/**
   * Builds the empty message-entry form: a title text field, a message text area and a submit
   * button.
   *
   * <p>Both inputs are rendered with no pre-filled value, so nothing from the request is echoed
   * back by this method. What happens to the submitted title and message is outside this method.
   *
   * @param s the current session (not read by this method)
   * @return a container holding the two-row input table followed by the submit button
   */
  protected Element makeInput(WebSession s) {
    // Row 1: localized "Title" caption and a single-line input named by TITLE.
    TR titleRow = new TR();
    titleRow.addElement(new TD(new StringElement(WebGoatI18N.get("Title") + ": ")));
    titleRow.addElement(new TD(new Input(Input.TEXT, TITLE, "")));

    // Row 2: localized "Message" caption (top-aligned) and a 5x60 text area named by MESSAGE.
    TD messageCaption = new TD();
    messageCaption.setVAlign("TOP");
    messageCaption.addElement(new StringElement(WebGoatI18N.get("Message") + ": "));

    TD messageCell = new TD();
    messageCell.addElement(new TextArea(MESSAGE, 5, 60));

    TR messageRow = new TR();
    messageRow.addElement(messageCaption);
    messageRow.addElement(messageCell);

    Table formTable = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
    formTable.addElement(titleRow);
    formTable.addElement(messageRow);

    ElementContainer container = new ElementContainer();
    container.addElement(formTable);
    container.addElement(new P().addElement(ECSFactory.makeButton(WebGoatI18N.get("Submit"))));

    return container;
  }
  /**
   * Assembles the page body: the wrapped lesson content inside a POST form named "form" that
   * targets "attack", placed in a single-cell white layout table, and installs it via
   * {@code setContent}.
   *
   * <p>NOTE(review): no anti-CSRF token is added to the form in this method; whether one is added
   * elsewhere is not visible here.
   *
   * @param s the current session, passed through to {@code wrapForm}
   */
  public void setup(WebSession s) {
    Table page =
        new Table().setBgColor(HtmlColor.WHITE).setCellSpacing(0).setCellPadding(0).setBorder(0);

    // wrapForm(s) produces the content (and any messages) before the surrounding form is placed
    // into the layout.
    Form attackForm = new Form("attack", Form.POST).setName("form").setEncType("");
    attackForm.addElement(wrapForm(s));

    TD contentCell = new TD();
    contentCell.setHeight("100%");
    contentCell.setVAlign("top");
    contentCell.setAlign("left");
    contentCell.addElement(attackForm);

    page.addElement(new TR().addElement(contentCell));

    setContent(page);
  }
  /**
   * Wraps the lesson content in a three-row table: pending messages, the content itself, and an
   * empty trailing row.
   *
   * @param s the current session; may be {@code null}
   * @return the wrapper table, or the text element "Invalid Session" when {@code s} is null
   */
  protected Element wrapForm(WebSession s) {
    if (s == null) {
      return new StringElement("Invalid Session");
    }

    // Ordering matters: createContent can set error messages, so it has to run before
    // makeMessages collects them for display.
    Element body = createContent(s);
    TR messageRow =
        new TR().addElement(new TD().setColSpan(2).setVAlign("TOP").addElement(makeMessages(s)));
    TR bodyRow = new TR().addElement(new TD().setColSpan(2).addElement(body));

    Table wrapper = new Table().setWidth("100%").setCellSpacing(10).setCellPadding(0).setBorder(0);
    wrapper.addElement(messageRow);
    wrapper.addElement(bodyRow);
    wrapper.addElement(new TR());

    return wrapper;
  }
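  /**
   * Builds the "message list" section: a heading followed by one link per stored message that is
   * visible to the current user.
   *
   * <p>Rows are selected for this lesson class and for every user name that starts with the
   * current user's name root, so that related accounts (chuck-1, chuck-2, ...) share one list.
   *
   * @param s the current session; supplies the database connection and the user name, and
   *     receives an error message if the lookup fails
   * @return a container with the list heading and the table of message links; the table may be
   *     empty or partial when the lookup fails
   */
  public Element makeList(WebSession s) {
    Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
    PreparedStatement statement = null;
    ResultSet results = null;

    try {
      Connection connection = DatabaseUtilities.getConnection(s);

      // edit by Chuck Willis - Added logic to associate similar usernames
      // The idea is that users chuck-1, chuck-2, etc will see each other's messages
      // but not anyone else's. This allows users to try out XSS to grab another user's
      // cookies, but not get confused by other users' scripts

      // Both values are bound as parameters, so neither is spliced into the SQL text.
      // NOTE(review): the name root is used as a LIKE pattern; if it can contain '%' or '_' the
      // match is wider than the intended prefix - confirm what getNameroot allows.
      String query = "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?";
      statement =
          connection.prepareStatement(
              query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
      statement.setString(1, getNameroot(s.getUserName()) + "%");
      statement.setString(2, getClass().getName());
      results = statement.executeQuery();

      // A fresh result set is positioned before the first row, so next() alone walks all rows.
      while ((results != null) && results.next()) {
        // NOTE(review): the stored title becomes the link text as-is; whether it was
        // HTML-encoded when stored, or is encoded by makeLink, is not visible here.
        A a = ECSFactory.makeLink(results.getString(TITLE_COL), NUMBER, results.getInt(NUM_COL));
        t.addElement(new TR().addElement(new TD().addElement(a)));
      }
    } catch (Exception e) {
      s.setMessage(WebGoatI18N.get("ErrorGeneratingMessageList"));
      // Keep the cause visible server-side instead of dropping it.
      e.printStackTrace();
    } finally {
      // Release the cursor and the statement on every path. The connection is left open because
      // this method did not create it; its lifetime is managed by DatabaseUtilities.
      if (results != null) {
        try {
          results.close();
        } catch (Exception ignored) {
          // best-effort cleanup
        }
      }
      if (statement != null) {
        try {
          statement.close();
        } catch (Exception ignored) {
          // best-effort cleanup
        }
      }
    }

    ElementContainer ec = new ElementContainer();
    ec.addElement(new H1(WebGoatI18N.get("MessageList")));
    ec.addElement(t);

    return (ec);
  }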
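  /**
   * Builds the sign-in form: a heading, instruction rows, a user-name field, a password field and
   * a "Login" button.
   *
   * <p>Both inputs are rendered with an empty value, so a previously submitted user name or
   * password is never written back into the page by this method.
   *
   * @param s the current session; only {@code isColor()} is read, to switch the table border on
   * @return a container holding the heading and the login table
   */
  protected Element makeLogin(WebSession s) {
    ElementContainer ec = new ElementContainer();

    ec.addElement(new H1().addElement("Sign In "));
    Table t =
        new Table()
            .setCellSpacing(0)
            .setCellPadding(2)
            .setBorder(0)
            .setWidth("90%")
            .setAlign("center");

    if (s.isColor()) {
      t.setBorder(1);
    }

    TR tr = new TR();
    tr.addElement(
        new TH()
            .addElement(
                "Please sign in to your account.  See the OWASP admin if you do not have an account.")
            .setColSpan(2)
            .setAlign("left"));
    t.addElement(tr);

    tr = new TR();
    tr.addElement(new TD().addElement("*Required Fields").setWidth("30%"));
    t.addElement(tr);

    tr = new TR();
    tr.addElement(new TD().addElement(" ").setColSpan(2));
    t.addElement(tr);

    TR row1 = new TR();
    TR row2 = new TR();
    row1.addElement(new TD(new B(new StringElement("*User Name: "))));
    row2.addElement(new TD(new B(new StringElement("*Password: "))));

    // NOTE(review): in the listing this spot was mangled by secret masking (the end of the
    // password caption and the declaration of input1 were replaced by asterisks). The lines are
    // reconstructed here; USERNAME is assumed to be the class's field-name constant that pairs
    // with PASSWORD - confirm against the original file.
    Input input1 = new Input(Input.TEXT, USERNAME, "");
    Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
    row1.addElement(new TD(input1));
    row2.addElement(new TD(input2));
    t.addElement(row1);
    t.addElement(row2);

    Element b = ECSFactory.makeButton("Login");
    t.addElement(new TR(new TD(b)));
    ec.addElement(t);

    return (ec);
  }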
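  /**
   * Renders the shopping-cart page: four fixed catalogue rows with editable quantities, the
   * running total, and the credit-card / access-code inputs with their "Update Cart" and
   * "Purchase" buttons.
   *
   * <p>Review notes for readers using this as a reference:
   *
   * <ul>
   *   <li>Each QTYn request value is written back into its input's value attribute and is also
   *       parsed as a float with no range check, so negative or fractional quantities flow
   *       straight into the totals.
   *   <li>Amounts are computed in {@code float}, which is not exact for money.
   *   <li>The script include and the two trailing inputs are added as raw markup strings.
   * </ul>
   *
   * @param s the current session; supplies the request parameters and receives an error message
   *     if rendering fails
   * @return the container with whatever was rendered before any failure
   */
  protected Element createContent(WebSession s) {
    ElementContainer ec = new ElementContainer();

    // Catalogue data, kept as parallel arrays: display name, displayed price, numeric price.
    final String[] itemNames = {
      "Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry ",
      "Dynex - Traditional Notebook Case",
      "Hewlett-Packard - Pavilion Notebook with Intel® Centrino™",
      "3 - Year Performance Service Plan $1000 and Over "
    };
    final String[] priceLabels = {"69.99", "27.99", "1599.99", "299.99"};
    final float[] unitPrices = {69.99f, 27.99f, 1599.99f, 299.99f};

    try {
      checkSuccess(s);

      float runningTotal = 0.0f;

      // FIXME: encode output of field2, then s.setMessage( field2 );
      // Raw markup: loads the client-side script that defines purchase(), used by the buttons.
      ec.addElement("<script src='javascript/eval.js'> </script>");
      ec.addElement(new HR().setWidth("90%"));
      ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart ")));
      Table t =
          new Table()
              .setCellSpacing(0)
              .setCellPadding(2)
              .setBorder(1)
              .setWidth("90%")
              .setAlign("center");

      if (s.isColor()) {
        t.setBorder(1);
      }

      TR tr = new TR();
      tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%"));
      tr.addElement(new TH().addElement("Price").setWidth("10%"));
      tr.addElement(new TH().addElement("Quantity").setWidth("3%"));
      tr.addElement(new TH().addElement("Total").setWidth("7%"));
      t.addElement(tr);

      for (int i = 0; i < itemNames.length; i++) {
        String qtyField = "QTY" + (i + 1);

        tr = new TR();
        tr.addElement(new TD().addElement(itemNames[i]));
        tr.addElement(new TD().addElement(priceLabels[i]).setAlign("right"));
        // NOTE(review): the request value is echoed into the value attribute; whether Input
        // escapes attribute values is not visible here - confirm.
        tr.addElement(
            new TD()
                .addElement(
                    new Input(Input.TEXT, qtyField, s.getParser().getStringParameter(qtyField, "1")))
                .setAlign("right"));
        // The box defaults to "1" but the computation defaults to 0, so a first view shows a
        // quantity of 1 next to a total of 0. No lower or upper bound is applied.
        float quantity = s.getParser().getFloatParameter(qtyField, 0.0f);
        float total = quantity * unitPrices[i];
        runningTotal += total;
        tr.addElement(new TD().addElement("$" + total));
        t.addElement(tr);
      }

      ec.addElement(t);

      t =
          new Table()
              .setCellSpacing(0)
              .setCellPadding(2)
              .setBorder(0)
              .setWidth("90%")
              .setAlign("center");

      if (s.isColor()) {
        t.setBorder(1);
      }

      ec.addElement(new BR());

      tr = new TR();
      tr.addElement(new TD().addElement("The total charged to your credit card:"));
      tr.addElement(new TD().addElement("$" + runningTotal));

      Input b = new Input();
      b.setType(Input.BUTTON);
      b.setValue("Update Cart");
      b.addAttribute("onclick", "purchase('lessons/Ajax/eval.jsp');");

      tr.addElement(new TD().addElement(b));
      t.addElement(tr);
      tr = new TR();
      tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
      t.addElement(tr);
      tr = new TR();
      tr.addElement(new TD().addElement("Enter your credit card number:"));
      // Fixed markup with a hard-coded sample number; no request data is interpolated here.
      tr.addElement(
          new TD()
              .addElement(
                  "<input id='field2' name='field2' type='TEXT' value='4128 3214 0002 1999'>"));
      t.addElement(tr);
      tr = new TR();
      tr.addElement(new TD().addElement("Enter your three digit access code:"));
      tr.addElement(
          new TD().addElement("<input id='field1' name='field1' type='TEXT' value='123'>"));
      t.addElement(tr);

      b = new Input();
      b.setType(Input.BUTTON);
      b.setValue("Purchase");
      b.addAttribute("onclick", "purchase('lessons/Ajax/eval.jsp');");

      tr = new TR();
      tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("right"));
      t.addElement(tr);

      ec.addElement(t);
      ec.addElement(new BR());
      ec.addElement(new HR().setWidth("90%"));

    } catch (Exception e) {
      s.setMessage("Error generating " + this.getClass().getName());
      e.printStackTrace();
    }
    return (ec);
  }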
  /**
   * Renders the file chooser for the lesson-plan directory and, when the FILE request parameter
   * is present, evaluates the requested name and displays the resulting file.
   *
   * <p>Review notes: FILE is read with {@code getRawParameter} and concatenated into a path under
   * the lesson directory. The only checks applied to it here are the two {@code upDirCount}
   * comparisons; the resolved path is never compared with an allowed base directory, and this
   * method treats reaching a file outside the offered list as the lesson's success condition.
   * Code outside a training lesson should canonicalise the path and verify that it stays under
   * the intended base directory before opening it.
   *
   * @param s the current session; supplies the request parameter and receives status messages
   * @return the container with the chooser and, where applicable, the displayed file
   */
  protected Element createContent(WebSession s) {
    ElementContainer ec = new ElementContainer();

    try {
      Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center");

      if (s.isColor()) {
        t.setBorder(1);
      }

      // Offer the names of the HTML files found next to the lesson directory.
      List<File> htmlFiles = findHtmlFiles(LessonUtil.getLessonDirectory(s, this).getParentFile());
      List<String> htmlFilenames =
          Lists.newArrayList(
              Iterables.transform(
                  htmlFiles,
                  new Function<File, String>() {
                    @Override
                    public String apply(File input) {
                      return input.getName();
                    }
                  }));
      String[] list = htmlFilenames.toArray(new String[htmlFilenames.size()]);

      // htmlFiles.get(0) throws on an empty list; that ends up in the catch block below.
      String listing =
          " <p><B>"
              + getLabelManager().get("CurrentDirectory")
              + "</B> "
              + Encoding.urlDecode(htmlFiles.get(0).getParent())
              + "<br><br>"
              + getLabelManager().get("ChooseFileToView")
              + "</p>";

      TR headerRow = new TR();
      headerRow.addElement(new TD().setColSpan(2).addElement(new StringElement(listing)));
      t.addElement(headerRow);

      TR chooserRow = new TR();
      chooserRow.addElement(
          new TD().setWidth("35%").addElement(ECSFactory.makePulldown(FILE, list, "", 15)));
      chooserRow.addElement(
          new TD().addElement(ECSFactory.makeButton(getLabelManager().get("ViewFile"))));
      t.addElement(chooserRow);

      ec.addElement(t);

      // FIXME: would be cool to allow encodings here -- hex, percent,
      // url, etc...
      final String file = s.getParser().getRawParameter(FILE, "");

      // Empty means first visit or missing parameter: nothing more to do.
      if (!file.isEmpty()) {
        // Requests stay rejected unless they pass both depth checks below.
        // Any file in the webgoat hierarchy may be viewed; above the webgoat root only the
        // LICENSE file is allowed.
        boolean permitted = false;
        if (upDirCount(file) == 3 && !file.endsWith("LICENSE")) {
          s.setMessage(getLabelManager().get("AccessDenied"));
          s.setMessage(getLabelManager().get("ItAppears1"));
        } else if (upDirCount(file) > 5) {
          s.setMessage(getLabelManager().get("AccessDenied"));
          s.setMessage(getLabelManager().get("ItAppears2"));
        } else {
          permitted = true;
        }

        // Called for every non-empty request, including rejected ones. A null result means the
        // name did not match any of the offered files.
        File allowedFile = guideTheAtack(s, file, htmlFiles);

        if (permitted) {
          File attemptedFile =
              new File(LessonUtil.getLessonDirectory(s, this) + "/lessonPlans/en/" + file);
          if (allowedFile != null) {
            attemptedFile = allowedFile;
          } else if (attemptedFile.isFile() && attemptedFile.exists()) {
            // A real file outside the offered list was reached: the lesson counts this as solved.
            s.setMessage(
                getLabelManager().get("CongratsAccessToFileAllowed")
                    + " ==> "
                    + Encoding.urlDecode(attemptedFile.getCanonicalPath()));
            makeSuccess(s);
          } else if (file.length() != 0) {
            // NOTE(review): the request value is placed into the status message; whether it is
            // HTML-encoded when messages are rendered is not visible here.
            s.setMessage(
                getLabelManager().get("AccessToFileDenied1")
                    + Encoding.urlDecode(file)
                    + getLabelManager().get("AccessToFileDenied2"));
          }

          displayAttemptedFile(ec, attemptedFile);
        }
      }

    } catch (Exception e) {
      s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
      e.printStackTrace();
    }
    return (ec);
  }
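  /**
   * Writes the button's HTML to {@code out}: a span wrapping a 3x3 layout table whose centre cell
   * holds the actual button element, then calls {@code initJaveScript()}.
   *
   * <p>NOTE(review): {@code getSrc()}, {@code getLabel()}, {@code getStyleAsString()} and the
   * confirm text are placed into style attributes, element content and the onclick handler
   * without any escaping in this method. Whether those values are trusted or encoded elsewhere is
   * not visible here - confirm before passing user-controlled data into them.
   *
   * @param out the writer that receives the generated markup
   */
  protected void endHTML(PrintWriter out) {
    Span span = new Span();
    Table table = new Table();
    TR top = new TR();
    TD topLeft = new TD();
    TD topCenter = new TD();
    TD topRight = new TD();
    TR middle = new TR();
    TD midLeft = new TD();
    TD midCenter = new TD();
    TD midRight = new TD();
    TR bottom = new TR();
    TD botLeft = new TD();
    TD botCenter = new TD();
    TD botRight = new TD();
    Span textContainer = new Span();
    org.apache.ecs.html.Button button = new org.apache.ecs.html.Button();
    // NOTE(review): the value is never used in this method; the call is kept in case
    // processBool has side effects on the context - confirm before removing.
    boolean disabled = getContext().processBool(getId() + ".disabled");

    // build table
    table.addElement(top);
    top.addElement(topLeft);
    top.addElement(topCenter);
    top.addElement(topRight);

    table.addElement(middle);
    middle.addElement(midLeft);
    middle.addElement(midCenter);
    middle.addElement(midRight);

    table.addElement(bottom);
    bottom.addElement(botLeft);
    bottom.addElement(botCenter);
    bottom.addElement(botRight);

    // Every border cell (all but the centre) gets its own spacer image and its own CSS class.
    TD[] borderCells = {
      topLeft, topCenter, topRight, midLeft, midRight, botLeft, botCenter, botRight
    };
    String[] borderClasses = {
      "btn_lt", "btn_ct", "btn_rt", "btn_lm", "btn_rm", "btn_lb", "btn_cb", "btn_rb"
    };
    for (int i = 0; i < borderCells.length; i++) {
      borderCells[i].addElement(new IMG("./images/wgt/1.gif"));
      borderCells[i].setClass(borderClasses[i]);
    }
    midCenter.setClass("btn_cm");

    // format table
    table.setCellPadding(0);
    table.setCellSpacing(0);
    table.setBorder(0);

    button.setClass("btn_btn");
    button.setID(getId() + "_btn");
    midCenter.addElement(button);
    textContainer.setID(id4Text());
    textContainer.setClass("btn_txt");

    // Icon: icon-only buttons are sized to the icon; labelled ones only get the background.
    if (StringUtils.isNotEmpty(getSrc())) {
      if (StringUtils.isEmpty(this.getLabel())) {
        button.setStyle(
            "width:"
                + iconWidth
                + "px;height:"
                + iconHeight
                + "px;background: transparent url("
                + getSrc()
                + ") no-repeat; background-position: center;");
      } else {
        button.setStyle("background: transparent url(" + getSrc() + ") no-repeat;");
      }
    }

    if (StringUtils.isNotEmpty(this.getLabel())) {
      if (StringUtils.isNotEmpty(getSrc()) && iconWidth > -1) {
        if (displayMode == DISPLAY_MODE_VERTICAL) {
          // image on top: extend the style set above and push the text below the icon
          String style = button.getAttribute("style");
          button.setStyle(
              style + "background-position: center top;padding-top:" + iconHeight + "px;");
        } else {
          // image on the left: indent the text by the icon width
          textContainer.setStyle("padding-left: " + iconWidth + "px;");
        }
      }
      textContainer.addElement(this.getLabel());
      button.addElement(textContainer);
    }

    if (this.hasStyle()) {
      table.setStyle(this.getStyleAsString());
    }

    midCenter.setID(getId());
    // The click handler is set exactly once: through a confirm dialog when a confirm message is
    // configured, directly otherwise.
    if (getConfirmMsg() != null) {
      button.setOnClick(
          JSUtil.jsConfirm(
              TextService.getString(getConfirmMsg()),
              JSUtil.jsFireEvent(getId(), ClientEvent.TYPE_ACTION)));
    } else {
      button.setOnClick(JSUtil.jsFireEvent(getId(), ClientEvent.TYPE_ACTION) + " return false;");
    }

    span.addElement(table);
    span.setID(getId() + "_sspan");
    if (block && isVisible()) {
      span.setStyle("display:block;");
    }

    span.output(out);

    this.initJaveScript();
  }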
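  /**
   * Renders the account lookup form and, when the request carries an account id and at least one
   * selected field, a result table with one web-service call per selected field, followed by a
   * link to the service's WSDL.
   *
   * <p>NOTE(review): each submitted "field" value is used both as table-header text and as the
   * operation name passed to {@code accessWGService}. The select offers three options, but this
   * method does not check the submitted values against them, nor does it encode them before
   * output. Outside a training lesson, restrict the value to an allow-list and encode it before
   * it is written to the page.
   *
   * @param s the current session; supplies the request parameters and receives messages
   * @return the container with the form, any result table and the WSDL link
   */
  protected Element createContent(WebSession s) {
    ElementContainer ec = new ElementContainer();

    Table t1 = new Table().setCellSpacing(0).setCellPadding(2);

    if (s.isColor()) {
      t1.setBorder(1);
    }
    TR tr = new TR();
    tr.addElement(new TD("Enter your account number: "));
    tr.addElement(new TD(new Input(Input.TEXT, "id", "101")));
    t1.addElement(tr);

    tr = new TR();
    tr.addElement(new TD("Select the fields to return: "));
    tr.addElement(
        new TD(
            new Select("field")
                .setMultiple(true)
                .addElement(new Option(firstName).addElement("First Name"))
                .addElement(new Option(lastName).addElement("Last Name"))
                .addElement(new Option(loginCount).addElement("Login Count"))));
    t1.addElement(tr);

    tr = new TR();
    Element b = ECSFactory.makeButton("Submit");
    tr.addElement(new TD(b).setAlign("CENTER").setColSpan(2));
    t1.addElement(tr);

    ec.addElement(t1);

    try {
      String[] fields = s.getParser().getParameterValues("field");
      int id = s.getParser().getIntParameter("id");

      Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1);

      if (s.isColor()) {
        t.setBorder(1);
      }
      TR header = new TR();
      TR results = new TR();
      int port = s.getRequest().getServerPort();
      for (String field : fields) {
        // Client-supplied value: shown as the column header and used as the operation to invoke.
        header.addElement(new TD().addElement(field));
        results.addElement(
            new TD()
                .addElement(
                    (String)
                        accessWGService(
                            s, "WSDLScanning", port, field, "acct_num", Integer.valueOf(id))));
      }
      if (fields.length == 0) {
        s.setMessage("Please select a value to return.");
      }
      t.addElement(header);
      t.addElement(results);
      ec.addElement(new P().addElement(t));
    } catch (Exception ignored) {
      // Deliberately best-effort: any failure here (presumably including a first visit without
      // parameters - confirm) just leaves the result table out of the page.
      // NOTE(review): failures of the service call are hidden as well.
    }
    try {
      A a = new A("services/WSDLScanning?WSDL", "WebGoat WSDL File");
      ec.addElement(
          new P()
              .addElement(
                  "View the web services definition language (WSDL) to see the complete API:"));
      ec.addElement(new BR());
      ec.addElement(a);

      // completed and beenRestartedYet are not declared in this method.
      // NOTE(review): if they are fields shared between sessions, these updates are not
      // synchronised - confirm.
      if (completed && !getLessonTracker(s).getCompleted() && !beenRestartedYet) {
        makeSuccess(s);
        beenRestartedYet = true;
      } else if (completed && !getLessonTracker(s).getCompleted() && beenRestartedYet) {
        completed = false;
        beenRestartedYet = false;
      }
    } catch (Exception e) {
      s.setMessage("Error generating " + this.getClass().getName());
      e.printStackTrace();
    }
    return (ec);
  }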
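  /**
   * Renders the message selected by the NUMBER request parameter: its title, body and author,
   * provided the message belongs to this lesson class and to a user sharing the current user's
   * name root.
   *
   * <p>Review notes: the stored title, message body and author are written into the page through
   * {@code StringElement} exactly as read from the database; no output encoding is applied in
   * this method, and the lesson is marked solved when the body contains a script block with an
   * alert. That is the behaviour the lesson demonstrates; application code should HTML-encode
   * stored text when it is written to the page.
   *
   * @param s the current session; supplies the request parameter, the connection and the user
   *     name, and receives an error message if rendering fails
   * @return the container with the message view, a "not found" paragraph, or nothing when no
   *     message number was requested
   */
  protected Element makeCurrent(WebSession s) {
    ElementContainer ec = new ElementContainer();
    PreparedStatement statement = null;
    ResultSet results = null;

    try {
      int messageNum = s.getParser().getIntParameter(NUMBER, 0);

      Connection connection = DatabaseUtilities.getConnection(s);

      // edit by Chuck Willis - Added logic to associate similar usernames
      // The idea is that users chuck-1, chuck-2, etc will see each other's messages
      // but not anyone else's. This allows users to try out XSS to grab another user's
      // cookies, but not get confused by other users' scripts

      // All three values are bound as parameters, so none is spliced into the SQL text.
      // NOTE(review): the name root is used as a LIKE pattern; if it can contain '%' or '_' the
      // match is wider than the intended prefix - confirm what getNameroot allows.
      String query =
          "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
      statement =
          connection.prepareStatement(
              query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
      statement.setString(1, getNameroot(s.getUserName()) + "%");
      statement.setInt(2, messageNum);
      statement.setString(3, this.getClass().getName());
      results = statement.executeQuery();

      if ((results != null) && results.first()) {
        ec.addElement(
            new H1(WebGoatI18N.get("MessageContentsFor") + ": " + results.getString(TITLE_COL)));
        Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
        TR row1 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Title") + ":"))));
        row1.addElement(new TD(new StringElement(results.getString(TITLE_COL))));
        t.addElement(row1);

        String messageData = results.getString(MESSAGE_COL);
        TR row2 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Message") + ":"))));
        row2.addElement(new TD(new StringElement(messageData)));
        t.addElement(row2);

        // Edited by Chuck Willis - added display of the user who posted the message, so that
        // if users use a cross site request forgery or XSS to make another user post a
        // message, they can see that the message is attributed to that user

        TR row3 = new TR(new TD(new StringElement(WebGoatI18N.get("PostedBy") + ":")));
        row3.addElement(new TD(new StringElement(results.getString(USER_COL))));
        t.addElement(row3);

        ec.addElement(t);

        // Some sanity checks that the script may be correct. A NULL message column is skipped
        // instead of raising an error after the message has already been rendered.
        if (messageData != null) {
          String lowered = messageData.toLowerCase();
          if (lowered.contains("<script>")
              && lowered.contains("</script>")
              && lowered.contains("alert")) {
            makeSuccess(s);
          }
        }

      } else if (messageNum != 0) {
        ec.addElement(new P().addElement(WebGoatI18N.get("CouldNotFindMessage") + messageNum));
      }
    } catch (Exception e) {
      s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
      e.printStackTrace();
    } finally {
      // Release the cursor and the statement on every path. The connection is left open because
      // this method did not create it; its lifetime is managed by DatabaseUtilities.
      if (results != null) {
        try {
          results.close();
        } catch (Exception ignored) {
          // best-effort cleanup
        }
      }
      if (statement != null) {
        try {
          statement.close();
        } catch (Exception ignored) {
          // best-effort cleanup
        }
      }
    }

    return (ec);
  }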