main
project
JavaSource
org
owasp
webgoat
lessons
ClientSideFiltering
CrossSiteScripting
DBCrossSiteScripting
DBSQLInjection
GoatHillsFinancial
RoleBasedAccessControl
SQLInjection
admin
instructor
AbstractLesson.java
AccessControlMatrix.java
BackDoors.java
BasicAuthentication.java
BlindSqlInjection.java
BufferOverflow.java
CSRF.java
Category.java
Challenge2Screen.java
ClientSideValidation.java
CommandInjection.java
ConcurrencyCart.java
DOMInjection.java
DOMXSS.java
DOS_Login.java
DangerousEval.java
Encoding.java
FailOpenAuthentication.java
ForcedBrowsing.java
ForgotPassword.java
HiddenFieldTampering.java
HowToWork.java
HtmlClues.java
HttpBasics.java
HttpOnly.java
HttpSplitting.java
JSONInjection.java
JavaScriptValidation.java
LessonAdapter.java
LogSpoofing.java
MultiLevelLogin1.java
MultiLevelLogin2.java
NewLesson.java
PasswordStrength.java
PathBasedAccessControl.java
Phishing.java
RandomLessonAdapter.java
ReflectedXSS.java
RemoteAdminFlaw.java
SameOriginPolicyProtection.java
SequentialLessonAdapter.java
SessionFixation.java
SilentTransactions.java
SoapRequest.java
SqlNumericInjection.java
SqlStringInjection.java
StoredXss.java
ThreadSafetyProblem.java
TraceXSS.java
UncheckedEmail.java
UsefulTools.java
WSDLScanning.java
WeakAuthenticationCookie.java
WeakSessionID.java
WelcomeScreen.java
WsSAXInjection.java
WsSqlInjection.java
XMLInjection.java
XPATHInjection.java
servlets
session
util
Catcher.java
HammerHead.java
LessonSource.java
WebContent
config
doc
build.xml
Eclipse-Workspace.zip
HOW TO create the WebGoat workspace.txt
build.xml
eclipse.bat
readme.txt
webgoat for SQL Server.bat
webgoat.bat
webgoat.sh
webgoat_8080.bat
webscarab.bat
a8db8989c8
git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@287 4033779f-a91e-0410-96ef-6bf7bf53c507
277 lines
7.6 KiB
Java
277 lines
7.6 KiB
Java
|
|
package org.owasp.webgoat.lessons;
|
|
|
|
import java.util.ArrayList;
|
|
import java.util.List;
|
|
import org.apache.ecs.Element;
|
|
import org.apache.ecs.ElementContainer;
|
|
import org.apache.ecs.html.A;
|
|
import org.apache.ecs.html.IMG;
|
|
import org.apache.ecs.html.TD;
|
|
import org.apache.ecs.html.TR;
|
|
import org.apache.ecs.html.Table;
|
|
import org.owasp.webgoat.session.ECSFactory;
|
|
import org.owasp.webgoat.session.WebSession;
|
|
|
|
|
|
/***************************************************************************************************
|
|
*
|
|
*
|
|
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
|
* please see http://www.owasp.org/
|
|
*
|
|
* Copyright (c) 2002 - 2007 Bruce Mayhew
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
|
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
|
* License, or (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
|
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along with this program; if
|
|
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
|
* 02111-1307, USA.
|
|
*
|
|
* Getting Source ==============
|
|
*
|
|
* Source for this application is maintained at code.google.com, a repository for free software
|
|
* projects.
|
|
*
|
|
* For details, please see http://code.google.com/p/webgoat/
|
|
*
|
|
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
|
|
* @created October 28, 2003
|
|
*/
|
|
|
|
public class AccessControlMatrix extends LessonAdapter
|
|
{
|
|
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
|
|
.addElement(
|
|
new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
|
|
.setVspace(0));
|
|
|
|
private final static String RESOURCE = "Resource";
|
|
|
|
private final static String USER = "User";
|
|
|
|
private final static String[] resources = { "Public Share", "Time Card Entry", "Performance Review",
|
|
"Time Card Approval", "Site Manager", "Account Manager" };
|
|
|
|
private final static String[] roles = { "Public", "User", "Manager", "Admin" };
|
|
|
|
private final static String[] users = { "Moe", "Larry", "Curly", "Shemp" };
|
|
|
|
/**
|
|
* Description of the Method
|
|
*
|
|
* @param s
|
|
* Description of the Parameter
|
|
* @return Description of the Return Value
|
|
*/
|
|
protected Element createContent(WebSession s)
|
|
{
|
|
ElementContainer ec = new ElementContainer();
|
|
|
|
try
|
|
{
|
|
String user = s.getParser().getRawParameter(USER, users[0]);
|
|
String resource = s.getParser().getRawParameter(RESOURCE, resources[0]);
|
|
String credentials = getRoles(user).toString();
|
|
|
|
Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
|
|
|
|
if (s.isColor())
|
|
{
|
|
t.setBorder(1);
|
|
}
|
|
|
|
TR tr = new TR();
|
|
tr.addElement(new TD().addElement("Change user:"));
|
|
tr.addElement(new TD().addElement(ECSFactory.makePulldown(USER, users, user, 1)));
|
|
t.addElement(tr);
|
|
|
|
// These two lines would allow the user to select the resource from a list
|
|
// Didn't seem right to me so I made them type it in.
