Files
webgoat
main
project
JavaSource
WebContent
META-INF
WEB-INF
css
database
images
javascript
lesson_plans
lesson_template
lessons
ConfManagement
CrossSiteScripting
DBCrossSiteScripting
images
DBCrossSiteScripting.css
DBCrossSiteScripting.jsp
EditProfile.jsp
ListStaff.jsp
Login.jsp
SearchStaff.jsp
ViewProfile.jsp
error.jsp
DBSQLInjection
General
GoatHillsFinancial
RoleBasedAccessControl
SQLInjection
XPATHInjection
users
main.jsp
sideWindow.jsp
webgoat.jsp
webgoat_challenge.jsp
doc
build.xml
HOW TO create the WebGoat workspace.txt
WAR Installation Instructions.txt
build.xml
eclipse.bat
readme.txt
webgoat.bat
webgoat.sh
webgoat_8080.bat
webscarab.bat
rogan.dawes d1fe861a75 Add a DB Cross Site Scripting lesson
git-svn-id: http://webgoat.googlecode.com/svn/trunk@173 4033779f-a91e-0410-96ef-6bf7bf53c507
2007-07-11 12:56:13 +00:00

37 lines
1.6 KiB
Plaintext
Executable File

<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.DBCrossSiteScripting.DBCrossSiteScripting"
errorPage="" %>
<div id="lesson_login">
<div id="lesson_login_txt">
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
%>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<label>
<select name="<%=DBCrossSiteScripting.EMPLOYEE_ID%>">
<%
Vector attrs = new Vector();
Enumeration ee = session.getAttributeNames();
while (ee.hasMoreElements())
attrs.add(ee.nextElement());
//System.out.println("Login.jsp inspecting session attributes: " + attrs);
//System.out.println("Retrieving employees list");
List employees = (List) session.getAttribute("DBCrossSiteScripting." + DBCrossSiteScripting.STAFF_ATTRIBUTE_KEY);
Iterator i = employees.iterator();
while (i.hasNext())
{
EmployeeStub stub = (EmployeeStub) i.next();
%>
<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName() + " (" + stub.getRole() + ")"%></option>
<%}%>
</select>
</label>
<br>
<label>Password
<input name="password" type="password" size="10" maxlength="8" />
</label>
<br>
<input type="submit" name="action" value="<%=DBCrossSiteScripting.LOGIN_ACTION%>"/>
</form>
</div>
</div>