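/**
   * Checks the submitted sign-in form against the lesson's two fixed accounts
   * (webgoat/webgoat and aspect/aspect). On a match it issues the AUTHCOOKIE
   * "remember me" cookie carrying {@code encode("<user>12345")} and returns the
   * user name; otherwise it returns null.
   *
   * <p>NOTE(review): the credentials are hard-coded lesson fixtures, and the
   * cookie is issued without HttpOnly/Secure. checkCookie() in this file awards
   * lesson success when alice's cookie is presented, which suggests the lesson
   * relies on the cookie being readable by script, so that is deliberately left
   * as-is here. A real application would set both flags and never embed
   * credentials in code.
   *
   * @param s the current web session (request parameters and response)
   * @return the authenticated user name, or null when a field is empty or the
   *         pair does not match a fixed account
   * @exception Exception propagated from the parameter parser or encode()
   */
  protected String checkParams(WebSession s) throws Exception {
    String username = s.getParser().getStringParameter(USERNAME, "");
    String password = s.getParser().getStringParameter(PASSWORD, "");

    // Both fields are required; an empty form is treated as "not logged in" with no message.
    if (username.length() == 0 || password.length() == 0) {
      return null;
    }

    String loginID = null;
    if (username.equals("webgoat") && password.equals("webgoat")) {
      loginID = encode("webgoat12345");
    } else if (username.equals("aspect") && password.equals("aspect")) {
      loginID = encode("aspect12345");
    }

    // Fix: the original tested `loginID != ""`, a reference comparison that only
    // worked because the initial value was the interned literal. Compare content.
    if (loginID == null || loginID.length() == 0) {
      s.setMessage("Invalid username and password entered.");
      return null;
    }

    Cookie newCookie = new Cookie(AUTHCOOKIE, loginID);
    s.setMessage("Your identity has been remembered");
    s.getResponse().addCookie(newCookie);

    return username;
  }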
  /**
   * Builds the lesson page. A LOGOUT request clears the cookies and shows the
   * sign-in form; otherwise the user is authenticated from the AUTHCOOKIE
   * cookie first and from the submitted form second, falling back to the
   * sign-in form when neither succeeds.
   *
   * @param s the current web session
   * @return the user page (makeUser) when authenticated, else the login form
   */
  protected Element createContent(WebSession s) {
    boolean wantsLogout = s.getParser().getBooleanParameter(LOGOUT, false);

    if (wantsLogout) {
      s.setMessage("Goodbye!  Your password has been forgotten");
      s.eatCookies();
      return makeLogin(s);
    }

    try {
      // A valid cookie takes precedence over a freshly submitted form.
      String fromCookie = checkCookie(s);
      if (fromCookie != null && fromCookie.length() > 0) {
        return makeUser(s, fromCookie, "COOKIE");
      }

      String fromForm = checkParams(s);
      if (fromForm != null && fromForm.length() > 0) {
        return makeUser(s, fromForm, "PARAMETERS");
      }
    } catch (Exception e) {
      s.setMessage("Error generating " + this.getClass().getName());
      e.printStackTrace();
    }

    return makeLogin(s);
  }
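  /**
   * Inserts a new message-board post for the current user.
   *
   * <p>The title is HTML-encoded before storage but the message body is stored
   * raw, and makeCurrent() in this file renders it unescaped and checks it for
   * a script tag; the stored XSS is what this lesson exercises, so the body is
   * intentionally not encoded here.
   *
   * <p>Fixes relative to the previous version: the PreparedStatement is always
   * closed, and a null exception message no longer throws an NPE inside the
   * catch block.
   *
   * @param s the current web session (form parameters, user name, DB connection)
   */
  protected void addMessage(WebSession s) {
    try {
      String title = HtmlEncoder.encode(s.getParser().getRawParameter(TITLE, ""));
      String message = s.getParser().getRawParameter(MESSAGE, "");

      // The connection is handed out by DatabaseUtilities; its lifetime is not
      // visible here, so only the statement created below is closed.
      Connection connection = DatabaseUtilities.getConnection(s);

      String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )";

      PreparedStatement statement =
          connection.prepareStatement(
              query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
      try {
        // NOTE(review): count is a field declared outside this view; count++ is not
        // atomic, so concurrent posts could collide on the num column.
        statement.setInt(1, count++);
        statement.setString(2, title);
        statement.setString(3, message);
        statement.setString(4, s.getUserName());
        statement.setString(5, this.getClass().getName());
        statement.execute();
      } finally {
        statement.close();
      }
    } catch (Exception e) {
      // ignore the empty resultset on the insert. There are a few more SQL Injection errors
      // that could be trapped here but we will let them try. One error would be something
      // like "Characters found after end of SQL statement."
      String detail = e.getMessage();
      if (detail == null || detail.indexOf("No ResultSet was produced") == -1) {
        s.setMessage(WebGoatI18N.get("CouldNotAddMessage"));
      }
      e.printStackTrace();
    }
  }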
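 /**
  * Resolves the User behind a session id via the web session manager and the
  * EUARE backend.
  *
  * <p>Fix: the session id is no longer embedded in the exception message.
  * A session identifier is a bearer credential, and RuntimeException messages
  * routinely end up in logs and error responses.
  *
  * @param sessionId the client-supplied session identifier to verify
  * @return the user associated with the session
  * @throws RuntimeException if the session is unknown or the backend lookup fails
  */
 private User getUserFromSession(String sessionId) {
   WebSession ws = WebSessionManager.getInstance().getSession(sessionId);
   if (ws == null) {
     throw new RuntimeException("Session verification failed: unknown session");
   }
   try {
     return EuareWebBackend.getUser(ws.getUserName(), ws.getAccountName());
   } catch (EucalyptusServiceException ex) {
     // Keep the cause so the backend failure is still diagnosable.
     throw new RuntimeException("Session verification failed", ex);
   }
 }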
 /**
  * GWT service entry point that opens a conversation: binds an ilarkesto
  * Context named "gwt-srv:startSession" to the current thread, runs the
  * start hooks, and returns the next data object queued on the conversation.
  *
  * @param conversationNumber the requested conversation number (not consulted:
  *     the session is always asked for conversation -1)
  * @return the next data transfer object popped from the conversation
  */
 @Override
 public DataTransferObject startConversation(int conversationNumber) {
   log.debug("startConversation");
   WebSession webSession = (WebSession) getSession();
   GwtConversation conv = webSession.getGwtConversation(-1);

   ilarkesto.di.Context ctx = ilarkesto.di.Context.get();
   ctx.setName("gwt-srv:startSession");
   ctx.bindCurrentThread();

   try {
     onStartConversation(conv);
     onServiceMethodExecuted(ctx);
   } catch (Throwable problem) {
     // Every failure, including Errors, is routed through the common handler.
     handleServiceMethodException(conv.getNumber(), "startSession", problem);
   }

   return (scrum.client.DataTransferObject) conv.popNextData();
 }
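  /**
   * Returns the value of the AUTHCOOKIE cookie sent with the current request.
   *
   * <p>Fix: if the request object follows the Servlet API, getCookies()
   * returns null when no Cookie header was sent, which previously caused a
   * NullPointerException on a first visit. The null case now yields null,
   * the same as "cookie not present".
   *
   * @param s the current web session
   * @return the cookie value, or null if the request carries no such cookie
   */
  protected String getCookie(WebSession s) {
    Cookie[] cookies = s.getRequest().getCookies();
    if (cookies == null) {
      return null;
    }

    // Name match is case-insensitive, as before (more permissive than the
    // case-sensitive cookie names of RFC 6265; kept to preserve behaviour).
    for (Cookie candidate : cookies) {
      if (candidate.getName().equalsIgnoreCase(AUTHCOOKIE)) {
        return candidate.getValue();
      }
    }

    return null;
  }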
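  /**
   * Renders the titles of the messages visible to the current user as a table
   * of links, one per message, each carrying that message's number.
   *
   * <p>Visibility is by user-name prefix: the LIKE pattern is
   * getNameroot(userName) + "%", restricted to this lesson's rows (see the
   * original note below). NOTE(review): a plain prefix match also lets "bob"
   * see "bobby"'s posts, and if getNameroot() passes '%' or '_' through, those
   * act as LIKE wildcards — verify against getNameroot().
   *
   * <p>Fixes: the PreparedStatement (and with it its ResultSet) is always
   * closed, and a query failure is printed rather than silently swallowed.
   *
   * @param s the current web session
   * @return a container holding the "MessageList" heading and the link table
   */
  public Element makeList(WebSession s) {
    Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);

    try {
      Connection connection = DatabaseUtilities.getConnection(s);

      // edit by Chuck Willis - Added logic to associate similar usernames
      // The idea is that users chuck-1, chuck-2, etc will see each other's messages
      // but not anyone elses. This allows users to try out XSS to grab another user's
      // cookies, but not get confused by other users scripts

      String query = "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?";
      PreparedStatement statement =
          connection.prepareStatement(
              query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
      try {
        statement.setString(1, getNameroot(s.getUserName()) + "%");
        statement.setString(2, getClass().getName());
        ResultSet results = statement.executeQuery();

        if ((results != null) && results.first()) {
          results.beforeFirst();

          while (results.next()) {
            A a = ECSFactory.makeLink(results.getString(TITLE_COL), NUMBER, results.getInt(NUM_COL));
            t.addElement(new TR().addElement(new TD().addElement(a)));
          }
        }
      } finally {
        // Per JDBC, closing the statement also closes the ResultSet it produced.
        statement.close();
      }
    } catch (Exception e) {
      s.setMessage(WebGoatI18N.get("ErrorGeneratingMessageList"));
      e.printStackTrace();
    }

    ElementContainer ec = new ElementContainer();
    ec.addElement(new H1(WebGoatI18N.get("MessageList")));
    ec.addElement(t);

    return ec;
  }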
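  /**
   * Builds the sign-in form: a heading, an instruction row, the user name and
   * password inputs, and a Login button.
   *
   * <p>Fix: in the listing, the statement creating the user-name input had
   * been mangled into the preceding line. It is restored as a text input
   * named USERNAME, mirroring the password input on the following line, which
   * the rest of the method already referenced as input1 and which
   * checkParams() reads back under the same USERNAME parameter.
   *
   * @param s the current web session (isColor() toggles a visible table border)
   * @return the login form as an element container
   */
  protected Element makeLogin(WebSession s) {
    ElementContainer ec = new ElementContainer();

    ec.addElement(new H1().addElement("Sign In "));
    Table t =
        new Table()
            .setCellSpacing(0)
            .setCellPadding(2)
            .setBorder(0)
            .setWidth("90%")
            .setAlign("center");

    if (s.isColor()) {
      t.setBorder(1);
    }

    TR tr = new TR();
    tr.addElement(
        new TH()
            .addElement(
                "Please sign in to your account.  See the OWASP admin if you do not have an account.")
            .setColSpan(2)
            .setAlign("left"));
    t.addElement(tr);

    tr = new TR();
    tr.addElement(new TD().addElement("*Required Fields").setWidth("30%"));
    t.addElement(tr);

    tr = new TR();
    tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
    t.addElement(tr);

    TR row1 = new TR();
    TR row2 = new TR();
    row1.addElement(new TD(new B(new StringElement("*User Name: "))));
    row2.addElement(new TD(new B(new StringElement("*Password: "))));
    // User name is a plain text field; the password field masks its input.
    Input input1 = new Input(Input.TEXT, USERNAME, "");
    Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
    row1.addElement(new TD(input1));
    row2.addElement(new TD(input2));
    t.addElement(row1);
    t.addElement(row2);

    Element b = ECSFactory.makeButton("Login");
    t.addElement(new TR(new TD(b)));
    ec.addElement(t);

    return ec;
  }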
  /**
   * Maps the presented AUTHCOOKIE value back to a user name by comparing it
   * with the encoded fixed tokens for webgoat, aspect and alice. Presenting
   * alice's token additionally marks the lesson as solved. Any other
   * non-null value is rejected: the cookies are cleared and "Invalid cookie"
   * is set as the message.
   *
   * <p>NOTE(review): the comparison is String.equals(), not constant-time;
   * for these fixed lesson tokens that is immaterial, but it is not a pattern
   * to copy for real session tokens.
   *
   * @param s the current web session
   * @return "webgoat", "aspect" or "alice" on a match, otherwise null
   * @exception Exception propagated from getCookie()/encode()/makeSuccess()
   */
  protected String checkCookie(WebSession s) throws Exception {
    String presented = getCookie(s);
    if (presented == null) {
      return null;
    }

    if (presented.equals(encode("webgoat12345"))) {
      return "webgoat";
    }
    if (presented.equals(encode("aspect12345"))) {
      return "aspect";
    }
    if (presented.equals(encode("alice12345"))) {
      // Holding alice's cookie is the lesson's win condition.
      makeSuccess(s);
      return "alice";
    }

    s.setMessage("Invalid cookie");
    s.eatCookies();
    return null;
  }
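  /**
   * Renders one message (title, body, poster) selected by the NUMBER
   * parameter, restricted to the current user's name-prefix group and to this
   * lesson's rows.
   *
   * <p>The message body is emitted as a raw StringElement with no HTML
   * encoding, and the lesson awards success when that body contains
   * {@code <script>}, {@code </script>} and "alert"; the stored XSS is the
   * point of the exercise, so the body is deliberately not escaped here. The
   * title was HTML-encoded on insert (addMessage); the poster name is the
   * session user name stored on insert.
   *
   * <p>Fix: the PreparedStatement (and its ResultSet) is now closed on every
   * path instead of leaking on the normal one.
   *
   * @param s the current web session (NUMBER parameter, user name, DB connection)
   * @return the rendered message, a "could not find" paragraph when NUMBER is
   *         non-zero and unknown, or an empty container otherwise
   */
  protected Element makeCurrent(WebSession s) {
    ElementContainer ec = new ElementContainer();

    try {
      int messageNum = s.getParser().getIntParameter(NUMBER, 0);

      Connection connection = DatabaseUtilities.getConnection(s);

      // edit by Chuck Willis - Added logic to associate similar usernames
      // The idea is that users chuck-1, chuck-2, etc will see each other's messages
      // but not anyone elses. This allows users to try out XSS to grab another user's
      // cookies, but not get confused by other users scripts

      String query =
          "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
      PreparedStatement statement =
          connection.prepareStatement(
              query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
      try {
        statement.setString(1, getNameroot(s.getUserName()) + "%");
        statement.setInt(2, messageNum);
        statement.setString(3, this.getClass().getName());
        ResultSet results = statement.executeQuery();

        if ((results != null) && results.first()) {
          ec.addElement(
              new H1(WebGoatI18N.get("MessageContentsFor") + ": " + results.getString(TITLE_COL)));
          Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
          TR row1 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Title") + ":"))));
          row1.addElement(new TD(new StringElement(results.getString(TITLE_COL))));
          t.addElement(row1);

          // Rendered unescaped on purpose (stored XSS lesson; see class comment above).
          String messageData = results.getString(MESSAGE_COL);
          TR row2 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Message") + ":"))));
          row2.addElement(new TD(new StringElement(messageData)));
          t.addElement(row2);

          // Edited by Chuck Willis - added display of the user who posted the message, so
          // that if users use a cross site request forgery or XSS to make another user post a
          // message, they can see that the message is attributed to that user
          TR row3 = new TR(new TD(new StringElement(WebGoatI18N.get("PostedBy") + ":")));
          row3.addElement(new TD(new StringElement(results.getString(USER_COL))));
          t.addElement(row3);

          ec.addElement(t);

          // Some sanity checks that the script may be correct
          String lowered = messageData.toLowerCase();
          if (lowered.indexOf("<script>") != -1
              && lowered.indexOf("</script>") != -1
              && lowered.indexOf("alert") != -1) {
            makeSuccess(s);
          }
        } else if (messageNum != 0) {
          // 0 is the parser default for a missing NUMBER, so only report real misses.
          ec.addElement(new P().addElement(WebGoatI18N.get("CouldNotFindMessage") + messageNum));
        }
      } finally {
        // Per JDBC, closing the statement also closes the ResultSet it produced.
        statement.close();
      }
    } catch (Exception e) {
      s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
      e.printStackTrace();
    }

    return ec;
  }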