From cf57dbfd7d5cf2d4f9d91d541ae88b995ecd87aa Mon Sep 17 00:00:00 2001 
From: Paul Date: Tue, 15 Mar 2022 22:54:41 +0000 Subject: [PATCH] Setting Google Styleguide and adding Contributing.md (#572) (#13) * Setting Google Styleguide and adding Contributing.md (#572) * applying Google code style * applying Google code style * fixing badge for test Co-authored-by: Mark Denihan --- CONTRIBUTING.md | 33 + README.md | 4 +- pom.xml | 4 +- .../org.eclipse.e4.workbench/workbench.xmi | 8752 +++++++++---- .../org.eclipse.jdt.ui/OpenTypeHistory.xml | 2 +- .../QualifiedTypeNameHistory.xml | 2 +- .../org.eclipse.jdt.ui/dialog_settings.xml | 15 +- .../dialog_settings.xml | 4 +- .../org.eclipse.ui.workbench/workingsets.xml | 5 +- .../mobshep/brokencrypto/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 69 +- .../mobshep/brokencrypto/BrokenCrypto.java | 443 +- .../java/com/mobshep/brokencrypto/Splash.java | 90 +- .../src/main/res/drawable-hdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-hdpi/green.xml | 56 +- .../app/src/main/res/drawable-hdpi/purple.xml | 56 +- .../src/main/res/drawable-ldpi/edittext.xml | 41 +- .../app/src/main/res/drawable-ldpi/green.xml | 56 +- .../app/src/main/res/drawable-ldpi/purple.xml | 56 +- .../src/main/res/drawable-mdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-mdpi/green.xml | 56 +- .../app/src/main/res/drawable-mdpi/purple.xml | 56 +- .../src/main/res/drawable-xhdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-xhdpi/green.xml | 56 +- .../src/main/res/drawable-xhdpi/purple.xml | 56 +- .../src/main/res/drawable-xxhdpi/edittext.xml | 41 +- .../src/main/res/drawable-xxhdpi/green.xml | 56 +- .../src/main/res/drawable-xxhdpi/purple.xml | 56 +- .../app/src/main/res/layout/broken.xml | 133 +- .../app/src/main/res/layout/splash.xml | 14 +- .../src/main/res/values-sw600dp/dimens.xml | 6 +- .../main/res/values-sw720dp-land/dimens.xml | 8 +- .../app/src/main/res/values-v11/styles.xml | 12 +- .../app/src/main/res/values-v14/styles.xml | 15 +- .../app/src/main/res/values/dimens.xml | 6 +- 
.../app/src/main/res/values/strings.xml | 14 +- .../app/src/main/res/values/styles.xml | 54 +- .../brokencrypto2/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 82 +- .../mobshep/brokencrypto1/BrokenCrypto1.java | 331 +- .../com/mobshep/brokencrypto1/Splash.java | 90 +- .../src/main/res/drawable-hdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-hdpi/green.xml | 56 +- .../app/src/main/res/drawable-hdpi/purple.xml | 56 +- .../src/main/res/drawable-ldpi/edittext.xml | 41 +- .../app/src/main/res/drawable-ldpi/green.xml | 56 +- .../app/src/main/res/drawable-ldpi/purple.xml | 56 +- .../src/main/res/drawable-xhdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-xhdpi/green.xml | 56 +- .../src/main/res/drawable-xhdpi/purple.xml | 56 +- .../src/main/res/drawable-xxhdpi/edittext.xml | 41 +- .../src/main/res/drawable-xxhdpi/green.xml | 56 +- .../src/main/res/drawable-xxhdpi/purple.xml | 56 +- .../app/src/main/res/layout/broken.xml | 101 +- .../app/src/main/res/layout/splash.xml | 14 +- .../app/src/main/res/menu/menu_main.xml | 10 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 10 +- .../app/src/main/res/values/styles.xml | 54 +- .../brokencrypto2/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 84 +- .../mobshep/brokencrypto2/BrokenCrypto2.java | 405 +- .../com/mobshep/brokencrypto2/Splash.java | 63 +- .../src/main/res/drawable-hdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-hdpi/green.xml | 56 +- .../app/src/main/res/drawable-hdpi/purple.xml | 56 +- .../src/main/res/drawable-ldpi/edittext.xml | 41 +- .../app/src/main/res/drawable-ldpi/green.xml | 56 +- .../app/src/main/res/drawable-ldpi/purple.xml | 56 +- .../src/main/res/drawable-xhdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-xhdpi/green.xml | 56 +- .../src/main/res/drawable-xhdpi/purple.xml | 56 +- .../src/main/res/drawable-xxhdpi/edittext.xml | 41 +- 
