From f2406eff5245e2b6200b7b65ea855bf94546f749 Mon Sep 17 00:00:00 2001
From: Jason White
Date: Tue, 19 Aug 2014 06:49:30 -0400
Subject: [PATCH] Updated lesson content function, genral clean up of js
---
 .../ClientSideFiltering.java | 2 +-
 .../webgoat/lessons/ClientSideValidation.java | 6 ++---
 java/org/owasp/webgoat/lessons/DOMXSS.java | 6 ++---
 .../owasp/webgoat/lessons/DangerousEval.java | 4 +--
 .../lessons/SameOriginPolicyProtection.java | 2 +-
 webapp/WEB-INF/pages/main_new.jsp | 2 +-
 webapp/js/{ => deprecated}/javascript.js | 0
 webapp/js/{ => deprecated}/menu_system.js | 0
 webapp/js/goat.js | 25 +++++++++++--------
 webapp/js/{ => jquery}/jquery-1.10.2.min.js | 0
 webapp/{js => lessonJS}/DOMXSS.js | 0
 .../{js => lessonJS}/clientSideFiltering.js | 0
 .../{js => lessonJS}/clientSideValidation.js | 0
 webapp/{js => lessonJS}/escape.js | 0
 webapp/{js => lessonJS}/eval.js | 0
 webapp/{js => lessonJS}/sameOrigin.js | 0
 16 files changed, 25 insertions(+), 22 deletions(-)
 rename webapp/js/{ => deprecated}/javascript.js (100%)
 rename webapp/js/{ => deprecated}/menu_system.js (100%)
 rename webapp/js/{ => jquery}/jquery-1.10.2.min.js (100%)
 rename webapp/{js => lessonJS}/DOMXSS.js (100%)
 rename webapp/{js => lessonJS}/clientSideFiltering.js (100%)
 rename webapp/{js => lessonJS}/clientSideValidation.js (100%)
 rename webapp/{js => lessonJS}/escape.js (100%)
 rename webapp/{js => lessonJS}/eval.js (100%)
 rename webapp/{js => lessonJS}/sameOrigin.js (100%)
diff --git a/java/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java b/java/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java
index 4f45424e3..267fd03cc 100644
--- a/java/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java
+++ b/java/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java
@@ -51,7 +51,7 @@ public class ClientSideFiltering extends SequentialLessonAdapter
 try
 {
- ec.addElement(new Script().setSrc("javascript/clientSideFiltering.js"));
+ ec.addElement(new Script().setSrc("lessonJS/clientSideFiltering.js"));
 Input input = new Input(Input.HIDDEN, "userID", 102);
diff --git a/java/org/owasp/webgoat/lessons/ClientSideValidation.java b/java/org/owasp/webgoat/lessons/ClientSideValidation.java
index 63537a0c1..592e6709e 100644
--- a/java/org/owasp/webgoat/lessons/ClientSideValidation.java
+++ b/java/org/owasp/webgoat/lessons/ClientSideValidation.java
@@ -102,7 +102,7 @@ public class ClientSideValidation extends SequentialLessonAdapter
 try
 {
- ec.addElement(new Script().setSrc("javascript/clientSideValidation.js"));
+ ec.addElement(new Script().setSrc("lessonJS/clientSideValidation.js"));
 ec.addElement(new HR().setWidth("90%"));
 ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart")));
@@ -129,7 +129,7 @@ public class ClientSideValidation extends SequentialLessonAdapter
 try
 {
- ec.addElement(new Script().setSrc("javascript/clientSideValidation.js"));
+ ec.addElement(new Script().setSrc("lessonJS/clientSideValidation.js"));
 ec.addElement(new HR().setWidth("90%"));
 ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart")));
@@ -323,7 +323,7 @@ public class ClientSideValidation extends SequentialLessonAdapter
 t.addElement(tr);
 tr = new TR();
- tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel® Centrino™"));
+ tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel� Centrino�"));
 tr.addElement(new TD()
 .addElement(
diff --git a/java/org/owasp/webgoat/lessons/DOMXSS.java b/java/org/owasp/webgoat/lessons/DOMXSS.java
index a5574dcfe..767ebdd02 100644
--- a/java/org/owasp/webgoat/lessons/DOMXSS.java
+++ b/java/org/owasp/webgoat/lessons/DOMXSS.java
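Review bot: The `+` line of the `@@ -323,7 +323,7 @@` hunk rewrites the product-name literal so that `®` and `™` become U+FFFD replacement characters, which changes the text WebGoat renders and looks like a wrong-encoding re-save of the file rather than an intended edit; the same corruption appears in DangerousEval.java's `@@ -123,7 +123,7 @@` hunk. Either drop these two lines from the commit or make the source encoding-independent with escapes: `"Hewlett-Packard - Pavilion Notebook with Intel\u00ae Centrino\u2122"`. The `javascript/` to `lessonJS/` path edits in the other hunks are consistent with the renames listed in the diffstat. The methods containing these hunks begin and end outside them.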
@@ -138,7 +138,7 @@ public class DOMXSS extends SequentialLessonAdapter
 *
 * 1. If the DOMXSS.js file contains the lines "escapeHTML(name)"
 */
- String file = s.getWebResource("javascript/DOMXSS.js");
+ String file = s.getWebResource("lessonJS/DOMXSS.js");
 String content = getFileContent(file);
 if (content.indexOf("escapeHTML(name)") != -1)
@@ -157,9 +157,9 @@ public class DOMXSS extends SequentialLessonAdapter
 try
 {
- ec.addElement(new Script().setSrc("javascript/DOMXSS.js"));
+ ec.addElement(new Script().setSrc("lessonJS/DOMXSS.js"));
- ec.addElement(new Script().setSrc("javascript/escape.js"));
+ ec.addElement(new Script().setSrc("lessonJS/escape.js"));
 ec.addElement(new H1().setID("greeting"));
diff --git a/java/org/owasp/webgoat/lessons/DangerousEval.java b/java/org/owasp/webgoat/lessons/DangerousEval.java
index c45e92d2b..8d6951b72 100644
--- a/java/org/owasp/webgoat/lessons/DangerousEval.java
+++ b/java/org/owasp/webgoat/lessons/DangerousEval.java
@@ -86,7 +86,7 @@ public class DangerousEval extends LessonAdapter
 float runningTotal = 0.0f;
 // FIXME: encode output of field2, then s.setMessage( field2 );
- ec.addElement("");
+ ec.addElement("");
 // ec.addElement(new HR().setWidth("90%"));
 ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart ")));
@@ -123,7 +123,7 @@ public class DangerousEval extends LessonAdapter
 tr.addElement(new TD().addElement("$" + total));
 t.addElement(tr);
 tr = new TR();
- tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel® Centrino™"));
+ tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel� Centrino�"));
 tr.addElement(new TD().addElement("1599.99").setAlign("right"));
 tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3", "1"))).setAlign("right"));
 quantity = s.getParser().getFloatParameter("QTY3", 0.0f);
diff --git a/java/org/owasp/webgoat/lessons/SameOriginPolicyProtection.java b/java/org/owasp/webgoat/lessons/SameOriginPolicyProtection.java
index 5dd3a4ffb..0fda80c81 100644
--- a/java/org/owasp/webgoat/lessons/SameOriginPolicyProtection.java
+++ b/java/org/owasp/webgoat/lessons/SameOriginPolicyProtection.java
@@ -38,7 +38,7 @@ public class SameOriginPolicyProtection extends LessonAdapter
 try
 {
- ec.addElement(new Script().setSrc("javascript/sameOrigin.js"));
+ ec.addElement(new Script().setSrc("lessonJS/sameOrigin.js"));
 Input hiddenWGStatus = new Input(Input.HIDDEN, "hiddenWGStatus", 0);
 hiddenWGStatus.setID("hiddenWGStatus");
diff --git a/webapp/WEB-INF/pages/main_new.jsp b/webapp/WEB-INF/pages/main_new.jsp
index b3690b451..f887de662 100644
--- a/webapp/WEB-INF/pages/main_new.jsp
+++ b/webapp/WEB-INF/pages/main_new.jsp
@@ -101,7 +101,7 @@
-
+
diff --git a/webapp/js/javascript.js b/webapp/js/deprecated/javascript.js
similarity index 100%
rename from webapp/js/javascript.js
rename to webapp/js/deprecated/javascript.js
diff --git a/webapp/js/menu_system.js b/webapp/js/deprecated/menu_system.js
similarity index 100%
rename from webapp/js/menu_system.js
rename to webapp/js/deprecated/menu_system.js
diff --git a/webapp/js/goat.js b/webapp/js/goat.js
index db7d45a59..915e69dce 100644
--- a/webapp/js/goat.js
+++ b/webapp/js/goat.js
@@ -15,21 +15,19 @@ goat.controller('goatMenu', function($scope, $http) {
 },
 function(error) {
 // TODO - handle this some way other than an alert
- alert("Error rendering menu: " + error);
+ console.error("Error rendering menu: " + error);
 }
 );
- $scope.lessonUrl = "hi!";
 $scope.renderLesson = function(url) {
 console.log(url + ' was passed in');
 // use jquery to render lesson content to div
- jQuery.get(url,
- {},
- function(reply) {
- jQuery("#lesson_content").html(reply);
- // hook any forms
- makeFormsAjax();
- },
- "html");
+ loadLessonContent(url).then(
+ function(reply) {
+ $("#lesson_content").html(reply);
+ // hook forms
+ makeFormsAjax();
+ }
+ );
 };
 })
 .animation('.slideDown', function() {
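Review bot: `console.error("Error rendering menu: " + error)` string-concatenates the rejection value, which for an `$http` failure (presumably what `loadMenuData()` hands to this callback; that call sits above the hunk) is an object and will be logged as `[object Object]` with the status and body lost; pass it as a separate argument, `console.error("Error rendering menu:", error);`. The new `loadLessonContent(url).then(...)` attaches only a success callback, so a failed lesson fetch leaves `#lesson_content` untouched with nothing logged; give `.then` a second callback such as `function(xhr) { console.error("Error loading lesson " + url + ":", xhr); }`. The `// TODO - handle this some way other than an alert` comment is now stale since no alert remains; reword it to say what handling is still wanted, for example a visible message in the menu pane. The `goatMenu` controller starts, and the `.animation` chain continues, outside this hunk.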
@@ -62,9 +60,14 @@ goat.addMenuClasses = function(arr) {
 return arr;
 };
+
+function loadLessonContent(_url) {
+ //TODO: switch to $http (angular)
+ return $.get(_url,{},null,"html");
+}
+
 function loadMenuData() {
 return $http({method: 'GET', url: 'service/lessonmenu.mvc'});
- //return [{"name":"Introduction","type":"CATEGORY","children":[{"name":"How to work with WebGoat","type":"LESSON","children":[],"complete":true,"link":"attack?Screen=35&menu=5"},{"name":"Tomcat Configuration","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=51&menu=5"},{"name":"Useful Tools","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=8&menu=5"},{"name":"How to create a Lesson","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=45&menu=5"}],"complete":false,"link":null},{"name":"General","type":"CATEGORY","children":[{"name":"Http Basics","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=19&menu=100"},{"name":"HTTP Splitting","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=5&menu=100"},{"name":"HTTP Basics (Spring MVC)","type":"LESSON","children":[],"complete":false,"link":"httpBasics.do?Screen=7&menu=100"}],"complete":false,"link":null},{"name":"Access Control Flaws","type":"CATEGORY","children":[{"name":"Using an Access Control Matrix","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=56&menu=200"},{"name":"Bypass a Path Based Access Control Scheme","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=60&menu=200"},{"name":"LAB: Role Based Access Control","type":"LESSON","children":[{"name":"Stage 1: Bypass Business Layer Access Control","type":"STAGE","children":[],"complete":false,"link":"attack?Screen=68&menu=200&stage=1"},{"name":"Stage 2: Add Business Layer Access Control","type":"STAGE","children":[],"complete":false,"link":"attack?Screen=68&menu=200&stage=2"},{"name":"Stage 3: Bypass Data Layer Access 
Control","type":"STAGE","children":[],"complete":false,"link":"attack?Screen=68&menu=200&stage=3"},{"name":"Stage 4: Add Data Layer Access Control","type":"STAGE","children":[],"complete":false,"link":"attack?Screen=68&menu=200&stage=4"}],"complete":false,"link":"attack?Screen=68&menu=200"},{"name":"Remote Admin Access","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=13&menu=200"}],"complete":false,"link":null},{"name":"AJAX Security","type":"CATEGORY","children":[{"name":"Same Origin Policy Protection","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=44&menu=400"},{"name":"LAB: DOM-Based cross-site scripting","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=52&menu=400"},{"name":"LAB: Client Side Filtering","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=58&menu=400"},{"name":"DOM Injection","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=77&menu=400"},{"name":"XML Injection","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=62&menu=400"},{"name":"JSON Injection","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=47&menu=400"},{"name":"Silent Transactions Attacks","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=71&menu=400"},{"name":"Dangerous Use of Eval","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=25&menu=400"},{"name":"Insecure Client Storage","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=46&menu=400"}],"complete":false,"link":null},{"name":"Authentication Flaws","type":"CATEGORY","children":[{"name":"Password Strength","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=69&menu=500"},{"name":"Forgot Password","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=67&menu=500"},{"name":"Basic Authentication","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=38&menu=500"},{"name":"Multi Level Login 
2","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=36&menu=500"},{"name":"Multi Level Login 1","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=64&menu=500"}],"complete":false,"link":null},{"name":"Buffer Overflows","type":"CATEGORY","children":[{"name":"Off-by-One Overflows","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=53&menu=600"}],"complete":false,"link":null},{"name":"Code Quality","type":"CATEGORY","children":[{"name":"Discover Clues in the HTML","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=43&menu=700"}],"complete":false,"link":null},{"name":"Concurrency","type":"CATEGORY","children":[{"name":"Thread Safety Problems","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=72&menu=800"},{"name":"Shopping Cart Concurrency Flaw","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=18&menu=800"}],"complete":false,"link":null},{"name":"Cross-Site Scripting (XSS)","type":"CATEGORY","children":[{"name":"Phishing with XSS","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=57&menu=900"},{"name":"LAB: Cross Site Scripting","type":"LESSON","children":[{"name":"Stage 1: Stored XSS","type":"STAGE","children":[],"complete":false,"link":"attack?Screen=23&menu=900&stage=1"},{"name":"Stage 2: Block Stored XSS using Input Validation","type":"STAGE","children":[],"complete":false,"link":"attack?Screen=23&menu=900&stage=2"},{"name":"Stage 3: Stored XSS Revisited","type":"STAGE","children":[],"complete":false,"link":"attack?Screen=23&menu=900&stage=3"},{"name":"Stage 4: Block Stored XSS using Output Encoding","type":"STAGE","children":[],"complete":false,"link":"attack?Screen=23&menu=900&stage=4"},{"name":"Stage 5: Reflected XSS","type":"STAGE","children":[],"complete":false,"link":"attack?Screen=23&menu=900&stage=5"},{"name":"Stage 6: Block Reflected 
XSS","type":"STAGE","children":[],"complete":false,"link":"attack?Screen=23&menu=900&stage=6"}],"complete":false,"link":"attack?Screen=23&menu=900"},{"name":"Stored XSS Attacks","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=73&menu=900"},{"name":"Reflected XSS Attacks","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=34&menu=900"},{"name":"Cross Site Request Forgery (CSRF)","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=55&menu=900"},{"name":"CSRF Prompt By-Pass","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=48&menu=900"},{"name":"CSRF Token By-Pass","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=4&menu=900"},{"name":"HTTPOnly Test","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=11&menu=900"},{"name":"Cross Site Tracing (XST) Attacks","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=78&menu=900"}],"complete":false,"link":null},{"name":"Improper Error Handling","type":"CATEGORY","children":[{"name":"Fail Open Authentication Scheme","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=42&menu=1000"}],"complete":false,"link":null},{"name":"Injection Flaws","type":"CATEGORY","children":[{"name":"Command Injection","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=14&menu=1100"},{"name":"Numeric SQL Injection","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=80&menu=1100"},{"name":"Log Spoofing","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=79&menu=1100"},{"name":"XPATH Injection","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=49&menu=1100"},{"name":"String SQL Injection","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=39&menu=1100"},{"name":"LAB: SQL Injection","type":"LESSON","children":[{"name":"Stage 1: String SQL 
Injection","type":"STAGE","children":[],"complete":false,"link":"attack?Screen=74&menu=1100&stage=1"},{"name":"Stage 2: Parameterized Query #1","type":"STAGE","children":[],"complete":false,"link":"attack?Screen=74&menu=1100&stage=2"},{"name":"Stage 3: Numeric SQL Injection","type":"STAGE","children":[],"complete":false,"link":"attack?Screen=74&menu=1100&stage=3"},{"name":"Stage 4: Parameterized Query #2","type":"STAGE","children":[],"complete":false,"link":"attack?Screen=74&menu=1100&stage=4"}],"complete":false,"link":"attack?Screen=74&menu=1100"},{"name":"Modify Data with SQL Injection","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=41&menu=1100"},{"name":"Add Data with SQL Injection","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=9&menu=1100"},{"name":"Database Backdoors ","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=15&menu=1100"},{"name":"Blind Numeric SQL Injection","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=6&menu=1100"},{"name":"Blind String SQL Injection","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=16&menu=1100"}],"complete":false,"link":null},{"name":"Denial of Service","type":"CATEGORY","children":[{"name":"Denial of Service from Multiple Logins","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=66&menu=1200"}],"complete":false,"link":null},{"name":"Insecure Communication","type":"CATEGORY","children":[{"name":"Insecure Login","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=70&menu=1300"}],"complete":false,"link":null},{"name":"Insecure Configuration","type":"CATEGORY","children":[{"name":"Forced Browsing","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=40&menu=1400"}],"complete":false,"link":null},{"name":"Insecure Storage","type":"CATEGORY","children":[{"name":"Encoding 
Basics","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=65&menu=1500"}],"complete":false,"link":null},{"name":"Malicious Execution","type":"CATEGORY","children":[{"name":"Malicious File Execution","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=21&menu=1600"}],"complete":false,"link":null},{"name":"Parameter Tampering","type":"CATEGORY","children":[{"name":"Bypass HTML Field Restrictions","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=54&menu=1700"},{"name":"Exploit Hidden Fields","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=37&menu=1700"},{"name":"Exploit Unchecked Email","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=50&menu=1700"},{"name":"Bypass Client Side JavaScript Validation","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=20&menu=1700"}],"complete":false,"link":null},{"name":"Session Management Flaws","type":"CATEGORY","children":[{"name":"Hijack a Session","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=75&menu=1800"},{"name":"Spoof an Authentication Cookie","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=76&menu=1800"},{"name":"Session Fixation","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=59&menu=1800"}],"complete":false,"link":null},{"name":"Web Services","type":"CATEGORY","children":[{"name":"Create a SOAP Request","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=22&menu=1900"},{"name":"WSDL Scanning","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=26&menu=1900"},{"name":"Web Service SAX Injection","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=10&menu=1900"},{"name":"Web Service SQL Injection","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=63&menu=1900"}],"complete":false,"link":null},{"name":"Admin Functions","type":"CATEGORY","children":[{"name":"Report 
Card","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=28&menu=2000"}],"complete":false,"link":null},{"name":"Challenge","type":"CATEGORY","children":[{"name":"The CHALLENGE!","type":"LESSON","children":[],"complete":false,"link":"attack?Screen=12&menu=3000"}],"complete":false,"link":null}];
 }
diff --git a/webapp/js/jquery-1.10.2.min.js b/webapp/js/jquery/jquery-1.10.2.min.js
similarity index 100%
rename from webapp/js/jquery-1.10.2.min.js
rename to webapp/js/jquery/jquery-1.10.2.min.js
diff --git a/webapp/js/DOMXSS.js b/webapp/lessonJS/DOMXSS.js
similarity index 100%
rename from webapp/js/DOMXSS.js
rename to webapp/lessonJS/DOMXSS.js
diff --git a/webapp/js/clientSideFiltering.js b/webapp/lessonJS/clientSideFiltering.js
similarity index 100%
rename from webapp/js/clientSideFiltering.js
rename to webapp/lessonJS/clientSideFiltering.js
diff --git a/webapp/js/clientSideValidation.js b/webapp/lessonJS/clientSideValidation.js
similarity index 100%
rename from webapp/js/clientSideValidation.js
rename to webapp/lessonJS/clientSideValidation.js
diff --git a/webapp/js/escape.js b/webapp/lessonJS/escape.js
similarity index 100%
rename from webapp/js/escape.js
rename to webapp/lessonJS/escape.js
diff --git a/webapp/js/eval.js b/webapp/lessonJS/eval.js
similarity index 100%
rename from webapp/js/eval.js
rename to webapp/lessonJS/eval.js
diff --git a/webapp/js/sameOrigin.js b/webapp/lessonJS/sameOrigin.js
similarity index 100%
rename from webapp/js/sameOrigin.js
rename to webapp/lessonJS/sameOrigin.js
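Review bot: `loadLessonContent` is added as a bare global function while the neighbouring helper named in this hunk's header, `goat.addMenuClasses`, is namespaced on `goat`; defining it as `goat.loadLessonContent = function(url) { ... }` and calling it that way from `renderLesson` would keep the file consistent and avoid a window-level name. The function carries no comment describing its contract; a one-liner such as `// Fetches a lesson fragment as HTML and returns the jqXHR promise so callers can attach success and failure handlers.` would help, and the `_url` underscore prefix is unusual for a parameter. Because the caller injects the response straight into the page with `.html()`, this helper is also the natural place to insist on a same-origin relative path (the menu links in the removed comment are all of the `attack?Screen=...` form) rather than forwarding any string to `$.get`. `goat.addMenuClasses` starts before this hunk.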