/**
 * Builds the message-entry form: a two-row table with a "Title" text input and a
 * "Message" text area, followed by a Submit button in its own paragraph.
 *
 * @param s the current session (not read by this method)
 * @return an element container holding the input table and the button paragraph
 */
protected Element makeInput(WebSession s) {
    Table form = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);

    // Row 1: "Title:" label followed by a single-line text field.
    TR titleRow = new TR();
    titleRow.addElement(new TD(new StringElement(WebGoatI18N.get("Title") + ": ")));
    Input titleField = new Input(Input.TEXT, TITLE, "");
    titleRow.addElement(new TD(titleField));

    // Row 2: top-aligned "Message:" label followed by a 5x60 text area.
    TR messageRow = new TR();
    TD messageLabel = new TD();
    messageLabel.setVAlign("TOP");
    messageLabel.addElement(new StringElement(WebGoatI18N.get("Message") + ": "));
    messageRow.addElement(messageLabel);
    TD messageCell = new TD();
    messageCell.addElement(new TextArea(MESSAGE, 5, 60));
    messageRow.addElement(messageCell);

    form.addElement(titleRow);
    form.addElement(messageRow);

    Element submitButton = ECSFactory.makeButton(WebGoatI18N.get("Submit"));
    ElementContainer container = new ElementContainer();
    container.addElement(form);
    container.addElement(new P().addElement(submitButton));
    return container;
}
/**
 * Lays out the lesson page: the "attack" POST form (whose body comes from wrapForm) is
 * placed in a single cell of a white, borderless layout table that is handed to setContent.
 *
 * @param s the current session, passed through to wrapForm
 */
public void setup(WebSession s) {
    // wrapForm (and through it createContent) runs before the layout is assembled so that any
    // messages it sets have somewhere to be rendered.
    Form attackForm = new Form("attack", Form.POST).setName("form").setEncType("");
    attackForm.addElement(wrapForm(s));

    TD formCell = new TD().setHeight("100%").setVAlign("top").setAlign("left");
    formCell.addElement(attackForm);

    Table layout =
        new Table().setBgColor(HtmlColor.WHITE).setCellSpacing(0).setCellPadding(0).setBorder(0);
    layout.addElement(new TR().addElement(formCell));
    setContent(layout);
}
/**
 * Wraps the lesson content in a full-width container table: a messages row on top, the
 * content row below it, and an empty trailing row.
 *
 * @param s the current session; a null session yields an "Invalid Session" element instead
 * @return the container table, or a StringElement when the session is null
 */
protected Element wrapForm(WebSession s) {
    if (s == null) {
        return new StringElement("Invalid Session");
    }
    Table container =
        new Table().setWidth("100%").setCellSpacing(10).setCellPadding(0).setBorder(0);

    // createContent may set messages on the session, so it MUST run before makeMessages(s).
    Element content = createContent(s);

    TD messagesCell = new TD().setColSpan(2).setVAlign("TOP");
    messagesCell.addElement(makeMessages(s));
    TD contentCell = new TD().setColSpan(2);
    contentCell.addElement(content);

    container.addElement(new TR().addElement(messagesCell));
    container.addElement(new TR().addElement(contentCell));
    container.addElement(new TR());
    return container;
}
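/**
 * Builds the "Message List" panel: one link per stored message whose user_name shares this
 * user's name root (see getNameroot) and whose lesson_type is this lesson's class name.
 *
 * Each link is built by ECSFactory.makeLink from the message title and carries the message
 * number under the NUMBER parameter. Both query inputs are bound as prepared-statement
 * parameters; the trailing "%" is appended to the name root on purpose (see comment below).
 *
 * @param s the current session; supplies the user name and receives the error message
 * @return an element container with an H1 heading and the (possibly empty) link table
 */
public Element makeList(WebSession s) {
    Table list = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
    PreparedStatement statement = null;
    ResultSet results = null;
    try {
        Connection connection = DatabaseUtilities.getConnection(s);
        // edit by Chuck Willis - users chuck-1, chuck-2, etc. see each other's messages but
        // nobody else's, so they can try XSS against "another" user without being confused by
        // unrelated users' scripts. Hence LIKE on the name root instead of an equality test.
        String query = "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?";
        statement =
            connection.prepareStatement(
                query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
        statement.setString(1, getNameroot(s.getUserName()) + "%");
        statement.setString(2, getClass().getName());
        results = statement.executeQuery();
        if (results != null) {
            // One row per message; an empty result set simply leaves the table empty.
            while (results.next()) {
                A link =
                    ECSFactory.makeLink(results.getString(TITLE_COL), NUMBER, results.getInt(NUM_COL));
                list.addElement(new TR().addElement(new TD().addElement(link)));
            }
        }
    } catch (Exception e) {
        s.setMessage(WebGoatI18N.get("ErrorGeneratingMessageList"));
    } finally {
        // The connection comes from DatabaseUtilities and is presumably managed there; the
        // statement and result set are created here and must not leak across requests.
        if (results != null) {
            try {
                results.close();
            } catch (Exception ignored) {
                // best-effort cleanup; the page has already been built
            }
        }
        if (statement != null) {
            try {
                statement.close();
            } catch (Exception ignored) {
                // best-effort cleanup; the page has already been built
            }
        }
    }
    ElementContainer ec = new ElementContainer();
    ec.addElement(new H1(WebGoatI18N.get("MessageList")));
    ec.addElement(list);
    return ec;
}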
/**
 * Builds the "Sign In" panel: a heading, an instruction row, a "*Required Fields" hint,
 * a spacer row, then a user-name row and a password row followed by a Login button.
 *
 * NOTE(review): the source as captured is partly masked ("******") between the
 * "*Password: " label and the second Input, so the construction of input1 (the user-name
 * field) is not visible here; only the password field (Input.PASSWORD, parameter PASSWORD)
 * can be documented with certainty.
 *
 * @param s the current session; only s.isColor() is consulted (adds a border to the table)
 * @return an element container holding the heading and the sign-in table
 */
protected Element makeLogin(WebSession s) {
    ElementContainer ec = new ElementContainer();
    ec.addElement(new H1().addElement("Sign In "));
    Table t = new Table() .setCellSpacing(0) .setCellPadding(2) .setBorder(0) .setWidth("90%") .setAlign("center");
    if (s.isColor()) { t.setBorder(1); }
    // Instruction row spanning both columns.
    TR tr = new TR();
    tr.addElement( new TH() .addElement( "Please sign in to your account. See the OWASP admin if you do not have an account.") .setColSpan(2) .setAlign("left"));
    t.addElement(tr);
    tr = new TR();
    tr.addElement(new TD().addElement("*Required Fields").setWidth("30%"));
    t.addElement(tr);
    // Blank spacer row.
    tr = new TR();
    tr.addElement(new TD().addElement(" ").setColSpan(2));
    t.addElement(tr);
    // Label column for the two credential rows; the inputs are added to the same rows below.
    TR row1 = new TR();
    TR row2 = new TR();
    row1.addElement(new TD(new B(new StringElement("*User Name: "))));
    // The segment after "*Password: " is masked in the captured source; input1 is declared there.
    row2.addElement(new TD(new B(new StringElement("*Password: "******""); Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
    row1.addElement(new TD(input1));
    row2.addElement(new TD(input2));
    t.addElement(row1);
    t.addElement(row2);
    Element b = ECSFactory.makeButton("Login");
    t.addElement(new TR(new TD(b)));
    ec.addElement(t);
    return (ec);
}
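/**
 * Builds the "Shopping Cart" page for this lesson: four editable cart lines, a running
 * total with an "Update Cart" button, the credit-card / access-code fields, and a
 * "Purchase" button. Both buttons invoke the client-side purchase() routine loaded from
 * javascript/eval.js with lessons/Ajax/eval.jsp as its target.
 *
 * The card-number (field2) and access-code (field1) inputs are emitted as raw HTML
 * strings with fixed values rather than from submitted parameters; the author's FIXME about
 * encoding field2 is kept below. The previously read-but-unused field1 parameter and the
 * unused regex are no longer evaluated.
 *
 * @param s the current session; supplies QTY1..QTY4 and isColor(), and receives error
 *     messages
 * @return an element container with the page markup (empty apart from an error message when
 *     building fails)
 */
protected Element createContent(WebSession s) {
    ElementContainer ec = new ElementContainer();
    try {
        checkSuccess(s);
        // FIXME: encode output of field2, then s.setMessage( field2 );
        ec.addElement("<script src='javascript/eval.js'> </script>");
        ec.addElement(new HR().setWidth("90%"));
        ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart ")));

        Table cart =
            new Table()
                .setCellSpacing(0)
                .setCellPadding(2)
                .setBorder(1)
                .setWidth("90%")
                .setAlign("center");
        if (s.isColor()) {
            cart.setBorder(1);
        }
        TR header = new TR();
        header.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%"));
        header.addElement(new TH().addElement("Price").setWidth("10%"));
        header.addElement(new TH().addElement("Quantity").setWidth("3%"));
        header.addElement(new TH().addElement("Total").setWidth("7%"));
        cart.addElement(header);

        // Each line echoes its submitted quantity and contributes quantity * unit price.
        float runningTotal = 0.0f;
        runningTotal +=
            addCartLine(
                s, cart,
                "Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry ",
                "69.99", 69.99f, "QTY1");
        runningTotal +=
            addCartLine(s, cart, "Dynex - Traditional Notebook Case", "27.99", 27.99f, "QTY2");
        runningTotal +=
            addCartLine(
                s, cart,
                "Hewlett-Packard - Pavilion Notebook with Intel® Centrino™",
                "1599.99", 1599.99f, "QTY3");
        runningTotal +=
            addCartLine(
                s, cart,
                "3 - Year Performance Service Plan $1000 and Over ",
                "299.99", 299.99f, "QTY4");
        ec.addElement(cart);

        Table summary =
            new Table()
                .setCellSpacing(0)
                .setCellPadding(2)
                .setBorder(0)
                .setWidth("90%")
                .setAlign("center");
        if (s.isColor()) {
            summary.setBorder(1);
        }
        ec.addElement(new BR());

        TR row = new TR();
        row.addElement(new TD().addElement("The total charged to your credit card:"));
        row.addElement(new TD().addElement("$" + runningTotal));
        row.addElement(new TD().addElement(makePurchaseButton("Update Cart")));
        summary.addElement(row);

        row = new TR();
        row.addElement(new TD().addElement(" ").setColSpan(2));
        summary.addElement(row);

        // Raw HTML inputs with fixed values (see class-level FIXME about encoding field2).
        row = new TR();
        row.addElement(new TD().addElement("Enter your credit card number:"));
        row.addElement(
            new TD()
                .addElement(
                    "<input id='field2' name='field2' type='TEXT' value='4128 3214 0002 1999'>"));
        summary.addElement(row);

        row = new TR();
        row.addElement(new TD().addElement("Enter your three digit access code:"));
        row.addElement(
            new TD().addElement("<input id='field1' name='field1' type='TEXT' value='123'>"));
        summary.addElement(row);

        row = new TR();
        row.addElement(
            new TD().addElement(makePurchaseButton("Purchase")).setColSpan(2).setAlign("right"));
        summary.addElement(row);

        ec.addElement(summary);
        ec.addElement(new BR());
        ec.addElement(new HR().setWidth("90%"));
    } catch (Exception e) {
        s.setMessage("Error generating " + this.getClass().getName());
        e.printStackTrace();
    }
    return ec;
}

/**
 * Appends one cart line to {@code cart}: the description, the unit-price label, a text
 * input named {@code qtyParam} that echoes its submitted value (default "1"), and the line
 * total.
 *
 * @param s the current session the quantity parameters are read from
 * @param cart the table the row is appended to
 * @param description item text for the first column
 * @param priceLabel unit price as displayed (kept separate from the float to preserve the
 *     original display strings exactly)
 * @param unitPrice unit price used for arithmetic
 * @param qtyParam request parameter holding the quantity
 * @return quantity * unitPrice, where the quantity is read via getFloatParameter with 0 as
 *     its default
 */
private float addCartLine(
    WebSession s, Table cart, String description, String priceLabel, float unitPrice,
    String qtyParam) {
    TR row = new TR();
    row.addElement(new TD().addElement(description));
    row.addElement(new TD().addElement(priceLabel).setAlign("right"));
    row.addElement(
        new TD()
            .addElement(
                new Input(Input.TEXT, qtyParam, s.getParser().getStringParameter(qtyParam, "1")))
            .setAlign("right"));
    float quantity = s.getParser().getFloatParameter(qtyParam, 0.0f);
    float lineTotal = quantity * unitPrice;
    row.addElement(new TD().addElement("$" + lineTotal));
    cart.addElement(row);
    return lineTotal;
}

/**
 * Builds an HTML button labelled {@code label} that calls purchase('lessons/Ajax/eval.jsp')
 * when clicked.
 *
 * @param label the button's value attribute
 * @return the configured Input element
 */
private Input makePurchaseButton(String label) {
    Input button = new Input();
    button.setType(Input.BUTTON);
    button.setValue(label);
    button.addAttribute("onclick", "purchase('lessons/Ajax/eval.jsp');");
    return button;
}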
/**
 * Builds the file-viewer page for this lesson: a listing of the lesson's HTML files in a
 * pull-down, a "view file" button and, once a FILE parameter has been submitted, the
 * outcome of the access check plus the attempted file's contents (via displayAttemptedFile).
 *
 * The access check only rejects a path with exactly three parent-directory hops (unless it
 * ends in LICENSE) or more than five hops; other hop counts fall through to the file
 * lookup. Reaching a real file that guideTheAtack did not hand out is the lesson's success
 * condition (makeSuccess below).
 *
 * @param s the current session; supplies the FILE parameter and isColor(), receives messages
 * @return an element container with the listing table and, after a submission, the file view
 */
protected Element createContent(WebSession s) {
    ElementContainer ec = new ElementContainer();
    try {
        Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center");
        if (s.isColor()) { t.setBorder(1); }
        // Files found under the parent of this lesson's directory (presumably the *.html ones,
        // per findHtmlFiles — not visible here); their bare names fill the pull-down.
        List<File> htmlFiles = findHtmlFiles(LessonUtil.getLessonDirectory(s, this).getParentFile());
        List<String> htmlFilenames = Lists.newArrayList( Iterables.transform( htmlFiles, new Function<File, String>() { @Override public String apply(File input) { return input.getName(); } }));
        String[] list = htmlFilenames.toArray(new String[htmlFilenames.size()]);
        // NOTE(review): htmlFiles.get(0) throws when the list is empty; the catch below then
        // reports a generic "ErrorGenerating" message instead of an empty listing.
        String listing = " <p><B>" + getLabelManager().get("CurrentDirectory") + "</B> " + Encoding.urlDecode(htmlFiles.get(0).getParent()) + "<br><br>" + getLabelManager().get("ChooseFileToView") + "</p>";
        TR tr = new TR();
        tr.addElement(new TD().setColSpan(2).addElement(new StringElement(listing)));
        t.addElement(tr);
        tr = new TR();
        tr.addElement( new TD().setWidth("35%").addElement(ECSFactory.makePulldown(FILE, list, "", 15)));
        tr.addElement(new TD().addElement(ECSFactory.makeButton(getLabelManager().get("ViewFile"))));
        t.addElement(tr);
        ec.addElement(t);
        // FIXME: would be cool to allow encodings here -- hex, percent,
        // url, etc...
        final String file = s.getParser().getRawParameter(FILE, "");
        if (!file.equals("")) // first time in or missing parameter - just kick out
        {
            // defuse file searching
            boolean illegalCommand = true;
            // allow them to look at any file in the webgoat hierachy.
            // Don't allow them to look about the webgoat root,
            // except to see the LICENSE file
            // Only "== 3" and "> 5" parent hops are refused; 1, 2, 4 and 5 hops pass through.
            // NOTE(review): setMessage is called twice in a row here; presumably messages
            // accumulate on the session rather than overwrite — confirm.
            if (upDirCount(file) == 3 && !file.endsWith("LICENSE")) {
                s.setMessage(getLabelManager().get("AccessDenied"));
                s.setMessage(getLabelManager().get("ItAppears1"));
            } else {
                if (upDirCount(file) > 5) {
                    s.setMessage(getLabelManager().get("AccessDenied"));
                    s.setMessage(getLabelManager().get("ItAppears2"));
                } else {
                    illegalCommand = false;
                }
            }
            // provide a little guidance to help them along. If the allowed file comes back as
            // null we have the potential for a real attack vector
            File allowedFile = guideTheAtack(s, file, htmlFiles);
            if (!illegalCommand) {
                // The submitted value is concatenated onto the lessonPlans/en path without
                // canonicalisation; only the success message uses the canonical path.
                File attemptedFile = new File(LessonUtil.getLessonDirectory(s, this) + "/lessonPlans/en/" + file);
                if (allowedFile == null) {
                    // We have a potential attack
                    // (file is never null here: getRawParameter was given "" as its default.)
                    if (file != null && attemptedFile.isFile() && attemptedFile.exists()) {
                        // They have accessed something meaningful
                        s.setMessage( getLabelManager().get("CongratsAccessToFileAllowed") + " ==> " + Encoding.urlDecode(attemptedFile.getCanonicalPath()));
                        makeSuccess(s);
                    } else if (file != null && file.length() != 0) {
                        s.setMessage( getLabelManager().get("AccessToFileDenied1") + Encoding.urlDecode(file) + getLabelManager().get("AccessToFileDenied2"));
                    } else {
                        // do nothing, probably entry screen
                    }
                } else {
                    attemptedFile = allowedFile;
                }
                displayAttemptedFile(ec, attemptedFile);
            }
        }
    } catch (Exception e) {
        s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
        e.printStackTrace();
    }
    return (ec);
}
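/**
 * Renders this button as a 3x3 "frame" table — the eight border cells carry a 1x1 spacer
 * image and a btn_* CSS class, the centre cell carries the real button element — wrapped in
 * a span with id getId() + "_sspan", writes it to {@code out}, then runs initJaveScript().
 *
 * Icon handling: with a src and no label the button is sized to iconWidth x iconHeight
 * with the icon as a centred transparent background; with both, the label sits right of
 * the icon (default) or below it when displayMode == DISPLAY_MODE_VERTICAL.
 *
 * The onclick handler fires the ACTION client event; with a confirm message it is wrapped
 * in a JS confirm and, as in the original, no " return false;" suffix is appended in that
 * branch. The earlier unconditional setOnClick the original performed was always overwritten
 * by this if/else and has been dropped, as has the unused local spacer image.
 *
 * @param out the writer the markup is written to
 */
protected void endHTML(PrintWriter out) {
    Span span = new Span();
    Table table = new Table();
    TD topLeft = new TD();
    TD topCenter = new TD();
    TD topRight = new TD();
    TD midLeft = new TD();
    TD midCenter = new TD();
    TD midRight = new TD();
    TD botLeft = new TD();
    TD botCenter = new TD();
    TD botRight = new TD();
    Span textContainer = new Span();
    org.apache.ecs.html.Button button = new org.apache.ecs.html.Button();
    // NOTE(review): read but never applied to the button (the original did not either); kept
    // so the context lookup still happens — confirm whether it should disable the button.
    boolean disabled = getContext().processBool(getId() + ".disabled");

    // Rows and cells in display order.
    table.addElement(new TR().addElement(topLeft).addElement(topCenter).addElement(topRight));
    table.addElement(new TR().addElement(midLeft).addElement(midCenter).addElement(midRight));
    table.addElement(new TR().addElement(botLeft).addElement(botCenter).addElement(botRight));

    // Every frame cell except the centre gets a 1x1 spacer image and its own CSS class.
    TD[] frameCells = {topLeft, topCenter, topRight, midLeft, midRight, botLeft, botCenter, botRight};
    String[] frameClasses = {"btn_lt", "btn_ct", "btn_rt", "btn_lm", "btn_rm", "btn_lb", "btn_cb", "btn_rb"};
    for (int i = 0; i < frameCells.length; i++) {
        frameCells[i].addElement(new IMG("./images/wgt/1.gif"));
        frameCells[i].setClass(frameClasses[i]);
    }
    midCenter.setClass("btn_cm");

    table.setCellPadding(0);
    table.setCellSpacing(0);
    table.setBorder(0);

    button.setClass("btn_btn");
    button.setID(getId() + "_btn");
    midCenter.addElement(button);
    textContainer.setID(id4Text());
    textContainer.setClass("btn_txt");

    String src = getSrc();
    String label = this.getLabel();
    boolean hasIcon = StringUtils.isNotEmpty(src);
    boolean hasLabel = StringUtils.isNotEmpty(label);

    if (hasIcon) {
        if (!hasLabel) {
            // Icon-only button: size the button itself to the icon.
            button.setStyle(
                "width:" + iconWidth + "px;height:" + iconHeight + "px;background: transparent url("
                    + src + ") no-repeat; background-position: center;");
        } else {
            button.setStyle("background: transparent url(" + src + ") no-repeat;");
        }
    }
    if (hasLabel) {
        if (hasIcon && iconWidth > -1) {
            if (displayMode == DISPLAY_MODE_VERTICAL) {
                // image on top: push the text down by the icon height
                String style = button.getAttribute("style");
                button.setStyle(
                    style + "background-position: center top;padding-top:" + iconHeight + "px;");
            } else {
                // image on the left: indent the text by the icon width
                textContainer.setStyle("padding-left: " + iconWidth + "px;");
            }
        }
        textContainer.addElement(label);
        button.addElement(textContainer);
    }

    if (this.hasStyle()) {
        table.setStyle(this.getStyleAsString());
    }
    midCenter.setID(getId());

    // A click fires the ACTION client event; with a confirm message the event is wrapped in a
    // JS confirm dialog first.
    if (getConfirmMsg() != null) {
        button.setOnClick(
            JSUtil.jsConfirm(
                TextService.getString(getConfirmMsg()),
                JSUtil.jsFireEvent(getId(), ClientEvent.TYPE_ACTION)));
    } else {
        button.setOnClick(JSUtil.jsFireEvent(getId(), ClientEvent.TYPE_ACTION) + " return false;");
    }

    span.addElement(table);
    span.setID(getId() + "_sspan");
    if (block && isVisible()) {
        span.setStyle("display:block;");
    }
    span.output(out);
    this.initJaveScript();
}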
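/**
 * Builds the WSDL-scanning lesson page: an account-number field plus a multi-select of
 * result fields, then — when both parameters were submitted — a results table filled by
 * calling the WSDLScanning service once per selected field, and finally a link to the
 * service's WSDL.
 *
 * Completion bookkeeping: {@code completed} is set elsewhere (not in this block). On the
 * first pass with it set and the tracker not yet complete, the lesson is marked solved and
 * {@code beenRestartedYet} raised; on the following pass both flags are reset.
 *
 * @param s the current session; supplies the "field"/"id" parameters, the server port and
 *     isColor(), and receives messages
 * @return an element container with the form, the optional results table and the WSDL link
 */
protected Element createContent(WebSession s) {
    ElementContainer ec = new ElementContainer();
    ec.addElement(makeQueryForm(s));

    // Results: one column per selected field, each looked up through the WSDLScanning service.
    try {
        String[] fields = s.getParser().getParameterValues("field");
        int id = s.getParser().getIntParameter("id");
        if (fields == null) {
            // Nothing selected: treat as empty so the hint below is reachable instead of an NPE.
            fields = new String[0];
        }
        Table resultTable = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1);
        if (s.isColor()) {
            resultTable.setBorder(1);
        }
        TR header = new TR();
        TR values = new TR();
        int port = s.getRequest().getServerPort();
        for (String field : fields) {
            header.addElement(new TD().addElement(field));
            values.addElement(
                new TD()
                    .addElement(
                        (String)
                            accessWGService(
                                s, "WSDLScanning", port, field, "acct_num", Integer.valueOf(id))));
        }
        if (fields.length == 0) {
            s.setMessage("Please select a value to return.");
        }
        resultTable.addElement(header);
        resultTable.addElement(values);
        ec.addElement(new P().addElement(resultTable));
    } catch (Exception ignored) {
        // "id" (and usually "field") is absent on the first visit, so the parameter lookups
        // presumably throw here; the form above is still rendered, hence deliberately silent.
    }

    try {
        ec.addElement(
            new P()
                .addElement(
                    "View the web services definition language (WSDL) to see the complete API:"));
        ec.addElement(new BR());
        ec.addElement(new A("services/WSDLScanning?WSDL", "WebGoat WSDL File"));

        // Same two branches as before: first pass marks success, the next resets the flags.
        if (completed && !getLessonTracker(s).getCompleted()) {
            if (!beenRestartedYet) {
                makeSuccess(s);
                beenRestartedYet = true;
            } else {
                completed = false;
                beenRestartedYet = false;
            }
        }
    } catch (Exception e) {
        s.setMessage("Error generating " + this.getClass().getName());
        e.printStackTrace();
    }
    return ec;
}

/**
 * Builds the query form: an account-number text field (default "101"), a multi-select of
 * the firstName / lastName / loginCount fields, and a centred Submit button.
 *
 * @param s the current session; only isColor() is consulted (adds a border)
 * @return the form table
 */
private Table makeQueryForm(WebSession s) {
    Table form = new Table().setCellSpacing(0).setCellPadding(2);
    if (s.isColor()) {
        form.setBorder(1);
    }
    TR row = new TR();
    row.addElement(new TD("Enter your account number: "));
    row.addElement(new TD(new Input(Input.TEXT, "id", "101")));
    form.addElement(row);

    row = new TR();
    row.addElement(new TD("Select the fields to return: "));
    row.addElement(
        new TD(
            new Select("field")
                .setMultiple(true)
                .addElement(new Option(firstName).addElement("First Name"))
                .addElement(new Option(lastName).addElement("Last Name"))
                .addElement(new Option(loginCount).addElement("Login Count"))));
    form.addElement(row);

    row = new TR();
    row.addElement(new TD(ECSFactory.makeButton("Submit")).setAlign("CENTER").setColSpan(2));
    form.addElement(row);
    return form;
}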
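/**
 * Renders the message selected by the NUMBER parameter: a heading, a title / message /
 * posted-by table, and — when the stored body contains an opening and closing script tag
 * plus "alert" — marks the lesson solved.
 *
 * The message body is emitted as a raw StringElement, so stored markup is rendered rather
 * than escaped; that is exactly what the success check relies on. Query inputs are bound as
 * prepared-statement parameters; the "%" appended to the name root is intentional (see the
 * comment below).
 *
 * @param s the current session; supplies NUMBER and the user name, and receives messages
 * @return an element container with the message view, a "could not find" paragraph when a
 *     non-zero number matched nothing, or nothing at all on the entry screen
 */
protected Element makeCurrent(WebSession s) {
    ElementContainer ec = new ElementContainer();
    PreparedStatement statement = null;
    ResultSet results = null;
    try {
        int messageNum = s.getParser().getIntParameter(NUMBER, 0);
        Connection connection = DatabaseUtilities.getConnection(s);
        // edit by Chuck Willis - users chuck-1, chuck-2, etc. see each other's messages but
        // nobody else's, so they can try XSS against "another" user without being confused by
        // unrelated users' scripts. Hence LIKE on the name root instead of an equality test.
        String query =
            "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
        statement =
            connection.prepareStatement(
                query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
        statement.setString(1, getNameroot(s.getUserName()) + "%");
        statement.setInt(2, messageNum);
        statement.setString(3, this.getClass().getName());
        results = statement.executeQuery();
        if ((results != null) && results.first()) {
            ec.addElement(
                new H1(WebGoatI18N.get("MessageContentsFor") + ": " + results.getString(TITLE_COL)));
            Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);

            TR row1 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Title") + ":"))));
            row1.addElement(new TD(new StringElement(results.getString(TITLE_COL))));
            t.addElement(row1);

            // Rendered unescaped on purpose (stored-XSS lesson).
            String messageData = results.getString(MESSAGE_COL);
            TR row2 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Message") + ":"))));
            row2.addElement(new TD(new StringElement(messageData)));
            t.addElement(row2);

            // Edited by Chuck Willis - show who posted the message, so that if a user is made to
            // post via CSRF or XSS, the message is visibly attributed to that user.
            TR row3 = new TR(new TD(new StringElement(WebGoatI18N.get("PostedBy") + ":")));
            row3.addElement(new TD(new StringElement(results.getString(USER_COL))));
            t.addElement(row3);
            ec.addElement(t);

            // Success heuristic: the stored body must contain <script>, </script> and "alert"
            // (case-insensitive). A NULL column no longer throws here.
            if (messageData != null) {
                String lower = messageData.toLowerCase();
                if (lower.contains("<script>") && lower.contains("</script>") && lower.contains("alert")) {
                    makeSuccess(s);
                }
            }
        } else if (messageNum != 0) {
            ec.addElement(new P().addElement(WebGoatI18N.get("CouldNotFindMessage") + messageNum));
        }
    } catch (Exception e) {
        s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
        e.printStackTrace();
    } finally {
        // The connection comes from DatabaseUtilities and is presumably managed there; the
        // statement and result set are created here and must not leak across requests.
        if (results != null) {
            try {
                results.close();
            } catch (Exception ignored) {
                // best-effort cleanup; the page has already been built
            }
        }
        if (statement != null) {
            try {
                statement.close();
            } catch (Exception ignored) {
                // best-effort cleanup; the page has already been built
            }
        }
    }
    return ec;
}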