.../src/main/res/drawable-xxhdpi/green.xml | 56 +- .../src/main/res/drawable-xxhdpi/purple.xml | 56 +- .../app/src/main/res/drawable/button.xml | 56 +- .../app/src/main/res/drawable/edittext.xml | 41 +- .../app/src/main/res/layout/broken.xml | 86 +- .../app/src/main/res/layout/splash.xml | 14 +- .../app/src/main/res/menu/menu_main.xml | 10 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 10 +- .../app/src/main/res/values/styles.xml | 54 +- .../brokencrypto3/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 42 +- .../mobshep/brokencrypto3/BrokenCrypto3.java | 315 +- .../src/main/res/drawable-xxhdpi/button.xml | 56 +- .../app/src/main/res/drawable/box.xml | 48 +- .../app/src/main/res/drawable/button.xml | 56 +- .../app/src/main/res/drawable/edittext.xml | 41 +- .../res/layout/activity_broken_crypto3.xml | 59 +- .../src/main/res/menu/menu_broken_crypto4.xml | 20 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 10 +- .../app/src/main/res/values/styles.xml | 9 +- .../com/somewhere/hidden/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 40 +- .../com/somewhere/hidden/MainActivity.java | 32 +- .../com/somewhere/hidden/SecretProvider.java | 286 +- .../app/src/main/res/layout/activity_main.xml | 52 +- .../app/src/main/res/menu/menu_main.xml | 10 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 4 +- .../app/src/main/res/values/styles.xml | 9 +- .../app/src/main/res/xml/box.xml | 48 +- .../app/src/main/res/xml/button.xml | 56 +- .../app/src/main/res/xml/edittext.xml | 41 +- .../app/src/main/AndroidManifest.xml | 40 +- .../java/com/app/module/MainActivity.java | 33 +- .../main/java/com/app/module/mProvider.java | 286 +- 
.../app/src/main/res/layout/activity_main.xml | 52 +- .../app/src/main/res/menu/menu_main.xml | 10 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 4 +- .../app/src/main/res/values/styles.xml | 9 +- .../app/src/main/res/xml/box.xml | 48 +- .../app/src/main/res/xml/button.xml | 56 +- .../app/src/main/res/xml/edittext.xml | 41 +- .../java/com/mobshep/csinjection/CSITest.java | 79 +- .../app/src/main/AndroidManifest.xml | 97 +- .../com/mobshep/csinjection/CSInjection.java | 466 +- .../java/com/mobshep/csinjection/Splash.java | 104 +- .../app/src/main/res/drawable-hdpi/button.xml | 56 +- .../src/main/res/drawable-hdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-mdpi/button.xml | 56 +- .../src/main/res/drawable-mdpi/edittext.xml | 41 +- .../src/main/res/drawable-xhdpi/button.xml | 56 +- .../src/main/res/drawable-xhdpi/edittext.xml | 41 +- .../src/main/res/drawable-xxhdpi/button.xml | 56 +- .../src/main/res/drawable-xxhdpi/edittext.xml | 41 +- .../app/src/main/res/layout/csi.xml | 210 +- .../app/src/main/res/layout/splash.xml | 14 +- .../app/src/main/res/menu/menu_main.xml | 15 +- .../src/main/res/values-sw600dp/dimens.xml | 6 +- .../main/res/values-sw720dp-land/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 85 +- .../app/src/main/res/values/styles.xml | 54 +- .../mobshep/csinjection1/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 80 +- .../mobshep/csinjection1/CSInjection1.java | 487 +- .../java/com/mobshep/csinjection1/Splash.java | 88 +- .../app/src/main/res/drawable-hdpi/button.xml | 56 +- .../src/main/res/drawable-hdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-ldpi/button.xml | 56 +- .../src/main/res/drawable-ldpi/edittext.xml | 41 +- .../app/src/main/res/drawable-mdpi/button.xml | 56 +- .../src/main/res/drawable-mdpi/edittext.xml | 41 +- 