|
|
// ec.addElement( new P().addElement( "Choose a resource:" ) );
|
|
// ec.addElement( ECSFactory.makePulldown( RESOURCE, resources, resource, 1 ) );
|
|
tr = new TR();
|
|
tr.addElement(new TD().addElement("Select resource: "));
|
|
tr.addElement(new TD().addElement(ECSFactory.makePulldown(RESOURCE, resources, resource, 1)));
|
|
t.addElement(tr);
|
|
|
|
tr = new TR();
|
|
tr.addElement(new TD(" ").setColSpan(2).setAlign("center"));
|
|
t.addElement(tr);
|
|
|
|
tr = new TR();
|
|
tr.addElement(new TD(ECSFactory.makeButton("Check Access")).setColSpan(2).setAlign("center"));
|
|
t.addElement(tr);
|
|
ec.addElement(t);
|
|
|
|
if (isAllowed(user, resource))
|
|
{
|
|
if (!getRoles(user).contains("Admin") && resource.equals("Account Manager"))
|
|
{
|
|
makeSuccess(s);
|
|
}
|
|
s.setMessage("User " + user + " " + credentials + " was allowed to access resource " + resource);
|
|
}
|
|
else
|
|
{
|
|
s.setMessage("User " + user + " " + credentials + " did not have privilege to access resource "
|
|
+ resource);
|
|
}
|
|
} catch (Exception e)
|
|
{
|
|
s.setMessage("Error generating " + this.getClass().getName());
|
|
e.printStackTrace();
|
|
}
|
|
|
|
return (ec);
|
|
}
|
|
|
|
/**
|
|
* Gets the category attribute of the RoleBasedAccessControl object
|
|
*
|
|
* @return The category value
|
|
*/
|
|
|
|
protected Category getDefaultCategory()
|
|
{
|
|
return Category.ACCESS_CONTROL;
|
|
}
|
|
|
|
/**
|
|
* Gets the hints attribute of the RoleBasedAccessControl object
|
|
*
|
|
* @return The hints value
|
|
*/
|
|
protected List<String> getHints(WebSession s)
|
|
{
|
|
List<String> hints = new ArrayList<String>();
|
|
hints.add("Many sites attempt to restrict access to resources by role.");
|
|
hints.add("Developers frequently make mistakes implementing this scheme.");
|
|
hints.add("Attempt combinations of users, roles, and resources.");
|
|
return hints;
|
|
}
|
|
|
|
private final static Integer DEFAULT_RANKING = new Integer(10);
|
|
|
|
protected Integer getDefaultRanking()
|
|
{
|
|
return DEFAULT_RANKING;
|
|
}
|
|
|
|
/**
|
|
* Gets the resources attribute of the RoleBasedAccessControl object
|
|
*
|
|
* @param rl
|
|
* Description of the Parameter
|
|
* @return The resources value
|
|
*/
|
|
private List getResources(List rl)
|
|
{
|
|
// return the resources allowed for these roles
|
|
ArrayList<String> list = new ArrayList<String>();
|
|
|
|
if (rl.contains(roles[0]))
|
|
{
|
|
list.add(resources[0]);
|
|
}
|
|
|
|
if (rl.contains(roles[1]))
|
|
{
|
|
list.add(resources[1]);
|
|
list.add(resources[5]);
|
|
}
|
|
|
|
if (rl.contains(roles[2]))
|
|
{
|
|
list.add(resources[2]);
|
|
list.add(resources[3]);
|
|
}
|
|
|
|
if (rl.contains(roles[3]))
|
|
{
|
|
list.add(resources[4]);
|
|
list.add(resources[5]);
|
|
}
|
|
|
|
return list;
|
|
}
|
|
|
|
/**
|
|
* Gets the role attribute of the RoleBasedAccessControl object
|
|
*
|
|
* @param user
|
|
* Description of the Parameter
|
|
* @return The role value
|
|
*/
|
|
|
|
private List getRoles(String user)
|
|
{
|
|
ArrayList<String> list = new ArrayList<String>();
|
|
|
|
if (user.equals(users[0]))
|
|
{
|
|
list.add(roles[0]);
|
|
}
|
|
else if (user.equals(users[1]))
|
|
{
|
|
list.add(roles[1]);
|
|
list.add(roles[2]);
|
|
}
|
|
else if (user.equals(users[2]))
|
|
{
|
|
list.add(roles[0]);
|
|
list.add(roles[2]);
|
|
}
|
|
else if (user.equals(users[3]))
|
|
{
|
|
list.add(roles[3]);
|
|
}
|
|
|
|
return list;
|
|
}
|
|
|
|
/**
|
|
* Gets the title attribute of the AccessControlScreen object
|
|
*
|
|
* @return The title value
|
|
*/
|
|
|
|
public String getTitle()
|
|
{
|
|
return ("Using an Access Control Matrix");
|
|
}
|
|
|
|
// private final static ArrayList userList = new ArrayList(Arrays.asList(users));
|
|
// private final static ArrayList resourceList = new ArrayList(Arrays.asList(resources));
|
|
// private final static ArrayList roleList = new ArrayList(Arrays.asList(roles));
|
|
|
|
/**
|
|
* Please do not ever implement an access control scheme this way! But it's not the worst I've
|
|
* seen.
|
|
*
|
|
* @param user
|
|
* Description of the Parameter
|
|
* @param resource
|
|
* Description of the Parameter
|
|
* @return The allowed value
|
|
*/
|
|
|
|
private boolean isAllowed(String user, String resource)
|
|
{
|
|
List roles = getRoles(user);
|
|
List resources = getResources(roles);
|
|
return (resources.contains(resource));
|
|
}
|
|
|
|
public Element getCredits()
|
|
{
|
|
return super.getCustomCredits("", ASPECT_LOGO);
|
|
}
|
|
}
|