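  /**
   * Inserts a new row into the {@code messages} table for the current user.
   *
   * <p>The title is HTML-encoded before it is stored; the message body is taken from the
   * {@code MESSAGE} request parameter as-is and stored without encoding (the lesson page renders
   * it later). The row id comes from the {@code count} field, which is incremented on every call
   * (presumably a class-level counter shared across requests; declared outside this method).
   *
   * <p>The prepared statement is closed by try-with-resources. The connection comes from
   * {@code DatabaseUtilities} and is deliberately not closed here, matching the previous
   * ownership.
   *
   * @param s the current session; supplies the request parameters, the user name and the
   *     database connection
   */
  protected void addMessage(WebSession s) {
    try {
      String title = HtmlEncoder.encode(s.getParser().getRawParameter(TITLE, ""));
      String message = s.getParser().getRawParameter(MESSAGE, "");

      Connection connection = DatabaseUtilities.getConnection(s);

      String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )";

      try (PreparedStatement statement =
          connection.prepareStatement(
              query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {
        statement.setInt(1, count++);
        statement.setString(2, title);
        statement.setString(3, message);
        statement.setString(4, s.getUserName());
        statement.setString(5, this.getClass().getName());
        statement.execute();
      }
    } catch (Exception e) {
      // ignore the empty resultset on the insert. There are a few more SQL Injection errors
      // that could be trapped here but we will let them try. One error would be something
      // like "Characters found after end of SQL statement."
      //
      // getMessage() can be null (e.g. for a NullPointerException); the previous indexOf()
      // call would then throw a second exception from inside this handler, so guard it.
      String reason = e.getMessage();
      if (reason == null || !reason.contains("No ResultSet was produced")) {
        s.setMessage(WebGoatI18N.get("CouldNotAddMessage"));
      }
      e.printStackTrace();
    }
  }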
  /**
   * Builds the content for this screen: the login form or the logged-in user view.
   *
   * <p>A {@code LOGOUT} request clears the session cookies and shows the login form. Otherwise
   * the user is resolved from the cookie first and from the request parameters second; the first
   * lookup yielding a non-empty name decides the view. Any exception from the lookups records an
   * error message on the session and falls through to the login form.
   *
   * @param s the current session
   * @return the element tree to render
   */
  protected Element createContent(WebSession s) {
    if (s.getParser().getBooleanParameter(LOGOUT, false)) {
      s.setMessage("Goodbye!  Your password has been forgotten");
      s.eatCookies();
      return makeLogin(s);
    }

    try {
      String cookieUser = checkCookie(s);
      if (cookieUser != null && !cookieUser.isEmpty()) {
        return makeUser(s, cookieUser, "COOKIE");
      }

      String paramUser = checkParams(s);
      if (paramUser != null && !paramUser.isEmpty()) {
        return makeUser(s, paramUser, "PARAMETERS");
      }
    } catch (Exception e) {
      s.setMessage("Error generating " + this.getClass().getName());
      e.printStackTrace();
    }

    return makeLogin(s);
  }
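  /**
   * Renders the message selected by the {@code NUMBER} request parameter, if it belongs to a user
   * sharing the current user's name root.
   *
   * <p>The lookup uses {@code user_name LIKE <nameroot>%}, so users such as chuck-1 and chuck-2
   * see each other's messages but nobody else's. Title, body and poster are rendered as plain
   * {@code StringElement}s, i.e. without HTML encoding, which is what this lesson exercises. A
   * body containing {@code <script>}, {@code </script>} and {@code alert} (case-insensitive)
   * marks the lesson as completed via {@code makeSuccess}.
   *
   * <p>Statement and result set are closed by try-with-resources. The connection from
   * {@code DatabaseUtilities} is left open, as before.
   *
   * @param s the current session
   * @return the container holding the rendered message; a "could not find" paragraph when a
   *     non-zero number matched nothing; otherwise an empty container
   */
  protected Element makeCurrent(WebSession s) {
    ElementContainer ec = new ElementContainer();

    try {
      int messageNum = s.getParser().getIntParameter(NUMBER, 0);

      Connection connection = DatabaseUtilities.getConnection(s);

      // edit by Chuck Willis - Added logic to associate similar usernames
      // The idea is that users chuck-1, chuck-2, etc will see each other's messages
      // but not anyone elses. This allows users to try out XSS to grab another user's
      // cookies, but not get confused by other users scripts

      String query =
          "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
      try (PreparedStatement statement =
          connection.prepareStatement(
              query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {
        statement.setString(1, getNameroot(s.getUserName()) + "%");
        statement.setInt(2, messageNum);
        statement.setString(3, this.getClass().getName());

        // executeQuery() never returns null under the JDBC contract, so no null check is needed.
        try (ResultSet results = statement.executeQuery()) {
          if (results.first()) {
            ec.addElement(
                new H1(
                    WebGoatI18N.get("MessageContentsFor") + ": " + results.getString(TITLE_COL)));
            Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
            TR row1 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Title") + ":"))));
            row1.addElement(new TD(new StringElement(results.getString(TITLE_COL))));
            t.addElement(row1);

            String messageData = results.getString(MESSAGE_COL);
            TR row2 = new TR(new TD(new B(new StringElement(WebGoatI18N.get("Message") + ":"))));
            row2.addElement(new TD(new StringElement(messageData)));
            t.addElement(row2);

            // Edited by Chuck Willis - added display of the user who posted the message, so
            // that if users use a cross site request forgery or XSS to make another user post
            // a message, they can see that the message is attributed to that user
            TR row3 = new TR(new TD(new StringElement(WebGoatI18N.get("PostedBy") + ":")));
            row3.addElement(new TD(new StringElement(results.getString(USER_COL))));
            t.addElement(row3);

            ec.addElement(t);

            // Some sanity checks that the script may be correct. Lower-case once instead of
            // three times; a null body still fails here exactly as before (caught below).
            String lowered = messageData.toLowerCase();
            if (lowered.contains("<script>")
                && lowered.contains("</script>")
                && lowered.contains("alert")) {
              makeSuccess(s);
            }
          } else if (messageNum != 0) {
            ec.addElement(
                new P().addElement(WebGoatI18N.get("CouldNotFindMessage") + messageNum));
          }
        }
      }
    } catch (Exception e) {
      s.setMessage(WebGoatI18N.get("ErrorGenerating") + this.getClass().getName());
      e.printStackTrace();
    }

    return ec;
  }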