doc
java
org
owasp
webgoat
controller
lessons
ClientSideFiltering
CrossSiteScripting
DBCrossSiteScripting
DBSQLInjection
GoatHillsFinancial
RoleBasedAccessControl
SQLInjection
admin
instructor
model
AbstractLesson.java
AccessControlMatrix.java
BackDoors.java
BasicAuthentication.java
BlindNumericSqlInjection.java
BlindScript.java
BlindStringSqlInjection.java
BypassHtmlFieldRestrictions.java
CSRF.java
Category.java
Challenge2Screen.java
ClientSideValidation.java
CommandInjection.java
ConcurrencyCart.java
CsrfPromptByPass.java
CsrfTokenByPass.java
DOMInjection.java
DOMXSS.java
DOS_Login.java
DangerousEval.java
Encoding.java
FailOpenAuthentication.java
ForcedBrowsing.java
ForgotPassword.java
HiddenFieldTampering.java
HowToWork.java
HtmlClues.java
HttpBasics.java
HttpBasicsController.java
HttpOnly.java
HttpSplitting.java
InsecureLogin.java
JSONInjection.java
JavaScriptValidation.java
LessonAdapter.java
LogSpoofing.java
MaliciousFileExecution.java
MultiLevelLogin1.java
MultiLevelLogin2.java
NewLesson.java
OffByOne.java
PasswordStrength.java
PathBasedAccessControl.java
Phishing.java
RandomLessonAdapter.java
ReflectedXSS.java
RemoteAdminFlaw.java
SameOriginPolicyProtection.java
SequentialLessonAdapter.java
SessionFixation.java
SilentTransactions.java
SoapRequest.java
SqlAddData.java
SqlModifyData.java
SqlNumericInjection.java
SqlStringInjection.java
StoredXss.java
ThreadSafetyProblem.java
TomcatSetup.java
TraceXSS.java
UncheckedEmail.java
UsefulTools.java
WSDLScanning.java
WeakAuthenticationCookie.java
WeakSessionID.java
WelcomeScreen.java
WsSAXInjection.java
WsSqlInjection.java
XMLInjection.java
XPATHInjection.java
service
servlets
session
util
Catcher.java
HammerHead.java
LessonSource.java
resources
scripts
tomcatconf
webapp
.gitignore
README.txt
build.xml
pom.xml
webgoat for SQL Server.bat
webgoat.bat
webgoat.sh
webgoat_8080.bat
webscarab.bat
6a96547ef0
git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@485 4033779f-a91e-0410-96ef-6bf7bf53c507
373 lines
11 KiB
Java
373 lines
11 KiB
Java
|
|
package org.owasp.webgoat.lessons;
|
|
|
|
import java.sql.Connection;
|
|
import java.sql.PreparedStatement;
|
|
import java.sql.ResultSet;
|
|
import java.sql.Statement;
|
|
import java.util.ArrayList;
|
|
import java.util.List;
|
|
import org.apache.ecs.Element;
|
|
import org.apache.ecs.ElementContainer;
|
|
import org.apache.ecs.StringElement;
|
|
import org.apache.ecs.html.A;
|
|
import org.apache.ecs.html.B;
|
|
import org.apache.ecs.html.H1;
|
|
import org.apache.ecs.html.HR;
|
|
import org.apache.ecs.html.IMG;
|
|
import org.apache.ecs.html.Input;
|
|
import org.apache.ecs.html.P;
|
|
import org.apache.ecs.html.TD;
|
|
import org.apache.ecs.html.TR;
|
|
import org.apache.ecs.html.Table;
|
|
import org.apache.ecs.html.TextArea;
|
|
import org.owasp.webgoat.session.*;
|
|
import org.owasp.webgoat.util.HtmlEncoder;
|
|
import org.owasp.webgoat.util.WebGoatI18N;
|
|
|
|
|
|
/***************************************************************************************************
|
|
*
|
|
*
|
|
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
|
* please see http://www.owasp.org/
|
|
*
|
|
* Copyright (c) 2002 - 2007 Bruce Mayhew
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
|
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
|
* License, or (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
|
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along with this program; if
|
|
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
|
* 02111-1307, USA.
|
|
*
|
|
* Getting Source ==============
|
|
*
|
|
* Source for this application is maintained at code.google.com, a repository for free software
|
|
* projects.