.../src/main/res/drawable-xhdpi/button.xml | 56 +- .../src/main/res/drawable-xhdpi/edittext.xml | 41 +- .../src/main/res/drawable-xxhdpi/button.xml | 56 +- .../src/main/res/drawable-xxhdpi/edittext.xml | 41 +- .../app/src/main/res/layout/csi.xml | 208 +- .../app/src/main/res/layout/splash.xml | 14 +- .../src/main/res/values-sw600dp/dimens.xml | 6 +- .../main/res/values-sw720dp-land/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 68 +- .../app/src/main/res/values/styles.xml | 54 +- .../mobshep/csinjection2/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 42 +- .../mobshep/csinjection2/CSInjection2.java | 435 +- .../app/src/main/res/drawable-hdpi/button.xml | 56 +- .../src/main/res/drawable-hdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-ldpi/button.xml | 56 +- .../src/main/res/drawable-ldpi/edittext.xml | 41 +- .../app/src/main/res/drawable-mdpi/button.xml | 56 +- .../src/main/res/drawable-mdpi/edittext.xml | 41 +- .../src/main/res/drawable-xhdpi/button.xml | 56 +- .../src/main/res/drawable-xhdpi/edittext.xml | 41 +- .../src/main/res/drawable-xxhdpi/button.xml | 56 +- .../src/main/res/drawable-xxhdpi/edittext.xml | 41 +- .../main/res/layout/activity_csinjection3.xml | 21 +- .../app/src/main/res/layout/csi.xml | 208 +- .../src/main/res/menu/menu_csinjection3.xml | 10 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 44 +- .../app/src/main/res/values/styles.xml | 54 +- .../mobshep/insecuredata/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 82 +- .../insecuredata/Insecure_Data_Storage.java | 104 +- .../java/com/mobshep/insecuredata/Splash.java | 90 +- .../src/main/res/drawable-xxhdpi/button.xml | 56 +- .../app/src/main/res/drawable/box.xml | 48 +- .../app/src/main/res/drawable/button.xml | 56 +- .../app/src/main/res/drawable/edittext.xml | 41 +- 
.../app/src/main/res/layout/ids.xml | 59 +- .../app/src/main/res/layout/splash.xml | 12 +- .../app/src/main/res/values/strings.xml | 28 +- .../app/src/main/res/values/styles.xml | 54 +- .../insecuredata1/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 81 +- .../app/src/main/drawable/edittext.xml | 41 +- .../insecuredata1/Insecure_Data_Storage1.java | 95 +- .../com/mobshep/insecuredata1/Splash.java | 90 +- .../src/main/res/drawable-xxhdpi/button.xml | 56 +- .../app/src/main/res/drawable/box.xml | 48 +- .../app/src/main/res/drawable/button.xml | 56 +- .../app/src/main/res/drawable/edittext.xml | 41 +- .../app/src/main/res/layout/ids.xml | 59 +- .../app/src/main/res/layout/splash.xml | 12 +- .../app/src/main/res/values/strings.xml | 18 +- .../app/src/main/res/values/styles.xml | 54 +- .../insecuredata2/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 82 +- .../insecuredata2/Insecure_Data_Storage2.java | 96 +- .../com/mobshep/insecuredata2/Splash.java | 90 +- .../app/src/main/res/drawable/box.xml | 48 +- .../app/src/main/res/drawable/button.xml | 56 +- .../app/src/main/res/drawable/edittext.xml | 41 +- .../app/src/main/res/layout/ids.xml | 59 +- .../app/src/main/res/layout/splash.xml | 14 +- .../src/main/res/menu/menu_insecure_data3.xml | 10 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 22 +- .../app/src/main/res/values/styles.xml | 54 +- .../insecuredata3/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 71 +- .../com/mobshep/insecuredata3/LoggedIn.java | 29 +- .../mobshep/insecuredata3/MainActivity.java | 160 +- .../src/main/res/layout/activity_login.xml | 128 +- .../app/src/main/res/layout/activity_main.xml | 65 +- .../app/src/main/res/menu/menu_main.xml | 10 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 6 +- 
