git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@287 4033779f-a91e-0410-96ef-6bf7bf53c507
/**
 *
 */
package org.owasp.webgoat.lessons;
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.io.IOException;
import java.io.FileInputStream;
import org.xml.sax.InputSource;
import org.w3c.dom.NodeList;
import org.w3c.dom.Node;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathExpressionException;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.Table;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.B;
import org.apache.ecs.html.PRE;
import org.apache.ecs.HtmlColor;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.session.ECSFactory;
/***************************************************************************************************
 *
 *
 * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
 * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
 * This program is free software; you can redistribute it and/or modify it under the terms of the
 * GNU General Public License as published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
 * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along with this program; if
 * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
 * 02111-1307, USA.
 *
 * Getting Source ==============
 *
 * Source for this application is maintained at code.google.com, a repository for free software
 * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
 *
 * @author Sherif Koussa <a href="http://www.macadamian.com">Macadamian Technologies.</a>
 * @created November 28, 2006
 */
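/**
 * WebGoat lesson demonstrating XPath injection.
 *
 * The page shows a username/password form. Once both fields are submitted, the lesson
 * concatenates the raw parameter values into an XPath predicate, runs it against
 * EmployeesData.xml and lists every employee node it matches. The string-built query is
 * the point of the lesson and is deliberately left in place; see
 * {@link #findEmployees(WebSession, String, String)}.
 */
public class XPATHInjection extends LessonAdapter
{

    // Integer.valueOf: same value as the boxing constructor, without a needless allocation.
    private final static Integer DEFAULT_RANKING = Integer.valueOf(74);

    /** Request parameter name of the username field. */
    private final static String USERNAME = "Username";

    /** Request parameter name of the password field. */
    private final static String PASSWORD = "Password";

    private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt("Macadamian Technologies")
            .setBorder(0).setHspace(0).setVspace(0);

    /** Path, relative to the web application root, of the XML file the login query runs against. */
    private final static String EMPLOYEE_DATA_PATH = "/lessons/XPATHInjection/EmployeesData.xml";

    /**
     * Renders the lesson page: the login form and, once both fields are submitted, the
     * employee rows selected by the XPath login query.
     *
     * A legitimate login selects a single employee; {@link #makeSuccess(WebSession)} is
     * called when the query matches more than one, i.e. when the predicate was subverted.
     *
     * @param s the current WebGoat session (request parameters, servlet context, messages)
     * @return the page content; on an I/O, argument or XPath failure the form is still
     *         returned and the error is recorded on the session via {@code setMessage}
     */
    protected Element createContent(WebSession s)
    {
        ElementContainer ec = new ElementContainer();

        try
        {
            ec.addElement(new BR().addElement(new H1().addElement("Welcome to WebGoat employee intranet")));
            ec.addElement(new BR());
            ec.addElement(buildLoginForm());

            String username = s.getParser().getRawParameter(USERNAME, "");
            if (username == null || username.length() == 0)
            {
                ec.addElement(new P().addElement(new StringElement("Username is a required field")));
                return ec;
            }

            String password = s.getParser().getRawParameter(PASSWORD, "");
            if (password == null || password.length() == 0)
            {
                ec.addElement(new P().addElement(new StringElement("Password is a required field")));
                return ec;
            }

            NodeList nodes = findEmployees(s, username, password);
            // Build the rows before deciding on success, preserving the original ordering.
            Table results = buildResultTable(nodes);

            // More than one matching employee means the login predicate was bypassed.
            if (nodes.getLength() > 1)
            {
                makeSuccess(s);
            }

            if (results != null)
            {
                ec.addElement(new PRE());
                ec.addElement(results);
            }
        }
        catch (IOException e)
        {
            reportError(s, e);
        }
        catch (IllegalArgumentException e)
        {
            reportError(s, e);
        }
        catch (XPathExpressionException e)
        {
            reportError(s, e);
        }
        return ec;
    }

    /**
     * Builds the username/password form table shown at the top of the page.
     *
     * @return the populated form table (the submit button is the last row)
     */
    private Table buildLoginForm()
    {
        Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center");

        TR tr = new TR();
        tr.addElement(new TH().addElement("Please confirm your username and password before viewing your profile.")
                .setColSpan(2).setAlign("left"));
        t1.addElement(tr);

        tr = new TR();
        tr.addElement(new TD().addElement("*Required Fields").setWidth("30%").setColSpan(2).setAlign("left"));
        t1.addElement(tr);

        tr = new TR();
        tr.addElement(new TD().addElement(" ").setWidth("30%").setColSpan(2).setAlign("left"));
        t1.addElement(tr);

        tr = new TR();
        tr.addElement(new TD(new B(new StringElement("*User Name: "))));
        Input input1 = new Input(Input.TEXT, USERNAME, "");
        tr.addElement(new TD(input1));
        t1.addElement(tr);

        tr = new TR();
        tr.addElement(new TD(new B(new StringElement("*Password: "))));
        Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
        tr.addElement(new TD(input2));
        t1.addElement(tr);

        Element b = ECSFactory.makeButton("Submit");
        t1.addElement(new TR(new TD(b)));
        return t1;
    }

    /**
     * Evaluates the lesson's login query against the employee XML file.
     *
     * Intentionally vulnerable: {@code username} and {@code password} are concatenated
     * straight into the XPath predicate, so quote characters in either value change the
     * query's structure. Real code must bind user input as XPath variables (an
     * {@code XPathVariableResolver}) instead of building the expression as a string.
     *
     * The file stream is closed in a {@code finally} block; the original left it open.
     *
     * @param s session used to resolve the data file's real path
     * @param username raw username parameter
     * @param password raw password parameter
     * @return the employee nodes matched by the predicate (possibly empty)
     * @throws IOException if the data file cannot be opened or read
     * @throws XPathExpressionException if the assembled expression is not valid XPath
     */
    private NodeList findEmployees(WebSession s, String username, String password)
            throws IOException, XPathExpressionException
    {
        String dir = s.getContext().getRealPath(EMPLOYEE_DATA_PATH);
        File d = new File(dir);
        XPath xPath = XPathFactory.newInstance().newXPath();

        String expression = "/employees/employee[loginID/text()='" + username + "' and passwd/text()='" + password
                + "']";

        FileInputStream in = new FileInputStream(d);
        try
        {
            return (NodeList) xPath.evaluate(expression, new InputSource(in), XPathConstants.NODESET);
        }
        finally
        {
            in.close();
        }
    }

    /**
     * Builds the results table: a header row plus one row per matched employee.
     *
     * Each employee node's text content is split on whitespace and tokens 1, 2 and 4 are
     * shown as username, account number and salary. Which fields land at those positions
     * depends on the element order in EmployeesData.xml; an employee with fewer tokens
     * would raise an ArrayIndexOutOfBoundsException, as in the original code.
     *
     * @param nodes the matched employee nodes
     * @return the table, or {@code null} when there are no matches so the caller omits it
     */
    private Table buildResultTable(NodeList nodes)
    {
        int nodesLength = nodes.getLength();
        if (nodesLength == 0)
        {
            return null;
        }

        Table t2 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(1).setWidth("90%").setAlign("center");
        TR tr = new TR();
        tr.setBgColor(HtmlColor.GRAY);
        tr.addElement(new TD().addElement("Username"));
        tr.addElement(new TD().addElement("Account No."));
        tr.addElement(new TD().addElement("Salary"));
        t2.addElement(tr);

        for (int i = 0; i < nodesLength; i++)
        {
            Node node = nodes.item(i);
            String[] arrTokens = node.getTextContent().split("[\\t\\s\\n]+");

            tr = new TR();
            tr.addElement(new TD().addElement(arrTokens[1]));
            tr.addElement(new TD().addElement(arrTokens[2]));
            tr.addElement(new TD().addElement(arrTokens[4]));
            t2.addElement(tr);
        }
        return t2;
    }

    /**
     * Records a page-generation failure on the session and dumps the stack trace,
     * exactly as each of the original catch blocks did.
     *
     * @param s session to record the message on
     * @param e the failure
     */
    private void reportError(WebSession s, Exception e)
    {
        s.setMessage("Error generating " + this.getClass().getName());
        e.printStackTrace();
    }

    /**
     * @return the lesson credits line with the Macadamian logo
     */
    public Element getCredits()
    {
        return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO);
    }

    /**
     * @return the menu category this lesson is filed under
     */
    protected Category getDefaultCategory()
    {
        return Category.INJECTION;
    }

    /**
     * @return {@code false}; the lesson is visible in the menu by default
     */
    protected boolean getDefaultHidden()
    {
        return false;
    }

    /**
     * @return the lesson's default position within its category
     */
    protected Integer getDefaultRanking()
    {
        return DEFAULT_RANKING;
    }

    /**
     * Returns the hints shown to the user, from general to specific.
     *
     * @param s the current session (unused)
     * @return the hint texts in display order
     */
    protected List<String> getHints(WebSession s)
    {
        List<String> hints = new ArrayList<String>();
        hints.add("Remember that the data is stored in XML format.");
        hints.add("The system is using XPath to query.");
        hints.add("XPath is almost the same thing as SQL, the same hacking techniques apply too.");
        hints.add("Try username: Smith' or 1=1 or 'a'='a and a password: anything ");
        return hints;
    }

    /**
     * @return the lesson title shown in the menu
     */
    public String getTitle()
    {
        return "XPATH Injection";
    }

}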