|
|
*
|
|
* For details, please see http://code.google.com/p/webgoat/
|
|
*
|
|
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
|
|
* @created October 28, 2003
|
|
*/
|
|
public class StoredXss extends LessonAdapter
|
|
{
|
|
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
|
|
.addElement(
|
|
new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
|
|
.setVspace(0));
|
|
|
|
private final static String MESSAGE = "message";
|
|
|
|
private final static int MESSAGE_COL = 3;
|
|
|
|
private final static String NUMBER = "Num";
|
|
|
|
private final static int NUM_COL = 1;
|
|
|
|
private final static String STANDARD_QUERY = "SELECT * FROM messages";
|
|
|
|
private final static String TITLE = "title";
|
|
|
|
private final static int TITLE_COL = 2;
|
|
|
|
private static int count = 1;
|
|
|
|
private final static int USER_COL = 4; // Added by Chuck Willis - used to show user who posted
|
|
|
|
// message
|
|
|
|
/**
|
|
* Adds a feature to the Message attribute of the MessageBoardScreen object
|
|
*
|
|
* @param s
|
|
* The feature to be added to the Message attribute
|
|
*/
|
|
protected void addMessage(WebSession s)
|
|
{
|
|
try
|
|
{
|
|
String title = HtmlEncoder.encode(s.getParser().getRawParameter(TITLE, ""));
|
|
String message = s.getParser().getRawParameter(MESSAGE, "");
|
|
|
|
Connection connection = DatabaseUtilities.getConnection(s);
|
|
|
|
String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )";
|
|
|
|
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
|
|
ResultSet.CONCUR_READ_ONLY);
|
|
statement.setInt(1, count++);
|
|
statement.setString(2, title);
|
|
statement.setString(3, message);
|
|
statement.setString(4, s.getUserName());
|
|
statement.setString(5, this.getClass().getName());
|
|
statement.execute();
|
|
} catch (Exception e)
|
|
{
|
|
// ignore the empty resultset on the insert. There are a few more SQL Injection errors
|
|
// that could be trapped here but we will let them try. One error would be something
|
|
// like "Characters found after end of SQL statement."
|
|
if (e.getMessage().indexOf("No ResultSet was produced") == -1)
|
|
{
|
|
s.setMessage(WebGoatI18N.get("CouldNotAddMessage"));
|
|
}
|
|
e.printStackTrace();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Description of the Method
|
|
*
|
|
* @param s
|
|
* Description of the Parameter
|
|
* @return Description of the Return Value
|
|
*/
|
|
protected Element createContent(WebSession s)
|
|
{
|
|
addMessage(s);
|
|
|
|
ElementContainer ec = new ElementContainer();
|
|
ec.addElement(makeInput(s));
|
|
ec.addElement(new HR());
|
|
ec.addElement(makeCurrent(s));
|
|
ec.addElement(new HR());
|
|
ec.addElement(makeList(s));
|
|
|
|
return (ec);
|
|
}
|
|
|
|
/**
|
|
* Gets the category attribute of the StoredXss object
|
|
*
|
|
* @return The category value
|
|
*/
|
|
protected Category getDefaultCategory()
|
|
{
|
|
return Category.XSS;
|
|
}
|
|
|
|
/**
|
|
* Gets the hints attribute of the MessageBoardScreen object
|
|
*
|
|
* @return The hints value
|
|
*/
|
|
protected List<String> getHints(WebSession s)
|
|
{
|
|
List<String> hints = new ArrayList<String>();
|
|
hints.add(WebGoatI18N.get("StoredXssHint1"));
|
|
hints.add(WebGoatI18N.get("StoredXssHint1"));
|
|
hints.add(WebGoatI18N.get("StoredXssHint1"));
|
|
hints.add(WebGoatI18N.get("StoredXssHint1"));
|
|
|
|
|
|
|
|
return hints;
|
|
}
|
|
|
|
private final static Integer DEFAULT_RANKING = new Integer(100);
|
|
|
|
protected Integer getDefaultRanking()
|
|
{
|
|
return DEFAULT_RANKING;
|
|
}
|
|
|
|
/**
|
|
* Gets the title attribute of the MessageBoardScreen object
|
|
*
|
|
* @return The title value
|
|
*/
|
|
public String getTitle()
|
|
{
|
|
return ("Stored XSS Attacks");
|
|
}
|
|
|
|
/**
|
|
* Description of the Method
|
|
*
|
|
* @param s
|
|
* Description of the Parameter
|
|
* @return Description of the Return Value
|
|
*/
|
|
protected Element makeCurrent(WebSession s)
|
|
{
|
|
ElementContainer ec = new ElementContainer();
|
|
|
|
try
|
|
{
|
|
int messageNum = s.getParser().getIntParameter(NUMBER, 0);
|
|
|
|
Connection connection = DatabaseUtilities.getConnection(s);
|
|
|
|
// edit by Chuck Willis - Added logic to associate similar usernames
|
|
// The idea is that users chuck-1, chuck-2, etc will see each other's messages
|
|
// but not anyone elses. This allows users to try out XSS to grab another user's
|
|
// cookies, but not get confused by other users scripts
|
|
|
|
String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
|
|
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
|
|
ResultSet.CONCUR_READ_ONLY);
|
|
statement.setString(1, getNameroot(s.getUserName()) + "%");
|
|
statement.setInt(2, messageNum);
|
|
statement.setString(3, this.getClass().getName());
