/**
  * Switches the utils.ModulePlan to the open floor layout. The plan is only changed when the
  * request comes from a valid administrator session and the CSRF token parameter matches the
  * token cookie; a token mismatch is answered with an error page and a non-admin session gets no
  * output at all.
  *
  * @param csrfToken request parameter that must match the CSRF token cookie
  */
 public void doPost(HttpServletRequest request, HttpServletResponse response)
     throws ServletException, IOException {
   // Log context: client address, plus the proxy-forwarded address when present
   ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));
   log.debug("*** servlets.Admin.SetOpenFloor ***");
   PrintWriter writer = response.getWriter();
   writer.print(getServletInfo());
   HttpSession session = request.getSession(true);
   Cookie csrfCookie = Validate.getToken(request.getCookies());
   Object csrfParam = request.getParameter("csrfToken");
   boolean adminSession = Validate.validateAdminSession(session, csrfCookie, csrfParam);
   if (adminSession) {
     // Re-register the request address together with the administrator's user name
     ShepherdLogManager.setRequestIp(
         request.getRemoteAddr(),
         request.getHeader("X-Forwarded-For"),
         session.getAttribute("userName").toString());
     boolean tokensMatch = Validate.validateTokens(csrfCookie, csrfParam);
     if (!tokensMatch) {
       writer.write("Error Occurred!");
     } else {
       ModulePlan.setOpenFloor();
       log.debug("Open Floor Plan enabled");
       writer.write(
           "<h3 class='title'>Open Floor Plan Enabled</h3>"
               + "<p>Security Shepherd Users are now using an open floor plan. Refresh your browser to see these settings in effect.</p>");
     }
   }
   log.debug("*** END servlets.Admin.SetOpenFloor ***");
 }
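 /**
  * Validates the submitted cheat sheet and, when the caller is an administrator whose CSRF token
  * parameter matches the token cookie, stores the HTML-encoded solution as the cheat sheet of the
  * given module. Failures are reported as a "Create Cheat Sheet Failure" page; a non-admin session
  * only receives the logged-out image.
  *
  * @param newSolution The new solution to store as a cheat sheet; must be non-empty
  * @param moduleId[] The identifier of the module to update; must name an existing module
  * @param csrfToken request parameter that must match the CSRF token cookie
  */
 public void doPost(HttpServletRequest request, HttpServletResponse response)
     throws ServletException, IOException {
   // Setting IpAddress To Log and taking header for original IP if forwarded from proxy
   ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));
   log.debug("*** servlets.Admin.CreateCheat ***");
   Encoder encoder = ESAPI.encoder();
   PrintWriter out = response.getWriter();
   out.print(getServletInfo());
   HttpSession ses = request.getSession(true);
   Cookie tokenCookie = Validate.getToken(request.getCookies());
   Object tokenParmeter = request.getParameter("csrfToken");
   if (Validate.validateAdminSession(ses, tokenCookie, tokenParmeter)) {
     ShepherdLogManager.setRequestIp(
         request.getRemoteAddr(),
         request.getHeader("X-Forwarded-For"),
         ses.getAttribute("userName").toString());
     log.debug("Current User: " + ses.getAttribute("userName").toString());
     if (Validate.validateTokens(tokenCookie, tokenParmeter)) {
       String errorMessage = null;
       String newSolution = request.getParameter("newSolution");
       log.debug("User submitted new solution - " + newSolution);
       String moduleId = request.getParameter("moduleId[]");
       log.debug("User submitted moduleId: " + moduleId);
       if (newSolution == null || newSolution.isEmpty()) {
         // Name the actual problem; this case used to be reported as an invalid module
         errorMessage = "Invalid Solution submitted";
       } else if (moduleId == null || moduleId.isEmpty()) {
         errorMessage = "Invalid Module submitted";
       } else {
         String applicationRoot = getServletContext().getRealPath("");
         // Only modules known to the database may receive a cheat sheet
         String moduleCheck = Getter.getModuleResult(applicationRoot, moduleId);
         if (moduleCheck == null) {
           errorMessage = "Invalid Module submitted";
         } else if (!Setter.updateCheatSheet(
             // The solution is HTML-encoded before storage, so it is later rendered as text
             applicationRoot, moduleId, encoder.encodeForHTML(newSolution))) {
           errorMessage = "A database level error occurred. Please contact your administrator";
         }
       }
       String output;
       if (errorMessage != null) {
         output =
             "<h2 class='title'>Create Cheat Sheet Failure</h2>"
                 + "<p>"
                 + encoder.encodeForHTML(errorMessage)
                 + "</p>";
       } else {
         output =
             "<h2 class='title'>Create Cheat Sheet Success</h2>"
                 + "<p>Cheat Sheet successfully created</p>";
       }
       out.write(output);
     }
   } else {
     out.write("<img src='css/images/loggedOutSheep.jpg'/>");
   }
   log.debug("*** END servlets.Admin.CreateCheat ***");
 }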
 /**
  * Lesson servlet: the submitted number is checked on the client side only. The server parses any
  * integer and, for a negative one, reveals the lesson's result key to show that client-side
  * validation can be bypassed.
  *
  * @param userdata data submitted by user, expected to parse as an int
  */
 public void doPost(HttpServletRequest request, HttpServletResponse response)
     throws ServletException, IOException {
   // Log context: client address, plus the proxy-forwarded address when present
   ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));
   HttpSession session = request.getSession(true);
   if (!Validate.validateSession(session)) {
     log.error(levelName + " servlet accessed with no session");
     return;
   }
   String sessionUser = session.getAttribute("userName").toString();
   ShepherdLogManager.setRequestIp(
       request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), sessionUser);
   log.debug(levelName + " servlet accessed by: " + sessionUser);
   PrintWriter writer = response.getWriter();
   writer.print(getServletInfo());
   try {
     String submitted = request.getParameter("userdata");
     log.debug("User Submitted - " + submitted);
     // A missing or non-numeric value throws here and is reported by the catch below
     int number = Integer.parseInt(submitted);
     String html;
     if (number >= 0) {
       log.debug("Valid Number Submitted");
       html =
           "<h2 class='title'>Valid Number Submitted</h2><p>The Number "
               + number
               + " is a valid number.";
     } else {
       // The lesson form never sends a negative number, so reaching this branch is the solution
       String resultKey =
           Hash.generateUserSolution(levelResult, (String) session.getAttribute("userName"));
       log.debug("Negative Number Submitted");
       html =
           "<h2 class='title'>Validation Bypassed</h2><p>You defeated the lesson validation. Result Key: <a>"
               + resultKey
               + "</a></p>";
     }
     log.debug("Outputting HTML");
     writer.write(html);
   } catch (Exception e) {
     writer.write("An Error Occurred! You must be getting funky!");
     log.fatal(levelName + " - " + e.toString());
   }
 }
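 /**
  * Turns feedback on for all modules ({@code FeedbackStatus.setEnabled()}) when called by a valid
  * administrator whose CSRF token parameter matches the token cookie. Every other outcome (no
  * admin session, token mismatch, failure while enabling) is answered with an "Enable Feedback
  * Failure" page.
  *
  * @param csrfToken request parameter that must match the CSRF token cookie
  */
 public void doPost(HttpServletRequest request, HttpServletResponse response)
     throws ServletException, IOException {
   // Setting IpAddress To Log and taking header for original IP if forwarded from proxy
   ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));
   log.debug("*** servlets.Admin.config.EnableFeedback ***");
   PrintWriter out = response.getWriter();
   out.print(getServletInfo());
   HttpSession ses = request.getSession(true);
   if (Validate.validateAdminSession(ses)) {
     log.debug("Current User: " + ses.getAttribute("userName").toString());
     Cookie tokenCookie = Validate.getToken(request.getCookies());
     Object tokenParmeter = request.getParameter("csrfToken");
     if (Validate.validateTokens(tokenCookie, tokenParmeter)) {
       try {
         FeedbackStatus.setEnabled();
         out.print(
             "<h2 class=\"title\">Feedback Enabled</h2><br>"
                 + "<p>"
                 + "Users now have to submit a feedback form to complete a module."
                 + "<p>");
       } catch (Exception e) {
         log.error("Enable Feedback Error: " + e.toString());
         out.print(
             "<h2 class=\"title\">Enable Feedback Failure</h2><br>"
                 + "<p>"
                 + "<font color=\"red\">An error Occurred! Please try again.</font>"
                 + "<p>");
       }
     } else {
       log.debug("CSRF tokens did not match");
       out.print(
           "<h2 class=\"title\">Enable Feedback Failure</h2><br>"
               + "<p>"
               + "<font color=\"red\">An error Occurred! CSRF Tokens did not match.</font>"
               + "<p>");
     }
   } else {
     // Leave a trace of the rejected request; it was previously only visible to the client
     log.error("EnableFeedback accessed without an administrator session");
     out.print(
         "<h2 class=\"title\">Enable Feedback Failure</h2><br>"
             + "<p>"
             + "<font color=\"red\">An error Occurred! Please log in or try non administrator functions!</font>"
             + "<p>");
   }
   log.debug("*** servlets.Admin.config.EnableFeedback END ***");
 }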
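 /**
  * Returns the CSRF token(s) stored for the given user in the CSRF Challenge 6 schema, each one
  * HTML-encoded, or an error line when the lookup fails.
  *
  * <p>The query uses {@code LIKE ?} rather than an equality test, so pattern characters in
  * {@code userId} widen the match. NOTE(review): this looks like part of the challenge design —
  * confirm before tightening it.
  *
  * @param userId identifier whose csrfTokens rows are returned
  */
 public void doGet(HttpServletRequest request, HttpServletResponse response)
     throws ServletException, IOException {
   // Setting IpAddress To Log and taking header for original IP if forwarded from proxy
   ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));
   log.debug("Cross-SiteForegery Challenge Get Token Six Servlet");
   PrintWriter out = response.getWriter();
   out.print(getServletInfo());
   try {
     HttpSession ses = request.getSession(true);
     if (Validate.validateSession(ses)) {
       log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString());
       String htmlOutput = "Your csrf Token for this Challenge is: ";
       // A missing parameter throws here and is reported by the outer catch
       String userId = request.getParameter("userId").toString();
       Encoder encoder = ESAPI.encoder();
       Connection conn =
           Database.getChallengeConnection(
               getServletContext().getRealPath(""), "csrfChallengeSix");
       log.debug("Preparing setCsrfChallengeSixToken call");
       // try-with-resources closes statement, result set and connection on every path; the
       // connection used to stay open whenever the query failed
       try (Connection managedConn = conn;
           PreparedStatement callstmnt =
               managedConn.prepareStatement(
                   "SELECT csrfTokenscol FROM csrfchallengesix.csrfTokens WHERE userId LIKE ?")) {
         callstmnt.setString(1, userId);
         log.debug("Executing setCsrfChallengeSixTokenQuery");
         int i = 0;
         try (ResultSet rs = callstmnt.executeQuery()) {
           while (rs.next()) {
             i++;
             htmlOutput += encoder.encodeForHTML("\"" + rs.getString(1) + "\"") + " <br/>";
           }
         }
         log.debug("Returned " + i + " CSRF Tokens for ID: " + userId);
       } catch (Exception e) {
         log.debug("Could not retrieve Challenge CSRF Tokens");
         htmlOutput = "Was unable to retrieve CSRF Token. Funky";
       }
       out.write(htmlOutput);
     }
   } catch (Exception e) {
     // Previously swallowed silently; keep the generic response but record the cause
     log.error(levelName + " - " + e.toString());
     out.write("An Error Occurred! You must be getting funky!");
   }
 }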
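  /**
   * Session Management Challenge 2: resets the password of the sub-schema user with the submitted
   * email address to a fresh random value and echoes the new (HTML-encoded) password in the HTTP
   * response. The default client interface does not display that response, so the user has to
   * discover it — the disclosure is the challenge, not an oversight.
   *
   * <p>The affected-row count of the UPDATE is not checked, so an address that matches no user
   * still produces a password in the response.
   *
   * @param subEmail Sub schema user email address
   */
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Setting IpAddress To Log and taking header for original IP if forwarded from proxy
    ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));
    HttpSession ses = request.getSession(true);

    // Translation Stuff
    Locale locale = new Locale(Validate.validateLanguage(request.getSession()));
    ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale);
    ResourceBundle bundle =
        ResourceBundle.getBundle(
            "i18n.servlets.challenges.sessionManagement.sessionManagement2", locale);

    if (Validate.validateSession(ses)) {
      ShepherdLogManager.setRequestIp(
          request.getRemoteAddr(),
          request.getHeader("X-Forwarded-For"),
          ses.getAttribute("userName").toString());
      log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString());
      PrintWriter out = response.getWriter();
      out.print(getServletInfo());
      Encoder encoder = ESAPI.encoder();
      String htmlOutput = "";
      log.debug(levelName + " Servlet accessed");
      try {
        log.debug("Getting Challenge Parameter");
        String subEmail = request.getParameter("subEmail");
        if (subEmail == null) {
          subEmail = "";
        }
        log.debug("subEmail = " + subEmail);

        log.debug("Getting ApplicationRoot");
        String applicationRoot = getServletContext().getRealPath("");

        String newPassword = Hash.randomString();
        Connection conn = null;
        try {
          conn = Database.getChallengeConnection(applicationRoot, "BrokenAuthAndSessMangChalTwo");
          log.debug("Checking credentials");
          // The challenge schema stores SHA(password) via the database function; kept as defined
          try (PreparedStatement resetStmt =
              conn.prepareStatement("UPDATE users SET userPassword = SHA(?) WHERE userAddress = ?")) {
            resetStmt.setString(1, newPassword);
            resetStmt.setString(2, subEmail);
            log.debug("Executing resetPassword");
            resetStmt.execute();
            log.debug("Statement executed");
          }

          log.debug("Committing changes made to database");
          try (PreparedStatement commitStmt = conn.prepareStatement("COMMIT")) {
            commitStmt.execute();
          }
          log.debug("Changes committed.");

          htmlOutput = encoder.encodeForHTML(newPassword);
        } catch (SQLException e) {
          log.error(levelName + " SQL Error: " + e.toString());
        } finally {
          // Release the connection on the failure path too; it was only closed after success
          if (conn != null) {
            Database.closeConnection(conn);
          }
        }
        log.debug("Outputting HTML");
        out.write(bundle.getString("response.changedTo") + " " + htmlOutput);
      } catch (Exception e) {
        out.write(errors.getString("error.funky"));
        log.fatal(levelName + " - " + e.toString());
      }
    } else {
      log.error(levelName + " servlet accessed with no session");
    }
  }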
  /**
   * Insecure Direct Object lesson: the profile to display is selected solely by the user name sent
   * in the POST body, so any authenticated user can request the administrator's profile and obtain
   * the lesson's result key.
   *
   * @param username User name of profile to retrieve
   */
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Log context: client address, plus the proxy-forwarded address when present
    ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));

    // Translation Stuff
    Locale locale = new Locale(Validate.validateLanguage(request.getSession()));
    ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale);
    ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.directObject", locale);

    HttpSession session = request.getSession(true);
    PrintWriter writer = response.getWriter();
    writer.print(getServletInfo());
    if (!Validate.validateSession(session)) {
      writer.write(errors.getString("error.noSession"));
      log.error(levelName + " servlet accessed with no session");
      return;
    }
    String sessionUser = session.getAttribute("userName").toString();
    ShepherdLogManager.setRequestIp(
        request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), sessionUser);
    log.debug(levelName + " servlet accessed by: " + sessionUser);
    try {
      String requestedProfile = request.getParameter("username");
      log.debug("User Submitted - " + requestedProfile);
      String applicationRoot = getServletContext().getRealPath("");
      log.debug("Servlet root = " + applicationRoot);
      String html;
      // A missing parameter throws NullPointerException here and is reported by the catch below
      if (requestedProfile.equalsIgnoreCase("guest")) {
        log.debug("Guest Profile Found");
        html = htmlGuest(bundle);
      } else if (requestedProfile.equalsIgnoreCase("admin")) {
        // The admin profile carries the result key for the session user
        String resultKey =
            Hash.generateUserSolution(levelResult, (String) session.getAttribute("userName"));
        log.debug("Admin Profile Found");
        html = htmlAdmin(bundle, resultKey);
      } else {
        log.debug("No Profile Found");
        Encoder encoder = ESAPI.encoder();
        String userLabel = bundle.getString("response.user");
        html =
            "<h2 class='title'>"
                + userLabel
                + ": "
                + bundle.getString("response.notFound")
                + "</h2><p>"
                + userLabel
                + " '"
                + encoder.encodeForHTML(requestedProfile)
                + "' "
                + bundle.getString("response.couldNotFind")
                + ".</p>";
      }
      log.debug("Outputting HTML");
      writer.write(html);
    } catch (Exception e) {
      writer.write(errors.getString("error.funky"));
      log.fatal("Insecure Direct Object Lesson Lesson - " + e.toString());
    }
  }
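  /**
   * Security Misconfiguration lesson: the lesson's admin account still uses default credentials
   * (user {@code admin}, password {@code password}, compared in plain text on the server). Sending
   * them completes the lesson and returns the result key; any other combination is answered with
   * an authentication error.
   *
   * @param userName user name submitted by the lesson form
   * @param userPass password submitted by the lesson form; its value is never written to the log
   */
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Setting IpAddress To Log and taking header for original IP if forwarded from proxy
    ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));
    // Attempting to recover username of session that made request
    HttpSession ses = request.getSession(true);
    PrintWriter out = response.getWriter();
    out.print(getServletInfo());

    // Translation Stuff
    Locale locale = new Locale(Validate.validateLanguage(request.getSession()));
    ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale);
    ResourceBundle bundle =
        ResourceBundle.getBundle("i18n.servlets.lessons.securityMisconfig", locale);

    if (Validate.validateSession(ses)) {
      ShepherdLogManager.setRequestIp(
          request.getRemoteAddr(),
          request.getHeader("X-Forwarded-For"),
          ses.getAttribute("userName").toString());
      log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString());
      try {
        String userName = request.getParameter("userName");
        log.debug("User Name - " + userName);
        String userPass = request.getParameter("userPass");
        // Record only whether a password was supplied; the line used to be mislabelled and the
        // value itself must not reach the log
        log.debug("User Pass supplied - " + (userPass != null && !userPass.isEmpty()));
        // A missing userName throws NullPointerException here and is reported by the catch below
        boolean loggedIn = userName.contentEquals("admin") && userPass.contentEquals("password");
        String htmlOutput;
        if (loggedIn) {
          // Default username and password were used
          log.debug("User has signed in as admin");
          htmlOutput =
              "<h2 class='title'>"
                  + bundle.getString("response.authSuccess")
                  + "</h2><p>"
                  + bundle.getString("result.youDidIt")
                  + "<br><br>"
                  + bundle.getString("result.key")
                  + ": <a>"
                  + Hash.generateUserSolution(levelResult, ses.getAttribute("userName").toString())
                  + "</a>";
        } else {
          String reason;
          if (userName.contentEquals("admin")) {
            reason = bundle.getString("response.incorrectPassword");
          } else {
            Encoder encoder = ESAPI.encoder();
            reason =
                bundle.getString("response.noUserFound")
                    + " \""
                    + encoder.encodeForHTML(userName)
                    + "\"";
          }
          htmlOutput =
              "<h2 class='title'>"
                  + bundle.getString("response.authError")
                  + "</h2><p>"
                  + reason
                  + "</p>";
        }
        log.debug("Outputting HTML");
        out.write(htmlOutput);
      } catch (Exception e) {
        out.write(errors.getString("error.funky"));
        log.fatal(levelName + " - " + e.toString());
      }
    } else {
      log.error(levelName + " servlet accessed with no session");
      // Read from the shared errors bundle like the sibling servlets do; the lesson bundle is not
      // shown to define this key, and a missing key here would throw outside any catch
      out.write(errors.getString("error.noSession"));
    }
  }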
  /**
   * Cross-Site Scripting Challenge 4: a reflected XSS that is protected by a CSRF token check, so
   * it cannot be triggered remotely and is only executable against the person submitting the form.
   * The submitted value is encoded for the HTML text context and then placed into an {@code href}
   * attribute, which is the "wrong context" the challenge is built around; {@code FindXSS.search}
   * decides whether the resulting post counts as a solution.
   *
   * @param searchTerm link target to echo back to the user; anything not starting with "http" is
   *     replaced by the OWASP Security Shepherd project URL
   * @param csrfToken request parameter that must match the CSRF token cookie
   */
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Setting IpAddress To Log and taking header for original IP if forwarded from proxy
    ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));
    log.debug("Cross-Site Scripting Challenge Four Servlet");
    PrintWriter out = response.getWriter();
    out.print(getServletInfo());

    // Translation Stuff
    Locale locale = new Locale(Validate.validateLanguage(request.getSession()));
    ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale);
    ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.xss.xss4", locale);

    try {
      HttpSession ses = request.getSession(true);
      if (Validate.validateSession(ses)) {
        ShepherdLogManager.setRequestIp(
            request.getRemoteAddr(),
            request.getHeader("X-Forwarded-For"),
            ses.getAttribute("userName").toString());
        log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString());
        Cookie tokenCookie = Validate.getToken(request.getCookies());
        Object tokenParmeter = request.getParameter("csrfToken");
        // The token check is what keeps this reflection self-only; a mismatch produces no output
        if (Validate.validateTokens(tokenCookie, tokenParmeter)) {
          String htmlOutput = new String();
          String userPost = new String();
          String searchTerm = request.getParameter("searchTerm");
          log.debug("User Submitted - " + searchTerm);
          // A missing parameter throws NullPointerException here and is reported by the catch below
          if (!searchTerm.startsWith("http")) {
            searchTerm = "https://www.owasp.org/index.php/OWASP_Security_Shepherd";
            userPost =
                "<a href=\""
                    + searchTerm
                    + "\" alt=\"OWASP Security Shepherd\">"
                    + searchTerm
                    + "</a>";
          } else {

            // Text-context encoding only; the value is then used as href and alt attribute values
            searchTerm = XssFilter.encodeForHtml(searchTerm);
            userPost =
                "<a href=\"" + searchTerm + "\" alt=\"" + searchTerm + "\">" + searchTerm + "</a>";
            log.debug("After Encoding - " + searchTerm);
            // The result key is only added when the encoded post still passes the XSS detector
            if (FindXSS.search(userPost)) {
              htmlOutput =
                  "<h2 class='title'>"
                      + bundle.getString("result.wellDone")
                      + "</h2>"
                      + "<p>"
                      + bundle.getString("result.youDidIt")
                      + "<br />"
                      + bundle.getString("result.resultKey")
                      + " <a>"
                      + Hash.generateUserSolution(
                          Getter.getModuleResultFromHash(
                              getServletContext().getRealPath(""), levelHash),
                          (String) ses.getAttribute("userName"))
                      + "</a>";
            }
          }
          log.debug("Adding searchTerm to Html: " + searchTerm);
          htmlOutput +=
              "<h2 class='title'>"
                  + bundle.getString("response.yourPost")
                  + "</h2>"
                  + "<p>"
                  + bundle.getString("response.linkPosted")
                  + "</p> "
                  + userPost
                  + "</p>";
          out.write(htmlOutput);
        }
      } else {
        log.error(levelName + " servlet was accessed without a valid session");
        out.write(errors.getString("error.noSession"));
      }
    } catch (Exception e) {
      out.write(errors.getString("error.funky"));
      log.fatal("Cross Site Scripting Challenge 4 - " + e.toString());
    }
  }
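  /**
   * Checks a submitted solution key for a module. With a correct key for a module the user has not
   * completed yet, either the feedback form is returned (feedback enabled) or the module is marked
   * as completed and the side menu refreshed. An incorrect key triggers the bad-submission
   * procedure, which can cost the user points.
   *
   * @param moduleId identifier of the module the key belongs to
   * @param solutionKey the key to check; compared directly for plain-key modules, otherwise
   *     decrypted with the user's key and compared against the stored result plus the server salt
   * @param csrfToken request parameter that must match the CSRF token cookie
   */
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Setting IpAddress To Log and taking header for original IP if forwarded from proxy
    ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));
    log.debug("&&& servlets.module.SolutionSubmit &&&");
    PrintWriter out = response.getWriter();
    out.print(getServletInfo());
    HttpSession ses = request.getSession(true);
    if (Validate.validateSession(ses)) {
      ShepherdLogManager.setRequestIp(
          request.getRemoteAddr(),
          request.getHeader("X-Forwarded-For"),
          ses.getAttribute("userName").toString());
      log.debug("Current User: " + ses.getAttribute("userName").toString());
      Cookie tokenCookie = Validate.getToken(request.getCookies());
      Object tokenParmeter = request.getParameter("csrfToken");
      if (Validate.validateTokens(tokenCookie, tokenParmeter)) {
        boolean notNull = false;
        String storedResult = null;
        try {
          log.debug("Getting ApplicationRoot");
          String ApplicationRoot = getServletContext().getRealPath("");
          log.debug("Servlet root = " + ApplicationRoot);

          log.debug("Getting Parameters");
          // Logged without toString() so that a missing parameter reaches the validation below
          // instead of failing with a NullPointerException and the generic error page
          String moduleId = request.getParameter("moduleId");
          log.debug("moduleId = " + moduleId);
          String solutionKey = request.getParameter("solutionKey");
          log.debug("solutionKey = " + solutionKey);

          log.debug("Getting session parameters");
          String userId = (String) ses.getAttribute("userStamp");
          String userName = (String) ses.getAttribute("userName");
          log.debug("userId = " + userId);

          // Validation
          notNull = (moduleId != null && solutionKey != null);
          if (notNull) {
            storedResult = Getter.getModuleResult(ApplicationRoot, moduleId);
          }
          if (notNull && storedResult != null) {
            boolean validKey = false;
            // Identify if solution is a user Specific key (Does it need to be decrypted?)
            if (Getter.getModuleKeyType(ApplicationRoot, moduleId)) {
              validKey = storedResult.compareTo(solutionKey) == 0;
            } else {
              String decryptedKey = "";
              try {
                // Encrypted Solution key,  must be decrypted before compare
                decryptedKey =
                    Hash.decryptUserSpecificSolution(
                        Validate.validateEncryptionKey(userName), solutionKey);
              } catch (Exception e) {
                log.error("Could not decrypt result key: " + e.toString());
                // Key likely could not be decrypted because somebody submitted a string that could
                // not be decrypted. This is a bad submission so they should be warned. The key stays
                // empty from this point, so the compare fails and the Bad Submission procedure runs.
              }
              // Add server solution salt to base key before compare with decrypted key
              storedResult += Hash.getCurrentSalt();
              validKey = storedResult.compareTo(decryptedKey) == 0;
              log.debug("Decrypted Submitted Key: " + decryptedKey);
              log.debug("Stored Expected Key    : " + storedResult);
            }
            if (validKey) {
              log.debug("Correct key submitted, checking that module not already completed");
              String result = Getter.checkPlayerResult(ApplicationRoot, moduleId, userId);
              if (result != null) {
                // If Feedback is enabled, the user must complete another step. This step is
                // continued in FeedbackSubmit.java
                if (FeedbackStatus.isEnabled()) {
                  log.debug("Returning Feedback Form for module: " + result);
                  out.write(
                      "<h2 class=\"title\">Solution Submission Success</h2><br>"
                          + "<p> You are one step away from completing <a>"
                          + encoder.encodeForHTML(result)
                          + "</a>! To complete the level please submit your feedback!"
                          + "</p><br/>"
                          + generateFeedbackForm(moduleId, (String) tokenParmeter, solutionKey));
                } else {
                  // Feedback is disabled
                  log.debug("Feedback is disabled, Marking as completed");
                  result =
                      Setter.updatePlayerResult(
                          ApplicationRoot, moduleId, userId, "Feedback is Disabled", 1, 1, 1);
                  if (result != null) {
                    ResourceBundle bundle =
                        ResourceBundle.getBundle(
                            "i18n.moduleGenerics.moduleNames",
                            new Locale(Validate.validateLanguage(request.getSession())));
                    String completedModuleLocalName = bundle.getString(result);
                    log.debug(
                        "Solution Submission for module " + completedModuleLocalName + " succeeded");
                    String htmlOutput =
                        "<h2 class=\"title\">Solution Submission Success</h2><br>"
                            + "<p>"
                            + completedModuleLocalName
                            + " completed! Congratulations.";
                    htmlOutput += "</p>";
                    // Refresh Side Menu
                    htmlOutput +=
                        FeedbackSubmit.refreshMenuScript(
                            encoder.encodeForHTML((String) tokenParmeter), "Refresh Error");
                    log.debug("Resetting user's Bad Submisison count to 0");
                    Setter.resetBadSubmission(ApplicationRoot, userId);
                    out.write(htmlOutput);
                  } else {
                    // Was stored in an unused string before; record it where it can be seen
                    log.error("Could not update user result");
                    out.print(
                        "<h2 class=\"title\">Solution Submission Failure</h2><br>"
                            + "<p><font color=\"red\">"
                            + "Sorry but an error Occurred!"
                            + "</font></p>");
                  }
                }
              } else {
                log.error("User has completed this module before. Returning Error");
                out.write(
                    "<h2 class=\"title\">Haven't You Done This Already?</h2><br>"
                        + "<p>"
                        + "Our records say you have already completed this module! Go try another one!"
                        + "</p>");
              }
            } else {
              log.error("Incorrect key submitted, returning error");
              out.print(
                  "<h2 class=\"title\">Solution Submission Failure</h2><br>"
                      + "<p><font color=\"red\">"
                      + "Incorrect Solution Key Submitted.<br><br>You have limited amounts of incorrect key submissions before you will loose 10% of your points. Contact the OWASP Security Shepherd if you think you have found the correct key but it is failing you."
                      + "</font></p>");

              // Every wrong key counts against the user; the counter is reset on a correct one
              log.error("Invoking Bad Submission procedure...");
              Setter.incrementBadSubmission(ApplicationRoot, userId);
              log.error(userName + " has been warned and potentially has lost points");
            }
          } else {
            // Validation Error Responses
            String errorMessage = "An Error Occurred: ";
            if (!notNull) {
              log.error("Null values detected");
              errorMessage += "Invalid Request. Please try again";
            } else if (storedResult == null) {
              log.error("Module not found");
              errorMessage += "Module Not Found. Please try again";
            }
            out.print(
                "<h2 class=\"title\">Solution Submission Failure</h2><br>"
                    + "<p><font color=\"red\">"
                    + encoder.encodeForHTML(errorMessage)
                    + "</font><p>");
          }
        } catch (Exception e) {
          log.error("Solution Submission Error: " + e.toString());
          out.print(
              "<h2 class=\"title\">Solution Submission Failure</h2><br>"
                  + "<p>"
                  + "<font color=\"red\">An error Occurred! Please try again.</font>"
                  + "<p>");
        }
      } else {
        log.debug("CSRF Tokens did not match");
        out.print(
            "<h2 class=\"title\">Solution Submission Failure</h2><br>"
                + "<p>"
                + "<font color=\"red\">An error Occurred! Please try again.</font>"
                + "<p>");
      }
    } else {
      out.print(
          "<h2 class=\"title\">Solution Submission Failure</h2><br>"
              + "<p>"
              + "<font color=\"red\">An error Occurred! Please Log in!</font>"
              + "<p>");
    }
    log.debug("&&& END SolutionSubmit &&&");
  }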
  /**
   * Shopping cart addition algorithm is vulnerable to integer overflow. If the cost is high enough,
   * the final value will go negative.
   *
   * <p>Training challenge: quantities and costs are kept as {@code int} on purpose, so a large
   * enough order wraps the total negative. A non-positive total that still contains trolls is the
   * win condition and releases the user's level solution. Any other failure while reading or
   * pricing the order (missing or non-numeric parameter, rejected amount, missing bundle key) is
   * reported as a bad order rather than surfaced to the caller.
   *
   * @param megustaAmount Quantity of "me gusta" items, as a decimal integer
   * @param trollAmount Quantity of "troll" items, as a decimal integer
   * @param rageAmount Quantity of "rage" items, as a decimal integer
   * @param notBadAmount Quantity of "not bad" items, as a decimal integer
   */
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Record the remote address (and the proxy-supplied original, if any) for the log context
    ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));
    HttpSession ses = request.getSession(true);
    if (!Validate.validateSession(ses)) {
      log.error(levelName + " servlet accessed with no session");
      return;
    }

    // Translation Stuff
    Locale locale = new Locale(Validate.validateLanguage(request.getSession()));
    ResourceBundle bundle =
        ResourceBundle.getBundle(
            "i18n.servlets.challenges.poorValidation.poorValidationStrings", locale);

    String currentUser = ses.getAttribute("userName").toString();
    ShepherdLogManager.setRequestIp(
        request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), currentUser);
    log.debug(levelName + " servlet accessed by: " + currentUser);
    PrintWriter out = response.getWriter();
    out.print(getServletInfo());

    String htmlOutput = "";
    try {
      // Each quantity is parsed, passed through validateAmount and logged before the next one
      int megusta = validateAmount(Integer.parseInt(request.getParameter("megustaAmount")));
      log.debug("megustaAmount - " + megusta);
      int troll = validateAmount(Integer.parseInt(request.getParameter("trollAmount")));
      log.debug("trollAmount - " + troll);
      int rage = validateAmount(Integer.parseInt(request.getParameter("rageAmount")));
      log.debug("rageAmount - " + rage);
      int notBad = validateAmount(Integer.parseInt(request.getParameter("notBadAmount")));
      log.debug("notBadAmount - " + notBad);

      // Work Out Final Cost. Plain int arithmetic: this wrap-around is what the level teaches.
      int finalCost = megusta * 30 + rage * 45 + notBad * 15 + troll * 3000;

      // Output Order
      StringBuilder order = new StringBuilder();
      order
          .append("<h3 class='title'>")
          .append(bundle.getString("poorValidation.orderComplete"))
          .append("</h3>")
          .append("<p>")
          .append(bundle.getString("poorValidation.orderComplete.message"))
          .append("</p><br/>")
          .append("<p>")
          .append(bundle.getString("poorValidation.orderTotal"))
          .append(" <a><strong>$")
          .append(finalCost)
          .append("</strong></a></p>");
      htmlOutput = order.toString();

      // Wrapped total with trolls in the basket: hand out the per-user solution key
      if (finalCost <= 0 && troll > 0) {
        htmlOutput +=
            "<br><p>"
                + bundle.getString("poorValidation.freeTrolls")
                + " - "
                + Hash.generateUserSolution(levelSolution, currentUser)
                + "</p>";
      }
    } catch (Exception e) {
      // Whatever was built so far is kept and the bad-order notice is appended to it
      log.debug("Didn't complete order: " + e.toString());
      htmlOutput += "<p>" + bundle.getString("poorValidation.badOrder") + "</p>";
    }

    // One-second pause before replying, kept as in the original.
    // NOTE(review): an InterruptedException is only logged; the interrupt flag is not restored.
    try {
      Thread.sleep(1000);
    } catch (Exception e) {
      log.error("Failed to Pause: " + e.toString());
    }
    out.write(htmlOutput);
  }
  /**
   * Uses user input in an insecure fashion when executing queries in database. Vulnerable to SQL
   * injection.
   *
   * <p>Lesson servlet: {@code aUserName} is passed to {@code getSqlInjectionResult} unchanged and
   * the rows that come back are rendered as an HTML table. Rows are read from index 0 up to the
   * first empty slot or the end of the array; a first cell of {@code "error"} renders the error text
   * in the second cell instead, and a {@code null} first cell renders "no results".
   *
   * <p>NOTE(review): result cells are concatenated into the page without HTML encoding. The
   * exercise is the query, not the rendering, so encoding the output would not change the lesson —
   * confirm before tightening it.
   *
   * @param aUserName User submitted filter for database results
   */
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));
    PrintWriter out = response.getWriter();
    out.print(getServletInfo());

    // Translation Stuff (outside the try: a missing bundle propagates to the container
    // instead of being reported through the "funky" error text below)
    Locale locale = new Locale(Validate.validateLanguage(request.getSession()));
    ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale);
    ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.sqlInjection", locale);

    try {
      HttpSession ses = request.getSession(true);
      if (!Validate.validateSession(ses)) {
        log.error(levelName + " accessed with no session");
        out.write(errors.getString("error.noSession"));
        return;
      }

      String currentUser = ses.getAttribute("userName").toString();
      ShepherdLogManager.setRequestIp(
          request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), currentUser);
      log.debug(levelName + " servlet accessed by: " + currentUser);

      String aUserName = request.getParameter("aUserName");
      log.debug("User Submitted - " + aUserName);
      String ApplicationRoot = getServletContext().getRealPath("");
      log.debug("Servlet root = " + ApplicationRoot);
      String[][] output = getSqlInjectionResult(ApplicationRoot, aUserName);
      log.debug("output returned. [0][0] is " + output[0][0]);

      StringBuilder html = new StringBuilder();
      html.append("<h2 class='title'>")
          .append(bundle.getString("response.searchResults"))
          .append("</h2>");

      String firstCell = output[0][0];
      if (firstCell == null) {
        html.append("<p>").append(bundle.getString("response.noResults")).append("</p>");
      } else if (firstCell.equalsIgnoreCase("error")) {
        log.debug("Setting Error Message");
        html.append("<p>")
            .append(errors.getString("error.detected"))
            .append("</p>")
            .append("<p>")
            .append(output[0][1])
            .append("</p>");
      } else {
        log.debug("Adding table");
        log.debug("outputLength = " + output.length);
        html.append("<table><tr><th>")
            .append(bundle.getString("response.userId"))
            .append("</th><th>")
            .append(bundle.getString("response.userName"))
            .append("</th><th>")
            .append(bundle.getString("response.comment"))
            .append("</th></tr>");
        // The first row is known to be present here; stop at the array end or the first empty slot
        for (int row = 0; row < output.length && output[row][0] != null; row++) {
          log.debug("Adding User " + output[row][1]);
          html.append("<tr><td>")
              .append(output[row][0])
              .append("</td><td>")
              .append(output[row][1])
              .append("</td><td>")
              .append(output[row][2])
              .append("</td></tr>");
        }
        html.append("</table>");
      }
      log.debug("Outputting HTML");
      out.write(html.toString());
    } catch (Exception e) {
      // Anything that went wrong after the header was printed is reported generically
      out.write(errors.getString("error.funky"));
      log.fatal(levelName + " - " + e.toString());
    }
  }
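  /**
   * Initiated by index.jsp, getStarted.jsp. This changes a users password. If the user gets it
   * wrong 3 times in a row, they'll be locked out (This is handed by database)
   *
   * <p>Flow: the caller must hold a valid session and present a {@code csrfToken} parameter that
   * matches the token cookie. The new password must equal its confirmation, be non-empty, differ
   * from the current password and be between 5 and 512 characters long. The current password is
   * then re-verified with {@code Getter.authUser} before {@code Setter.updatePassword} runs and the
   * {@code ChangePassword} session flag is cleared. Failures leave their text in the
   * {@code errorMessage} session attribute. Every path ends in a redirect: login.jsp when there is
   * no valid session, index.jsp otherwise.
   *
   * <p>Changes from the previous revision: parameters are null-checked before they are
   * dereferenced (a missing field used to surface as an NPE in the outer catch); password
   * comparisons are case-sensitive, so a confirmation that differs only in case is rejected; the
   * response is redirected exactly once (a second {@code sendRedirect} on a committed response
   * throws {@code IllegalStateException}).
   *
   * @param csrfToken Anti-CSRF token; must match the token cookie
   * @param currentPassword User's current password
   * @param newPassword Submitted new password
   * @param passwordConfirmation Confirmation of the new password
   */
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Setting IpAddress To Log and taking header for original IP if forwarded from proxy
    ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));
    log.debug("*** servlets.ChangePassword ***");
    try {
      HttpSession ses = request.getSession(true);
      if (Validate.validateSession(ses)) {
        ShepherdLogManager.setRequestIp(
            request.getRemoteAddr(),
            request.getHeader("X-Forwarded-For"),
            ses.getAttribute("userName").toString());
        log.debug("Current User: " + ses.getAttribute("userName").toString());
        Cookie tokenCookie = Validate.getToken(request.getCookies());
        Object tokenParmeter = request.getParameter("csrfToken");
        if (Validate.validateTokens(tokenCookie, tokenParmeter)) {
          log.debug("Getting Parameters");
          String userName = (String) ses.getAttribute("userName");
          String currentPassword = request.getParameter("currentPassword");
          String newPassword = request.getParameter("newPassword");
          String passwordConfirm = request.getParameter("passwordConfirmation");
          String ApplicationRoot = getServletContext().getRealPath("");

          // Null checks first, then content checks. equals() rather than equalsIgnoreCase():
          // passwords are case-sensitive, so "Secret" confirmed as "secret" is a mismatch and
          // "secret" -> "SECRET" is a real change.
          boolean validData =
              currentPassword != null
                  && newPassword != null
                  && newPassword.equals(passwordConfirm)
                  && !newPassword.isEmpty();
          boolean passwordChange = validData && !currentPassword.equals(newPassword);
          boolean validPassword =
              validData && newPassword.length() > 4 && newPassword.length() <= 512;

          if (validData && passwordChange && validPassword) {
            log.debug("Validating Current Password");
            String user[] = Getter.authUser(ApplicationRoot, userName, currentPassword);
            if (user != null) {
              log.debug("User Credentials were good! Password Change gets the go ahead");
              Setter.updatePassword(ApplicationRoot, userName, currentPassword, newPassword);
              ses.setAttribute("ChangePassword", "false");
            } else {
              // Wrong current password (or an account the database has already locked); the
              // single redirect to index.jsp below shows the message
              log.error("Incorrect Password");
              ses.setAttribute("errorMessage", "Incorrect Password... Don't lock yourself out!");
            }
          } else if (!validData) {
            log.error("Bad Data Received");
            ses.setAttribute("errorMessage", "Invalid Request! Please try again.");
          } else if (!validPassword) {
            // NOTE(review): the previous revision sent this exact case (valid, changed, but too
            // short/long) to a logout redirect under an "account is locked" comment although no
            // lock state was checked; the length error is now reported instead — confirm this
            // matches the intended lockout UX.
            log.error("Invalid Password Submitted (Too Short/Long)");
            ses.setAttribute("errorMessage", "Invalid Password! Please try again.");
          } else {
            log.error("No password Change Detected");
            ses.setAttribute(
                "errorMessage", "You have to CHANGE your password! Please try again.");
          }
        } else {
          // Token mismatch: nothing is changed and no error text is set; caller lands on index.jsp
          log.error("CSRF Attack Detected");
        }
      } else {
        log.error("Change Password Function Called with no valid session");
        response.sendRedirect("login.jsp");
      }
    } catch (Exception e) {
      log.fatal("ChangePassword Error: " + e.toString());
    }
    log.debug("*** END ChangePassword ***");
    // The no-session branch has already redirected; redirecting a committed response would throw
    if (!response.isCommitted()) {
      response.sendRedirect("index.jsp");
    }
  }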
 /**
  * Records the request's addresses and then writes {@code theMessage} at debug level.
  *
  * <p>Order matters: {@code setRequestIp} runs before the log call, presumably so the logged line
  * carries the caller's address — confirm against setRequestIp's implementation.
  *
  * @param theIp remote address as reported by the container; passed through unchanged
  * @param theForwardedIp original client address from a proxy header (callers in this file pass the
  *     {@code X-Forwarded-For} header value), may be null
  * @param theMessage text to log at debug level
  */
 public static void logEvent(Object theIp, String theForwardedIp, String theMessage) {
   setRequestIp(theIp, theForwardedIp);
   log.debug(theMessage);
 }