WebGoat/main/project/JavaSource/org/owasp/webgoat/lessons/SilentTransactions.java

package org.owasp.webgoat.lessons;

import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;

import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.Div;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.H3;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.PRE;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.WebSession;

/*******************************************************************************
 * 
 * 
 * This file is part of WebGoat, an Open Web Application Security Project
 * utility. For details, please see http://www.owasp.org/
 * 
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 * 
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free Software
 * Foundation; either version 2 of the License, or (at your option) any later
 * version.
 * 
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
 * details.
 * 
 * You should have received a copy of the GNU General Public License along with
 * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
 * Place - Suite 330, Boston, MA 02111-1307, USA.
 * 
 * Getting Source ==============
 * 
 * Source for this application is maintained at code.google.com, a repository
 * for free software projects.
 * 
 * For details, please see http://code.google.com/p/webgoat/
 * 
 * @author     Sherif Koussa <a href="http://www.macadamian.com">Macadamian Technologies.</a>
 * @created    December 26, 2006
 */

public class SilentTransactions extends LessonAdapter
{

    private final static Integer DEFAULT_RANKING = new Integer(40);

    private final static Double CURRENT_BALANCE = 11987.09;

    private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
    "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0);

    public void handleRequest(WebSession s)
    {

	try
	{
	    if (s.getParser().getRawParameter("from", "").equals("ajax"))
	    {
		if (s.getParser().getRawParameter("confirm", "").equals(
			"Confirm"))
		{
		    String amount = s.getParser().getRawParameter("amount", "");
		    s.getResponse().setContentType("text/html");
		    s.getResponse().setHeader("Cache-Control", "no-cache");
		    PrintWriter out = new PrintWriter(s.getResponse()
			    .getOutputStream());
		    StringBuffer result = new StringBuffer();
		    result
			    .append("<br><br>* Congratulations. You have successfully completed this lesson.<br>");
		    if (!amount.equals(""))
		    {
			result.append("You have just silently authorized ");
			result.append(amount);
			result.append("$ without the user interaction.<br>");
		    }
		    result
			    .append("Now you can send out a spam email containing this link and whoever clicks on it<br>");
		    result
			    .append(" and happens to be logged in the same time will loose their money !!");
		    out.print(result.toString());
		    out.flush();
		    out.close();
		    getLessonTracker(s).setCompleted(true);
		    return;
		}
		else if (s.getParser().getRawParameter("confirm", "").equals(
			"Transferring"))
		{
		    s.getResponse().setContentType("text/html");
		    s.getResponse().setHeader("Cache-Control", "no-cache");
		    PrintWriter out = new PrintWriter(s.getResponse()
			    .getOutputStream());
		    out
			    .print("<br><br>The Transaction has Completed Successfully.");
		    out.flush();
		    out.close();
		    return;
		}
	    }
	}
	catch (Exception ex)
	{
	    ex.printStackTrace();
	}

	Form form = new Form(getFormAction(), Form.POST).setName("form")
		.setEncType("");

	form.addElement(createContent(s));

	setContent(form);

    }


    /**
     * Description of the Method
     * 
     * @param s Current WebSession
     */