.../app/src/main/res/values/styles.xml | 9 +- .../app/src/main/res/xml/box.xml | 48 +- .../app/src/main/res/xml/button.xml | 56 +- .../app/src/main/res/xml/checkbox.xml | 9 +- .../app/src/main/res/xml/checked.xml | 5 +- .../app/src/main/res/xml/edittext.xml | 41 +- .../app/src/main/res/xml/unchecked.xml | 5 +- .../insufficienttls/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 43 +- .../insufficienttls/CustomHttpClient.java | 186 +- .../mobshep/insufficienttls/MainActivity.java | 264 +- .../mobshep/insufficienttls/Preferences.java | 64 +- .../app/src/main/res/layout/activity_main.xml | 25 +- .../app/src/main/res/layout/preferences.xml | 52 +- .../app/src/main/res/menu/menu_main.xml | 15 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/colors.xml | 6 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 46 +- .../app/src/main/res/values/styles.xml | 15 +- .../insufficienttls/ExampleUnitTest.java | 19 +- .../InsufficientTLS2/AndroidManifest.xml | 112 +- src/MobileShepherd/InsufficientTLS2/lint.xml | 6 +- .../res/drawable-hdpi/button.xml | 56 +- .../res/drawable-hdpi/edittext.xml | 41 +- .../res/drawable-ldpi/button.xml | 56 +- .../res/drawable-ldpi/edittext.xml | 41 +- .../res/drawable-mdpi/button.xml | 56 +- .../res/drawable-mdpi/edittext.xml | 41 +- .../res/drawable-xhdpi/button.xml | 56 +- .../res/drawable-xhdpi/edittext.xml | 41 +- .../res/drawable-xxhdpi/button.xml | 56 +- .../res/drawable-xxhdpi/edittext.xml | 41 +- .../InsufficientTLS2/res/layout/layout.xml | 102 +- .../res/layout/preferences.xml | 70 +- .../InsufficientTLS2/res/layout/splash.xml | 14 +- .../res/values-sw600dp/dimens.xml | 6 +- .../res/values-sw720dp-land/dimens.xml | 8 +- .../res/values-v11/styles.xml | 12 +- .../res/values-v14/styles.xml | 15 +- .../InsufficientTLS2/res/values/dimens.xml | 6 +- .../InsufficientTLS2/res/values/strings.xml | 44 +- .../InsufficientTLS2/res/values/styles.xml | 54 +- 
.../com/mobshep/ITLS2/InsufficientTLS2.java | 277 +- .../src/com/mobshep/ITLS2/Splash.java | 90 +- .../com/mobshep/template/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 79 +- .../com/mobshep/template/Preferences.java | 64 +- .../java/com/mobshep/template/Splash.java | 96 +- .../java/com/mobshep/template/template.java | 309 +- .../app/src/main/res/drawable-hdpi/button.xml | 56 +- .../src/main/res/drawable-hdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-ldpi/button.xml | 56 +- .../src/main/res/drawable-ldpi/edittext.xml | 41 +- .../app/src/main/res/drawable-mdpi/button.xml | 56 +- .../src/main/res/drawable-mdpi/edittext.xml | 41 +- .../src/main/res/drawable-xhdpi/button.xml | 56 +- .../src/main/res/drawable-xhdpi/edittext.xml | 41 +- .../src/main/res/drawable-xxhdpi/button.xml | 56 +- .../src/main/res/drawable-xxhdpi/edittext.xml | 41 +- .../app/src/main/res/layout/mobilelayout.xml | 259 +- .../app/src/main/res/layout/preferences.xml | 70 +- .../app/src/main/res/layout/splash.xml | 14 +- .../app/src/main/res/menu/menu_main.xml | 20 +- .../src/main/res/values-sw600dp/dimens.xml | 6 +- .../main/res/values-sw720dp-land/dimens.xml | 8 +- .../app/src/main/res/values-v11/styles.xml | 9 +- .../app/src/main/res/values-v14/styles.xml | 9 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 53 +- .../app/src/main/res/values/styles.xml | 9 +- .../mobileshepherd/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 350 +- .../mobshep/mobileshepherd/BrokenCrypto.java | 510 +- .../mobshep/mobileshepherd/BrokenCrypto1.java | 396 +- .../mobshep/mobileshepherd/BrokenCrypto2.java | 593 +- .../mobshep/mobileshepherd/BrokenCrypto3.java | 431 +- .../mobshep/mobileshepherd/CSInjection.java | 523 +- .../mobshep/mobileshepherd/CSInjection1.java | 550 +- .../mobshep/mobileshepherd/CSInjection2.java | 489 +- .../mobileshepherd/CustomHttpClient.java | 88 +- .../mobileshepherd/Insecure_Data_Storage.java | 257 +- 
