Only mark Stage 1 complete when someone else views the exploit

git-svn-id: http://webgoat.googlecode.com/svn/trunk@257 4033779f-a91e-0410-96ef-6bf7bf53c507
rogan.dawes 2008-01-10 10:48:30 +00:00
parent dd6a893f28
commit f78d70a8e7


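--- a/ViewProfile.java
+++ b/ViewProfile.java
@@ -213,10 +213,17 @@ public class ViewProfile extends DefaultLessonAction
 private void updateLessonStatus(WebSession s, Employee employee)
 {
 String stage = getStage(s);
+int userId = -1;
+try {
+userId = getIntSessionAttribute(s, getLessonName() + "."
++ CrossSiteScripting.USER_ID);
+} catch (ParameterNotFoundException pnfe) {
+}
 if (CrossSiteScripting.STAGE1.equals(stage))
 {
 String address1 = employee.getAddress1().toLowerCase();
-if (address1.indexOf("<script>") > -1
+if (userId != employee.getId()
+&& address1.indexOf("<script>") > -1
 && address1.indexOf("alert") > -1
 && address1.indexOf("</script>") > -1)
 {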
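Review bot: The new `userId != employee.getId()` guard treats a missing session user id as "someone else", because `userId` keeps its -1 sentinel when `getIntSessionAttribute` throws `ParameterNotFoundException`, so Stage 1 can still be marked complete for a profile viewed with no stored user id rather than only when another user views it. Make the sentinel explicit in the condition, `if (userId != -1 && userId != employee.getId()`, so the completion check is skipped when the id is unknown. The empty catch should also carry a one-line comment naming why the exception is ignored, e.g. `// attribute absent: userId stays -1 and the completion check below is skipped`. Whether the attribute can actually be absent on this path depends on code outside the hunk; the rest of updateLessonStatus is also outside it.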