
+ statement.executeUpdate(insertData4);
+ statement.executeUpdate(insertData5);
+ statement.executeUpdate(insertData6);
+ }
+
+ /**
+ * Create users with tans
+ *
+ * @param connection
+ * @throws SQLException
+ */
+ private void createTanUserDataTable(Connection connection) throws SQLException
+ {
+ Statement statement = connection.createStatement();
+
+ // Delete table if there is one
+ try
+ {
+ String dropTable = "DROP TABLE user_data_tan";
+ statement.executeUpdate(dropTable);
+ } catch (SQLException e)
+ {
+ System.out.println("Info - Could not drop user_data_tan table");
+ }
+
+ // Create the new table
+ try
+ {
+ String createTableStatement = "CREATE TABLE user_data_tan (" + "userid int not null,"
+ + "first_name varchar(20)," + "last_name varchar(20)," + "cc_number varchar(30),"
+ + "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int," + "password varchar(20)"
+ + ")";
+ statement.executeUpdate(createTableStatement);
+ } catch (SQLException e)
+ {
+ System.out.println("Error creating user_data_tan table " + e.getLocalizedMessage());
+ }
+
+ // Populate it
+ String insertData1 = "INSERT INTO user_data_tan VALUES (101,'Joe','Snow','987654321','VISA',' ',0, 'banana')";
+ String insertData2 = "INSERT INTO user_data_tan VALUES (102,'Jane','Plane','74589864','MC',' ',0, 'tarzan')";
+ String insertData3 = "INSERT INTO user_data_tan VALUES (103,'Jack','Sparrow','68659365','MC',' ',0, 'sniffy')";
+
+ statement.executeUpdate(insertData1);
+ statement.executeUpdate(insertData2);
+ statement.executeUpdate(insertData3);
+ }
+
+ /**
+ * Create the Table for the tans
+ *
+ * @param connection
+ * @throws SQLException
+ */
+ private void createTanTable(Connection connection) throws SQLException
+ {
+ Statement statement = connection.createStatement();
+
+ // Delete table if there is one
+ try
+ {
+ String dropTable = "DROP TABLE tan";
+ statement.executeUpdate(dropTable);
+ } catch (SQLException e)
+ {
+ System.out.println("Info - Could not drop tan table");
+ }
+
+ // Create the new table
+ try
+ {
+ String createTableStatement = "CREATE TABLE tan (" + "userid int not null," + "tanNr int," + "tanValue int"
+ + ")";
+ statement.executeUpdate(createTableStatement);
+ } catch (SQLException e)
+ {
+ System.out.println("Error creating tan table " + e.getLocalizedMessage());
+ }
+
+ // Populate it
+ String insertData1 = "INSERT INTO tan VALUES (101,1,15161)";
+ String insertData2 = "INSERT INTO tan VALUES (101,2,4894)";
+ String insertData3 = "INSERT INTO tan VALUES (101,3,18794)";
+ String insertData4 = "INSERT INTO tan VALUES (101,4,1564)";
+ String insertData5 = "INSERT INTO tan VALUES (101,5,45751)";
+
+ String insertData6 = "INSERT INTO tan VALUES (102,1,15648)";
+ String insertData7 = "INSERT INTO tan VALUES (102,2,92156)";
+ String insertData8 = "INSERT INTO tan VALUES (102,3,4879)";
+ String insertData9 = "INSERT INTO tan VALUES (102,4,9458)";
+ String insertData10 = "INSERT INTO tan VALUES (102,5,4879)";
+
+ statement.executeUpdate(insertData1);
+ statement.executeUpdate(insertData2);
+ statement.executeUpdate(insertData3);
+ statement.executeUpdate(insertData4);
+ statement.executeUpdate(insertData5);
+ statement.executeUpdate(insertData6);
+ statement.executeUpdate(insertData7);
+ statement.executeUpdate(insertData8);
+ statement.executeUpdate(insertData9);
+ statement.executeUpdate(insertData10);
+
+ }
+
+ // --------------------------------------------------------------------------
+ // --------------------------------------------------------------------------
+ //
+ // The tables below are for WebGoat Financials
+ //
+ // DO NOT MODIFY THESE TABLES - unless you change the org chart
+ // and access control matrix documents
+ //
+ // --------------------------------------------------------------------------
+ // --------------------------------------------------------------------------
+
+ private void createEmployeeTable(Connection connection) throws SQLException
+ {
+ Statement statement = connection.createStatement();
+
+ try
+ {
+ String dropTable = "DROP TABLE employee";
+ statement.executeUpdate(dropTable);
+ } catch (SQLException e)
+ {
+ System.out.println("Info - Could not drop employee table");
+ }
+
+ // Create Table
+ try
+ {
+ String createTable = "CREATE TABLE employee ("
+ // + "userid INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,"
+ + "userid INT NOT NULL PRIMARY KEY," + "first_name VARCHAR(20)," + "last_name VARCHAR(20),"
+ + "ssn VARCHAR(12)," + "password VARCHAR(10)," + "title VARCHAR(20)," + "phone VARCHAR(13),"
+ + "address1 VARCHAR(80)," + "address2 VARCHAR(80)," + "manager INT," + "start_date CHAR(8),"
+ + "salary INT," + "ccn VARCHAR(30)," + "ccn_limit INT," + "email VARCHAR(30)," // reason
+ // for the recent write-up
+ + "disciplined_date CHAR(8)," // date of write up, NA otherwise
+ + "disciplined_notes VARCHAR(60)," // reason for the recent write-up
+ + "personal_description VARCHAR(60)" // We can be rude here
+ // + ",CONSTRAINT fl UNIQUE NONCLUSTERED (first_name, last_name)"
+ + ")";
+
+ statement.executeUpdate(createTable);
+ } catch (SQLException e)
+ {
+ System.out.println("Error: unable to create employee table " + e.getLocalizedMessage());
+ }
+
+ String insertData1 = "INSERT INTO employee VALUES (101, 'Larry', 'Stooge', '386-09-5451', 'larry',"
+ + "'Technician','443-689-0192','9175 Guilford Rd','New York, NY', 102, 01012000,55000,'2578546969853547',"
+ + "5000,'larry@stooges.com',010106,'Constantly harassing coworkers','Does not work well with others')";
+
+ String insertData2 = "INSERT INTO employee VALUES (102, 'Moe', 'Stooge', '936-18-4524','moe',"
+ + "'CSO','443-938-5301', '3013 AMD Ave', 'New York, NY', 112, 03082003, 140000, 'NA', 0, 'moe@stooges.com', 0101013, "
+ + "'Hit Curly over head', 'Very dominating over Larry and Curly')";
+
+ String insertData3 = "INSERT INTO employee VALUES (103, 'Curly', 'Stooge', '961-08-0047','curly',"
+ + "'Technician','410-667-6654', '1112 Crusoe Lane', 'New York, NY', 102, 02122001, 50000, 'NA', 0, 'curly@stooges.com', 0101014, "
+ + "'Hit Moe back', 'Owes three-thousand to company for fradulent purchases')";
+
+ String insertData4 = "INSERT INTO employee VALUES (104, 'Eric', 'Walker', '445-66-5565','eric',"
+ + "'Engineer','410-887-1193', '1160 Prescott Rd', 'New York, NY', 107, 12152005, 13000, 'NA', 0, 'eric@modelsrus.com',0101013, "
+ + "'Bothering Larry about webgoat problems', 'Late. Always needs help. Too intern-ish.')";
+
+ String insertData5 = "INSERT INTO employee VALUES (105, 'Tom', 'Cat', '792-14-6364','tom',"
+ + "'Engineer','443-599-0762', '2211 HyperThread Rd.', 'New York, NY', 106, 01011999, 80000, '5481360857968521', 30000, 'tom@wb.com', 0, "
+ + "'NA', 'Co-Owner.')";
+
+ String insertData6 = "INSERT INTO employee VALUES (106, 'Jerry', 'Mouse', '858-55-4452','jerry',"
+ + "'Human Resources','443-699-3366', '3011 Unix Drive', 'New York, NY', 102, 01011999, 70000, '6981754825013564', 20000, 'jerry@wb.com', 0, "
+ + "'NA', 'Co-Owner.')";
+
+ String insertData7 = "INSERT INTO employee VALUES (107, 'David', 'Giambi', '439-20-9405','david',"
+ + "'Human Resources','610-521-8413', '5132 DIMM Avenue', 'New York, NY', 102, 05011999, 100000, '6981754825018101', 10000, 'david@modelsrus.com', 061402, "
+ + "'Hacked into accounting server. Modified personal pay.', 'Strong work habbit. Questionable ethics.')";
+
+ String insertData8 = "INSERT INTO employee VALUES (108, 'Bruce', 'McGuirre', '707-95-9482','bruce',"
+ + "'Engineer','610-282-1103', '8899 FreeBSD Drive ', 'New York, NY', 107, 03012000, 110000, '6981754825854136', 30000, 'bruce@modelsrus.com', 061502, "
+ + "'Tortuous Boot Camp workout at 5am. Employees felt sick.', 'Enjoys watching others struggle in exercises.')";
+
+ String insertData9 = "INSERT INTO employee VALUES (109, 'Sean', 'Livingston', '136-55-1046','sean',"
+ + "'Engineer','610-878-9549', '6422 dFlyBSD Road', 'New York, NY', 107, 06012003, 130000, '6981754825014510', 5000, 'sean@modelsrus.com', 072804, "
+ + "'Late to work 30 days in row due to excessive Halo 2', 'Has some fascination with Steelers. Go Ravens.')";
+
+ String insertData10 = "INSERT INTO employee VALUES (110, 'Joanne', 'McDougal', '789-54-2413','joanne',"
+ + "'Human Resources','610-213-6341', '5567 Broadband Lane', 'New York, NY', 106, 01012001, 90000, '6981754825081054', 300, 'joanne@modelsrus.com', 112005, "
+ + "'Used company cc to purchase new car. Limit adjusted.', 'Finds it necessary to leave early every day.')";
+
+ String insertData11 = "INSERT INTO employee VALUES (111, 'John', 'Wayne', '129-69-4572', 'john',"
+ + "'CTO','610-213-1134', '129 Third St', 'New York, NY', 112, 01012001, 200000, '4437334565679921', 300, 'john@guns.com', 112005, "
+ + "'', '')";
+ String insertData12 = "INSERT INTO employee VALUES (112, 'Neville', 'Bartholomew', '111-111-1111', 'socks',"
+ + "'CEO','408-587-0024', '1 Corporate Headquarters', 'San Jose, CA', 112, 03012000, 450000, '4803389267684109', 300000, 'neville@modelsrus.com', 112005, "
+ + "'', '')";
+
+ statement.executeUpdate(insertData1);
+ statement.executeUpdate(insertData2);
+ statement.executeUpdate(insertData3);
+ statement.executeUpdate(insertData4);
+ statement.executeUpdate(insertData5);
+ statement.executeUpdate(insertData6);
+ statement.executeUpdate(insertData7);
+ statement.executeUpdate(insertData8);
+ statement.executeUpdate(insertData9);
+ statement.executeUpdate(insertData10);
+ statement.executeUpdate(insertData11);
+ statement.executeUpdate(insertData12);
+
+ }
+
+ private void createRolesTable(Connection connection) throws SQLException
+ {
+ Statement statement = connection.createStatement();
+
+ try
+ {
+ String dropTable = "DROP TABLE roles";
+ statement.executeUpdate(dropTable);
+ } catch (SQLException e)
+ {
+ System.out.println("Info - Could not drop roles table");
+ }
+
+ try
+ {
+ String createTable = "CREATE TABLE roles (" + "userid INT NOT NULL," + "role VARCHAR(10) NOT NULL,"
+ + "PRIMARY KEY (userid, role)" + ")";
+
+ statement.executeUpdate(createTable);
+ } catch (SQLException e)
+ {
+ System.out.println("Error: Unable to create role table: " + e.getLocalizedMessage());
+ }
+
+ String insertData1 = "INSERT INTO roles VALUES (101, 'employee')";
+ String insertData2 = "INSERT INTO roles VALUES (102, 'manager')";
+ String insertData3 = "INSERT INTO roles VALUES (103, 'employee')";
+ String insertData4 = "INSERT INTO roles VALUES (104, 'employee')";
+ String insertData5 = "INSERT INTO roles VALUES (105, 'employee')";
+ String insertData6 = "INSERT INTO roles VALUES (106, 'hr')";
+ String insertData7 = "INSERT INTO roles VALUES (107, 'manager')";
+ String insertData8 = "INSERT INTO roles VALUES (108, 'employee')";
+ String insertData9 = "INSERT INTO roles VALUES (109, 'employee')";
+ String insertData10 = "INSERT INTO roles VALUES (110, 'hr')";
+ String insertData11 = "INSERT INTO roles VALUES (111, 'admin')";
+ String insertData12 = "INSERT INTO roles VALUES (112, 'admin')";
+
+ statement.executeUpdate(insertData1);
+ statement.executeUpdate(insertData2);
+ statement.executeUpdate(insertData3);
+ statement.executeUpdate(insertData4);
+ statement.executeUpdate(insertData5);
+ statement.executeUpdate(insertData6);
+ statement.executeUpdate(insertData7);
+ statement.executeUpdate(insertData8);
+ statement.executeUpdate(insertData9);
+ statement.executeUpdate(insertData10);
+ statement.executeUpdate(insertData11);
+ statement.executeUpdate(insertData12);
+ }
+
+ private void createAuthTable(Connection connection) throws SQLException
+ {
+ Statement statement = connection.createStatement();
+
+ try
+ {
+ String dropTable = "DROP TABLE auth";
+ statement.executeUpdate(dropTable);
+ } catch (SQLException e)
+ {
+ System.out.println("Info - Could not drop auth table");
+ }
+
+ try
+ {
+ String createTable = "CREATE TABLE auth (" + "role VARCHAR(10) NOT NULL,"
+ + "functionid VARCHAR(20) NOT NULL," + "PRIMARY KEY (role, functionid)" + ")";
+
+ statement.executeUpdate(createTable);
+ } catch (SQLException e)
+ {
+ System.out.println("Error: unable to create auth table: " + e.getLocalizedMessage());
+ }
+
+ String insertData1 = "INSERT INTO auth VALUES('employee', 'Logout')";
+ String insertData2 = "INSERT INTO auth VALUES('employee', 'ListStaff')";
+ String insertData3 = "INSERT INTO auth VALUES('employee', 'ViewProfile')";
+ String insertData4 = "INSERT INTO auth VALUES('employee', 'EditProfile')";
+ String insertData4_1 = "INSERT INTO auth VALUES('employee', 'SearchStaff')";
+ String insertData4_2 = "INSERT INTO auth VALUES('employee', 'FindProfile')";
+ String insertData5 = "INSERT INTO auth VALUES('manager', 'Logout')";
+ String insertData6 = "INSERT INTO auth VALUES('manager', 'ListStaff')";
+ String insertData7 = "INSERT INTO auth VALUES('manager', 'ViewProfile')";
+ String insertData7_1 = "INSERT INTO auth VALUES('manager', 'SearchStaff')";
+ String insertData7_2 = "INSERT INTO auth VALUES('manager', 'FindProfile')";
+ // String insertData8 = "INSERT INTO auth VALUES('manager', 'EditProfile')";
+ // String insertData9 = "INSERT INTO auth VALUES('manager', 'CreateProfile')";
+ // String insertData10 = "INSERT INTO auth VALUES('manager', 'DeleteProfile')";
+ // String insertData11 = "INSERT INTO auth VALUES('manager', 'UpdateProfile')";
+ String insertData12 = "INSERT INTO auth VALUES('hr', 'Logout')";
+ String insertData13 = "INSERT INTO auth VALUES('hr', 'ListStaff')";
+ String insertData14 = "INSERT INTO auth VALUES('hr', 'ViewProfile')";
+ String insertData15 = "INSERT INTO auth VALUES('hr', 'EditProfile')";
+ String insertData16 = "INSERT INTO auth VALUES('hr', 'CreateProfile')";
+ String insertData17 = "INSERT INTO auth VALUES('hr', 'DeleteProfile')";
+ String insertData18 = "INSERT INTO auth VALUES('hr', 'UpdateProfile')";
+ String insertData18_1 = "INSERT INTO auth VALUES('hr', 'SearchStaff')";
+ String insertData18_2 = "INSERT INTO auth VALUES('hr', 'FindProfile')";
+ String insertData19 = "INSERT INTO auth VALUES('admin', 'Logout')";
+ String insertData20 = "INSERT INTO auth VALUES('admin', 'ListStaff')";
+ String insertData21 = "INSERT INTO auth VALUES('admin', 'ViewProfile')";
+ String insertData22 = "INSERT INTO auth VALUES('admin', 'EditProfile')";
+ String insertData23 = "INSERT INTO auth VALUES('admin', 'CreateProfile')";
+ String insertData24 = "INSERT INTO auth VALUES('admin', 'DeleteProfile')";
+ String insertData25 = "INSERT INTO auth VALUES('admin', 'UpdateProfile')";
+ String insertData25_1 = "INSERT INTO auth VALUES('admin', 'SearchStaff')";
+ String insertData25_2 = "INSERT INTO auth VALUES('admin', 'FindProfile')";
+
+ // Add a permission for the webgoat role to see the source.
+ // The challenge(s) will change the default role to "challenge"
+ String insertData26 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOURCE
+ + "')";
+ String insertData27 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWHINTS
+ + "')";
+ // Add a permission for the webgoat role to see the solution.
+ // The challenge(s) will change the default role to "challenge"
+ String insertData28 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOLUTION
+ + "')";
+
+ statement.executeUpdate(insertData1);
+ statement.executeUpdate(insertData2);
+ statement.executeUpdate(insertData3);
+ statement.executeUpdate(insertData4);
+ statement.executeUpdate(insertData4_1);
+ statement.executeUpdate(insertData4_2);
+ statement.executeUpdate(insertData5);
+ statement.executeUpdate(insertData6);
+ statement.executeUpdate(insertData7);
+ statement.executeUpdate(insertData7_1);
+ statement.executeUpdate(insertData7_2);
+ // statement.executeUpdate(insertData8);
+ // statement.executeUpdate(insertData9);
+ // statement.executeUpdate(insertData10);
+ // statement.executeUpdate(insertData11);
+ statement.executeUpdate(insertData12);
+ statement.executeUpdate(insertData13);
+ statement.executeUpdate(insertData14);
+ statement.executeUpdate(insertData15);
+ statement.executeUpdate(insertData16);
+ 
statement.executeUpdate(insertData17); + statement.executeUpdate(insertData18); + statement.executeUpdate(insertData18_1); + statement.executeUpdate(insertData18_2); + statement.executeUpdate(insertData19); + statement.executeUpdate(insertData20); + statement.executeUpdate(insertData21); + statement.executeUpdate(insertData22); + statement.executeUpdate(insertData23); + statement.executeUpdate(insertData24); + statement.executeUpdate(insertData25); + statement.executeUpdate(insertData25_1); + statement.executeUpdate(insertData25_2); + statement.executeUpdate(insertData26); + statement.executeUpdate(insertData27); + statement.executeUpdate(insertData28); + } + + private void createOwnershipTable(Connection connection) throws SQLException + { + Statement statement = connection.createStatement(); + + try + { + String dropTable = "DROP TABLE ownership"; + statement.executeUpdate(dropTable); + } catch (SQLException e) + { + System.out.println("Info - Could not drop ownership table"); + } + + try + { + String createTable = "CREATE TABLE ownership (" + "employer_id INT NOT NULL," + "employee_id INT NOT NULL," + + "PRIMARY KEY (employee_id, employer_id)" + ")"; + + statement.executeUpdate(createTable); + } catch (SQLException e) + { + System.out.println("Error: unable to create ownership table: " + e.getLocalizedMessage()); + } + + String inputData = "INSERT INTO ownership VALUES (112, 101)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 102)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 103)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 104)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 105)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 106)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 107)"; + 
statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 108)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 109)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 110)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 111)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 112)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (102, 101)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 102)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 103)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 104)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 105)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 106)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 107)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 108)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 109)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 110)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 111)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (111, 101)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 102)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 103)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 104)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 105)"; + 
statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 106)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 107)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 108)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 109)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 110)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 111)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (106, 105)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (106, 106)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (106, 110)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (101, 101)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (103, 103)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (107, 104)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (107, 108)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (107, 109)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (107, 107)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (105, 105)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (110, 110)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (104, 104)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (108, 108)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (109, 109)"; + statement.executeUpdate(inputData); + + } + + // 
-------------------------------------------------------------------------- + // + // End of WebGoat Financials + // + // -------------------------------------------------------------------------- + + /** + * Start creation of data for WebServices labs + */ + + private void createTransactionTable(Connection connection) throws SQLException + { + Statement statement = connection.createStatement(); + + try + { + String dropTable = "DROP TABLE transactions"; + statement.executeUpdate(dropTable); + } catch (SQLException e) + { + System.out.println("Info - Could not drop transactions table"); + } + + try + { + String createTable = "CREATE TABLE Transactions (" + "userName VARCHAR(16) NOT NULL, " + + "sequence INTEGER NOT NULL, " + "from_account VARCHAR(16) NOT NULL, " + + "to_account VARCHAR(16) NOT NULL, " + "transactionDate TIMESTAMP NOT NULL, " + + "description VARCHAR(255) NOT NULL, " + "amount INTEGER NOT NULL" + ")"; + + statement.executeUpdate(createTable); + } catch (SQLException e) + { + System.out.println("Error: unable to create transactions table: " + e.getLocalizedMessage()); + throw e; + } + + String[] data = new String[] { + "'dave', 0, '238-4723-4024', '324-7635-9867', '2008-02-06 21:40:00', 'Mortgage', '150'", + "'dave', 1, '238-4723-4024', '324-7635-9867', '2008-02-12 21:41:00', 'Car', '150'", + "'dave', 2, '238-4723-4024', '324-7635-9867', '2008-02-20 21:42:00', 'School fees', '150'", + "'CEO', 3, '348-6324-9872', '345-3490-8345', '2008-02-15 21:40:00', 'Rolls Royce', '-150000'", + "'CEO', 4, '348-6324-9872', '342-5893-4503', '2008-02-25 21:41:00', 'Mansion', '-150000'", + "'CEO', 5, '348-6324-9872', '980-2344-5492', '2008-02-27 21:42:00', 'Vacation', '-150000'", + "'jeff', 6, '934-2002-3485', '783-2409-8234', '2008-02-01 21:40:00', 'Vet', '250'", + "'jeff', 7, '934-2002-3485', '634-5879-0345', '2008-02-19 21:41:00', 'Doctor', '800'", + "'jeff', 8, '934-2002-3485', '435-4325-3358', '2008-02-20 21:42:00', 'X-rays', '200'", }; + try + { + for (int i = 0; 
i < data.length; i++)
+ {
+ statement.executeUpdate("INSERT INTO Transactions VALUES (" + data[i] + ");");
+ }
+ } catch (SQLException sqle)
+ {
+ System.out.println("Error: Unable to insert transactions: " + sqle.getLocalizedMessage());
+ int errorCode = sqle.getErrorCode();
+ System.out.println("Error Code: " + errorCode);
+ // ignore exceptions for Oracle and SQL Server
+ if (errorCode != 911 && errorCode != 273) { throw sqle; }
+ }
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param connection
+ * Description of the Parameter
+ * @exception SQLException
+ * Description of the Exception
+ * @throws java.sql.SQLException if any.
+ */
+ public void makeDB(Connection connection) throws SQLException
+ {
+ System.out.println("Successful connection to database");
+ createUserDataTable(connection);
+ createLoginTable(connection);
+ createBlindSQLLessonTable(connection);
+ createUserAdminTable(connection);
+ createProductTable(connection);
+ createMessageTable(connection);
+ createEmployeeTable(connection);
+ createRolesTable(connection);
+ createAuthTable(connection);
+ createOwnershipTable(connection);
+ createWeatherDataTable(connection);
+ createTransactionTable(connection);
+ createTanUserDataTable(connection);
+ createTanTable(connection);
+ createMFEImagesTable(connection);
+ createModifyWithSQLLessonTable(connection);
+ System.out.println("Success: creating tables.");
+ }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java
index 1a9638a3b..79b56858c 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java
@@ -1,173 +1,197 @@
-
-package org.owasp.webgoat.session;
-
-import java.io.IOException;
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.ResultSet;
-import java.sql.ResultSetMetaData;
-import java.sql.SQLException;
-import java.util.HashMap;
-import java.util.Map;
-import org.apache.ecs.MultiPartElement;
-import org.apache.ecs.html.B;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-
-
-/***************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * For details, please see http://webgoat.github.io
- *
- * @author Jeff Williams Aspect Security
- */
-public class DatabaseUtilities
-{
-
- private static Map connections = new HashMap();
- private static Map dbBuilt = new HashMap();
-
- public static Connection getConnection(WebSession s) throws SQLException
- {
- return getConnection(s.getUserName(), s.getWebgoatContext());
- }
-
- public static synchronized Connection getConnection(String user, WebgoatContext context) throws SQLException
- {
- Connection conn = connections.get(user);
- if (conn != null && !conn.isClosed()) return conn;
- conn = makeConnection(user, context);
- connections.put(user, conn);
-
- if (dbBuilt.get(user) == null)
- {
- new CreateDB().makeDB(conn);
- dbBuilt.put(user, Boolean.TRUE);
- }
-
- return conn;
- }
-
- public static synchronized void returnConnection(String user)
- {
- try
- {
- Connection connection = connections.get(user);
- if (connection == null || connection.isClosed()) return;
-
- if (connection.getMetaData().getDatabaseProductName().toLowerCase().contains("oracle")) connection.close();
- } catch (SQLException sqle)
- {
- sqle.printStackTrace();
- }
- }
-
- private static Connection makeConnection(String user, WebgoatContext context) throws SQLException
- {
- try
- {
- Class.forName(context.getDatabaseDriver());
-
- if (context.getDatabaseConnectionString().contains("hsqldb")) return getHsqldbConnection(user, context);
-
- String userPrefix = context.getDatabaseUser();
- String password = context.getDatabasePassword();
- String url = context.getDatabaseConnectionString();
- return DriverManager.getConnection(url, userPrefix + "_" + user, password);
- } catch (ClassNotFoundException cnfe)
- {
- cnfe.printStackTrace();
- throw new SQLException("Couldn't load the database driver: " + cnfe.getLocalizedMessage());
- }
- }
-
- private static Connection getHsqldbConnection(String user, WebgoatContext context) throws ClassNotFoundException,
- SQLException
- {
- String url = context.getDatabaseConnectionString().replaceAll("\\$\\{USER\\}", user);
- return DriverManager.getConnection(url, "sa", "");
- }
-
- /**
- * Description of the Method
- *
- * @param results
- * Description of the Parameter
- * @param resultsMetaData
- * Description of the Parameter
- *
- * @return Description of the Return Value
- *
- * @exception IOException
- * Description of the Exception
- * @exception SQLException
- * Description of the Exception
- */
- public static MultiPartElement writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException,
- SQLException
- {
- int numColumns = resultsMetaData.getColumnCount();
- results.beforeFirst();
-
- if (results.next())
- {
- Table t = new Table(1); // 1 = with border
- t.setCellPadding(1);
-
- TR tr = new TR();
-
- for (int i = 1; i < (numColumns + 1); i++)
- {
- tr.addElement(new TD(new B(resultsMetaData.getColumnName(i))));
- }
-
- t.addElement(tr);
- results.beforeFirst();
-
- while (results.next())
- {
- TR row = new TR();
-
- for (int i = 1; i < (numColumns + 1); i++)
- {
- String str = results.getString(i);
- if (str == null) str = "";
- row.addElement(new TD(str.replaceAll(" ", " ")));
- }
-
- t.addElement(row);
- }
-
- return (t);
- }
- else
- {
- return (new B("Query Successful; however no data was returned from this query."));
- }
- }
-
-}
+
+package org.owasp.webgoat.session;
+
+import java.io.IOException;
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.ResultSet;
+import java.sql.ResultSetMetaData;
+import java.sql.SQLException;
+import java.util.HashMap;
+import java.util.Map;
+import org.apache.ecs.MultiPartElement;
+import org.apache.ecs.html.B;
+import org.apache.ecs.html.TD;
+import org.apache.ecs.html.TR;
+import org.apache.ecs.html.Table;
+
+
+/**
+ *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ * For details, please see http://webgoat.github.io
+ *
+ * @author Jeff Williams Aspect Security
+ * @version $Id: $Id
+ */
+public class DatabaseUtilities
+{
+
+ private static Map connections = new HashMap();
+ private static Map dbBuilt = new HashMap();
+
+ /**
+ *

getConnection.

+ *
+ * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+ * @return a {@link java.sql.Connection} object.
+ * @throws java.sql.SQLException if any.
+ */
+ public static Connection getConnection(WebSession s) throws SQLException
+ {
+ return getConnection(s.getUserName(), s.getWebgoatContext());
+ }
+
+ /**
+ *

getConnection.

+ *
+ * @param user a {@link java.lang.String} object.
+ * @param context a {@link org.owasp.webgoat.session.WebgoatContext} object.
+ * @return a {@link java.sql.Connection} object.
+ * @throws java.sql.SQLException if any.
+ */
+ public static synchronized Connection getConnection(String user, WebgoatContext context) throws SQLException
+ {
+ Connection conn = connections.get(user);
+ if (conn != null && !conn.isClosed()) return conn;
+ conn = makeConnection(user, context);
+ connections.put(user, conn);
+
+ if (dbBuilt.get(user) == null)
+ {
+ new CreateDB().makeDB(conn);
+ dbBuilt.put(user, Boolean.TRUE);
+ }
+
+ return conn;
+ }
+
+ /**
+ *

returnConnection.

+ *
+ * @param user a {@link java.lang.String} object.
+ */
+ public static synchronized void returnConnection(String user)
+ {
+ try
+ {
+ Connection connection = connections.get(user);
+ if (connection == null || connection.isClosed()) return;
+
+ if (connection.getMetaData().getDatabaseProductName().toLowerCase().contains("oracle")) connection.close();
+ } catch (SQLException sqle)
+ {
+ sqle.printStackTrace();
+ }
+ }
+
+ private static Connection makeConnection(String user, WebgoatContext context) throws SQLException
+ {
+ try
+ {
+ Class.forName(context.getDatabaseDriver());
+
+ if (context.getDatabaseConnectionString().contains("hsqldb")) return getHsqldbConnection(user, context);
+
+ String userPrefix = context.getDatabaseUser();
+ String password = context.getDatabasePassword();
+ String url = context.getDatabaseConnectionString();
+ return DriverManager.getConnection(url, userPrefix + "_" + user, password);
+ } catch (ClassNotFoundException cnfe)
+ {
+ cnfe.printStackTrace();
+ throw new SQLException("Couldn't load the database driver: " + cnfe.getLocalizedMessage());
+ }
+ }
+
+ private static Connection getHsqldbConnection(String user, WebgoatContext context) throws ClassNotFoundException,
+ SQLException
+ {
+ String url = context.getDatabaseConnectionString().replaceAll("\\$\\{USER\\}", user);
+ return DriverManager.getConnection(url, "sa", "");
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param results
+ * Description of the Parameter
+ * @param resultsMetaData
+ * Description of the Parameter
+ * @param resultsMetaData
+ * Description of the Parameter
+ * @return Description of the Return Value
+ * @exception IOException
+ * Description of the Exception
+ * @exception SQLException
+ * Description of the Exception
+ * @throws java.io.IOException if any.
+ * @throws java.sql.SQLException if any.
+ */
+ public static MultiPartElement writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException,
+ SQLException
+ {
+ int numColumns = resultsMetaData.getColumnCount();
+ results.beforeFirst();
+
+ if (results.next())
+ {
+ Table t = new Table(1); // 1 = with border
+ t.setCellPadding(1);
+
+ TR tr = new TR();
+
+ for (int i = 1; i < (numColumns + 1); i++)
+ {
+ tr.addElement(new TD(new B(resultsMetaData.getColumnName(i))));
+ }
+
+ t.addElement(tr);
+ results.beforeFirst();
+
+ while (results.next())
+ {
+ TR row = new TR();
+
+ for (int i = 1; i < (numColumns + 1); i++)
+ {
+ String str = results.getString(i);
+ if (str == null) str = "";
+ row.addElement(new TD(str.replaceAll(" ", " ")));
+ }
+
+ t.addElement(row);
+ }
+
+ return (t);
+ }
+ else
+ {
+ return (new B("Query Successful; however no data was returned from this query."));
+ }
+ }
+
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/ECSFactory.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/ECSFactory.java
index f89167dbe..a08a63ac4 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/ECSFactory.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/ECSFactory.java
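Review bot: The new Javadoc on `writeTable` lists `@param resultsMetaData` twice and documents each exception with both `@exception` and `@throws`, which is exactly the kind of duplicate-tag warning this commit sets out to remove; drop the second `@param resultsMetaData` line and keep only the `@throws java.io.IOException if any.` / `@throws java.sql.SQLException if any.` pair. The generated `getConnection`/`returnConnection` comments also say nothing a reader needs: `user` ends up in the JDBC login as `userPrefix + "_" + user` and, on HSQLDB, is spliced into the connection URL through `replaceAll`, where a `$` or `\` in the name is read as a regex replacement reference rather than copied literally; I would state that on `getConnection(String, WebgoatContext)` as `@param user the WebGoat user name; it is embedded in the database login and, for HSQLDB, substituted into the connection URL with regex-replacement semantics, so it must already be validated by the caller`. `makeConnection` and `getHsqldbConnection` have no Javadoc at all, so the hard-coded `"sa"`/empty-password HSQLDB login and the per-user connection cache that `returnConnection` closes only for Oracle go undocumented; a one-line comment on each would help the next maintainer. The `@version $Id: $Id` tag is an unexpanded keyword placeholder and can be dropped.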
@@ -1,746 +1,740 @@
-
-package org.owasp.webgoat.session;
-
-import java.util.Iterator;
-import java.util.List;
-import java.util.StringTokenizer;
-import java.util.Vector;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.H3;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.Label;
-import org.apache.ecs.html.Option;
-import org.apache.ecs.html.P;
-import org.apache.ecs.html.Select;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TH;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.U;
-
-
-/***************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * For details, please see http://webgoat.github.io
- *
- * @author Jeff Williams (jeff.williams@aspectsecurity.com)
- * @created October 29, 2003
- */
-
-public class ECSFactory
-{
-
- /**
- * Description of the Field
- */
-
- public final static String ON = "On";
-
- /**
- * Description of the Field
- */
-
- public final static String PASSWORD = "Password";
-
- /**
- * Don't let anyone instantiate this class
- */
-
- private ECSFactory()
- {
- }
-
- /**
- * Description of the Method
- *
- * @param name
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static Element makeBox(String name, String value)
- {
-
- Input i = new Input(Input.CHECKBOX, name, ON);
-
- i.setChecked(value.equals(ON));
-
- return (i);
- }
-
- /**
- * Description of the Method
- *
- * @param text
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static Element makeButton(String text)
- {
-
- Input b = new Input();
-
- b.setType(Input.SUBMIT);
- b.setValue(text);
- b.setName(Input.SUBMIT);
-
- return (b);
- }
-
- public static Element makeButton(String text, String onClickFunction)
- {
-
- Input b = (Input) makeButton(text);
- b.setOnClick(onClickFunction);
-
- return (b);
- }
-
- /**
- * Description of the Method
- *
- * @param labeltext
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @param e
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static TR makeField(String labeltext, String value, Element e)
- {
-
- TD left = new TD().setAlign("right");
-
- Label label = new Label().addElement(labeltext);
-
- left.addElement(label);
-
- TD right = new TD().setAlign("left");
-
- right.addElement(e);
-
- TR row = new TR();
-
- row.addElement(left);
-
- row.addElement(right);
-
- return (row);
- }
-
- /**
- * Description of the Method
- *
- * @param labeltext
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @param size
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static TR makeField(String labeltext, String name, String value, int size)
- {
-
- Input field = new Input().setName(name).setValue(value).setSize(size).setMaxlength(size);
-
- // double check in case someone means to make a * starred out password field
-
- if (name.equals(PASSWORD))
- {
-
- field.setType(Input.PASSWORD);
-
- }
-
- return (makeField(labeltext, value, field));
- }
-
- /**
- * Description of the Method
- *
- * @param label
- * Description of the Parameter
- * @param type
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @param alignment
- * Description of the Parameter
- * @param selected
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static Element makeInput(String label, String type, String name, boolean value, boolean selected,
- String alignment)
- {
-
- return makeInput(label, type, name, new Boolean(value).toString(), selected, alignment);
- }
-
- /**
- * Description of the Method
- *
- * @param label
- * Description of the Parameter
- * @param type
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static Element makeInput(String label, String type, String name, String value)
- {
-
- return makeInput(label, type, name, value, new Boolean(value).booleanValue(), "RIGHT");
- }
-
- /**
- * Description of the Method
- *
- * @param label
- * Description of the Parameter
- * @param type
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @param alignment
- * Description of the Parameter
- * @param selected
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static Element makeInput(String label, String type, String name, String value, boolean selected,
- String alignment)
- {
-
- ElementContainer ec = new ElementContainer();
-
- if (!alignment.equalsIgnoreCase("LEFT"))
- {
-
- ec.addElement(new StringElement(label));
-
- }
-
- Input input = new Input(type, name, value);
-
- ec.addElement(input);
-
- if (alignment.equalsIgnoreCase("LEFT"))
- {
-
- ec.addElement(new StringElement(label));
-
- }
-
- if (type.equalsIgnoreCase("CHECKBOX"))
- {
-
- input.setChecked(selected);
-
- }
-
- return (ec);
- }
-
- /**
- * Description of the Method
- *
- * @param text
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static A makeLink(String text, String name, String value)
- {
-
- String href = "attack?" + name;
-
- if (value.length() > 0)
- {
-
- href = href + "=" + value;
-
- }
-
- A a = new A(href);
-
- a.addElement(new U().addElement(text));
-
- a.addAttribute("style", "cursor:hand");
-
- return (a);
- }
-
- /**
- * Description of the Method
- *
- * @param text
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static A makeLink(String text, String name, int value)
- {
-
- return (makeLink(text, name, Integer.toString(value)));
- }
-
- /**
- * Description of the Method
- *
- * @param text
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static A makeLink(String text, String name, boolean value)
- {
-
- return (makeLink(text, name, new Boolean(value).toString()));
- }
-
- /**
- * Description of the Method
- *
- * @param text
- * Description of the Parameter
- * @param clickAction
- * Description of the Parameter
- * @param type
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static Input makeOnClickInput(String text, String clickAction, String type)
- {
-
- Input b = new Input();
-
- b.setType(type);
-
- b.setValue(text);
-
- b.setOnClick(clickAction);
-
- return (b);
- }
-
- /**
- * Description of the Method
- *
- * @param labeltext
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @param e
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static TR makeOption(String labeltext, String value, Element e)
- {
-
- TD left = new TD().setAlign("left").setWidth("10%");
-
- left.addElement(e);
-
- TD right = new TD().setAlign("right");
-
- Label label = new Label().addElement(labeltext);
-
- right.addElement(label);
-
- TR row = new TR();
-
- row.addElement(right);
-
- row.addElement(left);
-
- return (row);
- }
-
- /**
- * Description of the Method
- *
- * @param label
- * Description of the Parameter
- * @param value
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static Option makeOption(String label, boolean value)
- {
-
- Option option = new Option(label, new Boolean(value).toString());
-
- option.setSelected(value);
-
- return option;
- }
-
- /**
- * Description of the Method
- *
- * @param line
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- private static org.apache.ecs.html.Option makeOption(String line)
- {
-
- StringTokenizer st = new StringTokenizer(line, "|");
-
- org.apache.ecs.html.Option o = new org.apache.ecs.html.Option();
-
- String token = "";
-
- if (st.hasMoreTokens())
- {
-
- token = st.nextToken();
-
- }
-
- o.addElement(token);
-
- return (o);
- }
-
- /**
- * Description of the Method
- *
- * @param name
- * Description of the Parameter
- * @param options
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static Element makePulldown(String name, List options)
- {
-
- Select s = new Select(name);
-
- s.addElement(options.toArray(new String[options.size()]));
-
- return (s);
- }
-
- /**
- * Description of the Method
- *
- * @param results
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static Element makePulldown(String name, String results)
- {
-
- Select select = new Select(name);
-
- StringTokenizer st = new StringTokenizer(results, "\n");
-
- if (!st.hasMoreTokens()) {
-
- return (new StringElement("")); }
-
- while (st.hasMoreTokens())
- {
-
- String line = st.nextToken();
-
- select.addElement(makeOption(line));
-
- }
-
- select.addElement("-------------------------");
-
- return (select);
- }
-
- /**
- * Description of the Method
- *
- * @param name
- * Description of the Parameter
- * @param list
- * Description of the Parameter
- * @param selected
- * Description of the Parameter
- * @param rowsShowing
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static Select makePulldown(String name, Object[] list, String selected, int rowsShowing)
- {
-
- Select select = new Select(name);
-
- for (int loop = 0; loop < list.length; loop++)
- {
-
- String value = list[loop].toString();
-
- org.apache.ecs.html.Option o = new org.apache.ecs.html.Option(value, value, value);
-
- if (value.equals(selected))
- {
-
- o.setSelected(true);
-
- }
-
- select.addElement(o);
-
- }
-
- select.setSize(rowsShowing);
-
- return select;
- }
-
- /**
- * Default size of 1 for rows showing in select box.
- *
- * @param diffNames
- * Description of the Parameter
- * @param select
- * Description of the Parameter
- * @param name
- * Description of the Parameter
- * @param options
- * Description of the Parameter
- * @param list
- * Description of the Parameter
- * @param selected
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public static Element makeSelect(boolean diffNames, Select select, String name, Vector