.../Insecure_Data_Storage1.java | 246 +- .../Insecure_Data_Storage2.java | 177 +- .../mobileshepherd/InsufficientTLS.java | 92 +- .../mobshep/mobileshepherd/MainActivity.java | 443 +- .../mobshep/mobileshepherd/PoorAuth_Main.java | 160 +- .../mobshep/mobileshepherd/Preferences.java | 62 +- .../mobileshepherd/SecretProvider.java | 286 +- .../com/mobshep/mobileshepherd/Splash.java | 90 +- .../mobshep/mobileshepherd/UDataLeakage.java | 306 +- .../mobshep/mobileshepherd/UDataLeakage1.java | 362 +- .../UnintendedDataLeakage2.java | 137 +- .../annoyingObfuscationUtil.java | 94 +- .../mobileshepherd/ids3Authenticated.java | 41 +- .../com/mobshep/mobileshepherd/ids3Login.java | 189 +- .../com/mobshep/mobileshepherd/poorAuth.java | 279 +- .../mobileshepherd/poorAuth2_LoggedIn.java | 31 +- .../mobileshepherd/poorAuth2_Main.java | 274 +- .../mobileshepherd/poorAuth_Reset.java | 117 +- .../mobileshepherd/providerLeakage.java | 34 +- .../mobileshepherd/untrustedInput.java | 34 +- .../mobileshepherd/untrustedInput_admin.java | 91 +- .../main/res/drawable-v21/ic_menu_camera.xml | 19 +- .../main/res/drawable-v21/ic_menu_gallery.xml | 14 +- .../main/res/drawable-v21/ic_menu_manage.xml | 14 +- .../main/res/drawable-v21/ic_menu_send.xml | 14 +- .../main/res/drawable-v21/ic_menu_share.xml | 14 +- .../res/drawable-v21/ic_menu_slideshow.xml | 14 +- .../src/main/res/drawable/side_nav_bar.xml | 11 +- .../app/src/main/res/layout/activity_main.xml | 35 +- .../main/res/layout/activity_main_ids3.xml | 65 +- .../activity_unintended__data__leakage.xml | 42 +- .../app/src/main/res/layout/app_bar_main.xml | 43 +- .../src/main/res/layout/broken1_content.xml | 112 +- .../src/main/res/layout/broken2_content.xml | 93 +- .../src/main/res/layout/broken3_content.xml | 66 +- .../src/main/res/layout/broken_content.xml | 127 +- .../app/src/main/res/layout/broken_layout.xml | 35 +- .../src/main/res/layout/broken_layout1.xml | 35 +- .../src/main/res/layout/broken_layout2.xml | 35 +- 
.../src/main/res/layout/broken_layout3.xml | 35 +- .../app/src/main/res/layout/content_main.xml | 47 +- .../app/src/main/res/layout/csi1_content.xml | 249 +- .../app/src/main/res/layout/csi1_layout.xml | 35 +- .../app/src/main/res/layout/csi2_content.xml | 274 +- .../app/src/main/res/layout/csi2_layout.xml | 35 +- .../app/src/main/res/layout/csi_content.xml | 253 +- .../app/src/main/res/layout/csi_layout.xml | 35 +- .../app/src/main/res/layout/drawer.xml | 35 +- .../main/res/layout/ids3_login_content.xml | 138 +- .../src/main/res/layout/ids3login_layout.xml | 35 +- .../app/src/main/res/layout/ids_content.xml | 139 +- .../app/src/main/res/layout/ids_layout.xml | 35 +- .../app/src/main/res/layout/main.xml | 12 +- .../src/main/res/layout/nav_header_main.xml | 53 +- .../res/layout/pa2_content_activity_key.xml | 64 +- .../res/layout/pa2_content_activity_main.xml | 142 +- .../src/main/res/layout/pa2_key_layout.xml | 35 +- .../src/main/res/layout/pa2_main_layout.xml | 35 +- .../src/main/res/layout/pa_forgot_content.xml | 132 +- .../src/main/res/layout/pa_login_content.xml | 131 +- .../app/src/main/res/layout/preferences.xml | 31 +- .../src/main/res/layout/provider_content.xml | 52 +- .../app/src/main/res/layout/splash.xml | 12 +- .../app/src/main/res/layout/submitquery.xml | 112 +- .../src/main/res/layout/sumbitfeedback.xml | 76 +- .../app/src/main/res/layout/toolbar_main.xml | 13 +- .../app/src/main/res/layout/udl1_content.xml | 122 +- .../app/src/main/res/layout/udl1_layout.xml | 35 +- .../app/src/main/res/layout/udl2_content.xml | 104 +- .../app/src/main/res/layout/udl2_layout.xml | 35 +- .../app/src/main/res/layout/udl_content.xml | 49 +- .../app/src/main/res/layout/udl_layout.xml | 35 +- .../res/layout/untrusted_activity_admin.xml | 93 +- .../res/layout/untrusted_content_admin.xml | 25 +- .../res/layout/untrusted_content_main.xml | 39 +- .../main/res/layout/untrusted_main_layout.xml | 35 +- .../main/res/menu/activity_main_drawer.xml | 268 +- 
