6a96547ef0
git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@485 4033779f-a91e-0410-96ef-6bf7bf53c507
221 lines
7.2 KiB
Java
221 lines
7.2 KiB
Java
|
|
package org.owasp.webgoat.lessons.CrossSiteScripting;
|
|
|
|
import java.sql.PreparedStatement;
|
|
import java.sql.ResultSet;
|
|
import java.sql.SQLException;
|
|
import java.util.HashMap;
|
|
import java.util.Map;
|
|
import java.util.regex.Matcher;
|
|
import java.util.regex.Pattern;
|
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
|
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
|
import org.owasp.webgoat.session.Employee;
|
|
import org.owasp.webgoat.session.ParameterNotFoundException;
|
|
import org.owasp.webgoat.session.UnauthenticatedException;
|
|
import org.owasp.webgoat.session.UnauthorizedException;
|
|
import org.owasp.webgoat.session.ValidationException;
|
|
import org.owasp.webgoat.session.WebSession;
|
|
|
|
|
|
/***************************************************************************************************
|
|
*
|
|
*
|
|
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
|
* please see http://www.owasp.org/
|
|
*
|
|
* Copyright (c) 2002 - 2007 Bruce Mayhew
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
|
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
|
* License, or (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
|
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along with this program; if
|
|
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
|
* 02111-1307, USA.
|
|
*
|
|
* Getting Source ==============
|
|
*
|
|
* Source for this application is maintained at code.google.com, a repository for free software
|
|
* projects.
|
|
*
|
|
* For details, please see http://code.google.com/p/webgoat/
|
|
*/
|
|
public class FindProfile extends DefaultLessonAction
|
|
{
|
|
|
|
private LessonAction chainedAction;
|
|
|
|
public FindProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
|
|
{
|
|
super(lesson, lessonName, actionName);
|
|
this.chainedAction = chainedAction;
|
|
}
|
|
|
|
public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
|
|
UnauthorizedException, ValidationException
|
|
{
|
|
if (isAuthenticated(s))
|
|
{
|
|
int userId = getIntSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.USER_ID);
|
|
|
|
String searchName = null;
|
|
try
|
|
{
|
|
searchName = getRequestParameter(s, CrossSiteScripting.SEARCHNAME);
|
|
|
|
Employee employee = null;
|
|
|
|
employee = findEmployeeProfile(s, userId, searchName);
|
|
if (employee == null)
|
|
{
|
|
setSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.SEARCHRESULT_ATTRIBUTE_KEY,
|
|
"Employee " + searchName + " not found.");
|
|
}
|
|
} catch (ValidationException e)
|
|
{
|
|
if (CrossSiteScripting.STAGE6.equals(getStage(s)))
|
|
{
|
|
setStageComplete(s, CrossSiteScripting.STAGE6);
|
|
}
|
|
throw e;
|
|
}
|
|
|
|
if (CrossSiteScripting.STAGE5.equals(getStage(s)))
|
|
{
|
|
if (searchName.indexOf("<script>") > -1 && searchName.indexOf("alert") > -1
|
|
&& searchName.indexOf("</script>") > -1)
|
|
{
|
|
setStageComplete(s, CrossSiteScripting.STAGE5);
|
|
}
|
|
}
|
|
|
|
// Execute the chained Action if the employee was found.
|
|
if (foundEmployee(s))
|
|
{
|
|
try
|
|
{
|
|
chainedAction.handleRequest(s);
|
|
} catch (UnauthenticatedException ue1)
|
|
{
|
|
// System.out.println("Internal server error");
|
|
ue1.printStackTrace();
|
|
} catch (UnauthorizedException ue2)
|
|
{
|
|
// System.out.println("Internal server error");
|
|
ue2.printStackTrace();
|
|
}
|
|
}
|
|
}
|
|
else
|
|
throw new UnauthenticatedException();
|
|
}
|
|
|
|
public String getNextPage(WebSession s)
|
|
{
|
|
String page = CrossSiteScripting.SEARCHSTAFF_ACTION;
|
|
|
|
if (foundEmployee(s)) page = CrossSiteScripting.VIEWPROFILE_ACTION;
|
|
|
|
return page;
|
|
}
|
|
|
|
protected String getRequestParameter(WebSession s, String name) throws ParameterNotFoundException,
|
|
ValidationException
|
|
{
|
|
|
|
return s.getParser().getRawParameter(name);
|
|
}
|
|
|
|
protected String getRequestParameter_BACKUP(WebSession s, String name) throws ParameterNotFoundException,
|
|
ValidationException
|
|
{
|
|
return s.getParser().getRawParameter(name);
|
|
}
|
|
|
|
public Employee findEmployeeProfile(WebSession s, int userId, String pattern) throws UnauthorizedException
|
|
{
|
|
Employee profile = null;
|
|
|
|
// Query the database for the profile data of the given employee
|
|
try
|
|
{
|
|
String query = "SELECT * FROM employee WHERE first_name like ? OR last_name like ?";
|
|
|
|
try
|
|
{
|
|
PreparedStatement answer_statement = WebSession.getConnection(s)
|
|
.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
|
|
answer_statement.setString(1, "%" + pattern + "%");
|
|
answer_statement.setString(2, "%" + pattern + "%");
|
|
ResultSet answer_results = answer_statement.executeQuery();
|
|
|
|
// Just use the first hit.
|
|
if (answer_results.next())
|
|
{
|
|
int id = answer_results.getInt("userid");
|
|
// Note: Do NOT get the password field.
|
|
profile = new Employee(id, answer_results.getString("first_name"), answer_results
|
|
.getString("last_name"), answer_results.getString("ssn"),
|
|
answer_results.getString("title"), answer_results.getString("phone"), answer_results
|
|
.getString("address1"), answer_results.getString("address2"), answer_results
|
|
.getInt("manager"), answer_results.getString("start_date"), answer_results
|
|
.getInt("salary"), answer_results.getString("ccn"), answer_results
|
|
.getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
|
|
.getString("disciplined_notes"), answer_results.getString("personal_description"));
|
|
|
|
/*
|
|
* System.out.println("Retrieved employee from db: " + profile.getFirstName() +
|
|
* " " + profile.getLastName() + " (" + profile.getId() + ")");
|
|
*/
|
|
setRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID, Integer.toString(id));
|
|
}
|
|
} catch (SQLException sqle)
|
|
{
|
|
s.setMessage("Error finding employee profile");
|
|
sqle.printStackTrace();
|
|
}
|
|
} catch (Exception e)
|
|
{
|
|
s.setMessage("Error finding employee profile");
|
|
e.printStackTrace();
|
|
}
|
|
|
|
return profile;
|
|
}
|
|
|
|
private boolean foundEmployee(WebSession s)
|
|
{
|
|
boolean found = false;
|
|
try
|
|
{
|
|
getIntRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID);
|
|
found = true;
|
|
} catch (ParameterNotFoundException e)
|
|
{
|
|
}
|
|
|
|
return found;
|
|
}
|
|
|
|
protected String validate(final String parameter, final Pattern pattern) throws ValidationException
|
|
{
|
|
Matcher matcher = pattern.matcher(parameter);
|
|
if (!matcher.matches()) throw new ValidationException();
|
|
|
|
return parameter;
|
|
}
|
|
|
|
protected static Map<String, Pattern> patterns = new HashMap<String, Pattern>();
|
|
static
|
|
{
|
|
patterns.put(CrossSiteScripting.SEARCHNAME, Pattern.compile("[a-zA-Z ]{0,20}"));
|
|
}
|
|
|
|
}
|