236 lines
8.4 KiB
Java
236 lines
8.4 KiB
Java
package org.owasp.webgoat.lessons;
|
||
|
||
import java.util.ArrayList;
|
||
import java.util.List;
|
||
import java.util.regex.Pattern;
|
||
|
||
import org.apache.ecs.Element;
|
||
import org.apache.ecs.ElementContainer;
|
||
import org.apache.ecs.html.BR;
|
||
import org.apache.ecs.html.Center;
|
||
import org.apache.ecs.html.H1;
|
||
import org.apache.ecs.html.HR;
|
||
import org.apache.ecs.html.Input;
|
||
import org.apache.ecs.html.TD;
|
||
import org.apache.ecs.html.TH;
|
||
import org.apache.ecs.html.TR;
|
||
import org.apache.ecs.html.Table;
|
||
import org.owasp.webgoat.session.ECSFactory;
|
||
import org.owasp.webgoat.session.WebSession;
|
||
import org.owasp.webgoat.util.HtmlEncoder;
|
||
|
||
|
||
|
||
/**
|
||
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
|
||
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
|
||
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
|
||
* this software.
|
||
*
|
||
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
|
||
* @created October 28, 2003
|
||
*/
|
||
|
||
public class ReflectedXSS extends LessonAdapter
|
||
{
|
||
|
||
/**
|
||
* Description of the Method
|
||
*
|
||
* @param s Description of the Parameter
|
||
* @return Description of the Return Value
|
||
*/
|
||
|
||
protected Element createContent( WebSession s )
|
||
{
|
||
|
||
ElementContainer ec = new ElementContainer();
|
||
String regex1 = "^[0-9]{3}$";// any three digits
|
||
Pattern pattern1 = Pattern.compile( regex1 );
|
||
|
||
try
|
||
{
|
||
String param1 = s.getParser().getRawParameter( "field1", "111" );
|
||
String param2 = HtmlEncoder.encode( s.getParser().getRawParameter( "field2", "4128 3214 0002 1999" ) );
|
||
float quantity = 1.0f;
|
||
float total = 0.0f;
|
||
float runningTotal = 0.0f;
|
||
|
||
// test input field1
|
||
if ( !pattern1.matcher( param1 ).matches() )
|
||
{
|
||
if ( param1.toLowerCase().indexOf( "script" ) != -1 )
|
||
{
|
||
makeSuccess( s );
|
||
}
|
||
|
||
s.setMessage( "Whoops! You entered " + param1 + " instead of your three digit code. Please try again." );
|
||
}
|
||
|
||
// FIXME: encode output of field2, then s.setMessage( field2 );
|
||
|
||
ec.addElement( new HR().setWidth("90%") );
|
||
ec.addElement( new Center().addElement( new H1().addElement( "Shopping Cart " )));
|
||
Table t = new Table().setCellSpacing( 0 ).setCellPadding( 2 ).setBorder( 1 ).setWidth("90%").setAlign("center");
|
||
|
||
if ( s.isColor() )
|
||
{
|
||
t.setBorder( 1 );
|
||
}
|
||
|
||
TR tr = new TR();
|
||
tr.addElement( new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%"));
|
||
tr.addElement( new TH().addElement("Price:").setWidth("10%"));
|
||
tr.addElement( new TH().addElement("Quantity:").setWidth("3%"));
|
||
tr.addElement( new TH().addElement("Total").setWidth("7%"));
|
||
t.addElement( tr );
|
||
|
||
tr = new TR();
|
||
tr.addElement( new TD().addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry "));
|
||
tr.addElement( new TD().addElement("69.99").setAlign("right"));
|
||
tr.addElement( new TD().addElement(new Input( Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1", "1") )).setAlign( "right" ));
|
||
quantity = s.getParser().getFloatParameter("QTY1", 1.0f);
|
||
total = quantity * 69.99f;
|
||
runningTotal += total;
|
||
tr.addElement( new TD().addElement("$" +total));
|
||
t.addElement( tr );
|
||
tr = new TR();
|
||
tr.addElement( new TD().addElement("Dynex - Traditional Notebook Case"));
|
||
tr.addElement( new TD().addElement("27.99").setAlign("right"));
|
||
tr.addElement( new TD().addElement(new Input( Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2", "1") )).setAlign( "right" ));
|
||
quantity = s.getParser().getFloatParameter("QTY2", 1.0f);
|
||
total = quantity * 27.99f;
|
||
runningTotal += total;
|
||
tr.addElement( new TD().addElement("$" +total));
|
||
t.addElement( tr );
|
||
tr = new TR();
|
||
tr.addElement( new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel<65> Centrino<6E>"));
|
||
tr.addElement( new TD().addElement("1599.99").setAlign("right"));
|
||
tr.addElement( new TD().addElement(new Input( Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3", "1") )).setAlign( "right" ));
|
||
quantity = s.getParser().getFloatParameter("QTY3", 1.0f);
|
||