.../app/src/main/res/menu/main.xml | 25 +- .../app/src/main/res/values-v21/styles.xml | 39 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/colors.xml | 6 +- .../app/src/main/res/values/dimens.xml | 14 +- .../app/src/main/res/values/drawables.xml | 15 +- .../app/src/main/res/values/strings.xml | 117 +- .../app/src/main/res/values/styles.xml | 103 +- .../app/src/main/res/xml/box.xml | 48 +- .../app/src/main/res/xml/box2.xml | 13 +- .../app/src/main/res/xml/button.xml | 56 +- .../app/src/main/res/xml/checkbox.xml | 9 +- .../app/src/main/res/xml/checked.xml | 5 +- .../app/src/main/res/xml/edittext.xml | 41 +- .../app/src/main/res/xml/edittext2.xml | 15 +- .../app/src/main/res/xml/green.xml | 56 +- .../app/src/main/res/xml/purple.xml | 56 +- .../app/src/main/res/xml/tab.xml | 56 +- .../app/src/main/res/xml/unchecked.xml | 5 +- .../mobileshepherd/ExampleUnitTest.java | 19 +- .../mobshep/PoorAuthentication/UDL2Test.java | 85 +- .../app/src/main/AndroidManifest.xml | 129 +- .../mobshep/PoorAuthentication/Forgotton.java | 116 +- .../com/mobshep/PoorAuthentication/Main.java | 160 +- .../PoorAuthentication.java | 292 +- .../mobshep/PoorAuthentication/Splash.java | 83 +- .../app/src/main/res/drawable-hdpi/button.xml | 56 +- .../src/main/res/drawable-hdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-ldpi/button.xml | 56 +- .../src/main/res/drawable-ldpi/edittext.xml | 41 +- .../app/src/main/res/drawable-mdpi/button.xml | 56 +- .../src/main/res/drawable-mdpi/edittext.xml | 41 +- .../src/main/res/drawable-xhdpi/button.xml | 56 +- .../src/main/res/drawable-xhdpi/edittext.xml | 41 +- .../src/main/res/drawable-xxhdpi/button.xml | 56 +- .../src/main/res/drawable-xxhdpi/edittext.xml | 41 +- .../activity_unintended__data__leakage.xml | 42 +- .../app/src/main/res/layout/broken.xml | 125 +- .../app/src/main/res/layout/forgot.xml | 133 +- .../app/src/main/res/layout/main.xml | 12 +- .../app/src/main/res/layout/splash.xml | 16 +- 
.../res/menu/unintended__data__leakage.xml | 6 +- .../app/src/main/res/values-v11/styles.xml | 54 +- .../app/src/main/res/values-v14/styles.xml | 54 +- .../app/src/main/res/values-w820dp/dimens.xml | 10 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 4 +- .../app/src/main/res/values/styles.xml | 54 +- .../poorauthentication1/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 59 +- .../src/main/res/drawable-xxhdpi/button.xml | 56 +- .../app/src/main/res/drawable/button.xml | 56 +- .../app/src/main/res/drawable/edittext.xml | 41 +- .../app/src/main/res/menu/menu_main.xml | 10 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 4 +- .../app/src/main/res/values/styles.xml | 54 +- .../app/src/main/res/xml/box.xml | 48 +- .../app/src/main/res/xml/button.xml | 56 +- .../app/src/main/res/xml/edittext.xml | 41 +- .../poorauthentication2/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 44 +- .../poorauthentication2/Authenticated.java | 86 +- .../mobshep/poorauthentication2/DBHelper.java | 247 +- .../poorauthentication2/MainActivity.java | 197 +- .../mobshep/poorauthentication2/Register.java | 97 +- .../app/src/main/res/layout/activity_main.xml | 136 +- .../main/res/layout/authenticated_layout.xml | 116 +- .../src/main/res/layout/register_layout.xml | 136 +- .../app/src/main/res/menu/global.xml | 20 +- .../app/src/main/res/menu/menu_main.xml | 15 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 42 +- .../app/src/main/res/values/styles.xml | 9 +- .../app/src/main/res/xml/box.xml | 48 +- .../app/src/main/res/xml/button.xml | 56 +- .../app/src/main/res/xml/edittext.xml | 41 +- .../reverseengineer/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 72 +- .../reverseengineer/Reverse_Engineering.java | 57 