|
|
ResultSet results = statement.executeQuery();
|
|
|
|
if ((results != null) && results.first())
|
|
{
|
|
ec.addElement(new H1(WebGoatI18N.get("MessageContentsFor")+": " + results.getString(TITLE_COL)));
|
|
Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
|
|
TR row1 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Title")+":"))));
|
|
row1.addElement(new TD(new StringElement(results.getString(TITLE_COL))));
|
|
t.addElement(row1);
|
|
|
|
String messageData = results.getString(MESSAGE_COL);
|
|
TR row2 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Message")+":"))));
|
|
row2.addElement(new TD(new StringElement(messageData)));
|
|
t.addElement(row2);
|
|
|
|
// Edited by Chuck Willis - added display of the user who posted the message, so
|
|
// that
|
|
// if users use a cross site request forgery or XSS to make another user post a
|
|
// message,
|
|
// they can see that the message is attributed to that user
|
|
|
|
TR row3 = new TR(new TD(new StringElement(WebGoatI18N.get("PostedBy")+":")));
|
|
row3.addElement(new TD(new StringElement(results.getString(USER_COL))));
|
|
t.addElement(row3);
|
|
|
|
ec.addElement(t);
|
|
|
|
// Some sanity checks that the script may be correct
|
|
if (messageData.toLowerCase().indexOf("<script>") != -1
|
|
&& messageData.toLowerCase().indexOf("</script>") != -1
|
|
&& messageData.toLowerCase().indexOf("alert") != -1)
|
|
{
|
|
makeSuccess(s);
|
|
}
|
|
|
|
}
|
|
else
|
|
{
|
|
if (messageNum != 0)
|
|
{
|
|
ec.addElement(new P().addElement(WebGoatI18N.get("CouldNotFindMessage") + messageNum));
|
|
}
|
|
}
|
|
} catch (Exception e)
|
|
{
|
|
s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
|
|
e.printStackTrace();
|
|
}
|
|
|
|
return (ec);
|
|
}
|
|
|
|
/**
|
|
* Description of the Method
|
|
*
|
|
* @param s
|
|
* Description of the Parameter
|
|
* @return Description of the Return Value
|
|
*/
|
|
protected Element makeInput(WebSession s)
|
|
{
|
|
Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
|
|
TR row1 = new TR();
|
|
TR row2 = new TR();
|
|
row1.addElement(new TD(new StringElement(WebGoatI18N.get("Title")+": ")));
|
|
|
|
Input inputTitle = new Input(Input.TEXT, TITLE, "");
|
|
row1.addElement(new TD(inputTitle));
|
|
|
|
TD item1 = new TD();
|
|
item1.setVAlign("TOP");
|
|
item1.addElement(new StringElement(WebGoatI18N.get("Message")+": "));
|
|
row2.addElement(item1);
|
|
|
|
TD item2 = new TD();
|
|
TextArea ta = new TextArea(MESSAGE, 5, 60);
|
|
item2.addElement(ta);
|
|
row2.addElement(item2);
|
|
t.addElement(row1);
|
|
t.addElement(row2);
|
|
|
|
Element b = ECSFactory.makeButton(WebGoatI18N.get("Submit"));
|
|
ElementContainer ec = new ElementContainer();
|
|
ec.addElement(t);
|
|
ec.addElement(new P().addElement(b));
|
|
|
|
return (ec);
|
|
}
|
|
|
|
/**
|
|
* Description of the Method
|
|
*
|
|
* @param s
|
|
* Description of the Parameter
|
|
* @return Description of the Return Value
|
|
*/
|
|
public Element makeList(WebSession s)
|
|
{
|
|
Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
|
|
|
|
try
|
|
{
|
|
Connection connection = DatabaseUtilities.getConnection(s);
|
|
|
|
// edit by Chuck Willis - Added logic to associate similar usernames
|
|
// The idea is that users chuck-1, chuck-2, etc will see each other's messages
|
|
// but not anyone elses. This allows users to try out XSS to grab another user's
|
|
// cookies, but not get confused by other users scripts
|
|
|
|
String query = "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?";
|
|
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
|
|
ResultSet.CONCUR_READ_ONLY);
|
|
statement.setString(1, getNameroot(s.getUserName()) + "%");
|
|
statement.setString(2, getClass().getName());
|
|
ResultSet results = statement.executeQuery();
|
|
|
|
if ((results != null) && (results.first() == true))
|
|
{
|
|
results.beforeFirst();
|
|
|
|
for (int i = 0; results.next(); i++)
|
|
{
|
|
A a = ECSFactory.makeLink(results.getString(TITLE_COL), NUMBER, results.getInt(NUM_COL));
|
|
TD td = new TD().addElement(a);
|
|
TR tr = new TR().addElement(td);
|
|
t.addElement(tr);
|
|
}
|
|
}
|
|
} catch (Exception e)
|
|
{
|
|
s.setMessage(WebGoatI18N.get("ErrorGeneratingMessageList"));
|
|
}
|
|
|
|
ElementContainer ec = new ElementContainer();
|
|
ec.addElement(new H1(WebGoatI18N.get("MessageList")));
|
|
ec.addElement(t);
|
|
|
|
return (ec);
|
|
}
|
|
|
|
private static String getNameroot(String name)
|
|
{
|
|
String nameroot = name;
|
|
if (nameroot.indexOf('-') != -1)
|
|
{
|
|
nameroot = nameroot.substring(0, nameroot.indexOf('-'));
|
|
}
|
|
return nameroot;
|
|
}
|
|
|
|
public Element getCredits()
|
|
{
|
|
return super.getCustomCredits("", ASPECT_LOGO);
|
|
}
|
|
}
|