    protected Element createContent(WebSession s)
    {
	ElementContainer ec = new ElementContainer();
	String lineSep = System.getProperty("line.separator");
	String script = "<script>"
		+ lineSep
		+ "function processData(){"
		+ lineSep
		+ " var accountNo = document.getElementById('newAccount').value;"
		+ lineSep
		+ " var amount = document.getElementById('amount').value;"
		+ lineSep
		+ " if ( accountNo == ''){"
		+ lineSep
		+ " alert('Please enter a valid account number to transfer to.')"
		+ lineSep
		+ " return;"
		+ lineSep
		+ "}"
		+ lineSep
		+ " else if ( amount == ''){"
		+ lineSep
		+ " alert('Please enter a valid amount to transfer.')"
		+ lineSep
		+ " return;"
		+ lineSep
		+ "}"
		+ lineSep
		+ " var balanceValue = document.getElementById('balanceID').innerHTML;"
		+ lineSep
		+ " balanceValue = balanceValue.replace( new RegExp('$') , '');"
		+ lineSep
		+ " if ( parseFloat(amount) > parseFloat(balanceValue) ) {"
		+ lineSep
		+ " alert('You can not transfer more funds than what is available in your balance.')"
		+ lineSep
		+ " return;"
		+ lineSep
		+ "}"
		+ lineSep
		+ " document.getElementById('confirm').value  = 'Transferring'"
		+ lineSep
		+ "submitData(accountNo, amount);"
		+ lineSep
		+ " document.getElementById('confirm').value  = 'Confirm'"
		+ lineSep
		+ "balanceValue = parseFloat(balanceValue) - parseFloat(amount);"
		+ lineSep
		+ "balanceValue = balanceValue.toFixed(2);"
		+ lineSep
		+ "document.getElementById('balanceID').innerHTML = balanceValue + '$';"
		+ lineSep
		+ "}"
		+ lineSep
		+ "function submitData(accountNo, balance) {"
		+ lineSep
		+ "var url = '" + getLink()
		+ "&from=ajax&newAccount='+ accountNo+ '&amount=' + balance +'&confirm=' + document.getElementById('confirm').value; "
		+ lineSep + "if (typeof XMLHttpRequest != 'undefined') {"
		+ lineSep + "req = new XMLHttpRequest();" + lineSep
		+ "} else if (window.ActiveXObject) {" + lineSep
		+ "req = new ActiveXObject('Microsoft.XMLHTTP');" + lineSep
		+ "   }" + lineSep + "   req.open('GET', url, true);" + lineSep
		+ "   req.onreadystatechange = callback;" + lineSep
		+ "   req.send(null);" + lineSep + "}" + lineSep
		+ "function callback() {" + lineSep
		+ "    if (req.readyState == 4) { " + lineSep
		+ "        if (req.status == 200) { " + lineSep
		+ "                   var result =  req.responseText ;"
		+ lineSep
		+ "			 var resultsDiv = document.getElementById('resultsDiv');"
		+ lineSep + "				resultsDiv.innerHTML = '';" + lineSep
		+ "				resultsDiv.innerHTML = result;" + lineSep
		+ "        }}}" + lineSep + "</script>" + lineSep;

	ec.addElement(new StringElement(script));
	ec.addElement(new H1("Welcome to WebGoat Banking System"));
	ec.addElement(new BR());
	ec.addElement(new H3("Account Summary:"));

	Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(1)
		.setWidth("70%").setAlign("left");
	ec.addElement(new BR());
	TR tr = new TR();
	tr.addElement(new TD(new StringElement("Account Balance:")));
	tr.addElement(new TD(new StringElement("<div id='balanceID'>"
		+ CURRENT_BALANCE.toString() + "$</div>")));
	t1.addElement(tr);

	tr = new TR();
	tr.addElement(new TD(new StringElement("Transfer to Account:")));
	Input newAccount = new Input();
	newAccount.addAttribute("id", "newAccount");
	newAccount.setType(Input.TEXT);
	newAccount.setName("newAccount");
	newAccount.setValue("");
	tr.addElement(new TD(newAccount));
	t1.addElement(tr);

	tr = new TR();
	tr.addElement(new TD(new StringElement("Transfer Amount:")));
	Input amount = new Input();
	amount.addAttribute("id", "amount");
	amount.setType(Input.TEXT);
	amount.setName("amount");
	amount.setValue(0);
	tr.addElement(new TD(amount));
	t1.addElement(tr);

	ec.addElement(t1);
	ec.addElement(new BR());
	ec.addElement(new BR());

	ec.addElement(new PRE());
	Input b = new Input();
	b.setType(Input.BUTTON);
	b.setName("confirm");
	b.addAttribute("id", "confirm");
	b.setValue("Confirm");
	b.setOnClick("processData();");
	ec.addElement(b);

	ec.addElement(new BR());
	Div div = new Div();
	div.addAttribute("name", "resultsDiv");
	div.addAttribute("id", "resultsDiv");
	div.setStyle("font-weight: bold;color:red;");
	ec.addElement(div);

	return ec;
    }


    protected Category getDefaultCategory()
    {
	return Category.AJAX_SECURITY;
    }


    protected List<String> getHints(WebSession s)
    {
	List<String> hints = new ArrayList<String>();
	hints.add("Check the javascript in the HTML source.");
	hints
		.add("Check how the application calls a specific javascript function to execute the transaction.");
	hints
		.add("Check the javascript functions processData and submitData()");
	hints
		.add("Function submitData() is the one responsible for actually ececuting the transaction.");
	hints
		.add("Check if your browser supports running javascript from the address bar.");
	hints.add("Try to navigate to 'javascript:submitData(1234556,11000);'");
	return hints;

    }


    protected Integer getDefaultRanking()
    {
	return DEFAULT_RANKING;
    }


    /**
     *  Gets the title attribute of the HelloScreen object
     *
     * @return    The title value
     */
    public String getTitle()
    {
	return ("Silent Transactions Attacks");
    }


    public Element getCredits()
    {
	return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO);
    }

}