diff --git a/README.MD b/README.MD index cd4392434d..c2567610cc 100644 --- a/README.MD +++ b/README.MD @@ -1,3 +1,6 @@ + +Report for assignment is on [THIS WIKI](https://github.com/alifanuraniputri/WebGoat/wiki/Report-of-Final-Assignment-IF5192-Secure-Programming) + # WebGoat: A deliberately insecure Web Application [![Build Status](https://travis-ci.org/WebGoat/WebGoat.svg)](https://travis-ci.org/WebGoat/WebGoat) diff --git a/screenshots/bugs.PNG b/screenshots/bugs.PNG new file mode 100644 index 0000000000..ce776e6a33 Binary files /dev/null and b/screenshots/bugs.PNG differ diff --git a/screenshots/setting.PNG b/screenshots/setting.PNG new file mode 100644 index 0000000000..1f1e6172b8 Binary files /dev/null and b/screenshots/setting.PNG differ diff --git a/webgoat-container/src/WebGoat - Shortcut.lnk b/webgoat-container/src/WebGoat - Shortcut.lnk new file mode 100644 index 0000000000..f7ef8457d5 Binary files /dev/null and b/webgoat-container/src/WebGoat - Shortcut.lnk differ diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java b/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java index 70522a37fe..4714c0851b 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java @@ -75,6 +75,7 @@ public class HammerHead extends HttpServlet { /** * Description of the Field */ + // ISSUE 5 protected static SimpleDateFormat httpDateFormat; /** diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java index 391edbeab7..ccd095e7fb 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java 
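Review bot: The added `// ISSUE 5` marker above `httpDateFormat` records a number but not the finding, so a reader still cannot tell why an unchanged line is flagged; `SimpleDateFormat` is not thread-safe, and this is a shared `static` instance in a class that extends `HttpServlet`, where every request thread can reach it. Either fix it — replace the field with an immutable `java.time.DateTimeFormatter` held in a `static final` field, or synchronize each `format`/`parse` call on it — or at least make the comment say so: `// ISSUE 5: SimpleDateFormat is not thread-safe and this static instance is shared by all request threads; migrate to DateTimeFormatter (immutable) or guard each use.` The same bare markers are added in Course.java (`//ISSUE 4` above `PROPERTIES_FILENAME = HammerHead.propertiesPath`) and Screen.java (`// ISSUE 6` above `public static int MAIN_SIZE = 375`, a mutable public static); each should state the problem it refers to and preferably carry the fix (for `MAIN_SIZE`, `public static final int MAIN_SIZE = 375;` if nothing assigns it) rather than only a ticket number.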
@@ -1,5 +1,21 @@ package org.owasp.webgoat.lessons; +import java.io.BufferedReader; +import java.io.FileNotFoundException; +import java.io.FileReader; +import java.io.InputStreamReader; +import java.io.StringReader; +import java.net.HttpURLConnection; +import java.net.URL; +import java.sql.PreparedStatement; +import java.sql.ResultSet; +import java.sql.SQLException; +import java.sql.Statement; +import java.util.HashMap; +import java.util.LinkedList; +import java.util.List; +import java.util.Map; + import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; @@ -20,21 +36,6 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import java.io.BufferedReader; -import java.io.FileNotFoundException; -import java.io.FileReader; -import java.io.InputStreamReader; -import java.io.StringReader; -import java.net.HttpURLConnection; -import java.net.URL; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; -import java.util.HashMap; -import java.util.LinkedList; -import java.util.List; -import java.util.Map; - /** ************************************************************************************************* * 
@@ -724,11 +725,16 @@ public boolean isAuthorized(WebSession s, String role, String functionId) { logger.info("Checking if " + role + " authorized for: " + functionId); boolean authorized = false; try { - String query = "SELECT * FROM auth WHERE role = '" + role + "' and functionid = '" + functionId + "'"; + String query = "SELECT * FROM auth WHERE role = ? and functionid = ?"; try { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); + + //ISSUE 3 + PreparedStatement updateemp = WebSession.getConnection(s).prepareStatement + (query); + updateemp.setString(1,role); + updateemp.setString(2,functionId); + + ResultSet answer_results = updateemp.executeQuery(); authorized = answer_results.first(); logger.info("authorized: " + authorized); } catch (SQLException sqle) { diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java index 3a41fcded5..0f28ef9d40 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java @@ -67,6 +67,7 @@ public class Course { private final List lessons = new LinkedList(); + //ISSUE 4 private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath; private WebgoatProperties properties = null; diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java index 0d6ceef2f1..2e53f6b73b 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java 
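Review bot: The new `prepareStatement(query)` drops the `ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY` arguments that the removed `createStatement` call passed, yet the unchanged line below still calls `answer_results.first()`, which the JDBC contract defines as throwing `SQLException` on a `TYPE_FORWARD_ONLY` result set; the `catch (SQLException sqle)` that follows would swallow that, and `isAuthorized` would answer false for every role on a driver that enforces the contract, so either pass the same two constants to `prepareStatement` or replace `first()` with `next()`. The `PreparedStatement` and its `ResultSet` are also never closed — the removed code leaked them too, but try-with-resources (Java 7+) now makes closing them trivial. `updateemp` is a misleading name for a statement that reads the `auth` table; the parameterized lookup itself is the right replacement for the string-built `role`/`functionId` query. `isAuthorized` continues past the end of the hunk.
```java
String query = "SELECT * FROM auth WHERE role = ? and functionid = ?";
// Keep the scrollable, read-only result set type the removed createStatement
// call requested: answer_results.first() below is only defined for it.
try (PreparedStatement authLookup = WebSession.getConnection(s).prepareStatement(
        query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {
    authLookup.setString(1, role);
    authLookup.setString(2, functionId);
    try (ResultSet answer_results = authLookup.executeQuery()) {
        authorized = answer_results.first();
        logger.info("authorized: " + authorized);
    }
} catch (SQLException sqle) {
    // … unchanged: existing SQLException handling …
```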
@@ -2,6 +2,7 @@ package org.owasp.webgoat.session; import java.sql.Connection; +import java.sql.PreparedStatement; import java.sql.SQLException; import java.sql.Statement; import org.owasp.webgoat.lessons.AbstractLesson; @@ -953,6 +954,7 @@ private void createOwnershipTable(Connection connection) throws SQLException /** * Start creation of data for WebServices labs */ + private void createTransactionTable(Connection connection) throws SQLException { @@ -980,6 +982,8 @@ private void createTransactionTable(Connection connection) throws SQLException System.out.println("Error: unable to create transactions table: " + e.getLocalizedMessage()); throw e; } + + String[] data = new String[] { "'dave', 0, '238-4723-4024', '324-7635-9867', '2008-02-06 21:40:00', 'Mortgage', '150'", @@ -995,7 +999,10 @@ private void createTransactionTable(Connection connection) throws SQLException { for (int i = 0; i < data.length; i++) { - statement.executeUpdate("INSERT INTO Transactions VALUES (" + data[i] + ");"); + PreparedStatement prep = connection.prepareStatement + ("INSERT INTO Transactions VALUES ( ? );"); + prep.setString(1,data[i]); + prep.executeQuery(); } } catch (SQLException sqle) { diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java index 79b56858c0..725298183e 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java @@ -1,6 +1,9 @@ package org.owasp.webgoat.session; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; import java.io.IOException; import java.sql.Connection; import java.sql.DriverManager; 
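Review bot: Binding the whole row literal as one parameter breaks the seeding of `Transactions`: each `data[i]` is a complete comma-separated list of seven column values (`'dave', 0, '238-4723-4024', …`), so `prep.setString(1, data[i])` sends it as a single string value for a seven-column `INSERT`, which the database will reject (or at best store in one column) rather than parse into columns. `executeQuery()` is also the wrong method for an `INSERT`; JDBC defines it for statements that produce a result set and allows drivers to throw on DML, so it should be `executeUpdate()`. The `PreparedStatement` is additionally created on every loop iteration and never closed. Because `data` is a hard-coded constant array and not request input, the removed `statement.executeUpdate("INSERT INTO Transactions VALUES (" + data[i] + ");")` was not an injection sink; restore it, or, if a genuinely parameterized insert is the goal, split each row into its seven values and bind them to `VALUES (?, ?, ?, ?, ?, ?, ?)` with a single prepared statement created outside the loop. The surrounding `try` and the `statement` variable are defined outside the hunk.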
@@ -9,6 +12,8 @@ import java.sql.SQLException; import java.util.HashMap; import java.util.Map; +import java.util.Properties; + import org.apache.ecs.MultiPartElement; import org.apache.ecs.html.B; import org.apache.ecs.html.TD; @@ -131,7 +136,14 @@ private static Connection getHsqldbConnection(String user, WebgoatContext contex SQLException { String url = context.getDatabaseConnectionString().replaceAll("\\$\\{USER\\}", user); - return DriverManager.getConnection(url, "sa", ""); + + //ISSUE 1 + + Properties info = new Properties( ); + info.put( "username", "sa" ); + info.put( "password", "" ); + + return DriverManager.getConnection(url, info); } /** diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/Screen.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/Screen.java index 40bc3a6d18..f20760aa0c 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/Screen.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/Screen.java @@ -50,6 +50,7 @@ public abstract class Screen { /** * Description of the Field */ + // ISSUE 6 public static int MAIN_SIZE = 375; // private Head head; diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/UserDatabase.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/UserDatabase.java index 25867223ca..18680ebe49 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/UserDatabase.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/UserDatabase.java @@ -3,6 +3,7 @@ import java.sql.*; import java.util.ArrayList; import java.util.Iterator; +import java.util.Properties; import java.io.File; class UserDatabase { 
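Review bot: The `Properties` passed to `DriverManager.getConnection(url, info)` uses the key `"username"`, but the JDBC driver-properties convention — and what the removed three-argument overload puts into the map — is `"user"`, so the `sa` user name is never seen by the driver and the connection is attempted without it (what the driver then does is driver-specific); change the two lines to `info.setProperty("user", "sa");` and `info.setProperty("password", "");`. The rewrite does not change the security posture either way — the `sa` credentials and empty password are still hard-coded in source, only moved into a `Properties` object — so the `//ISSUE 1` marker should say what was actually intended (for example, externalizing the credentials into configuration) rather than only a number. The same `"username"` key is used in `UserDatabase.open()` (`//ISSUE 2`, connecting as `webgoat_admin`), which needs the same correction. The newly imported `java.io.File`, `FileInputStream` and `FileNotFoundException` are not used by any visible change.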
@@ -18,7 +19,7 @@ class UserDatabase { private final String QUERY_ALL_USERS = "SELECT username FROM users;"; private final String QUERY_ALL_ROLES_FOR_USERNAME = "SELECT rolename FROM roles, user_roles, users WHERE roles.id = user_roles.role_id AND user_roles.user_id = users.id AND users.username = ?;"; - private final String QUERY_TABLE_COUNT = "SELECT count(id) AS count FROM table;"; + private final String QUERY_TABLE_COUNT = "SELECT count(id) AS count FROM ?;"; private final String DELETE_ALL_ROLES_FOR_USER = "DELETE FROM user_roles WHERE user_id IN (SELECT id FROM users WHERE username = ?);"; private final String DELETE_USER = "DELETE FROM users WHERE username = ?;"; @@ -48,7 +49,13 @@ public boolean open() { try { if (userDB == null || userDB.isClosed()) { Class.forName("org.h2.Driver"); - userDB = DriverManager.getConnection(USER_DB_URI, "webgoat_admin", ""); + + //ISSUE 2 + + Properties info = new Properties( ); + info.put( "username", "webgoat_admin" ); + info.put( "password", "" ); + userDB = DriverManager.getConnection(USER_DB_URI, info); } } catch (SQLException e) { e.printStackTrace(); @@ -86,13 +93,14 @@ public int getTableCount(String tableName) { int count = 0; try { open(); - Statement statement = userDB.createStatement(); - ResultSet countResult = statement.executeQuery(QUERY_TABLE_COUNT.replace("table", tableName)); + PreparedStatement prep = userDB.prepareStatement(QUERY_TABLE_COUNT); + prep.setString(1, tableName); + ResultSet countResult = prep.executeQuery(); if (countResult.next()) { count = countResult.getInt("count"); } countResult.close(); - statement.close(); + prep.close(); close(); } catch (SQLException e) { e.printStackTrace(); diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/lessons/AbstractLessonTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/lessons/AbstractLessonTest.java index 82b74e34b0..271b1a5175 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/lessons/AbstractLessonTest.java 
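Review bot: `SELECT count(id) AS count FROM ?;` cannot work: a JDBC `?` placeholder stands only for a value, never for a table or column identifier, so `prepareStatement(QUERY_TABLE_COUNT)` in the `getTableCount` hunk below will fail at prepare time or, on a lenient driver, bind `tableName` as a string literal and still fail, after which the `catch` prints the stack trace and `getTableCount` returns 0 for every table. The way to make a caller-supplied identifier safe is to validate it rather than bind it — against an allow-list of the tables this class owns, or at minimum a strict identifier pattern — and then splice it into the constant query; the old `replace("table", tableName)` was also fragile because it rewrites every occurrence of the word `table`, so a `%s` placeholder with `String.format` is clearer. If the project builds on Java 9 or later, `Statement.enquoteIdentifier` is a further option. `getTableCount` continues past the end of its hunk.
```java
private final String QUERY_TABLE_COUNT = "SELECT count(id) AS count FROM %s;";
// Identifiers cannot be bound as '?' parameters; only a plain SQL identifier
// may ever be spliced into QUERY_TABLE_COUNT.
private static final String SQL_IDENTIFIER = "[A-Za-z_][A-Za-z0-9_]*";

// … unchanged: remaining query constants, open()/close() …

public int getTableCount(String tableName) {
    if (tableName == null || !tableName.matches(SQL_IDENTIFIER)) {
        throw new IllegalArgumentException("Not a valid table name: " + tableName);
    }
    int count = 0;
    try {
        open();
        Statement statement = userDB.createStatement();
        ResultSet countResult = statement.executeQuery(String.format(QUERY_TABLE_COUNT, tableName));
        // … unchanged: read "count", close countResult and statement, close(), catch …
```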
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/lessons/AbstractLessonTest.java @@ -1,16 +1,16 @@ package org.owasp.webgoat.lessons; +import static org.junit.Assert.*; + +import java.util.Arrays; +import java.util.List; + import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.hamcrest.CoreMatchers; import org.junit.Test; import org.owasp.webgoat.session.WebSession; -import java.util.Arrays; -import java.util.List; - -import static org.junit.Assert.assertThat; - public class AbstractLessonTest { private AbstractLesson lesson = new AbstractLesson() { @@ -57,6 +57,19 @@ public void testLinks() { assertThat(srvLink, CoreMatchers.startsWith("attack?Screen=")); assertThat(srvLink, CoreMatchers.endsWith("&menu=900")); } + /* + @Test + public void tesIsAuthorized() { + WebSession s = null; + boolean auth = lesson.isAuthorized(s, "a OR 1=1", "a OR 1=1"); + assertEquals(auth, false); + + auth = lesson.isAuthorized(s, "", ""); + assertEquals(auth, false); + + auth = lesson.isAuthorized(s, " ", " "); + assertEquals(auth, false); + } */ } diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/lessons/AbstractLessonTestTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/lessons/AbstractLessonTestTest.java new file mode 100644 index 0000000000..21c9385eca --- /dev/null +++ b/webgoat-container/src/test/java/org/owasp/webgoat/lessons/AbstractLessonTestTest.java @@ -0,0 +1,14 @@ +package org.owasp.webgoat.lessons; + +import static org.junit.Assert.*; + +import org.junit.Test; + +public class AbstractLessonTestTest { + + @Test + public void test() { + fail("Not yet implemented"); + } + +}
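Review bot: The added `tesIsAuthorized` is committed entirely inside a `/* … */` block, so it records an intent but never runs, and the build gives no signal if `isAuthorized` regresses; commented-out code should not land — either make it executable or leave it out. As written it would not pass even when uncommented: `WebSession s = null` means `WebSession.getConnection(s)` is reached with no session (what that does is outside this diff), `assertEquals(auth, false)` has the arguments reversed (JUnit takes `expected` first, which only affects the failure message but is the convention the other assertions here follow), and the name is missing a letter (`testIsAuthorized`). Exercising the now-parameterized `auth` lookup with inputs such as `a OR 1=1` is worthwhile, but it needs a `WebSession` backed by an in-memory database to mean anything, and that fixture is the missing piece. The class continues outside the hunk.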
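Review bot: `AbstractLessonTestTest.test()` is a generated stub whose only statement is `fail("Not yet implemented")`, so committing it makes the module's test phase fail on every build (or, where tests are skipped, adds a permanently red test that everyone learns to ignore). Either implement the case it was meant to hold or delete the file; if a placeholder is really wanted, `@Ignore("not yet implemented")` on the method makes JUnit 4 report it as skipped rather than failed. The name also reads as a test of the test class (`AbstractLessonTest` + `Test`), which suggests the IDE wizard was pointed at the wrong class.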