Extract the stage-related code from LessonTracker into SequentialLessonTracker

git-svn-id: http://webgoat.googlecode.com/svn/trunk@157 4033779f-a91e-0410-96ef-6bf7bf53c507
rogan.dawes 2007-07-11 12:50:32 +00:00
parent 02560a2510
commit f5e56c7081
18 changed files with 234 additions and 175 deletions


@ -164,13 +164,6 @@ public abstract class AbstractLesson extends Screen implements Comparable
*/
public abstract Element getCredits();
/**
* Get the number of stages provided by this lesson
*
* @return the number of stages
*/
public abstract int getStageCount();
/**
* Description of the Method
*
@ -614,23 +607,6 @@ public abstract class AbstractLesson extends Screen implements Comparable
public abstract void setCurrentAction(WebSession s, String lessonScreen);
public void setStage(WebSession s, int stage)
{
// System.out.println("Changed to stage " + stage);
getLessonTracker(s).setStage(stage);
}
public int getStage(WebSession s)
{
int stage = getLessonTracker(s).getStage();
// System.out.println("In stage " + stage);
return stage;
}
/**
* Override this method to implement accesss control in a lesson.
*


@ -52,7 +52,7 @@ import org.owasp.webgoat.session.WebSession;
*
* @author Sherif Koussa <a href="http://www.macadamian.com">Macadamian Technologies.</a>
*/
public class BackDoors extends LessonAdapter
public class BackDoors extends SequentialLessonAdapter
{
private static Connection connection = null;


@ -47,7 +47,7 @@ import org.owasp.webgoat.session.WebSession;
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class BasicAuthentication extends LessonAdapter
public class BasicAuthentication extends SequentialLessonAdapter
{
private static final String EMPTY_STRING = "";


@ -69,7 +69,7 @@ import org.owasp.webgoat.util.ExecResults;
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class Challenge2Screen extends LessonAdapter
public class Challenge2Screen extends SequentialLessonAdapter
{
private static final String USER_COOKIE = "user";


@ -17,6 +17,7 @@ import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.HtmlEncoder;
/**
/*******************************************************************************
@ -286,4 +287,18 @@ public class CrossSiteScripting extends GoatHillsFinancial
return "LAB: Cross Site Scripting (XSS)";
}
public String htmlEncode(WebSession s, String text)
{
//System.out.println("Testing for stage 4 completion in lesson " + getCurrentLesson().getName());
if (getStage(s) == 4 &&
text.indexOf("<script>") > -1 && text.indexOf("alert") > -1 && text.indexOf("</script>") > -1)
{
s.setMessage( "Welcome to stage 5 -- exploiting the data layer" );
// Set a phantom stage value to setup for the 4-5 transition
setStage(s, 1005);
}
return HtmlEncoder.encode(text);
}
}
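Review bot: The return statement of the new `htmlEncode` delegates to `HtmlEncoder.encode(text)`, while the version removed from WebSession called `ParameterParser.htmlEncode(s)`, so this hunk changes which encoder protects the ViewProfile description field rather than only moving the code; confirm both escape the same characters (`<`, `>`, `&`, `"`, `'`) or the stage-4 fix the student applies will behave differently than before. The stage-advance test is an exact, case-sensitive substring match on `<script>`, `alert` and `</script>`, so a payload such as `<SCRIPT>` is encoded but never advances the lesson; that limitation deserves a comment like `// Stage-4 completion is only detected for the canonical lowercase <script>alert(...)</script> payload`. A method named `htmlEncode` that also mutates lesson state (`setStage(s, 1005)`) should say so in a Javadoc, since the JSP caller has no other hint of the side effect.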


@ -5,7 +5,6 @@ import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException;


@ -9,7 +9,7 @@ import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.A;
import org.apache.ecs.html.IMG;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.lessons.SequentialLessonAdapter;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
@ -45,7 +45,7 @@ import org.owasp.webgoat.session.WebSession;
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class GoatHillsFinancial extends LessonAdapter
public class GoatHillsFinancial extends SequentialLessonAdapter
{
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));


@ -46,7 +46,7 @@ import org.owasp.webgoat.session.WebSession;
* @created September 30, 2006
*/
public class HttpSplitting extends LessonAdapter
public class HttpSplitting extends SequentialLessonAdapter
{
private final static String LANGUAGE = "language";


@ -107,90 +107,6 @@ public abstract class LessonAdapter extends AbstractLesson
}
protected Element createStagedContent(WebSession s)
{
try
{
int stage = getLessonTracker(s).getStage();
//int stage = Integer.parseInt( getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE,"1"));
switch (stage)
{
case 1:
return (doStage1(s));
case 2:
return (doStage2(s));
case 3:
return (doStage3(s));
case 4:
return (doStage4(s));
case 5:
return (doStage5(s));
case 6:
return (doStage6(s));
default:
throw new Exception("Invalid stage");
}
}
catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
System.out.println(e);
e.printStackTrace();
}
return (new StringElement(""));
}
protected Element doStage1(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 1 Stub");
return ec;
}
protected Element doStage2(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 2 Stub");
return ec;
}
protected Element doStage3(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 3 Stub");
return ec;
}
protected Element doStage4(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 4 Stub");
return ec;
}
protected Element doStage5(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 5 Stub");
return ec;
}
protected Element doStage6(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 6 Stub");
return ec;
}
/**
* Gets the category attribute of the LessonAdapter object. The default category is "General" Only
* override this method if you wish to create a new category or if you wish this lesson to reside
@ -382,11 +298,4 @@ public abstract class LessonAdapter extends AbstractLesson
return t;
}
/* By default returns 1 stage.
* (non-Javadoc)
* @see org.owasp.webgoat.lessons.AbstractLesson#getStageCount()
*/
public int getStageCount() {
return 1;
}
}


@ -0,0 +1,139 @@
package org.owasp.webgoat.lessons;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.owasp.webgoat.session.LessonTracker;
import org.owasp.webgoat.session.SequentialLessonTracker;
import org.owasp.webgoat.session.WebSession;
public class SequentialLessonAdapter extends LessonAdapter {
public void setStage(WebSession s, int stage)
{
// System.out.println("Changed to stage " + stage);
getLessonTracker(s).setStage(stage);
}
/* By default returns 1 stage.
* (non-Javadoc)
*/
public int getStageCount() {
return 1;
}
public int getStage(WebSession s)
{
int stage = getLessonTracker(s).getStage();
// System.out.println("In stage " + stage);
return stage;
}
@Override
public SequentialLessonTracker getLessonTracker(WebSession s) {
return (SequentialLessonTracker) super.getLessonTracker(s);
}
@Override
public SequentialLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson) {
return (SequentialLessonTracker) super.getLessonTracker(s, lesson);
}
@Override
public SequentialLessonTracker getLessonTracker(WebSession s, String userNameOverride) {
return (SequentialLessonTracker) super.getLessonTracker(s, userNameOverride);
}
@Override
public LessonTracker createLessonTracker() {
return new SequentialLessonTracker();
}
protected Element createStagedContent(WebSession s)
{
try
{
int stage = getLessonTracker(s).getStage();
//int stage = Integer.parseInt( getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE,"1"));
switch (stage)
{
case 1:
return (doStage1(s));
case 2:
return (doStage2(s));
case 3:
return (doStage3(s));
case 4:
return (doStage4(s));
case 5:
return (doStage5(s));
case 6:
return (doStage6(s));
default:
throw new Exception("Invalid stage");
}
}
catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
System.out.println(e);
e.printStackTrace();
}
return (new StringElement(""));
}
protected Element doStage1(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 1 Stub");
return ec;
}
protected Element doStage2(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 2 Stub");
return ec;
}
protected Element doStage3(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 3 Stub");
return ec;
}
protected Element doStage4(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 4 Stub");
return ec;
}
protected Element doStage5(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 5 Stub");
return ec;
}
protected Element doStage6(WebSession s) throws Exception
{
ElementContainer ec = new ElementContainer();
ec.addElement("Stage 6 Stub");
return ec;
}
}
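Review bot: `setStage` stores whatever int it receives, so the only range check on a client-supplied stage is the `stage > 0 && stage <= getStageCount()` test in WebSession's STAGE handling, and `createStagedContent` falls into the `Invalid stage` branch for anything outside 1..6. Because CrossSiteScripting deliberately stores the phantom value 1005 through this same method, a bound cannot simply be added here; document the contract instead: `/** Stores the stage without validation; code that takes a stage from request input must range-check it against getStageCount() first. */`. The `(non-Javadoc)` remark on `getStageCount` is now stale, since the `@see AbstractLesson#getStageCount()` reference was dropped together with the abstract declaration. The catch block in `createStagedContent` also reports `this.getClass().getName()` to the user via `s.setMessage` and prints the stack trace to stdout, which is tolerable in a teaching tool but worth a `// intentionally verbose: WebGoat is a training application` note so the pattern is not copied elsewhere.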


@ -61,7 +61,7 @@ import org.owasp.webgoat.session.WebSession;
* TODO To change the template for this generated type comment go to
* Window - Preferences - Java - Code Style - Code Templates
*/
public class SoapRequest extends LessonAdapter
public class SoapRequest extends SequentialLessonAdapter
{
/* TEST CODE


@ -55,7 +55,7 @@ import org.owasp.webgoat.session.WebSession;
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class SqlNumericInjection extends LessonAdapter
public class SqlNumericInjection extends SequentialLessonAdapter
{
private final static String STATION_ID = "station";


@ -51,7 +51,7 @@ import org.owasp.webgoat.session.WebSession;
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class SqlStringInjection extends LessonAdapter
public class SqlStringInjection extends SequentialLessonAdapter
{
private final static String ACCT_NAME = "account_name";


@ -42,8 +42,6 @@ public class LessonTracker
private boolean completed = false;
private int currentStage = 1;
private int maxHintLevel = 0;
private int numVisits = 0;
@ -72,18 +70,6 @@ public class LessonTracker
}
public int getStage()
{
return currentStage;
}
public void setStage(int stage)
{
currentStage = stage;
}
/**
* Gets the maxHintLevel attribute of the LessonTracker object
*
@ -175,15 +161,13 @@ public class LessonTracker
*
* @param props The new properties value
*/
private void setProperties(Properties props, Screen screen)
protected void setProperties(Properties props, Screen screen)
{
completed = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".completed"))
.booleanValue();
maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle()
+ ".maxHintLevel"));
currentStage = Integer.parseInt(props.getProperty(screen.getTitle()
+ ".currentStage"));
numVisits = Integer.parseInt(props.getProperty(screen.getTitle()
+ ".numVisits"));
viewedCookies = Boolean.valueOf(
@ -367,8 +351,6 @@ public class LessonTracker
//System.out.println( "Storing data to" + fileName );
lessonProperties.setProperty(screen.getTitle() + ".completed", Boolean
.toString(completed));
lessonProperties.setProperty(screen.getTitle() + ".currentStage",
Integer.toString(currentStage));
lessonProperties.setProperty(screen.getTitle() + ".maxHintLevel",
Integer.toString(maxHintLevel));
lessonProperties.setProperty(screen.getTitle() + ".numVisits", Integer
@ -417,7 +399,6 @@ public class LessonTracker
StringBuffer buff = new StringBuffer();
buff.append("LessonTracker:" + "\n");
buff.append(" - completed:.......... " + completed + "\n");
buff.append(" - currentStage:....... " + currentStage + "\n");
buff.append(" - maxHintLevel:....... " + maxHintLevel + "\n");
buff.append(" - numVisits:.......... " + numVisits + "\n");
buff.append(" - viewedCookies:...... " + viewedCookies + "\n");


@ -0,0 +1,39 @@
package org.owasp.webgoat.session;
import java.util.Properties;
public class SequentialLessonTracker extends LessonTracker {
private int currentStage = 1;
public int getStage()
{
return currentStage;
}
public void setStage(int stage)
{
currentStage = stage;
}
protected void setProperties(Properties props, Screen screen)
{
super.setProperties(props, screen);
currentStage = Integer.parseInt(props.getProperty(screen.getTitle()
+ ".currentStage"));
}
public void store(WebSession s, Screen screen, String user)
{
lessonProperties.setProperty(screen.getTitle() + ".currentStage",
Integer.toString(currentStage));
super.store(s, screen, user);
}
public String toString() {
return super.toString() + " - currentStage:....... " + currentStage + "\n";
}
}
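Review bot: `setProperties` calls `Integer.parseInt` on `props.getProperty(screen.getTitle() + ".currentStage")` with no default, so a per-user properties file that lacks the key (one written for a lesson that only later becomes sequential, or a hand-edited file) throws `NumberFormatException` from `parseInt(null)` and aborts the tracker load. Reusing the field's initial value keeps the restore tolerant: `currentStage = Integer.parseInt(props.getProperty(screen.getTitle() + ".currentStage", "1"));`. The restored value is also not compared with the lesson's stage count, so whatever was persisted, including a tampered value in the user's file, is loaded as-is; that mirrors the superclass's existing pattern, but a `// NOTE: not range-checked; WebSession validates request-supplied stages, persisted ones are trusted` comment would make the trust boundary explicit. The direct use of `lessonProperties` presumes that field is at least protected in LessonTracker, which this diff does not show.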


@ -22,6 +22,7 @@ import javax.servlet.http.HttpServletResponse;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.SequentialLessonAdapter;
/*******************************************************************************
*
@ -907,9 +908,14 @@ public class WebSession
}
else if (myParser.getRawParameter( STAGE, null ) != null)
{
int stage = myParser.getIntParameter(STAGE, getCurrentLesson().getStage(this));
if (stage > 0 && stage <= getCurrentLesson().getStageCount())
getCurrentLesson().setStage(this, stage);
AbstractLesson al = getCurrentLesson();
if (al instanceof SequentialLessonAdapter)
{
SequentialLessonAdapter sla = (SequentialLessonAdapter) al;
int stage = myParser.getIntParameter(STAGE, sla.getStage(this));
if (stage > 0 && stage <= sla.getStageCount())
sla.setStage(this, stage);
}
}
// else update global variables for the current screen
else
@ -981,9 +987,14 @@ public class WebSession
private void restartLesson(int lessonId)
{
System.out.println("Restarting lesson: " + getLesson(lessonId));
getCurrentLesson().getLessonTracker( this ).setStage(1);
getCurrentLesson().getLessonTracker( this ).setCompleted(false);
AbstractLesson al = getLesson(lessonId);
System.out.println("Restarting lesson: " + al);
al.getLessonTracker( this ).setCompleted(false);
if (al instanceof SequentialLessonAdapter)
{
SequentialLessonAdapter sla = (SequentialLessonAdapter) al;
sla.getLessonTracker( this ).setStage(1);
}
}
/**
@ -1063,23 +1074,6 @@ public class WebSession
return currentMenu;
}
public String htmlEncode(String s)
{
//System.out.println("Testing for stage 4 completion in lesson " + getCurrentLesson().getName());
if (getCurrentLesson().getName().equals("CrossSiteScripting"))
{
if (getCurrentLesson().getStage(this) == 4 &&
s.indexOf("<script>") > -1 && s.indexOf("alert") > -1 && s.indexOf("</script>") > -1)
{
setMessage( "Welcome to stage 5 -- exploiting the data layer" );
// Set a phantom stage value to setup for the 4-5 transition
getCurrentLesson().setStage(this, 1005);
}
}
return ParameterParser.htmlEncode(s);
}
public WebgoatContext getWebgoatContext() {
return webgoatContext;
}
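Review bot: `restartLesson` now resolves `getLesson(lessonId)` and immediately dereferences the result for `getLessonTracker(this)`, whereas the removed version only logged that lookup and always acted on the current lesson; if `getLesson` can return null for an id it does not recognise (plausible, since the id appears to originate from the request), the new code throws `NullPointerException` at the tracker call. A guard after the lookup, `if (al == null) return;`, keeps the old tolerance. Switching from the current lesson to the looked-up lesson is itself a behaviour change that the commit message does not mention; a comment such as `// reset the lesson named by the request, which need not be the current one` would record the intent. The method body is complete in the hunk, but its caller is outside view.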


@ -6,6 +6,7 @@ STAGE 4 FIXES Look for the <-- STAGE 4 - FIX
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
Employee employee = (Employee) session.getAttribute("CrossSiteScripting." + CrossSiteScripting.EMPLOYEE_ATTRIBUTE_KEY);
CrossSiteScripting lesson = (CrossSiteScripting) webSession.getCurrentLesson();
// int myUserId = getIntSessionAttribute(webSession, "CrossSiteScripting." + CrossSiteScripting.USER_ID);
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
@ -83,7 +84,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
<TD>
<!-- Encode data that might contain HTML content to protect against XSS -->
<%=webSession.htmlEncode(employee.getPersonalDescription())%>
<%=lesson.htmlEncode(webSession, employee.getPersonalDescription())%>
</TD>
<TD>
Manager:
@ -112,7 +113,7 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
<tr>
<td width="50">
<%
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.EDITPROFILE_ACTION))
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.LISTSTAFF_ACTION))
{
%>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
@ -161,9 +162,9 @@ WebSession webSession = ((WebSession)session.getAttribute("websession"));
<%
if (webSession.getCurrentLesson().getStage(webSession) == 1005)
if (lesson.getStage(webSession) == 1005)
{
webSession.getCurrentLesson().setStage(webSession, 5);
lesson.setStage(webSession, 5);
//System.out.println("Reloading ViewProfile.jsp for stage 5 transition");
String thisPage = webSession.getCurrentLink();
//System.out.println("Redirecting to " + thisPage);
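Review bot: The `isAuthorizedInLesson` check gating the form is switched from `EDITPROFILE_ACTION` to `LISTSTAFF_ACTION`; that is an authorization change unrelated to the SequentialLessonTracker refactor named in the commit title, and nothing in the hunk shows which action the form on the following line submits, so it needs an explanation in the commit or a comment such as `<!-- gate on the same action the attack handler enforces for this form -->`. Hiding the button is presentation only, so the server-side handler must still enforce the action regardless of this check; the JSP gives no evidence either way. The unchecked `(CrossSiteScripting) webSession.getCurrentLesson()` cast throws `ClassCastException` if this page is rendered while another lesson is current; if the page is reachable only from this lesson that is acceptable, but worth stating in a comment.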


@ -8,6 +8,7 @@ AbstractLesson currentLesson = webSession.getCurrentLesson();
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@page import="org.owasp.webgoat.lessons.SequentialLessonAdapter"%>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
@ -197,18 +198,23 @@ StringBuffer buildList = new StringBuffer();
<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down','group1','plans','',1)">Close this Window</a>
</div>
<%
if (webSession.isDebug()&& webSession.getCurrentLesson().getStageCount() > 1) {
AbstractLesson al = webSession.getCurrentLesson();
if (al instanceof SequentialLessonAdapter)
{
SequentialLessonAdapter sla = (SequentialLessonAdapter) al;
if (webSession.isDebug()&& sla.getStageCount() > 1) {
%><form method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<select name="<%= WebSession.STAGE %>" onchange="this.form.submit();">
<%
int stages = webSession.getCurrentLesson().getStageCount();
int stage = webSession.getCurrentLesson().getStage(webSession);
int stages = sla.getStageCount();
int stage = sla.getStage(webSession);
for (int i=1; i<=stages;i++) {
%><option <% if (i == stage) out.print("selected"); %> value="<%= i %>">Stage <%= i %></option>
<%
}
%></select></form><%
}
}
%>
<div id="lessonContent"><%=webSession.getInstructions()%></div>
<div id="message" class="info"><%=webSession.getMessage()%></div>
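Review bot: The new `AbstractLesson al = webSession.getCurrentLesson();` appears to duplicate the `currentLesson` variable the page already assigns in the context shown at the top of the first hunk; `if (currentLesson instanceof SequentialLessonAdapter)` avoids a second lookup and a second name for the same object. The stage selector stays gated on `webSession.isDebug()`, which is right because it lets the user jump to any stage without completing the previous ones; a `<%-- debug only: lets a tester jump stages without completing them --%>` comment would make that intent explicit. The `SequentialLessonAdapter` page import is placed after the DOCTYPE rather than with the page's other imports, which is legal but unusual.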