6a96547ef0
git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@485 4033779f-a91e-0410-96ef-6bf7bf53c507
39 lines
1.4 KiB
Plaintext
39 lines
1.4 KiB
Plaintext
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" import="java.util.regex.*" import="org.owasp.webgoat.lessons.DangerousEval"
|
|
pageEncoding="ISO-8859-1"%>
|
|
<%
|
|
String action = request.getParameter("action");
|
|
String field1 = request.getParameter("field1");
|
|
String field2 = request.getParameter("field2");
|
|
String regex1 = "^[0-9]{3}$";// any three digits
|
|
Pattern pattern1 = Pattern.compile(regex1);
|
|
|
|
if(action == null) action = "Purchase";
|
|
if(field1 == null) field1 = "123";
|
|
if(field2 == null) field2 = "-1";
|
|
|
|
/** For security reasons, we remove all '<' and '>' characters to prevent XSS **/
|
|
// Thank you Victor Bucutea for noticing replaceAll only cleans taint to the return value.
|
|
field1 = field1.replaceAll("<", "");
|
|
field1 = field1.replaceAll(">", "");
|
|
field2 = field2.replaceAll("<", "");
|
|
field2 = field2.replaceAll(">", "");
|
|
|
|
if("Purchase".equals(action))
|
|
{
|
|
if(!pattern1.matcher(field1).matches())
|
|
{
|
|
/** If they supplied the right attack, pass them **/
|
|
if(field1.indexOf("');") != -1 && field1.indexOf("alert") != -1 && field1.indexOf("document.cookie") != -1)
|
|
{
|
|
session.setAttribute(DangerousEval.PASSED, "true");
|
|
}
|
|
|
|
out.write("alert('Whoops: You entered an incorrect access code of \"" + field1 + "\"');");
|
|
}
|
|
else
|
|
{
|
|
out.write("alert('Purchase completed successfully with credit card \"" + field2 + "\" and access code \"" + field1 + "\"');");
|
|
}
|
|
}
|
|
%>
|