Added some files required to build OWASP release.

Modified License text and format to reflect GPL license.
Reformatted most of the code.

git-svn-id: http://webgoat.googlecode.com/svn/trunk@60 4033779f-a91e-0410-96ef-6bf7bf53c507
mayhew64
2007-01-16 14:56:40 +00:00
parent 036964495b
commit fd9b60f98e
110 changed files with 23099 additions and 17996 deletions


@ -3,22 +3,53 @@ package org.owasp.webgoat.session;
import java.util.Hashtable;
import java.util.Map;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class Authorization
{
Map permissions = new Hashtable();
public Authorization()
{
}
public void setPermission(int userId, int functionId)
{
permissions.put(new Integer(userId), new Integer(functionId));
}
public boolean isAllowed(int userId, int functionId)
{
return (permissions.get(new Integer(userId)) != null);
}
}
Map permissions = new Hashtable();
public Authorization()
{}
public void setPermission(int userId, int functionId)
{
permissions.put(new Integer(userId), new Integer(functionId));
}
public boolean isAllowed(int userId, int functionId)
{
return (permissions.get(new Integer(userId)) != null);
}
}
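Review bot: `isAllowed` never reads its `functionId` argument: the `return` tests only whether any entry exists for the user, so a user granted a single function passes the check for every function, and `setPermission` stores one value per user, so a second grant silently overwrites the first. Both printed copies of the class carry the same two bodies, so the point applies whichever copy is the new side. Keying the map on the user and storing the set of granted functions per user fixes both; `java.util.Set` and `java.util.HashSet` would then need importing next to the existing `Hashtable`/`Map` imports.
```java
public void setPermission(int userId, int functionId)
{
    Set functions = (Set) permissions.get(new Integer(userId));
    if (functions == null)
    {
        functions = new HashSet();
        permissions.put(new Integer(userId), functions);
    }
    functions.add(new Integer(functionId));
}

public boolean isAllowed(int userId, int functionId)
{
    Set functions = (Set) permissions.get(new Integer(userId));
    return functions != null && functions.contains(new Integer(functionId));
}
```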


@ -14,435 +14,482 @@ import org.owasp.webgoat.HammerHead;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class Course
{
private List lessons = new ArrayList();
private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath;
private WebgoatProperties properties = null;
public Course()
private List lessons = new ArrayList();
private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath;
private WebgoatProperties properties = null;
public Course()
{
try
{
properties = new WebgoatProperties(PROPERTIES_FILENAME);
}
catch (IOException e)
{
System.out.println("Error loading WebGoat properties");
e.printStackTrace();
}
}
/**
* Description of the Method
*
* @param fileName Description of the Parameter
* @param path Description of the Parameter
* @param ext Description of the Parameter
* @return Description of the Return Value
*/
private String clean(String fileName, String path, String ext)
{
fileName = fileName.trim();
// check if file is a directory
if (fileName.endsWith("/"))
{
return fileName;
}
// check if file is a class or java file
if (!fileName.endsWith(ext))
{
return null;
}
// if the file is in /WEB-INF/classes strip the dir info off
int index = fileName.indexOf("/WEB-INF/classes/");
if (index != -1)
{
fileName = fileName.substring(index + "/WEB-INF/classes/".length(),
fileName.length() - ext.length());
fileName = fileName.replace('/', '.');
fileName = fileName.replace('\\', '.');
}
else
{
// Strip off the leading path info
fileName = fileName.substring(path.length(), fileName.length()
- ext.length());
}
return fileName;
}
/**
* Description of the Method
* @param lesson Description of the Parameter
* @param context Description of the Parameter
* @param path Description of the Parameter
* @param courseName Description of the Parameter
* @param extension TODO
*/
private void findSourceResource(AbstractLesson lesson,
ServletContext context, String path, String className,
String extension)
{
//System.out.println("findSourceResource() looking for source files in: " + path);
//System.out.println("findSourceResource() looking for source files for class: " + className);
Set files = context.getResourcePaths(path);
Iterator fileIter = files.iterator();
String resource = null;
while (fileIter.hasNext())
{
resource = (String) fileIter.next();
//System.out.println("findSourceResource() inspecting resource: " + resource);
String lessonName = clean(resource, path, extension);
//System.out.println("findSourceResource() cleaned resource name: " + lessonName);
//if ( className != null )
//{
// System.out.println("Resource to check: " + resource);
// System.out.println("Lesson name: " + lessonName);
//}
// Not a match
if (lessonName == null)
{
continue;
}
// A subdirectory
else if ((lessonName.length() != 1) && lessonName.endsWith("/"))
{
findSourceResource(lesson, context, lessonName, className,
extension);
}
// A source file
else
{
// Course name will be the fully qualified name:
// like lesson.admin.lessonName
if (className.endsWith(lessonName))
{
int length = 0;
int index = className.indexOf("admin.");
if (index == -1)
{
index = className.indexOf("lessons.");
length = "lessons.".length();
}
else
{
length = "admin.".length();
}
className = className.substring(index + length);
//System.out.println("Resource to check: " + resource);
//System.out.println("Lesson name: " + lessonName);
//store the web path of the source file in the lesson
lesson.setSourceFileName(resource);
}
}
}
}
/**
* Description of the Method
* @param lesson Description of the Parameter
* @param context Description of the Parameter
* @param path Description of the Parameter
* @param courseName Description of the Parameter
* @param extension TODO
*/
private void findLessonPlanResource(AbstractLesson lesson,
ServletContext context, String path, String courseName,
String extension)
{
Set files = context.getResourcePaths(path);
Iterator fileIter = files.iterator();
String resource = null;
while (fileIter.hasNext())
{
resource = (String) fileIter.next();
String className = clean(resource, path, extension);
//if ( className != null )
//{
// System.out.println("ClassName: " + className);
// System.out.println("ResourceToCheck: " + resourceToCheck);
//}
if (className == null)
{
continue;
}
else if ((className.length() != 1) && className.endsWith("/"))
{
findLessonPlanResource(lesson, context, className, courseName,
extension);
}
else
{
// Course name will be the fully qualified name:
// like lesson.admin.lessonName
if (courseName.endsWith(className))
{
int length = 0;
int index = courseName.indexOf("admin.");
if (index == -1)
{
index = courseName.indexOf("lessons.");
length = "lessons.".length();
}
else
{
length = "admin.".length();
}
courseName = courseName.substring(index + length);
//System.out.println("ClassName: " + className);
//System.out.println("ResourceToCheck: " + resource);
//store the web path of the source file in the lesson
lesson.setLessonPlanFileName(resource);
}
}
}
}
/**
* Gets the categories attribute of the Course object
*
* @return The categories value
*/
public List getCategories()
{
List<Category> categories = new ArrayList<Category>();
Iterator iter = lessons.iterator();
while (iter.hasNext())
{
AbstractLesson lesson = (AbstractLesson) iter.next();
if (!categories.contains(lesson.getCategory()))
{
categories.add(lesson.getCategory());
}
}
Collections.sort(categories);
return categories;
}
/**
* Gets the firstLesson attribute of the Course object
*
* @return The firstLesson value
*/
public AbstractLesson getFirstLesson()
{
List roles = new ArrayList();
roles.add(AbstractLesson.USER_ROLE);
// Category 0 is the admin function. We want the first real category
// to be returned. This is noramally the General category and the Http Basics lesson
return ((AbstractLesson) getLessons((Category) getCategories().get(1),
roles).get(0));
}
/**
* Gets the lesson attribute of the Course object
*
* @param lessonId Description of the Parameter
* @param role Description of the Parameter
* @return The lesson value
*/
public AbstractLesson getLesson(WebSession s, int lessonId, List roles)
{
if (s.isHackedAdmin())
{
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
//System.out.println("getLesson() with roles: " + roles);
Iterator iter = lessons.iterator();
while (iter.hasNext())
{
AbstractLesson lesson = (AbstractLesson) iter.next();
//System.out.println("getLesson() at role: " + lesson.getRole());
if (lesson.getScreenId() == lessonId
&& roles.contains(lesson.getRole()))
{
return lesson;
}
}
return null;
}
public AbstractLesson getLesson(WebSession s, int lessonId, String role)
{
List roles = new Vector();
roles.add(role);
return getLesson(s, lessonId, roles);
}
public List getLessons(WebSession s, String role)
{
List roles = new Vector();
roles.add(role);
return getLessons(s, roles);
}
/**
* Gets the lessons attribute of the Course object
*
* @param role Description of the Parameter
* @return The lessons value
*/
public List getLessons(WebSession s, List roles)
{
if (s.isHackedAdmin())
{
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
List lessonList = new ArrayList();
Iterator categoryIter = getCategories().iterator();
while (categoryIter.hasNext())
{
lessonList.addAll(getLessons(s, (Category) categoryIter.next(),
roles));
}
return lessonList;
}
/**
* Gets the lessons attribute of the Course object
*
* @param category Description of the Parameter
* @param role Description of the Parameter
* @return The lessons value
*/
private List getLessons(Category category, List roles)
{
List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>();
Iterator iter = lessons.iterator();
while (iter.hasNext())
{
AbstractLesson lesson = (AbstractLesson) iter.next();
if (lesson.getCategory().equals(category)
&& roles.contains(lesson.getRole()))
{
lessonList.add(lesson);
}
}
Collections.sort(lessonList);
// System.out.println(java.util.Arrays.asList(lessonList));
return lessonList;
}
public List getLessons(WebSession s, Category category, String role)
{
List roles = new Vector();
roles.add(role);
return getLessons(s, category, roles);
}
public List getLessons(WebSession s, Category category, List roles)
{
if (s.isHackedAdmin())
{
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
return getLessons(category, roles);
}
/**
* Description of the Method
*
* @param path Description of the Parameter
* @param context Description of the Parameter
*/
public void loadCourses(boolean enterprise, ServletContext context,
String path)
{
Set files = context.getResourcePaths(path);
Iterator fileIter = files.iterator();
while (fileIter.hasNext())
{
String file = (String) fileIter.next();
String className = clean(file, path, ".class");
//if ( className != null )
//{
// System.out.println( "Checking file: " + file );
// System.out.println( " class: " + className );
//}
if (className == null)
{
continue;
}
else if ((className.length() != 1) && className.endsWith("/"))
{
loadCourses(enterprise, context, className);
}
else
{
Class lessonClass = null;
try
{
properties = new WebgoatProperties(PROPERTIES_FILENAME);
lessonClass = Class.forName(className);
Object possibleLesson = lessonClass.newInstance();
if (possibleLesson instanceof AbstractLesson)
{
AbstractLesson lesson = (AbstractLesson) possibleLesson;
// Determine if the screen is to be loaded. Look
// to see if the session parameter has been initialized.
// Look to see if the screen is an enterprise edition screen.
if (!enterprise)
{
if (lesson.isEnterprise())
{
continue;
}
}
// Do not load instructor screens. Currently, they must be manually deployed.
if (lesson.getClass().getName().indexOf("instructor") > -1)
continue;
// There are two methods instead of one because the developer was not
// smart enough to figure out the recursive return value
findSourceResource(lesson, context, "/", className,
".java");
findLessonPlanResource(lesson, context, "/", className,
".html");
// Override lesson attributes based on properties.
lesson.update(properties);
if (lesson.getHidden() == false)
lessons.add(lesson);
//System.out.println( "Found lesson: " + lesson );
}
}
catch (IOException e)
catch (Exception e)
{
System.out.println("Error loading WebGoat properties");
e.printStackTrace();
//System.out.println("Could not load lesson: " + className);
//e.printStackTrace();
}
}
}
/**
* Description of the Method
*
* @param fileName Description of the Parameter
* @param path Description of the Parameter
* @param ext Description of the Parameter
* @return Description of the Return Value
*/
private String clean( String fileName, String path, String ext )
{
fileName = fileName.trim();
// check if file is a directory
if ( fileName.endsWith( "/" ) )
{
return fileName;
}
// check if file is a class or java file
if ( !fileName.endsWith( ext ) )
{
return null;
}
// if the file is in /WEB-INF/classes strip the dir info off
int index = fileName.indexOf( "/WEB-INF/classes/" );
if ( index != -1 )
{
fileName = fileName.substring( index + "/WEB-INF/classes/".length(), fileName.length() - ext.length() );
fileName = fileName.replace( '/', '.' );
fileName = fileName.replace( '\\', '.' );
}
else
{
// Strip off the leading path info
fileName = fileName.substring( path.length(), fileName.length() - ext.length() );
}
return fileName;
}
/**
* Description of the Method
* @param lesson Description of the Parameter
* @param context Description of the Parameter
* @param path Description of the Parameter
* @param courseName Description of the Parameter
* @param extension TODO
*/
private void findSourceResource( AbstractLesson lesson, ServletContext context, String path, String className, String extension )
{
//System.out.println("findSourceResource() looking for source files in: " + path);
//System.out.println("findSourceResource() looking for source files for class: " + className);
Set files = context.getResourcePaths( path );
Iterator fileIter = files.iterator();
String resource = null;
while ( fileIter.hasNext() )
{
resource = (String) fileIter.next();
//System.out.println("findSourceResource() inspecting resource: " + resource);
String lessonName = clean( resource, path, extension );
//System.out.println("findSourceResource() cleaned resource name: " + lessonName);
//if ( className != null )
//{
// System.out.println("Resource to check: " + resource);
// System.out.println("Lesson name: " + lessonName);
//}
// Not a match
if ( lessonName == null )
{
continue;
}
// A subdirectory
else if ( ( lessonName.length() != 1 ) && lessonName.endsWith( "/" ) )
{
findSourceResource( lesson, context, lessonName, className, extension );
}
// A source file
else
{
// Course name will be the fully qualified name:
// like lesson.admin.lessonName
if ( className.endsWith( lessonName ) )
{
int length = 0;
int index = className.indexOf("admin.");
if ( index == -1 )
{
index = className.indexOf("lessons.");
length = "lessons.".length();
}
else
{
length = "admin.".length();
}
className = className.substring(index + length);
//System.out.println("Resource to check: " + resource);
//System.out.println("Lesson name: " + lessonName);
//store the web path of the source file in the lesson
lesson.setSourceFileName(resource);
}
}
}
}
/**
* Description of the Method
* @param lesson Description of the Parameter
* @param context Description of the Parameter
* @param path Description of the Parameter
* @param courseName Description of the Parameter
* @param extension TODO
*/
private void findLessonPlanResource( AbstractLesson lesson, ServletContext context, String path, String courseName, String extension )
{
Set files = context.getResourcePaths( path );
Iterator fileIter = files.iterator();
String resource = null;
while ( fileIter.hasNext() )
{
resource = (String) fileIter.next();
String className = clean( resource, path, extension );
//if ( className != null )
//{
// System.out.println("ClassName: " + className);
// System.out.println("ResourceToCheck: " + resourceToCheck);
//}
if ( className == null )
{
continue;
}
else if ( ( className.length() != 1 ) && className.endsWith( "/" ) )
{
findLessonPlanResource( lesson, context, className, courseName, extension );
}
else
{
// Course name will be the fully qualified name:
// like lesson.admin.lessonName
if ( courseName.endsWith( className ) )
{
int length = 0;
int index = courseName.indexOf("admin.");
if ( index == -1 )
{
index = courseName.indexOf("lessons.");
length = "lessons.".length();
}
else
{
length = "admin.".length();
}
courseName = courseName.substring(index + length);
//System.out.println("ClassName: " + className);
//System.out.println("ResourceToCheck: " + resource);
//store the web path of the source file in the lesson
lesson.setLessonPlanFileName(resource);
}
}
}
}
/**
* Gets the categories attribute of the Course object
*
* @return The categories value
*/
public List getCategories()
{
List<Category> categories = new ArrayList<Category>();
Iterator iter = lessons.iterator();
while ( iter.hasNext() )
{
AbstractLesson lesson = (AbstractLesson) iter.next();
if ( !categories.contains( lesson.getCategory() ) )
{
categories.add( lesson.getCategory() );
}
}
Collections.sort( categories );
return categories;
}
/**
* Gets the firstLesson attribute of the Course object
*
* @return The firstLesson value
*/
public AbstractLesson getFirstLesson()
{
List roles = new ArrayList();
roles.add( AbstractLesson.USER_ROLE );
// Category 0 is the admin function. We want the first real category
// to be returned. This is noramally the General category and the Http Basics lesson
return ((AbstractLesson)getLessons( (Category)getCategories().get(1), roles).get(0));
}
/**
* Gets the lesson attribute of the Course object
*
* @param lessonId Description of the Parameter
* @param role Description of the Parameter
* @return The lesson value
*/
public AbstractLesson getLesson( WebSession s, int lessonId, List roles )
{
if (s.isHackedAdmin())
{
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
//System.out.println("getLesson() with roles: " + roles);
Iterator iter = lessons.iterator();
while ( iter.hasNext() )
{
AbstractLesson lesson = (AbstractLesson) iter.next();
//System.out.println("getLesson() at role: " + lesson.getRole());
if ( lesson.getScreenId() == lessonId && roles.contains(lesson.getRole()) )
{
return lesson;
}
}
return null;
}
public AbstractLesson getLesson( WebSession s, int lessonId, String role )
{
List roles = new Vector();
roles.add(role);
return getLesson(s, lessonId, roles);
}
public List getLessons( WebSession s, String role )
{
List roles = new Vector();
roles.add(role);
return getLessons(s, roles);
}
/**
* Gets the lessons attribute of the Course object
*
* @param role Description of the Parameter
* @return The lessons value
*/
public List getLessons( WebSession s, List roles )
{
if (s.isHackedAdmin())
{
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
List lessonList = new ArrayList();
Iterator categoryIter = getCategories().iterator();
while ( categoryIter.hasNext() )
{
lessonList.addAll( getLessons( s, (Category) categoryIter.next(), roles ) );
}
return lessonList;
}
/**
* Gets the lessons attribute of the Course object
*
* @param category Description of the Parameter
* @param role Description of the Parameter
* @return The lessons value
*/
private List getLessons( Category category, List roles )
{
List<AbstractLesson> lessonList = new ArrayList<AbstractLesson>();
Iterator iter = lessons.iterator();
while ( iter.hasNext() )
{
AbstractLesson lesson = (AbstractLesson) iter.next();
if ( lesson.getCategory().equals( category ) && roles.contains(lesson.getRole()) )
{
lessonList.add( lesson );
}
}
Collections.sort( lessonList );
// System.out.println(java.util.Arrays.asList(lessonList));
return lessonList;
}
public List getLessons( WebSession s, Category category, String role )
{
List roles = new Vector();
roles.add(role);
return getLessons(s, category, roles);
}
public List getLessons(WebSession s, Category category, List roles)
{
if (s.isHackedAdmin())
{
roles.add(AbstractLesson.HACKED_ADMIN_ROLE);
}
return getLessons(category, roles);
}
/**
* Description of the Method
*
* @param path Description of the Parameter
* @param context Description of the Parameter
*/
public void loadCourses( boolean enterprise, ServletContext context, String path )
{
Set files = context.getResourcePaths( path );
Iterator fileIter = files.iterator();
while ( fileIter.hasNext() )
{
String file = (String) fileIter.next();
String className = clean( file, path, ".class" );
//if ( className != null )
//{
// System.out.println( "Checking file: " + file );
// System.out.println( " class: " + className );
//}
if ( className == null )
{
continue;
}
else if ( ( className.length() != 1 ) && className.endsWith( "/" ) )
{
loadCourses( enterprise, context, className );
}
else
{
Class lessonClass = null;
try
{
lessonClass = Class.forName( className );
Object possibleLesson = lessonClass.newInstance();
if ( possibleLesson instanceof AbstractLesson )
{
AbstractLesson lesson = (AbstractLesson) possibleLesson;
// Determine if the screen is to be loaded. Look
// to see if the session parameter has been initialized.
// Look to see if the screen is an enterprise edition screen.
if ( !enterprise )
{
if ( lesson.isEnterprise() )
{
continue;
}
}
// Do not load instructor screens. Currently, they must be manually deployed.
if (lesson.getClass().getName().indexOf("instructor") > -1)
continue;
// There are two methods instead of one because the developer was not
// smart enough to figure out the recursive return value
findSourceResource( lesson, context, "/", className, ".java" );
findLessonPlanResource( lesson, context, "/", className, ".html" );
// Override lesson attributes based on properties.
lesson.update(properties);
if(lesson.getHidden() == false)
lessons.add( lesson );
//System.out.println( "Found lesson: " + lesson );
}
}
catch ( Exception e )
{
//System.out.println("Could not load lesson: " + className);
//e.printStackTrace();
}
}
}
}
}
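Review bot: In `loadCourses` the catch around `Class.forName`/`newInstance` either discards the exception outright (the copy whose handler body is entirely commented out) or reports every failure as "Error loading WebGoat properties" (the other copy), so a lesson class that fails to load disappears from the course with no usable trace; which copy is the new side is not marked on this page. Whichever survives, the handler should at least name the class: `System.out.println("Could not load lesson: " + className);` followed by `e.printStackTrace();`. Separately, `getLesson(WebSession, int, List)` and `getLessons(WebSession, List)` add `HACKED_ADMIN_ROLE` to the caller-supplied `roles` list in place, and `getLessons(WebSession, List)` then delegates to `getLessons(WebSession, Category, List)` which adds it again, so a caller that reuses its list accumulates duplicate entries; unless some caller relies on seeing the added role, copying first with `roles = new ArrayList(roles);` before the add keeps the effect local to the method.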


@ -13,19 +13,43 @@ import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of
* the Open Web Application Security Project (http://www.owasp.org) This
* software package org.owasp.webgoat.is published by OWASP under the GPL. You should read and
* accept the LICENSE before you use, modify and/or redistribute this
* software.
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/
public class DatabaseUtilities
{
public static String servletContextRealPath = null;
public static String servletContextRealPath = null;
/**
* Description of the Method
*
@ -36,49 +60,56 @@ public class DatabaseUtilities
* @exception ClassNotFoundException Description of the Exception
* @exception SQLException Description of the Exception
*/
public static Connection makeConnection(WebSession s) throws ClassNotFoundException, SQLException
public static Connection makeConnection(WebSession s)
throws ClassNotFoundException, SQLException
{
Class.forName(s.getDatabaseDriver());
return (DriverManager.getConnection(s.getDatabaseConnectionString()));
}
public static Connection makeConnection(String driverName,
String connectionString) throws ClassNotFoundException,
SQLException
{
Class.forName(driverName);
return (DriverManager.getConnection(connectionString));
}
public static Connection makeConnection()
{
try
{
Class.forName(s.getDatabaseDriver());
return (DriverManager.getConnection(s.getDatabaseConnectionString()));
// FIXME: Work around for not having a session object with the web service lessons
// This is the same "logic" in the web.xml file
// Get the path to webgoat database
String dbName = (servletContextRealPath + "database" + File.separator);
String os = System.getProperty("os.name", "Windows");
if (os.toLowerCase().indexOf("window") != -1)
{
dbName = dbName.concat("webgoat.mdb");
System.out.println("DBName: " + dbName);
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
return DriverManager
.getConnection("jdbc:odbc:;DRIVER=Microsoft Access Driver (*.mdb);DBQ="
+ dbName + ";PWD=webgoat");
}
else
{
dbName = dbName.concat("database.prp");
Class.forName("org.enhydra.instantdb.jdbc.idbDriver");
return DriverManager.getConnection("jdbc:idb:" + dbName);
}
}
public static Connection makeConnection(String driverName, String connectionString)
throws ClassNotFoundException, SQLException
catch (Exception e)
{
Class.forName(driverName);
return (DriverManager.getConnection(connectionString));
e.printStackTrace();
return null;
}
public static Connection makeConnection() {
try
{
// FIXME: Work around for not having a session object with the web service lessons
// This is the same "logic" in the web.xml file
// Get the path to webgoat database
String dbName = (servletContextRealPath + "database" + File.separator);
String os = System.getProperty("os.name","Windows");
if ( os.toLowerCase().indexOf("window") != -1 )
{
dbName = dbName.concat("webgoat.mdb");
System.out.println("DBName: " + dbName);
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
return DriverManager.getConnection("jdbc:odbc:;DRIVER=Microsoft Access Driver (*.mdb);DBQ=" + dbName + ";PWD=webgoat");
}
else
{
dbName = dbName.concat("database.prp");
Class.forName("org.enhydra.instantdb.jdbc.idbDriver");
return DriverManager.getConnection("jdbc:idb:" + dbName);
}
}
catch (Exception e)
{
e.printStackTrace();
return null;
}
}
@ -93,43 +124,46 @@ public class DatabaseUtilities
* @exception IOException Description of the Exception
* @exception SQLException Description of the Exception
*/
public static MultiPartElement writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException, SQLException
public static MultiPartElement writeTable(ResultSet results,
ResultSetMetaData resultsMetaData) throws IOException, SQLException
{
int numColumns = resultsMetaData.getColumnCount();
results.beforeFirst();
int numColumns = resultsMetaData.getColumnCount();
results.beforeFirst();
if (results.next())
{
Table t = new Table(1); // 1 = with border
t.setCellPadding(1);
if (results.next())
{
Table t = new Table(1); // 1 = with border
t.setCellPadding(1);
TR tr = new TR();
TR tr = new TR();
for (int i = 1; i < (numColumns + 1); i++)
{
tr.addElement(new TD(new B(resultsMetaData.getColumnName(i))));
}
for (int i = 1; i < (numColumns + 1); i++)
{
tr.addElement(new TD(new B(resultsMetaData.getColumnName(i))));
}
t.addElement(tr);
results.beforeFirst();
t.addElement(tr);
results.beforeFirst();
while (results.next())
{
TR row = new TR();
while (results.next())
{
TR row = new TR();
for (int i = 1; i < (numColumns + 1); i++)
{
row.addElement(new TD(results.getString(i).replaceAll(" ", "&nbsp;")));
}
for (int i = 1; i < (numColumns + 1); i++)
{
row.addElement(new TD(results.getString(i).replaceAll(" ",
"&nbsp;")));
}
t.addElement(row);
}
t.addElement(row);
}
return (t);
}
else
{
return (new B("Query Successful; however no data was returned from this query."));
}
return (t);
}
else
{
return (new B(
"Query Successful; however no data was returned from this query."));
}
}
}
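Review bot: `writeTable` calls `results.getString(i).replaceAll(...)` on every cell, and `ResultSet.getString` returns null for a SQL NULL, so any nullable column throws a NullPointerException inside the row loop instead of rendering; guard it with `String value = results.getString(i);` and `row.addElement(new TD(value == null ? "" : value.replaceAll(" ", "&nbsp;")));`. The cell text is otherwise placed into the `TD` unescaped; if that is intentional for the lessons, a one-line comment saying so would stop the next reader from "fixing" it. In the same section, the no-argument `makeConnection()` catches `Exception`, prints the trace and returns `null`, so callers fail later with a NullPointerException far from the cause; rethrowing as an unchecked exception carrying `e`, or declaring the checked types as the two-argument overload does, would keep the failure where it happened. The `PWD=webgoat` literal in the ODBC connection string is a credential committed in source; a comment marking it as the bundled training-database password would make that explicit.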


@ -2,217 +2,265 @@ package org.owasp.webgoat.session;
import java.io.Serializable;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class Employee implements Serializable
{
public final static String EMPLOYEE_ROLE = "employee";
public final static String MANAGER_ROLE = "manager";
public final static String HR_ROLE = "hr";
private int id;
private String firstName;
public final static String EMPLOYEE_ROLE = "employee";
private String lastName;
private String title;
public final static String MANAGER_ROLE = "manager";
private String ssn;
public final static String HR_ROLE = "hr";
private String phone;
private int id;
private String address1;
private String firstName;
private String address2;
private int manager;
private String lastName;
private String startDate;
private String title;
private int salary;
private String ssn;
private String ccn;
private String phone;
private int ccnLimit;
private String disciplinaryActionDate;
private String disciplinaryActionNotes;
private String personalDescription;
private String address1;
// FIXME: To be deleted
public Employee()
{
}
public Employee(
int id,
String firstName,
String lastName,
String ssn,
String title,
String phone,
String address1,
String address2,
int manager,
String startDate,
int salary,
String ccn,
int ccnLimit,
String disciplinaryActionDate,
String disciplinaryActionNotes,
String personalDescription)
{
this.id = id;
this.firstName = firstName;
this.lastName = lastName;
this.ssn = ssn;
this.title = title;
this.phone = phone;
this.address1 = address1;
this.address2 = address2;
this.manager = manager;
this.startDate = startDate;
this.salary = salary;
this.ccn = ccn;
this.ccnLimit = ccnLimit;
this.disciplinaryActionDate = disciplinaryActionDate;
this.disciplinaryActionNotes = disciplinaryActionNotes;
this.personalDescription = personalDescription;
}
private String address2;
public String getAddress1()
{
return address1;
}
private int manager;
public void setAddress1(String address1)
{
this.address1 = address1;
}
private String startDate;
public String getAddress2()
{
return address2;
}
private int salary;
public void setAddress2(String address2)
{
this.address2 = address2;
}
private String ccn;
public String getCcn()
{
return ccn;
}
private int ccnLimit;
public void setCcn(String ccn)
{
this.ccn = ccn;
}
private String disciplinaryActionDate;
public int getCcnLimit()
{
return ccnLimit;
}
private String disciplinaryActionNotes;
public void setCcnLimit(int ccnLimit)
{
this.ccnLimit = ccnLimit;
}
private String personalDescription;
public String getFirstName()
{
return firstName;
}
public void setFirstName(String firstName)
{
this.firstName = firstName;
}
// FIXME: To be deleted
public Employee()
{}
public String getLastName()
{
return lastName;
}
public void setLastName(String lastName)
{
this.lastName = lastName;
}
public Employee(int id, String firstName, String lastName, String ssn,
String title, String phone, String address1, String address2,
int manager, String startDate, int salary, String ccn,
int ccnLimit, String disciplinaryActionDate,
String disciplinaryActionNotes, String personalDescription)
{
this.id = id;
this.firstName = firstName;
this.lastName = lastName;
this.ssn = ssn;
this.title = title;
this.phone = phone;
this.address1 = address1;
this.address2 = address2;
this.manager = manager;
this.startDate = startDate;
this.salary = salary;
this.ccn = ccn;
this.ccnLimit = ccnLimit;
this.disciplinaryActionDate = disciplinaryActionDate;
this.disciplinaryActionNotes = disciplinaryActionNotes;
this.personalDescription = personalDescription;
}
public String getPhoneNumber()
{
return phone;
}
public void setPhoneNumber(String phone)
{
this.phone = phone;
}
public String getAddress1()
{
return address1;
}
public int getSalary()
{
return salary;
}
public void setSalary(int salary)
{
this.salary = salary;
}
public void setAddress1(String address1)
{
this.address1 = address1;
}
public String getSsn()
{
return ssn;
}
public void setSsn(String ssn)
{
this.ssn = ssn;
}
public String getAddress2()
{
return address2;
}
public String getStartDate()
{
return startDate;
}
public void setStartDate(String startDate)
{
this.startDate = startDate;
}
public void setAddress2(String address2)
{
this.address2 = address2;
}
public int getId()
{
return id;
}
public void setId(int id)
{
this.id = id;
}
public String getTitle()
{
return this.title;
}
public int getManager()
{
return this.manager;
}
public String getDisciplinaryActionDate()
{
return this.disciplinaryActionDate;
}
public String getDisciplinaryActionNotes()
{
return this.disciplinaryActionNotes;
}
public String getPersonalDescription()
{
return this.personalDescription;
}
public String getCcn()
{
return ccn;
}
public void setCcn(String ccn)
{
this.ccn = ccn;
}
public int getCcnLimit()
{
return ccnLimit;
}
public void setCcnLimit(int ccnLimit)
{
this.ccnLimit = ccnLimit;
}
public String getFirstName()
{
return firstName;
}
public void setFirstName(String firstName)
{
this.firstName = firstName;
}
public String getLastName()
{
return lastName;
}
public void setLastName(String lastName)
{
this.lastName = lastName;
}
public String getPhoneNumber()
{
return phone;
}
public void setPhoneNumber(String phone)
{
this.phone = phone;
}
public int getSalary()
{
return salary;
}
public void setSalary(int salary)
{
this.salary = salary;
}
public String getSsn()
{
return ssn;
}
public void setSsn(String ssn)
{
this.ssn = ssn;
}
public String getStartDate()
{
return startDate;
}
public void setStartDate(String startDate)
{
this.startDate = startDate;
}
public int getId()
{
return id;
}
public void setId(int id)
{
this.id = id;
}
public String getTitle()
{
return this.title;
}
public int getManager()
{
return this.manager;
}
public String getDisciplinaryActionDate()
{
return this.disciplinaryActionDate;
}
public String getDisciplinaryActionNotes()
{
return this.disciplinaryActionNotes;
}
public String getPersonalDescription()
{
return this.personalDescription;
}
}
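Review bot: Employee implements Serializable but declares no serialVersionUID, so any change to the class (this reformat, a future field) invalidates previously serialized instances if they are ever held in a persisted or replicated session; add `private static final long serialVersionUID = 1L;` next to the role constants. The same omission is in EmployeeStub in the next section. The no-arg constructor is still marked `// FIXME: To be deleted`; if a bean or serialization framework relies on it, replace the FIXME with a comment naming that reason, otherwise remove it. Since the serialized form carries ssn, ccn, salary and disciplinary notes, a class Javadoc such as `/** Employee record; holds PII (ssn, ccn, salary, disciplinary notes) and is serialized as-is. */` would make that visible to maintainers.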


@ -2,43 +2,82 @@ package org.owasp.webgoat.session;
import java.io.Serializable;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class EmployeeStub implements Serializable
{
private int id;
private String firstName;
private String lastName;
private String role;
public EmployeeStub(int id, String firstName, String lastName)
{
this(id, firstName, lastName, Employee.EMPLOYEE_ROLE);
}
public EmployeeStub(int id, String firstName, String lastName, String role)
{
this.id = id;
this.firstName = firstName;
this.lastName = lastName;
this.role = role;
}
private int id;
public String getFirstName()
{
return firstName;
}
private String firstName;
public int getId()
{
return id;
}
private String lastName;
public String getLastName()
{
return lastName;
}
public String getRole()
{
return role;
}
private String role;
public EmployeeStub(int id, String firstName, String lastName)
{
this(id, firstName, lastName, Employee.EMPLOYEE_ROLE);
}
public EmployeeStub(int id, String firstName, String lastName, String role)
{
this.id = id;
this.firstName = firstName;
this.lastName = lastName;
this.role = role;
}
public String getFirstName()
{
return firstName;
}
public int getId()
{
return id;
}
public String getLastName()
{
return lastName;
}
public String getRole()
{
return role;
}
}
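Review bot: The four-argument EmployeeStub constructor stores `role` without checking it, although the only roles defined are the three constants on Employee, so a typo or an unexpected value from the data source is carried silently into any code that reads getRole(). Assuming those three constants cover every role in use, reject anything else at construction time: `if (!Employee.EMPLOYEE_ROLE.equals(role) && !Employee.MANAGER_ROLE.equals(role) && !Employee.HR_ROLE.equals(role)) throw new IllegalArgumentException("unknown role: " + role);`. A one-line Javadoc on the class, `/** Immutable id/name/role summary of an Employee; role is one of the Employee.*_ROLE constants. */`, would document that contract.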


@ -20,11 +20,34 @@ import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created November 4, 2003


@ -1,6 +1,34 @@
package org.owasp.webgoat.session;
/**
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* Represents a virtual session for a lesson. Lesson-specific session data may
* be stored here.
*
@ -9,28 +37,33 @@ package org.owasp.webgoat.session;
*/
public class LessonSession
{
private boolean isAuthenticated = false;
private String currentLessonScreen;
public void setAuthenticated(boolean isAuthenticated)
{
this.isAuthenticated = isAuthenticated;
}
public boolean isAuthenticated()
{
return this.isAuthenticated;
}
public void setCurrentLessonScreen(String currentLessonScreen)
{
this.currentLessonScreen = currentLessonScreen;
}
public String getCurrentLessonScreen()
{
return this.currentLessonScreen;
}
private boolean isAuthenticated = false;
private String currentLessonScreen;
public void setAuthenticated(boolean isAuthenticated)
{
this.isAuthenticated = isAuthenticated;
}
public boolean isAuthenticated()
{
return this.isAuthenticated;
}
public void setCurrentLessonScreen(String currentLessonScreen)
{
this.currentLessonScreen = currentLessonScreen;
}
public String getCurrentLessonScreen()
{
return this.currentLessonScreen;
}
}
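Review bot: setAuthenticated and isAuthenticated carry no documentation, and the class comment says this object holds lesson-specific state, so the flag is easy to mistake for the application-level login. Add above the field: `/** Lesson-local authentication state (presumably set once the user passes a lesson's own login step); independent of the WebGoat login, defaults to false. */`. The field name `isAuthenticated` also duplicates the accessor's name; `authenticated` would read more conventionally, though that is cosmetic.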


@ -5,379 +5,444 @@ import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.util.Properties;
/**
* Description of the Class
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 29, 2003
*/
public class LessonTracker
{
private boolean completed = false;
private int currentStage = 1;
private int maxHintLevel = 0;
private int numVisits = 0;
private boolean viewedCookies = false;
private boolean viewedHtml = false;
private boolean viewedLessonPlan = false;
private boolean viewedParameters = false;
private boolean viewedSource = false;
private boolean completed = false;
Properties lessonProperties = new Properties();
private int currentStage = 1;
private int maxHintLevel = 0;
private int numVisits = 0;
private boolean viewedCookies = false;
private boolean viewedHtml = false;
private boolean viewedLessonPlan = false;
private boolean viewedParameters = false;
private boolean viewedSource = false;
Properties lessonProperties = new Properties();
/**
* Gets the completed attribute of the LessonTracker object
*
* @return The completed value
*/
public boolean getCompleted()
/**
* Gets the completed attribute of the LessonTracker object
*
* @return The completed value
*/
public boolean getCompleted()
{
return completed;
}
public int getStage()
{
return currentStage;
}
public void setStage(int stage)
{
currentStage = stage;
}
/**
* Gets the maxHintLevel attribute of the LessonTracker object
*
* @return The maxHintLevel value
*/
public int getMaxHintLevel()
{
return maxHintLevel;
}
/**
* Gets the numVisits attribute of the LessonTracker object
*
* @return The numVisits value
*/
public int getNumVisits()
{
return numVisits;
}
/**
* Gets the viewedCookies attribute of the LessonTracker object
*
* @return The viewedCookies value
*/
public boolean getViewedCookies()
{
return viewedCookies;
}
/**
* Gets the viewedHtml attribute of the LessonTracker object
*
* @return The viewedHtml value
*/
public boolean getViewedHtml()
{
return viewedHtml;
}
/**
* Gets the viewedLessonPlan attribute of the LessonTracker object
*
* @return The viewedLessonPlan value
*/
public boolean getViewedLessonPlan()
{
return viewedLessonPlan;
}
/**
* Gets the viewedParameters attribute of the LessonTracker object
*
* @return The viewedParameters value
*/
public boolean getViewedParameters()
{
return viewedParameters;
}
/**
* Gets the viewedSource attribute of the LessonTracker object
*
* @return The viewedSource value
*/
public boolean getViewedSource()
{
return viewedSource;
}
/**
* Description of the Method
*/
public void incrementNumVisits()
{
numVisits++;
}
/**
* Sets the properties attribute of the LessonTracker object
*
* @param props The new properties value
*/
private void setProperties(Properties props, Screen screen)
{
completed = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".completed"))
.booleanValue();
maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle()
+ ".maxHintLevel"));
currentStage = Integer.parseInt(props.getProperty(screen.getTitle()
+ ".currentStage"));
numVisits = Integer.parseInt(props.getProperty(screen.getTitle()
+ ".numVisits"));
viewedCookies = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".viewedCookies"))
.booleanValue();
viewedHtml = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".viewedHtml"))
.booleanValue();
viewedLessonPlan = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".viewedLessonPlan"))
.booleanValue();
viewedParameters = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".viewedParameters"))
.booleanValue();
viewedSource = Boolean.valueOf(
props.getProperty(screen.getTitle() + ".viewedSource"))
.booleanValue();
}
public static String getUserDir(WebSession s)
{
return s.getContext().getRealPath("users") + "/";
}
private static String getTrackerFile(WebSession s, String user,
Screen screen)
{
return getUserDir(s) + user + "." + screen.getClass().getName()
+ ".props";
}
/**
* Description of the Method
*
* @param screen Description of the Parameter
* @param s Description of the Parameter
* @return Description of the Return Value
*/
public static LessonTracker load(WebSession s, String user, Screen screen)
{
FileInputStream in = null;
try
{
return completed;
String fileName = getTrackerFile(s, user, screen);
if (fileName != null)
{
Properties tempProps = new Properties();
//System.out.println("Loading lesson state from: " + fileName);
in = new FileInputStream(fileName);
tempProps.load(in);
// allow the screen to use any custom properties it may have set
LessonTracker tempLessonTracker = screen
.createLessonTracker(tempProps);
tempLessonTracker.setProperties(tempProps, screen);
return tempLessonTracker;
}
}
catch (FileNotFoundException e)
{
// Normal if the lesson has not been accessed yet.
}
catch (Exception e)
{
System.out.println("Failed to load lesson state for " + screen);
e.printStackTrace();
}
finally
{
try
{
in.close();
}
catch (Exception e)
{}
}
public int getStage()
return screen.createLessonTracker();
}
/**
* Sets the completed attribute of the LessonTracker object
*
* @param completed The new completed value
*/
public void setCompleted(boolean completed)
{
this.completed = completed;
}
/**
* Sets the maxHintLevel attribute of the LessonTracker object
*
* @param maxHintLevel The new maxHintLevel value
*/
public void setMaxHintLevel(int maxHintLevel)
{
this.maxHintLevel = Math.max(this.maxHintLevel, maxHintLevel);
}
/**
* Sets the viewedCookies attribute of the LessonTracker object
*
* @param viewedCookies The new viewedCookies value
*/
public void setViewedCookies(boolean viewedCookies)
{
this.viewedCookies = viewedCookies;
}
/**
* Sets the viewedHtml attribute of the LessonTracker object
*
* @param viewedHtml The new viewedHtml value
*/
public void setViewedHtml(boolean viewedHtml)
{
this.viewedHtml = viewedHtml;
}
/**
* Sets the viewedLessonPlan attribute of the LessonTracker object
*
* @param viewedLessonPlan The new viewedLessonPlan value
*/
public void setViewedLessonPlan(boolean viewedLessonPlan)
{
this.viewedLessonPlan = viewedLessonPlan;
}
/**
* Sets the viewedParameters attribute of the LessonTracker object
*
* @param viewedParameters The new viewedParameters value
*/
public void setViewedParameters(boolean viewedParameters)
{
this.viewedParameters = viewedParameters;
}
/**
* Sets the viewedSource attribute of the LessonTracker object
*
* @param viewedSource The new viewedSource value
*/
public void setViewedSource(boolean viewedSource)
{
this.viewedSource = viewedSource;
}
/**
* Allows the storing of properties for the logged in and a screen.
*
* @param s Description of the Parameter
*/
public void store(WebSession s, Screen screen)
{
store(s, screen, s.getUserName());
}
/**
* Allows the storing of properties for a user and a screen.
*
* @param s Description of the Parameter
*/
public void store(WebSession s, Screen screen, String user)
{
FileOutputStream out = null;
String fileName = getTrackerFile(s, user, screen);
//System.out.println( "Storing data to" + fileName );
lessonProperties.setProperty(screen.getTitle() + ".completed", Boolean
.toString(completed));
lessonProperties.setProperty(screen.getTitle() + ".currentStage",
Integer.toString(currentStage));
lessonProperties.setProperty(screen.getTitle() + ".maxHintLevel",
Integer.toString(maxHintLevel));
lessonProperties.setProperty(screen.getTitle() + ".numVisits", Integer
.toString(numVisits));
lessonProperties.setProperty(screen.getTitle() + ".viewedCookies",
Boolean.toString(viewedCookies));
lessonProperties.setProperty(screen.getTitle() + ".viewedHtml", Boolean
.toString(viewedHtml));
lessonProperties.setProperty(screen.getTitle() + ".viewedLessonPlan",
Boolean.toString(viewedLessonPlan));
lessonProperties.setProperty(screen.getTitle() + ".viewedParameters",
Boolean.toString(viewedParameters));
lessonProperties.setProperty(screen.getTitle() + ".viewedSource",
Boolean.toString(viewedSource));
try
{
return currentStage;
out = new FileOutputStream(fileName);
lessonProperties.store(out, s.getUserName());
}
public void setStage(int stage)
catch (Exception e)
{
currentStage = stage;
// what do we want to do, I think nothing.
System.out.println("Warning User data for " + s.getUserName()
+ " will not persist");
}
finally
{
try
{
out.close();
}
catch (Exception e)
{}
}
/**
* Gets the maxHintLevel attribute of the LessonTracker object
*
* @return The maxHintLevel value
*/
public int getMaxHintLevel()
{
return maxHintLevel;
}
}
/**
* Gets the numVisits attribute of the LessonTracker object
*
* @return The numVisits value
*/
public int getNumVisits()
{
return numVisits;
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public String toString()
{
StringBuffer buff = new StringBuffer();
buff.append("LessonTracker:" + "\n");
buff.append(" - completed:.......... " + completed + "\n");
buff.append(" - currentStage:....... " + currentStage + "\n");
buff.append(" - maxHintLevel:....... " + maxHintLevel + "\n");
buff.append(" - numVisits:.......... " + numVisits + "\n");
buff.append(" - viewedCookies:...... " + viewedCookies + "\n");
buff.append(" - viewedHtml:......... " + viewedHtml + "\n");
buff.append(" - viewedLessonPlan:... " + viewedLessonPlan + "\n");
buff.append(" - viewedParameters:... " + viewedParameters + "\n");
buff.append(" - viewedSource:....... " + viewedSource + "\n" + "\n");
return buff.toString();
}
/**
* Gets the viewedCookies attribute of the LessonTracker object
*
* @return The viewedCookies value
*/
public boolean getViewedCookies()
{
return viewedCookies;
}
/**
* @return Returns the lessonProperties.
*/
public Properties getLessonProperties()
{
return lessonProperties;
}
/**
* Gets the viewedHtml attribute of the LessonTracker object
*
* @return The viewedHtml value
*/
public boolean getViewedHtml()
{
return viewedHtml;
}
/**
* Gets the viewedLessonPlan attribute of the LessonTracker object
*
* @return The viewedLessonPlan value
*/
public boolean getViewedLessonPlan()
{
return viewedLessonPlan;
}
/**
* Gets the viewedParameters attribute of the LessonTracker object
*
* @return The viewedParameters value
*/
public boolean getViewedParameters()
{
return viewedParameters;
}
/**
* Gets the viewedSource attribute of the LessonTracker object
*
* @return The viewedSource value
*/
public boolean getViewedSource()
{
return viewedSource;
}
/**
* Description of the Method
*/
public void incrementNumVisits()
{
numVisits++;
}
/**
* Sets the properties attribute of the LessonTracker object
*
* @param props The new properties value
*/
private void setProperties( Properties props, Screen screen )
{
completed = Boolean.valueOf( props.getProperty( screen.getTitle() + ".completed" ) ).booleanValue();
maxHintLevel = Integer.parseInt( props.getProperty( screen.getTitle() + ".maxHintLevel" ) );
currentStage = Integer.parseInt( props.getProperty( screen.getTitle() + ".currentStage" ) );
numVisits = Integer.parseInt( props.getProperty( screen.getTitle() + ".numVisits" ) );
viewedCookies = Boolean.valueOf( props.getProperty( screen.getTitle() + ".viewedCookies" ) ).booleanValue();
viewedHtml = Boolean.valueOf( props.getProperty( screen.getTitle() + ".viewedHtml" ) ).booleanValue();
viewedLessonPlan = Boolean.valueOf( props.getProperty( screen.getTitle() + ".viewedLessonPlan" ) ).booleanValue();
viewedParameters = Boolean.valueOf( props.getProperty( screen.getTitle() + ".viewedParameters" ) ).booleanValue();
viewedSource = Boolean.valueOf( props.getProperty( screen.getTitle() + ".viewedSource" ) ).booleanValue();
}
public static String getUserDir( WebSession s )
{
return s.getContext().getRealPath( "users" ) +"/";
}
private static String getTrackerFile( WebSession s, String user, Screen screen )
{
return getUserDir( s ) + user + "." + screen.getClass().getName() + ".props";
}
/**
* Description of the Method
*
* @param screen Description of the Parameter
* @param s Description of the Parameter
* @return Description of the Return Value
*/
public static LessonTracker load( WebSession s, String user, Screen screen )
{
FileInputStream in = null;
try
{
String fileName = getTrackerFile(s, user, screen);
if ( fileName != null )
{
Properties tempProps = new Properties();
//System.out.println("Loading lesson state from: " + fileName);
in = new FileInputStream( fileName );
tempProps.load( in );
// allow the screen to use any custom properties it may have set
LessonTracker tempLessonTracker = screen.createLessonTracker( tempProps );
tempLessonTracker.setProperties( tempProps, screen );
return tempLessonTracker;
}
}
catch ( FileNotFoundException e )
{
// Normal if the lesson has not been accessed yet.
}
catch ( Exception e )
{
System.out.println("Failed to load lesson state for " + screen);
e.printStackTrace();
}
finally
{
try
{
in.close();
}
catch (Exception e) {}
}
return screen.createLessonTracker();
}
/**
* Sets the completed attribute of the LessonTracker object
*
* @param completed The new completed value
*/
public void setCompleted( boolean completed )
{
this.completed = completed;
}
/**
* Sets the maxHintLevel attribute of the LessonTracker object
*
* @param maxHintLevel The new maxHintLevel value
*/
public void setMaxHintLevel( int maxHintLevel )
{
this.maxHintLevel = Math.max( this.maxHintLevel, maxHintLevel );
}
/**
* Sets the viewedCookies attribute of the LessonTracker object
*
* @param viewedCookies The new viewedCookies value
*/
public void setViewedCookies( boolean viewedCookies )
{
this.viewedCookies = viewedCookies;
}
/**
* Sets the viewedHtml attribute of the LessonTracker object
*
* @param viewedHtml The new viewedHtml value
*/
public void setViewedHtml( boolean viewedHtml )
{
this.viewedHtml = viewedHtml;
}
/**
* Sets the viewedLessonPlan attribute of the LessonTracker object
*
* @param viewedLessonPlan The new viewedLessonPlan value
*/
public void setViewedLessonPlan( boolean viewedLessonPlan )
{
this.viewedLessonPlan = viewedLessonPlan;
}
/**
* Sets the viewedParameters attribute of the LessonTracker object
*
* @param viewedParameters The new viewedParameters value
*/
public void setViewedParameters( boolean viewedParameters )
{
this.viewedParameters = viewedParameters;
}
/**
* Sets the viewedSource attribute of the LessonTracker object
*
* @param viewedSource The new viewedSource value
*/
public void setViewedSource( boolean viewedSource )
{
this.viewedSource = viewedSource;
}
/**
* Allows the storing of properties for the logged in and a screen.
*
* @param s Description of the Parameter
*/
public void store( WebSession s, Screen screen )
{
store( s, screen, s.getUserName() );
}
/**
* Allows the storing of properties for a user and a screen.
*
* @param s Description of the Parameter
*/
public void store( WebSession s, Screen screen, String user )
{
FileOutputStream out = null;
String fileName = getTrackerFile(s, user, screen);
//System.out.println( "Storing data to" + fileName );
lessonProperties.setProperty( screen.getTitle() + ".completed", Boolean.toString( completed ) );
lessonProperties.setProperty( screen.getTitle() + ".currentStage", Integer.toString( currentStage ) );
lessonProperties.setProperty( screen.getTitle() + ".maxHintLevel", Integer.toString( maxHintLevel ) );
lessonProperties.setProperty( screen.getTitle() + ".numVisits", Integer.toString( numVisits ) );
lessonProperties.setProperty( screen.getTitle() + ".viewedCookies", Boolean.toString( viewedCookies ) );
lessonProperties.setProperty( screen.getTitle() + ".viewedHtml", Boolean.toString( viewedHtml ) );
lessonProperties.setProperty( screen.getTitle() + ".viewedLessonPlan", Boolean.toString( viewedLessonPlan ) );
lessonProperties.setProperty( screen.getTitle() + ".viewedParameters", Boolean.toString( viewedParameters ) );
lessonProperties.setProperty( screen.getTitle() + ".viewedSource", Boolean.toString( viewedSource ) );
try
{
out = new FileOutputStream( fileName );
lessonProperties.store( out, s.getUserName() );
}
catch ( Exception e )
{
// what do we want to do, I think nothing.
System.out.println( "Warning User data for " + s.getUserName() + " will not persist" );
}
finally
{
try
{
out.close();
}
catch (Exception e) {}
}
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public String toString()
{
StringBuffer buff = new StringBuffer();
buff.append( "LessonTracker:" + "\n" );
buff.append( " - completed:.......... " + completed + "\n" );
buff.append( " - currentStage:....... " + currentStage + "\n" );
buff.append( " - maxHintLevel:....... " + maxHintLevel + "\n" );
buff.append( " - numVisits:.......... " + numVisits + "\n" );
buff.append( " - viewedCookies:...... " + viewedCookies + "\n" );
buff.append( " - viewedHtml:......... " + viewedHtml + "\n" );
buff.append( " - viewedLessonPlan:... " + viewedLessonPlan + "\n" );
buff.append( " - viewedParameters:... " + viewedParameters + "\n" );
buff.append( " - viewedSource:....... " + viewedSource + "\n" + "\n" );
return buff.toString();
}
/**
* @return Returns the lessonProperties.
*/
public Properties getLessonProperties()
{
return lessonProperties;
}
/**
* @param lessonProperties The lessonProperties to set.
*/
public void setLessonProperties(Properties lessonProperties)
{
this.lessonProperties = lessonProperties;
}
/**
* @param lessonProperties The lessonProperties to set.
*/
public void setLessonProperties(Properties lessonProperties)
{
this.lessonProperties = lessonProperties;
}
}
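Review bot: getTrackerFile concatenates the `user` argument straight into a file path under the users directory, and the three-argument store and load take that name from the caller rather than from the session, so a name containing a path separator or `..` would read or write a .props file outside that directory. Reject such names before building the path, as in the fence below; the returned string is unchanged for valid names, so the on-disk layout stays intact. Separately, the finally blocks in load and store call `in.close()` / `out.close()` even when the stream was never opened and rely on the empty catch to hide the NullPointerException; guard with `if (in != null)` and `if (out != null)` and drop the catch-all. setProperties also throws NumberFormatException when a .props file lacks one of the int keys, which load's generic catch turns into a fresh tracker, silently resetting progress; at least log which key was missing.
```java
private static String getTrackerFile(WebSession s, String user,
        Screen screen)
{
    // The user name becomes a path component; refuse anything that could
    // resolve outside the users directory.
    if (user == null || user.length() == 0 || user.indexOf('/') >= 0
            || user.indexOf('\\') >= 0 || user.indexOf("..") >= 0)
    {
        throw new IllegalArgumentException(
                "user name is not a valid tracker file component");
    }
    return getUserDir(s) + user + "." + screen.getClass().getName()
            + ".props";
}
```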


@ -1,46 +1,90 @@
package org.owasp.webgoat.session;
public class Parameter implements Comparable {
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class Parameter implements Comparable
{
String name;
String value;
public Parameter(String name, String value) {
this.name=name;
this.value=value;
public Parameter(String name, String value)
{
this.name = name;
this.value = value;
}
public String getName()
{
return name;
return name;
}
public String getValue()
{
return value;
return value;
}
//@Override
public boolean equals(Object obj) {
if ( obj instanceof Parameter )
{
Parameter other = (Parameter)obj;
return ( name.equals( other.getName() ) && value.equals( other.getValue() ) );
}
return false;
public boolean equals(Object obj)
{
if (obj instanceof Parameter)
{
Parameter other = (Parameter) obj;
return (name.equals(other.getName()) && value.equals(other
.getValue()));
}
return false;
}
//@Override
public int hashCode() {
return toString().hashCode();
public int hashCode()
{
return toString().hashCode();
}
//@Override
public String toString() {
return( name + "=" + value );
public String toString()
{
return (name + "=" + value);
}
public int compareTo(Object o) {
return toString().compareTo( o.toString() );
public int compareTo(Object o)
{
return toString().compareTo(o.toString());
}
}
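Review bot: `equals`, `hashCode`, `toString` and `compareTo` all throw NullPointerException when `name` or `value` is null, yet the constructor accepts null for either; since these objects are presumably built from request input, reject it once at construction, `if (name == null || value == null) throw new IllegalArgumentException("name and value are required");`, rather than guarding every method. `compareTo` also orders by `toString()` while `equals` compares the two fields, so two parameters whose text splits differently around an `=` (name `a=b`/value `c` versus name `a`/value `b=c`) compare as 0 and share a hash code but are not equal, which breaks the Comparable/equals contract for sorted collections. Comparing `name` first and then `value` keeps the ordering consistent with `equals`, and `compareTo(Object o)` should reject anything that is not a `Parameter` instead of silently calling `o.toString()`.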


@ -1,21 +1,45 @@
package org.owasp.webgoat.session;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of
* the Open Web Application Security Project (http://www.owasp.org) This
* software package org.owasp.webgoat.is published by OWASP under the GPL. You should read and
* accept the LICENSE before you use, modify and/or redistribute this software.
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/
public class ParameterNotFoundException extends Exception
{
/**
* Constructs a new ParameterNotFoundException with no detail message.
*/
public ParameterNotFoundException()
{
super();
super();
}
@ -27,6 +51,6 @@ public class ParameterNotFoundException extends Exception
*/
public ParameterNotFoundException(String s)
{
super(s);
super(s);
}
}


@ -13,316 +13,345 @@ import org.apache.ecs.html.IMG;
import org.apache.ecs.html.TD;
import org.owasp.webgoat.lessons.AbstractLesson;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created October 28, 2003
*/
public abstract class Screen
{
/**
* Description of the Field
*/
public static int MAIN_SIZE = 375;
/**
* Description of the Field
*/
public static int MAIN_SIZE = 375;
//private Head head;
private Element content;
private LessonTracker lessonTracker;
final static IMG logo = new IMG("images/aspectlogo-horizontal-small.jpg")
.setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0);
//private Head head;
private Element content;
private LessonTracker lessonTracker;
final static IMG logo = new IMG( "images/aspectlogo-horizontal-small.jpg" ).setAlt( "Aspect Security" ).setBorder( 0 ).setHspace( 0 ).setVspace( 0 );
/**
* Constructor for the Screen object
*/
public Screen()
{}
/**
* Constructor for the Screen object
*/
public Screen() { }
// FIXME: Each lesson should have a role assigned to it. Each user/student
// should also have a role(s) assigned. The user would only be allowed
// to see lessons that correspond to their role. Eventually these roles
// will be stored in the internal database. The user will be able to hack
// into the database and change their role. This will allow the user to
// see the admin screens, once they figure out how to turn the admin switch on.
public abstract String getRole();
// FIXME: Each lesson should have a role assigned to it. Each user/student
// should also have a role(s) assigned. The user would only be allowed
// to see lessons that correspond to their role. Eventually these roles
// will be stored in the internal database. The user will be able to hack
// into the database and change their role. This will allow the user to
// see the admin screens, once they figure out how to turn the admin switch on.
public abstract String getRole();
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected abstract Element createContent( WebSession s );
protected abstract Element createContent(WebSession s);
/**
* Gets the credits attribute of the Screen object
*
* @return The credits value
*/
public abstract Element getCredits();
/**
* Gets the credits attribute of the Screen object
*
* @return The credits value
*/
public abstract Element getCredits();
/**
* Creates a new lessonTracker object.
*
* @param props The properties file that was used to persist the user data.
* @return Description of the Return Value
*/
/**
* Creates a new lessonTracker object.
*
* @param props The properties file that was used to persist the user data.
* @return Description of the Return Value
*/
public LessonTracker createLessonTracker( Properties props )
public LessonTracker createLessonTracker(Properties props)
{
// If the lesson had any specialized properties in the user persisted properties,
// now would be the time to pull them out.
lessonTracker = createLessonTracker();
return lessonTracker;
}
/**
* This allows the screens to provide a custom LessonTracker object if needed.
*
* @return Description of the Return Value
*/
public LessonTracker createLessonTracker()
{
lessonTracker = new LessonTracker();
return lessonTracker;
}
/**
* Gets the lessonTracker attribute of the AbstractLesson object
*
* @param userName Description of the Parameter
* @return The lessonTracker value
*/
public LessonTracker getLessonTracker(WebSession s)
{
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, this);
}
public LessonTracker getLessonTracker(WebSession s, String userNameOverride)
{
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, userNameOverride, this);
}
public LessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
{
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker(s, lesson);
}
/**
* Fill in a descriptive title for this lesson
*
* @return The title value
*/
public abstract String getTitle();
protected void setContent(Element content)
{
this.content = content;
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
protected Element makeLogo()
{
return new A("http://www.aspectsecurity.com/webgoat.html", logo);
}
public String getSponsor()
{
return "Aspect Security";
}
public String getSponsorLogoResource()
{
return "images/aspectlogo-horizontal-small.jpg";
}
/**
* Description of the Method
*
* @param text Description of the Parameter
* @return Description of the Return Value
*/
protected TD makeMenuCategory_DELETE_ME(String text)
{
return (new TD().setWidth("100%").addElement(new Font().setColor(
HtmlColor.WHITE).addElement(new B().addElement(text))));
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeMessages(WebSession s)
{
if (s == null)
{
// If the lesson had any specialized properties in the user persisted properties,
// now would be the time to pull them out.
lessonTracker = createLessonTracker();
return lessonTracker;
return (new StringElement(""));
}
Font f = new Font().setColor(HtmlColor.RED);
/**
* This allows the screens to provide a custom LessonTracker object if needed.
*
* @return Description of the Return Value
*/
public LessonTracker createLessonTracker()
{
lessonTracker = new LessonTracker();
return lessonTracker;
}
String message = s.getMessage();
f.addElement(message);
return (f);
}
/**
* Returns the content length of the the html.
*
*/
/**
* Gets the lessonTracker attribute of the AbstractLesson object
*
* @param userName Description of the Parameter
* @return The lessonTracker value
*/
public LessonTracker getLessonTracker( WebSession s )
{
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker( s, this );
}
public LessonTracker getLessonTracker( WebSession s, String userNameOverride )
{
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker( s, userNameOverride, this );
}
public LessonTracker getLessonTracker( WebSession s, AbstractLesson lesson )
{
UserTracker userTracker = UserTracker.instance();
return userTracker.getLessonTracker( s, lesson );
}
/**
* Fill in a descriptive title for this lesson
*
* @return The title value
*/
public abstract String getTitle();
public int getContentLength()
{
return content.toString().length();
}
protected void setContent(Element content)
{
this.content = content;
}
/**
* Description of the Method
*
* @param out Description of the Parameter
*/
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public void output(PrintWriter out)
{
protected Element makeLogo()
// format output -- then send to printwriter
// otherwise we're doing way too much SSL encryption work
out.print(content.toString());
}
public String getContent()
{
return (content == null) ? "" : content.toString();
}
/**
* Description of the Method
*
* @param x Description of the Parameter
* @return Description of the Return Value
*/
protected static String pad(int x)
{
StringBuffer sb = new StringBuffer();
if (x < 10)
{
return new A("http://www.aspectsecurity.com/webgoat.html", logo);
}
public String getSponsor()
{
return "Aspect Security";
}
public String getSponsorLogoResource()
{
return "images/aspectlogo-horizontal-small.jpg";
}
/**
* Description of the Method
*
* @param text Description of the Parameter
* @return Description of the Return Value
*/
protected TD makeMenuCategory_DELETE_ME( String text )
{
return ( new TD().setWidth( "100%" ).addElement( new Font().setColor( HtmlColor.WHITE ).addElement( new B().addElement( text ) ) ) );
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
protected Element makeMessages( WebSession s )
{
if ( s == null )
{
return ( new StringElement( "" ) );
}
Font f = new Font().setColor( HtmlColor.RED );
String message = s.getMessage();
f.addElement( message );
return ( f );
}
/**
* Returns the content length of the the html.
*
*/
public int getContentLength()
{
return content.toString().length();
}
/**
* Description of the Method
*
* @param out Description of the Parameter
*/
public void output( PrintWriter out )
{
// format output -- then send to printwriter
// otherwise we're doing way too much SSL encryption work
out.print( content.toString() );
sb.append(" ");
}
public String getContent()
{
return (content == null) ? "" : content.toString();
}
/**
* Description of the Method
*
* @param x Description of the Parameter
* @return Description of the Return Value
*/
protected static String pad( int x )
if (x < 100)
{
StringBuffer sb = new StringBuffer();
sb.append(" ");
if ( x < 10 )
{
sb.append( " " );
}
if ( x < 100 )
{
sb.append( " " );
}
sb.append( x );
return ( sb.toString() );
}
sb.append(x);
/**
* Description of the Method
*
* @param token Description of the Parameter
* @return Description of the Return Value
return (sb.toString());
}
/**
* Description of the Method
*
* @param token Description of the Parameter
* @return Description of the Return Value
*/
protected static String convertMetachars(String token)
{
int mci = 0;
/*
* meta char array
*
* FIXME: Removed the conversion of whitespace " " to "&nbsp" in order for the
* html to be automatically wrapped in client browser. It is better to add line
* length checking and only do "&nbsp" conversion in lines that won't exceed
* screen size, say less than 80 characters.
*/
protected static String convertMetachars( String token )
String[] metaChar = { "&", "<", ">", "\"", "\t",
System.getProperty("line.separator") };
String[] htmlCode = { "&amp;", "&lt;", "&gt;", "&quot;", " ", "<br>" };
String replacedString = token;
for (; mci < metaChar.length; mci += 1)
{
int mci = 0;
/*
* meta char array
*
* FIXME: Removed the conversion of whitespace " " to "&nbsp" in order for the
* html to be automatically wrapped in client browser. It is better to add line
* length checking and only do "&nbsp" conversion in lines that won't exceed
* screen size, say less than 80 characters.
*/
String[] metaChar = {"&", "<", ">", "\"", "\t", System.getProperty("line.separator")};
String[] htmlCode = {"&amp;", "&lt;", "&gt;", "&quot;", " ", "<br>"};
String replacedString = token;
for ( ; mci < metaChar.length; mci += 1 )
{
replacedString = replacedString.replaceAll( metaChar[mci], htmlCode[mci] );
}
return ( replacedString );
replacedString = replacedString.replaceAll(metaChar[mci],
htmlCode[mci]);
}
return (replacedString);
}
/**
* Description of the Method
*
* @param token Description of the Parameter
* @return Description of the Return Value
*/
protected static String convertMetacharsJavaCode( String token )
{
return( convertMetachars(token).replaceAll(" ", "&nbsp;") );
}
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
/**
* Description of the Method
*
* @param token Description of the Parameter
* @return Description of the Return Value
*/
protected static String convertMetacharsJavaCode(String token)
{
return (convertMetachars(token).replaceAll(" ", "&nbsp;"));
}
//protected abstract Element wrapForm( WebSession s );
/**
* Description of the Method
*
* @param s Description of the Parameter
* @return Description of the Return Value
*/
//protected abstract Element wrapForm( WebSession s );
}
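Review bot: `getContentLength()` and `output()` dereference `content` unguarded while `getContent()` returns `""` when it is null, so a Screen whose `setContent` was never called fails with NullPointerException from the first two and succeeds from the third; use the same guard in all three, `return getContent().length();` and `out.print(getContent());`. `convertMetachars` escapes via `String.replaceAll`, which treats each `metaChar` entry as a regular expression and each `htmlCode` entry as a replacement pattern; the current entries happen to contain no regex or `$`/`\` metacharacters, but the literal `String.replace(CharSequence, CharSequence)` expresses the intent without that fragility. `public static int MAIN_SIZE = 375;` is a mutable global; `final` would fit unless something outside this hunk reassigns it.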


@ -1,5 +1,34 @@
package org.owasp.webgoat.session;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class UnauthenticatedException extends Exception
{


@ -1,5 +1,34 @@
package org.owasp.webgoat.session;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class UnauthorizedException extends Exception
{


@ -9,11 +9,35 @@ import java.util.Map;
import org.apache.catalina.Role;
import org.apache.catalina.User;
import org.apache.catalina.users.MemoryUserDatabase;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 29, 2003
@ -22,222 +46,228 @@ import org.apache.catalina.users.MemoryUserDatabase;
public class UserTracker
{
private static UserTracker instance;
private static UserTracker instance;
// FIXME: persist this somehow!
// FIXME: persist this somehow!
private static HashMap storage = new HashMap();
private static HashMap storage = new HashMap();
private static MemoryUserDatabase usersDB = new MemoryUserDatabase();
private static MemoryUserDatabase usersDB = new MemoryUserDatabase();
/**
* Constructor for the UserTracker object
*/
private UserTracker() { }
/**
* Constructor for the UserTracker object
*/
private UserTracker()
{}
/**
* Gets the completed attribute of the UserTracker object
*
* @param userName Description of the Parameter
* @return The completed value
*/
public int getCompleted(String userName)
{
/**
* Gets the completed attribute of the UserTracker object
*
* @param userName Description of the Parameter
* @return The completed value
*/
public int getCompleted( String userName )
HashMap usermap = getUserMap(userName);
Iterator i = usermap.entrySet().iterator();
int count = 0;
while (i.hasNext())
{
HashMap usermap = getUserMap( userName );
Map.Entry entry = (Map.Entry) i.next();
Iterator i = usermap.entrySet().iterator();
int value = ((Integer) entry.getValue()).intValue();
int count = 0;
if (value > 5)
{
count++;
}
while ( i.hasNext() )
}
return count;
}
/**
* Gets the users attribute of the UserTracker object
*
* @return The users value
*/
public Collection getUsers()
{
return storage.keySet();
}
public Collection getAllUsers(String roleName)
{
synchronized (usersDB)
{
Collection allUsers = new ArrayList();
try
{
usersDB.open();
Iterator users = usersDB.getUsers();
while (users.hasNext())
{
Map.Entry entry = (Map.Entry) i.next();
int value = ( (Integer) entry.getValue() ).intValue();
if ( value > 5 )
User user = (User) users.next();
Iterator roles = user.getRoles();
while (roles.hasNext())
{
Role role = (Role) roles.next();
if (role.getRolename().trim().equals(roleName))
{
count++;
allUsers.add(user.getUsername());
}
}
}
return count;
usersDB.close();
}
catch (Exception e)
{}
return allUsers;
}
}
/**
* Gets the users attribute of the UserTracker object
*
* @return The users value
*/
public Collection getUsers()
public void deleteUser(String user)
{
synchronized (usersDB)
{
return storage.keySet();
}
public Collection getAllUsers(String roleName)
{
synchronized ( usersDB ) {
Collection allUsers = new ArrayList();
try {
usersDB.open();
Iterator users = usersDB.getUsers();
while (users.hasNext())
{
User user = (User) users.next();
Iterator roles = user.getRoles();
while( roles.hasNext() )
{
Role role = (Role)roles.next();
if ( role.getRolename().trim().equals(roleName))
{
allUsers.add( user.getUsername() );
}
}
}
usersDB.close();
}
catch ( Exception e )
{}
return allUsers;
}
}
public void deleteUser( String user )
{
synchronized ( usersDB ) {
try
{
usersDB.open();
Iterator users = usersDB.getUsers();
while (users.hasNext())
{
User tomcatUser = (User) users.next();
if ( tomcatUser.getUsername().equals( user ) )
{
usersDB.removeUser(tomcatUser);
// FIXME: delete all the lesson tracking property files
break;
}
}
usersDB.close();
}
catch ( Exception e )
{}
}
}
/**
* Gets the lessonTracker attribute of the UserTracker object
*
* @param screen Description of the Parameter
* @param userName Description of the Parameter
* @return The lessonTracker value
*/
public LessonTracker getLessonTracker( WebSession s, Screen screen )
{
return getLessonTracker(s, s.getUserName(), screen );
}
public LessonTracker getLessonTracker( WebSession s, String user, Screen screen )
{
HashMap usermap = getUserMap( user );
LessonTracker tracker = (LessonTracker) usermap.get( screen.getTitle() );
if ( tracker == null )
try
{
usersDB.open();
Iterator users = usersDB.getUsers();
while (users.hasNext())
{
// Creates a new lesson tracker, if one does not exist on disk.
tracker = LessonTracker.load( s, user, screen );
usermap.put( screen.getTitle(), tracker );
User tomcatUser = (User) users.next();
if (tomcatUser.getUsername().equals(user))
{
usersDB.removeUser(tomcatUser);
// FIXME: delete all the lesson tracking property files
break;
}
}
//System.out.println( "User: [" + userName + "] UserTracker:getLessonTracker() LTH " + tracker.hashCode() + " for " + screen );
return tracker;
usersDB.close();
}
catch (Exception e)
{}
}
}
/**
* Gets the status attribute of the UserTracker object
*
* @param screen Description of the Parameter
* @param userName Description of the Parameter
* @return The status value
*/
public String getStatus( WebSession s, Screen screen )
/**
* Gets the lessonTracker attribute of the UserTracker object
*
* @param screen Description of the Parameter
* @param userName Description of the Parameter
* @return The lessonTracker value
*/
public LessonTracker getLessonTracker(WebSession s, Screen screen)
{
return getLessonTracker(s, s.getUserName(), screen);
}
public LessonTracker getLessonTracker(WebSession s, String user,
Screen screen)
{
HashMap usermap = getUserMap(user);
LessonTracker tracker = (LessonTracker) usermap.get(screen.getTitle());
if (tracker == null)
{
return ( "User [" + s.getUserName() + "] has accessed " + screen + " UserTracker:getStatus()LTH = " + getLessonTracker( s, screen ).hashCode() );
// Creates a new lesson tracker, if one does not exist on disk.
tracker = LessonTracker.load(s, user, screen);
usermap.put(screen.getTitle(), tracker);
}
//System.out.println( "User: [" + userName + "] UserTracker:getLessonTracker() LTH " + tracker.hashCode() + " for " + screen );
return tracker;
}
/**
* Gets the status attribute of the UserTracker object
*
* @param screen Description of the Parameter
* @param userName Description of the Parameter
* @return The status value
*/
public String getStatus(WebSession s, Screen screen)
{
return ("User [" + s.getUserName() + "] has accessed " + screen
+ " UserTracker:getStatus()LTH = " + getLessonTracker(s, screen)
.hashCode());
}
/**
* Gets the userMap attribute of the UserTracker object
*
* @param userName Description of the Parameter
* @return The userMap value
*/
private HashMap getUserMap( String userName )
/**
* Gets the userMap attribute of the UserTracker object
*
* @param userName Description of the Parameter
* @return The userMap value
*/
private HashMap getUserMap(String userName)
{
HashMap usermap = (HashMap) storage.get(userName);
if (usermap == null)
{
HashMap usermap = (HashMap) storage.get( userName );
usermap = new HashMap();
if ( usermap == null )
{
storage.put(userName, usermap);
usermap = new HashMap();
storage.put( userName, usermap );
}
return ( usermap );
}
return (usermap);
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public static synchronized UserTracker instance()
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public static synchronized UserTracker instance()
{
if (instance == null)
{
if ( instance == null )
{
instance = new UserTracker();
}
return instance;
}
/**
* Description of the Method
*
* @param screen Description of the Parameter
* @param s Description of the Parameter
*/
public void update( WebSession s, Screen screen )
{
LessonTracker tracker = getLessonTracker( s, screen );
//System.out.println( "User [" + s.getUserName() + "] TRACKER: updating " + screen + " LTH " + tracker.hashCode() );
tracker.store( s, screen );
HashMap usermap = getUserMap( s.getUserName() );
usermap.put( screen.getTitle(), tracker );
instance = new UserTracker();
}
return instance;
}
/**
* Description of the Method
*
* @param screen Description of the Parameter
* @param s Description of the Parameter
*/
public void update(WebSession s, Screen screen)
{
LessonTracker tracker = getLessonTracker(s, screen);
//System.out.println( "User [" + s.getUserName() + "] TRACKER: updating " + screen + " LTH " + tracker.hashCode() );
tracker.store(s, screen);
HashMap usermap = getUserMap(s.getUserName());
usermap.put(screen.getTitle(), tracker);
}
}
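Review bot: `getCompleted` casts every value of the user map to `Integer` (`int value = ((Integer) entry.getValue()).intValue();`), but the only writes to that map visible here, in `getLessonTracker` and `update`, store `LessonTracker` objects keyed by screen title, so the loop throws ClassCastException on the first entry; if completion state lives on the tracker, read it from there instead. In `getAllUsers` and `deleteUser` the `catch (Exception e) {}` discards the error silently and `usersDB.close()` is skipped whenever `open()` or the iteration throws, leaving the database open for the next caller; move the close into a `finally` and at least log the exception with its cause. The static `storage` map is also read and written from `getUserMap` without the synchronization that `instance()` has, which matters if sessions are served concurrently.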


@ -1,14 +1,45 @@
package org.owasp.webgoat.session;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class ValidationException extends Exception
{
public ValidationException()
{
super();
}
public ValidationException(String message)
{
super(message);
}
public ValidationException()
{
super();
}
public ValidationException(String message)
{
super(message);
}
}


@ -25,13 +25,38 @@ import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.admin.RefreshDBScreen;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is
* published by OWASP under the GPL. You should read and accept the LICENSE before you use, modify
* and/or redistribute this software.
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
*
* @created October 28, 2003
*/
public class WebSession


@ -4,88 +4,124 @@ import java.io.FileInputStream;
import java.io.IOException;
import java.util.Properties;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class WebgoatProperties extends Properties
{
public WebgoatProperties(String propertiesFileName) throws IOException
public WebgoatProperties(String propertiesFileName) throws IOException
{
try
{
try
{
FileInputStream in = new FileInputStream(propertiesFileName);
load(in);
}
catch ( IOException e )
{
System.out.println("Warning: Unable to open webgoat.properties file");
}
FileInputStream in = new FileInputStream(propertiesFileName);
load(in);
}
public int getIntProperty(String key, int defaultValue)
catch (IOException e)
{
int value = defaultValue;
String s = getProperty(key);
if (s != null)
{
value = Integer.parseInt(s);
}
return value;
System.out
.println("Warning: Unable to open webgoat.properties file");
}
}
public int getIntProperty(String key, int defaultValue)
{
int value = defaultValue;
String s = getProperty(key);
if (s != null)
{
value = Integer.parseInt(s);
}
public boolean getBooleanProperty(String key, boolean defaultValue)
return value;
}
public boolean getBooleanProperty(String key, boolean defaultValue)
{
boolean value = defaultValue;
key = this.trimLesson(key);
String s = getProperty(key);
if (s != null)
{
boolean value = defaultValue;
key = this.trimLesson(key);
String s = getProperty(key);
if (s != null)
{
if (s.equalsIgnoreCase("true"))
value = true;
else if (s.equalsIgnoreCase("yes"))
value = true;
else if (s.equalsIgnoreCase("on"))
value = true;
else if (s.equalsIgnoreCase("false"))
value = false;
else if (s.equalsIgnoreCase("no"))
value = false;
else if (s.equalsIgnoreCase("off"))
value = false;
}
return value;
}
private String trimLesson(String lesson)
{
String result = "";
if(lesson.startsWith("org.owasp.webgoat.lessons."))
{
result = lesson.substring("org.owasp.webgoat.lessons.".length(), lesson.length());
}
else
{
result = lesson;
}
return result;
if (s.equalsIgnoreCase("true"))
value = true;
else if (s.equalsIgnoreCase("yes"))
value = true;
else if (s.equalsIgnoreCase("on"))
value = true;
else if (s.equalsIgnoreCase("false"))
value = false;
else if (s.equalsIgnoreCase("no"))
value = false;
else if (s.equalsIgnoreCase("off"))
value = false;
}
public static void main(String[] args)
return value;
}
private String trimLesson(String lesson)
{
String result = "";
if (lesson.startsWith("org.owasp.webgoat.lessons."))
{
WebgoatProperties properties = null;
try
{
properties = new WebgoatProperties("C:\\webgoat.properties");
}
catch (IOException e)
{
System.out.println("Error loading properties");
e.printStackTrace();
}
System.out.println(properties.getProperty("CommandInjection.category"));
result = lesson.substring("org.owasp.webgoat.lessons.".length(),
lesson.length());
}
else
{
result = lesson;
}
return result;
}
public static void main(String[] args)
{
WebgoatProperties properties = null;
try
{
properties = new WebgoatProperties("C:\\webgoat.properties");
}
catch (IOException e)
{
System.out.println("Error loading properties");
e.printStackTrace();
}
System.out.println(properties.getProperty("CommandInjection.category"));
}
}
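Review bot: The FileInputStream opened in the WebgoatProperties constructor (`FileInputStream in = new FileInputStream(propertiesFileName); load(in);`) is never closed, so each construction leaks a file handle whether load() succeeds or throws. The file's style suggests a pre-Java-7 target, so a try/finally around load() rather than try-with-resources is the fitting fix, shown below. Separately, getIntProperty lets a malformed value escape as NumberFormatException from a method whose contract is "fall back to defaultValue", and main dereferences `properties` after the catch block, which is a NullPointerException whenever loading fails; both are pre-existing but this reformat touches every one of those lines.
```java
public WebgoatProperties(String propertiesFileName) throws IOException
{
    try
    {
        FileInputStream in = new FileInputStream(propertiesFileName);
        try
        {
            load(in);
        }
        finally
        {
            in.close();
        }
    }
    catch (IOException e)
    {
        System.out
            .println("Warning: Unable to open webgoat.properties file");
    }
}
// … unchanged: getIntProperty, getBooleanProperty, trimLesson, main …
```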