227 lines
7.2 KiB
Java
227 lines
7.2 KiB
Java
package org.owasp.webgoat.lessons;
|
|
|
|
import java.text.Format;
|
|
import java.text.SimpleDateFormat;
|
|
import java.util.ArrayList;
|
|
import java.util.Date;
|
|
import java.util.List;
|
|
|
|
import org.apache.ecs.Element;
|
|
import org.apache.ecs.ElementContainer;
|
|
import org.apache.ecs.StringElement;
|
|
import org.apache.ecs.html.B;
|
|
import org.apache.ecs.html.BR;
|
|
import org.apache.ecs.html.Center;
|
|
import org.apache.ecs.html.H1;
|
|
import org.apache.ecs.html.H3;
|
|
import org.apache.ecs.html.HR;
|
|
import org.apache.ecs.html.Input;
|
|
import org.apache.ecs.html.TD;
|
|
import org.apache.ecs.html.TH;
|
|
import org.apache.ecs.html.TR;
|
|
import org.apache.ecs.html.Table;
|
|
import org.apache.ecs.html.TextArea;
|
|
|
|
import org.owasp.webgoat.session.ECSFactory;
|
|
import org.owasp.webgoat.session.WebSession;
|
|
|
|
/**
|
|
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
|
|
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
|
|
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
|
|
* this software.
|
|
*
|
|
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
|
|
* @created October 28, 2003
|
|
*/
|
|
|
|
public class UncheckedEmail extends LessonAdapter
|
|
{
|
|
|
|
private final static String MESSAGE = "msg";
|
|
private final static String TO = "to";
|
|
|
|
|
|
/**
|
|
* Description of the Method
|
|
*
|
|
* @param s Description of the Parameter
|
|
* @return Description of the Return Value
|
|
*/
|
|
|
|
protected Element createContent( WebSession s )
|
|
{
|
|
|
|
ElementContainer ec = new ElementContainer();
|
|
try
|
|
{
|
|
String to = s.getParser().getRawParameter( TO, "" );
|
|
|
|
Table t = new Table().setCellSpacing( 0 ).setCellPadding( 2 ).setBorder( 0 ).setWidth("90%").setAlign("center");
|
|
|
|
if ( s.isColor() )
|
|
{
|
|
t.setBorder( 1 );
|
|
}
|
|
|
|
TR tr = new TR();
|
|
tr.addElement( new TH().addElement("Send OWASP your Comments<BR>").setAlign("left").setColSpan(3));
|
|
t.addElement( tr );
|
|
|
|
tr = new TR();
|
|
tr.addElement( new TD().addElement( " ").setColSpan(3));
|
|
t.addElement( tr );
|
|
|
|
tr = new TR();
|
|
tr.addElement( new TH().addElement(new H1("Contact Us")).setAlign("left").setWidth("55%").setVAlign("BOTTOM"));
|
|
tr.addElement( new TH().addElement( " "));
|
|
tr.addElement( new TH().addElement(new H3("Contact Information:")).setAlign("left").setVAlign("BOTTOM"));
|
|
t.addElement( tr );
|
|
|
|
|
|
tr = new TR();
|
|
tr.addElement( new TD().addElement("We value your comments. To send OWASP your questions or comments regarding the " +
|
|
"WebGoat tool, please enter your comments below. The information you provide will be handled according " +
|
|
"to our <U>Privacy Policy</U>."));
|
|
tr.addElement( new TD().addElement( " "));
|
|
tr.addElement( new TD().addElement("<b>OWASP</B><BR>" +
|
|
"9175 Guilford Rd <BR> Suite 300 <BR>" +
|
|
"Columbia, MD. 21046").setVAlign("top"));
|
|
t.addElement( tr );
|
|
|
|
|
|
|
|
tr = new TR();
|
|
tr.addElement( new TD().addElement( " ").setColSpan(3));
|
|
t.addElement( tr );
|
|
|
|
Input input = new Input( Input.HIDDEN, TO, "webgoat.admin@owasp.org" );
|
|
tr = new TR();
|
|
tr.addElement( new TD().addElement( "Questions or Comments:"));
|
|
tr.addElement( new TD().addElement( " "));
|
|
tr.addElement( new TD().setAlign( "LEFT" ).addElement( input ));
|
|
t.addElement( tr );
|
|
|
|
|
|
tr = new TR();
|
|
String message = s.getParser().getRawParameter( MESSAGE, "" );
|
|
TextArea ta = new TextArea( MESSAGE, 5, 40 );
|
|
ta.addElement( new StringElement( convertMetachars(message) ));
|
|
tr.addElement( new TD().setAlign( "LEFT" ).addElement( ta ));