total = quantity * 1599.99f;
|
||
runningTotal += total;
|
||
tr.addElement( new TD().addElement("$" +total));
|
||
t.addElement( tr );
|
||
tr = new TR();
|
||
tr.addElement( new TD().addElement("3 - Year Performance Service Plan $1000 and Over "));
|
||
tr.addElement( new TD().addElement("299.99").setAlign("right"));
|
||
|
||
tr.addElement( new TD().addElement(new Input( Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4", "1") )).setAlign( "right" ));
|
||
quantity = s.getParser().getFloatParameter("QTY4", 1.0f);
|
||
total = quantity * 299.99f;
|
||
runningTotal += total;
|
||
tr.addElement( new TD().addElement("$" +total));
|
||
t.addElement( tr );
|
||
|
||
ec.addElement(t);
|
||
|
||
t = new Table().setCellSpacing( 0 ).setCellPadding( 2 ).setBorder( 0 ).setWidth("90%").setAlign("center");
|
||
|
||
if ( s.isColor() )
|
||
{
|
||
t.setBorder( 1 );
|
||
}
|
||
|
||
ec.addElement( new BR() );
|
||
|
||
tr = new TR();
|
||
tr.addElement( new TD().addElement( "The total charged to your credit card:" ) );
|
||
tr.addElement( new TD().addElement( "$" + runningTotal ));
|
||
tr.addElement( new TD().addElement( ECSFactory.makeButton( "Update Cart" )));
|
||
t.addElement( tr );
|
||
tr = new TR();
|
||
tr.addElement( new TD().addElement( " " ).setColSpan(2) );
|
||
t.addElement( tr );
|
||
tr = new TR();
|
||
tr.addElement( new TD().addElement( "Enter your credit card number:" ) );
|
||
tr.addElement( new TD().addElement( new Input( Input.TEXT, "field2", param2 )));
|
||
t.addElement( tr );
|
||
tr = new TR();
|
||
tr.addElement( new TD().addElement( "Enter your three digit access code:" ) );
|
||
tr.addElement( new TD().addElement( new Input( Input.TEXT, "field1", param1 )));
|
||
t.addElement( tr );
|
||
|
||
Element b = ECSFactory.makeButton( "Purchase" );
|
||
tr = new TR();
|
||
tr.addElement( new TD().addElement( b ).setColSpan(2).setAlign("center"));
|
||
t.addElement( tr );
|
||
|
||
ec.addElement( t );
|
||
ec.addElement( new BR() );
|
||
ec.addElement( new HR().setWidth("90%") );
|
||
}
|
||
catch ( Exception e )
|
||
{
|
||
s.setMessage( "Error generating " + this.getClass().getName() );
|
||
e.printStackTrace();
|
||
}
|
||
return ( ec );
|
||
}
|
||
|
||
|
||
/**
|
||
* DOCUMENT ME!
|
||
*
|
||
* @return DOCUMENT ME!
|
||
*/
|
||
protected Category getDefaultCategory()
|
||
{
|
||
return AbstractLesson.A4;
|
||
}
|
||
|
||
|
||
|
||
/**
|
||
* Gets the hints attribute of the AccessControlScreen object
|
||
*
|
||
* @return The hints value
|
||
*/
|
||
protected List getHints()
|
||
{
|
||
List hints = new ArrayList();
|
||
hints.add( "A simple script is <SCRIPT>alert('bang!');</SCRIPT>." );
|
||
hints.add( "Can you get the script to disclose the JSESSIONID cookie?" );
|
||
hints.add( "You can use <SCRIPT>alert(document.cookie);</SCRIPT> to access the session id cookie" );
|
||
hints.add( "Can you get the script to access the credit card form field?" );
|
||
hints.add( "Try a cross site trace (XST) Command:<br>" +
|
||
"<script type=\"text/javascript\">if ( navigator.appName.indexOf(\"Microsoft\") !=-1)" +
|
||
" {var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false);" +
|
||
" xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"<br>\"); " +
|
||
"document.write(str1);}</script>");
|
||
return hints;
|
||
}
|
||
// <script type="text/javascript">if ( navigator.appName.indexOf("Microsoft") !=-1) {var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false); xmlHttp.send();str1=xmlHttp.responseText;document.write(str1);}</script>
|
||
/**
|
||
* Gets the instructions attribute of the WeakAccessControl object
|
||
*
|
||
* @return The instructions value
|
||
*/
|
||
public String getInstructions(WebSession s)
|
||
{
|
||
String instructions = "For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script and do something bad.";
|
||
return ( instructions );
|
||
}
|
||
|
||
|
||
|
||
private final static Integer DEFAULT_RANKING = new Integer(120);
|
||
|
||
protected Integer getDefaultRanking()
|
||
{
|
||
return DEFAULT_RANKING;
|
||
}
|
||
|
||
/**
|
||
* Gets the title attribute of the AccessControlScreen object
|
||
*
|
||
* @return The title value
|
||
*/
|
||
public String getTitle()
|
||
{
|
||
return "How to Perform Reflected Cross Site Scripting (XSS) Attacks";
|
||
}
|
||
}
|
||
|
||
|