6a96547ef0
git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@485 4033779f-a91e-0410-96ef-6bf7bf53c507
227 lines
7.1 KiB
Java
227 lines
7.1 KiB
Java
|
|
package org.owasp.webgoat.lessons.DBSQLInjection;
|
|
|
|
import java.sql.CallableStatement;
|
|
import java.sql.ResultSet;
|
|
import java.sql.SQLException;
|
|
import java.sql.Statement;
|
|
import java.sql.Types;
|
|
import java.util.List;
|
|
import java.util.Vector;
|
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
|
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
|
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
|
import org.owasp.webgoat.session.EmployeeStub;
|
|
import org.owasp.webgoat.session.ParameterNotFoundException;
|
|
import org.owasp.webgoat.session.UnauthenticatedException;
|
|
import org.owasp.webgoat.session.UnauthorizedException;
|
|
import org.owasp.webgoat.session.ValidationException;
|
|
import org.owasp.webgoat.session.WebSession;
|
|
|
|
|
|
/***************************************************************************************************
|
|
*
|
|
*
|
|
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
|
* please see http://www.owasp.org/
|
|
*
|
|
* Copyright (c) 2002 - 2007 Bruce Mayhew
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
|
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
|
* License, or (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
|
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along with this program; if
|
|
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
|
* 02111-1307, USA.
|
|
*
|
|
* Getting Source ==============
|
|
*
|
|
* Source for this application is maintained at code.google.com, a repository for free software
|
|
* projects.
|
|
*
|
|
* For details, please see http://code.google.com/p/webgoat/
|
|
*/
|
|
public class Login extends DefaultLessonAction
|
|
{
|
|
|
|
private LessonAction chainedAction;
|
|
|
|
public Login(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
|
|
{
|
|
super(lesson, lessonName, actionName);
|
|
this.chainedAction = chainedAction;
|
|
}
|
|
|
|
public void handleRequest(WebSession s) throws ParameterNotFoundException, ValidationException
|
|
{
|
|
// System.out.println("Login.handleRequest()");
|
|
getLesson().setCurrentAction(s, getActionName());
|
|
|
|
List employees = getAllEmployees(s);
|
|
setSessionAttribute(s, getLessonName() + "." + DBSQLInjection.STAFF_ATTRIBUTE_KEY, employees);
|
|
|
|
String employeeId = null;
|
|
try
|
|
{
|
|
employeeId = s.getParser().getStringParameter(DBSQLInjection.EMPLOYEE_ID);
|
|
String password = s.getParser().getRawParameter(DBSQLInjection.PASSWORD);
|
|
|
|
// Attempt authentication
|
|
boolean authenticated = login(s, employeeId, password);
|
|
|
|
if (authenticated)
|
|
{
|
|
// Execute the chained Action if authentication succeeded.
|
|
try
|
|
{
|
|
chainedAction.handleRequest(s);
|
|
} catch (UnauthenticatedException ue1)
|
|
{
|
|
// System.out.println("Internal server error");
|
|
ue1.printStackTrace();
|
|
} catch (UnauthorizedException ue2)
|
|
{
|
|
// System.out.println("Internal server error");
|
|
ue2.printStackTrace();
|
|
}
|
|
}
|
|
else
|
|
s.setMessage("Login failed");
|
|
|
|
} catch (ParameterNotFoundException pnfe)
|
|
{
|
|
// No credentials offered, so we log them out
|
|
setSessionAttribute(s, getLessonName() + ".isAuthenticated", Boolean.FALSE);
|
|
}
|
|
}
|
|
|
|
public String getNextPage(WebSession s)
|
|
{
|
|
String nextPage = DBSQLInjection.LOGIN_ACTION;
|
|
|
|
if (isAuthenticated(s)) nextPage = chainedAction.getNextPage(s);
|
|
|
|
return nextPage;
|
|
|
|
}
|
|
|
|
public boolean requiresAuthentication()
|
|
{
|
|
return false;
|
|
}
|
|
|
|
public boolean login(WebSession s, String userId, String password)
|
|
{
|
|
boolean authenticated = false;
|
|
|
|
try
|
|
{
|
|
String call = "{ ? = call EMPLOYEE_LOGIN(?,?) }"; // NB: "call", not "CALL"! Doh!