|
|
tr.addElement( new TD().setAlign( "LEFT" ).setVAlign( "MIDDLE" ).addElement( ECSFactory.makeButton( "Send!" ) ) );
|
|
tr.addElement( new TD().addElement( " "));
|
|
t.addElement( tr );
|
|
ec.addElement( t );
|
|
|
|
// Eventually we could send the actually mail, but the point should already be made
|
|
//ec.addElement(exec( use java mail here + to));
|
|
|
|
if ( to.length() > 0 )
|
|
{
|
|
Format formatter;
|
|
// Get today's date
|
|
Date date = new Date();
|
|
formatter = new SimpleDateFormat("E, dd MMM yyyy HH:mm:ss Z");
|
|
String today = formatter.format(date);
|
|
// Tue, 09 Jan 2002 22:14:02 -0500
|
|
|
|
ec.addElement( new HR() );
|
|
ec.addElement( new Center().addElement( new B().addElement( "You sent the following message to: " + to ) ) );
|
|
ec.addElement( new BR() );
|
|
ec.addElement( new StringElement("<b>Return-Path:</b> <webgoat@owasp.org>"));
|
|
ec.addElement( new BR() );
|
|
ec.addElement( new StringElement("<b>Delivered-To:</b> " + to));
|
|
ec.addElement( new BR() );
|
|
ec.addElement( new StringElement("<b>Received:</b> (qmail 614458 invoked by uid 239); " + today));
|
|
ec.addElement( new BR() );
|
|
ec.addElement( new StringElement("for <" + to+">; " + today ));
|
|
ec.addElement( new BR() );
|
|
ec.addElement( new StringElement("<b>To:</b> " + to));
|
|
ec.addElement( new BR() );
|
|
ec.addElement( new StringElement("<b>From:</b> Blame it on the Goat <webgoat@owasp.org>"));
|
|
ec.addElement( new BR() );
|
|
ec.addElement( new StringElement("<b>Subject:</b> OWASP security issues"));
|
|
ec.addElement( new BR() );
|
|
ec.addElement( new BR() );
|
|
ec.addElement( new StringElement( message ) );
|
|
}
|
|
|
|
// only complete the lesson if they changed the "to" hidden field
|
|
if ( to.length() > 0 && ! "webgoat.admin@owasp.org".equals( to ) )
|
|
{
|
|
makeSuccess( s );
|
|
}
|
|
}
|
|
catch ( Exception e )
|
|
{
|
|
s.setMessage( "Error generating " + this.getClass().getName() );
|
|
e.printStackTrace();
|
|
}
|
|
return ( ec );
|
|
}
|
|
|
|
|
|
/**
|
|
* DOCUMENT ME!
|
|
*
|
|
* @return DOCUMENT ME!
|
|
*/
|
|
protected Category getDefaultCategory()
|
|
{
|
|
return AbstractLesson.A1;
|
|
}
|
|
|
|
|
|
/**
|
|
* Gets the hints attribute of the EmailScreen object
|
|
*
|
|
* @return The hints value
|
|
*/
|
|
protected List getHints()
|
|
{
|
|
List hints = new ArrayList();
|
|
hints.add( "Try sending an anonymous message to yourself." );
|
|
hints.add( "Try inserting some html or javascript code in the message field" );
|
|
hints.add( "Look at the hidden fields in the HTML.");
|
|
hints.add( "Insert <A href=\"http://www.aspectsecurity.com/webgoat.html\">Click here for Aspect</A> in the message field" );
|
|
hints.add( "Insert <script>alert(\"Bad Stuff\");</script> in the message field" );
|
|
return hints;
|
|
}
|
|
|
|
|
|
/**
|
|
* Gets the instructions attribute of the UncheckedEmail object
|
|
*
|
|
* @return The instructions value
|
|
*/
|
|
public String getInstructions(WebSession s)
|
|
{
|
|
String instructions = "This form is an example of a customer support page. Using the form below try to:<br>"
|
|
+ "1) Send a malicious script to the website admin.<br>"
|
|
+ "2) Send a malicious script to a 'friend' from OWASP.<br>";
|
|
return ( instructions );
|
|
}
|
|
|
|
|
|
|
|
|
|
private final static Integer DEFAULT_RANKING = new Integer(55);
|
|
|
|
protected Integer getDefaultRanking()
|
|
{
|
|
return DEFAULT_RANKING;
|
|
}
|
|
|
|
/**
|
|
* Gets the title attribute of the EmailScreen object
|
|
*
|
|
* @return The title value
|
|
*/
|
|
public String getTitle()
|
|
{
|
|
return ( "How to Exploit Unchecked Email" );
|
|
}
|
|
}
|
|
|
|
|