+- .../com/mobshep/reverseengineer/Splash.java | 90 +- .../app/src/main/res/drawable-hdpi/button.xml | 56 +- .../src/main/res/drawable-hdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-ldpi/button.xml | 56 +- .../src/main/res/drawable-ldpi/edittext.xml | 41 +- .../app/src/main/res/drawable-mdpi/button.xml | 56 +- .../src/main/res/drawable-mdpi/edittext.xml | 41 +- .../src/main/res/drawable-xhdpi/button.xml | 56 +- .../src/main/res/drawable-xhdpi/edittext.xml | 41 +- .../src/main/res/drawable-xxhdpi/button.xml | 56 +- .../src/main/res/drawable-xxhdpi/edittext.xml | 41 +- .../app/src/main/res/drawable/button.xml | 56 +- .../app/src/main/res/drawable/edittext.xml | 41 +- .../app/src/main/res/layout/reverse.xml | 32 +- .../app/src/main/res/layout/splash.xml | 14 +- .../app/src/main/res/menu/menu_main.xml | 10 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 17 +- .../app/src/main/res/values/styles.xml | 79 +- .../reverseengineer1/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 30 +- .../reverseengineer1/MainActivity.java | 54 +- .../src/main/res/drawable-xxhdpi/button.xml | 56 +- .../app/src/main/res/drawable/box.xml | 48 +- .../app/src/main/res/drawable/button.xml | 56 +- .../app/src/main/res/drawable/edittext.xml | 41 +- .../app/src/main/res/layout/activity_main.xml | 62 +- .../app/src/main/res/menu/menu_main.xml | 10 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 4 +- .../app/src/main/res/values/styles.xml | 9 +- .../app/res/drawable-hdpi/button.xml | 56 +- .../app/res/drawable-hdpi/edittext.xml | 41 +- .../app/res/drawable-ldpi/button.xml | 56 +- .../app/res/drawable-ldpi/edittext.xml | 41 +- .../app/res/drawable-mdpi/button.xml | 56 +- .../app/res/drawable-mdpi/edittext.xml | 41 +- .../app/res/drawable-xhdpi/button.xml | 56 +- 
.../app/res/drawable-xhdpi/edittext.xml | 41 +- .../app/res/drawable-xxhdpi/button.xml | 56 +- .../app/res/drawable-xxhdpi/edittext.xml | 41 +- .../app/res/layout/reverse.xml | 90 +- .../app/res/layout/splash.xml | 14 +- .../app/res/values-sw600dp/dimens.xml | 6 +- .../app/res/values-sw720dp-land/dimens.xml | 8 +- .../app/res/values-v11/styles.xml | 12 +- .../app/res/values-v14/styles.xml | 15 +- .../app/res/values/dimens.xml | 6 +- .../app/res/values/strings.xml | 4 +- .../app/res/values/styles.xml | 79 +- .../reverseengineer2/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 69 +- .../com/mobshep/reverseengineer2/Camera.java | 99 +- .../mobshep/reverseengineer2/Triangle.java | 91 +- .../mobshep/reverseengineer2/rectangle.java | 41 +- .../com/mobshep/reverseengineer2/sound.java | 60 +- .../com/mobshep/reverseengineer2/splash.java | 91 +- .../app/src/main/res/drawable-hdpi/button.xml | 56 +- .../src/main/res/drawable-hdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-ldpi/button.xml | 56 +- .../src/main/res/drawable-ldpi/edittext.xml | 41 +- .../app/src/main/res/drawable-mdpi/button.xml | 56 +- .../src/main/res/drawable-mdpi/edittext.xml | 41 +- .../src/main/res/drawable-xhdpi/button.xml | 56 +- .../src/main/res/drawable-xhdpi/edittext.xml | 41 +- .../src/main/res/drawable-xxhdpi/button.xml | 56 +- .../src/main/res/drawable-xxhdpi/edittext.xml | 41 +- .../app/src/main/res/layout/reverse.xml | 90 +- .../app/src/main/res/layout/splash.xml | 14 +- .../src/main/res/values-sw600dp/dimens.xml | 6 +- .../main/res/values-sw720dp-land/dimens.xml | 8 +- .../app/src/main/res/values-v11/styles.xml | 12 +- .../app/src/main/res/values-v14/styles.xml | 15 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 10 +- .../app/src/main/res/values/styles.xml | 79 +- .../reverseengineer3/test/BuildConfig.java | 5 +- .../mobshep/reverseengineer3/BuildConfig.java | 5 +- .../mobshep/reverseengineer3/BuildConfig.java | 5 +- 