|
|
|
|
try
|
|
{
|
|
CallableStatement statement = WebSession.getConnection(s)
|
|
.prepareCall(call, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
|
|
statement.registerOutParameter(1, Types.INTEGER);
|
|
statement.setInt(2, Integer.parseInt(userId));
|
|
statement.setString(3, password);
|
|
statement.execute();
|
|
|
|
int rows = statement.getInt(1);
|
|
if (rows > 0)
|
|
{
|
|
setSessionAttribute(s, getLessonName() + ".isAuthenticated", Boolean.TRUE);
|
|
setSessionAttribute(s, getLessonName() + "." + DBSQLInjection.USER_ID, userId);
|
|
authenticated = true;
|
|
if (DBSQLInjection.STAGE1.equals(getStage(s))
|
|
&& DBSQLInjection.PRIZE_EMPLOYEE_ID == Integer.parseInt(userId))
|
|
{
|
|
setStageComplete(s, DBSQLInjection.STAGE1);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
|
|
if (DBSQLInjection.STAGE2.equals(getStage(s)))
|
|
{
|
|
try
|
|
{
|
|
String call2 = "{ ? = call EMPLOYEE_LOGIN_BACKUP(?,?) }";
|
|
statement = WebSession.getConnection(s).prepareCall(call2,
|
|
ResultSet.TYPE_SCROLL_INSENSITIVE,
|
|
ResultSet.CONCUR_READ_ONLY);
|
|
statement.registerOutParameter(1, Types.INTEGER);
|
|
statement.setInt(2, Integer.parseInt(userId));
|
|
statement.setString(3, password);
|
|
statement.execute();
|
|
|
|
rows = statement.getInt(1);
|
|
if (rows > 0) setStageComplete(s, DBSQLInjection.STAGE2);
|
|
} catch (SQLException sqle2)
|
|
{
|
|
}
|
|
}
|
|
}
|
|
} catch (SQLException sqle)
|
|
{
|
|
s.setMessage("Error logging in: " + sqle.getLocalizedMessage());
|
|
sqle.printStackTrace();
|
|
}
|
|
} catch (Exception e)
|
|
{
|
|
s.setMessage("Error logging in: " + e.getLocalizedMessage());
|
|
e.printStackTrace();
|
|
}
|
|
|
|
// System.out.println("Lesson login result: " + authenticated);
|
|
return authenticated;
|
|
}
|
|
|
|
public List getAllEmployees(WebSession s)
|
|
{
|
|
List<EmployeeStub> employees = new Vector<EmployeeStub>();
|
|
|
|
// Query the database for all roles the given employee belongs to
|
|
// Query the database for all employees "owned" by these roles
|
|
|
|
try
|
|
{
|
|
String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles "
|
|
+ "where employee.userid=roles.userid";
|
|
|
|
try
|
|
{
|
|
Statement answer_statement = WebSession.getConnection(s)
|
|
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
|
|
ResultSet answer_results = answer_statement.executeQuery(query);
|
|
answer_results.beforeFirst();
|
|
while (answer_results.next())
|
|
{
|
|
int employeeId = answer_results.getInt("userid");
|
|
String firstName = answer_results.getString("first_name");
|
|
String lastName = answer_results.getString("last_name");
|
|
String role = answer_results.getString("role");
|
|
EmployeeStub stub = new EmployeeStub(employeeId, firstName, lastName, role);
|
|
employees.add(stub);
|
|
}
|
|
} catch (SQLException sqle)
|
|
{
|
|
s.setMessage("Error getting employees");
|
|
sqle.printStackTrace();
|
|
}
|
|
} catch (Exception e)
|
|
{
|
|
s.setMessage("Error getting employees");
|
|
e.printStackTrace();
|
|
}
|
|
|
|
return employees;
|
|
}
|
|
|
|
}
|