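/**
 * Stores a new message-board post for the current user.
 *
 * <p>The title is HTML-encoded before it is stored; the message body is stored exactly as
 * submitted, because this board is the stored-XSS sink the lesson is built around (the body
 * is rendered back unencoded by {@link #makeCurrent}). The insert is parameterized, so the
 * user-supplied strings never become part of the SQL text.
 *
 * <p>A failure is reported to the user through the session message, except for the legacy
 * "No ResultSet was produced" driver complaint, which is ignored.
 *
 * @param s the current web session; supplies the request parameters, the user name and the
 *     database connection
 */
protected void addMessage(WebSession s) {
    PreparedStatement statement = null;
    try {
        String title = HtmlEncoder.encode(s.getParser().getRawParameter(TITLE, ""));
        String message = s.getParser().getRawParameter(MESSAGE, "");
        Connection connection = DatabaseUtilities.getConnection(s);

        String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )";
        statement = connection.prepareStatement(
            query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
        // NOTE(review): count is a field shared across requests and is read-then-incremented
        // without synchronization, so concurrent posts could be assigned the same num —
        // confirm whether the column is unique and whether that matters for the lesson.
        statement.setInt(1, count++);
        statement.setString(2, title);
        statement.setString(3, message);
        statement.setString(4, s.getUserName());
        statement.setString(5, this.getClass().getName());
        statement.execute();
    } catch (Exception e) {
        // ignore the empty resultset on the insert. The older comment about trapping SQL
        // injection errors here predates the parameterized query above; with bound
        // parameters those error cases cannot be reached through this method.
        // getMessage() may be null for some exceptions; treat that as a real failure
        // instead of dereferencing it.
        String detail = e.getMessage();
        if (detail == null || detail.indexOf("No ResultSet was produced") == -1) {
            s.setMessage(WebGoatI18N.get("CouldNotAddMessage"));
        }
        e.printStackTrace();
    } finally {
        // The connection comes from DatabaseUtilities and is left open, as before
        // (presumably it is owned by the session — confirm); the statement is ours to release.
        if (statement != null) {
            try {
                statement.close();
            } catch (Exception ignored) {
                // nothing useful left to do: the insert has already run or been reported
            }
        }
    }
}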
/**
 * Builds the page body for the current request.
 *
 * <p>A logout request clears the session cookies and shows the login form. Otherwise the
 * user is resolved from the cookie first and from the request parameters second; if neither
 * yields a non-empty user name, the login form is shown. A failure in either lookup is
 * reported through the session message and also falls through to the login form.
 *
 * <p>NOTE(review): how strictly {@code checkCookie} validates the cookie value is decided
 * outside this block; that validation is what makes the cookie path trustworthy.
 *
 * @param s the current web session
 * @return the element to render: the user page or the login form
 */
protected Element createContent(WebSession s) {
    if (s.getParser().getBooleanParameter(LOGOUT, false)) {
        s.setMessage("Goodbye! Your password has been forgotten");
        s.eatCookies();
        return makeLogin(s);
    }

    try {
        // Cookie takes precedence over request parameters.
        String cookieUser = checkCookie(s);
        if (cookieUser != null && !cookieUser.isEmpty()) {
            return makeUser(s, cookieUser, "COOKIE");
        }

        String paramUser = checkParams(s);
        if (paramUser != null && !paramUser.isEmpty()) {
            return makeUser(s, paramUser, "PARAMETERS");
        }
    } catch (Exception e) {
        s.setMessage("Error generating " + this.getClass().getName());
        e.printStackTrace();
    }

    return makeLogin(s);
}
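/**
 * Renders the message selected by the {@code NUMBER} parameter, or an empty container when
 * no message number was supplied.
 *
 * <p>Messages are looked up by the caller's user-name root (see {@code getNameroot}), so
 * users chuck-1, chuck-2, ... share one board without seeing other users' posts. The title
 * and message body are written into the page without HTML encoding: this is the stored-XSS
 * sink the lesson is built around. The lesson is marked complete when the body contains
 * {@code <script>}, {@code </script>} and {@code alert} (case-insensitive substring check);
 * that heuristic only drives lesson progress and is not a security control.
 *
 * @param s the current web session; supplies the {@code NUMBER} parameter, the user name and
 *     the database connection
 * @return the container holding the rendered message, a "could not find" paragraph when a
 *     non-zero number matched nothing, or nothing at all
 */
protected Element makeCurrent(WebSession s) {
    ElementContainer ec = new ElementContainer();
    PreparedStatement statement = null;
    ResultSet results = null;
    try {
        int messageNum = s.getParser().getIntParameter(NUMBER, 0);
        Connection connection = DatabaseUtilities.getConnection(s);

        // edit by Chuck Willis - Added logic to associate similar usernames
        // The idea is that users chuck-1, chuck-2, etc will see each other's messages
        // but not anyone elses. This allows users to try out XSS to grab another user's
        // cookies, but not get confused by other users scripts
        String query =
            "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
        statement = connection.prepareStatement(
            query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
        statement.setString(1, getNameroot(s.getUserName()) + "%");
        statement.setInt(2, messageNum);
        statement.setString(3, this.getClass().getName());
        results = statement.executeQuery();

        if (results != null && results.first()) {
            String title = results.getString(TITLE_COL);
            String messageData = results.getString(MESSAGE_COL);

            ec.addElement(new H1(WebGoatI18N.get("MessageContentsFor") + ": " + title));

            Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);

            TR row1 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Title") + ":"))));
            row1.addElement(new TD(new StringElement(title)));
            t.addElement(row1);

            TR row2 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Message") + ":"))));
            row2.addElement(new TD(new StringElement(messageData)));
            t.addElement(row2);

            // Edited by Chuck Willis - added display of the user who posted the message, so
            // that if users use a cross site request forgery or XSS to make another user
            // post a message, they can see that the message is attributed to that user
            TR row3 = new TR(new TD(new StringElement(WebGoatI18N.get("PostedBy") + ":")));
            row3.addElement(new TD(new StringElement(results.getString(USER_COL))));
            t.addElement(row3);

            ec.addElement(t);

            // Lesson-completion heuristic; a null body (nullable column) simply never passes.
            if (messageData != null && looksLikeAlertScript(messageData)) {
                makeSuccess(s);
            }
        } else if (messageNum != 0) {
            ec.addElement(new P().addElement(WebGoatI18N.get("CouldNotFindMessage") + messageNum));
        }
    } catch (Exception e) {
        s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
        e.printStackTrace();
    } finally {
        // The connection comes from DatabaseUtilities and is left open, as before
        // (presumably session-owned — confirm); the result set and statement are ours.
        if (results != null) {
            try {
                results.close();
            } catch (Exception ignored) {
                // the page is already built; a close failure changes nothing for the user
            }
        }
        if (statement != null) {
            try {
                statement.close();
            } catch (Exception ignored) {
                // same as above
            }
        }
    }
    return ec;
}

/**
 * Sanity check that the posted body may be a working script: it must contain an opening and
 * a closing script tag and the word "alert", compared case-insensitively.
 *
 * @param messageData the stored message body, never null
 * @return true when all three markers are present
 */
private static boolean looksLikeAlertScript(String messageData) {
    String lower = messageData.toLowerCase();
    return lower.indexOf("<script>") != -1
        && lower.indexOf("</script>") != -1
        && lower.indexOf("alert") != -1;
}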