.../reverseengineer3/test/BuildConfig.java | 5 +- .../debug/android/support/v7/appcompat/R.java | 2161 ++-- .../mobshep/reverseengineer3/Manifest.java | 8 +- .../debug/com/mobshep/reverseengineer3/R.java | 10784 ++++++++-------- .../android/support/v7/appcompat/R.java | 2161 ++-- .../mobshep/reverseengineer3/Manifest.java | 8 +- .../com/mobshep/reverseengineer3/R.java | 10784 ++++++++-------- .../appcompat-v7/21.0.3/AndroidManifest.xml | 28 +- .../21.0.3/res/anim/abc_fade_in.xml | 27 +- .../21.0.3/res/anim/abc_fade_out.xml | 27 +- .../21.0.3/res/anim/abc_slide_in_bottom.xml | 30 +- .../21.0.3/res/anim/abc_slide_in_top.xml | 30 +- .../21.0.3/res/anim/abc_slide_out_bottom.xml | 30 +- .../21.0.3/res/anim/abc_slide_out_top.xml | 30 +- ...ound_cache_hint_selector_material_dark.xml | 31 +- ...und_cache_hint_selector_material_light.xml | 31 +- ...rimary_text_disable_only_material_dark.xml | 31 +- ...imary_text_disable_only_material_light.xml | 31 +- .../color/abc_primary_text_material_dark.xml | 29 +- .../color/abc_primary_text_material_light.xml | 29 +- .../21.0.3/res/color/abc_search_url_text.xml | 32 +- .../abc_secondary_text_material_dark.xml | 29 +- .../abc_secondary_text_material_light.xml | 29 +- .../res/drawable/abc_btn_check_material.xml | 31 +- .../res/drawable/abc_btn_radio_material.xml | 31 +- .../abc_cab_background_internal_bg.xml | 32 +- .../abc_cab_background_top_material.xml | 31 +- .../res/drawable/abc_edit_text_material.xml | 45 +- .../abc_item_background_holo_dark.xml | 45 +- .../abc_item_background_holo_light.xml | 45 +- ...lector_background_transition_holo_dark.xml | 30 +- ...ector_background_transition_holo_light.xml | 30 +- .../drawable/abc_list_selector_holo_dark.xml | 46 +- .../drawable/abc_list_selector_holo_light.xml | 46 +- .../drawable/abc_switch_thumb_material.xml | 31 +- .../drawable/abc_tab_indicator_material.xml | 31 +- .../abc_textfield_search_material.xml | 36 +- .../layout-v11/abc_screen_content_include.xml | 33 +- 
.../res/layout/abc_action_bar_title_item.xml | 53 +- .../layout/abc_action_bar_up_container.xml | 33 +- .../abc_action_bar_view_list_nav_layout.xml | 34 +- .../layout/abc_action_menu_item_layout.xml | 44 +- .../res/layout/abc_action_menu_layout.xml | 34 +- .../21.0.3/res/layout/abc_action_mode_bar.xml | 35 +- .../abc_action_mode_close_item_material.xml | 38 +- .../res/layout/abc_activity_chooser_view.xml | 39 +- .../abc_activity_chooser_view_include.xml | 93 +- .../abc_activity_chooser_view_list_item.xml | 82 +- .../res/layout/abc_expanded_menu_layout.xml | 31 +- .../layout/abc_list_menu_item_checkbox.xml | 35 +- .../res/layout/abc_list_menu_item_icon.xml | 40 +- .../res/layout/abc_list_menu_item_layout.xml | 96 +- .../res/layout/abc_list_menu_item_radio.xml | 35 +- .../res/layout/abc_popup_menu_item_layout.xml | 98 +- .../res/layout/abc_screen_content_include.xml | 33 +- .../21.0.3/res/layout/abc_screen_simple.xml | 45 +- .../abc_screen_simple_overlay_action_mode.xml | 52 +- .../21.0.3/res/layout/abc_screen_toolbar.xml | 82 +- .../abc_search_dropdown_item_icons_2line.xml | 130 +- .../21.0.3/res/layout/abc_search_view.xml | 221 +- .../res/layout/abc_simple_dropdown_hint.xml | 36 +- .../support_simple_spinner_dropdown_item.xml | 39 +- .../21.0.3/res/values-af/values.xml | 44 +- .../21.0.3/res/values-am/values.xml | 44 +- .../21.0.3/res/values-ar/values.xml | 44 +- .../21.0.3/res/values-bg/values.xml | 44 +- .../21.0.3/res/values-bn-rBD/values.xml | 44 +- .../21.0.3/res/values-ca/values.xml | 44 +- .../21.0.3/res/values-cs/values.xml | 44 +- .../21.0.3/res/values-da/values.xml | 44 +- .../21.0.3/res/values-de/values.xml | 44 +- .../21.0.3/res/values-el/values.xml | 44 +- .../21.0.3/res/values-en-rGB/values.xml | 44 +- .../21.0.3/res/values-en-rIN/values.xml | 44 +- .../21.0.3/res/values-es-rUS/values.xml | 44 +- .../21.0.3/res/values-es/values.xml | 44 +- .../21.0.3/res/values-et-rEE/values.xml | 44 +- .../21.0.3/res/values-eu-rES/values.xml | 44 +- 
.../21.0.3/res/values-fa/values.xml | 44 +- .../21.0.3/res/values-fi/values.xml | 44 +- .../21.0.3/res/values-fr-rCA/values.xml | 44 +- .../21.0.3/res/values-fr/values.xml | 44 +- .../21.0.3/res/values-gl-rES/values.xml | 44 +- .../21.0.3/res/values-hi/values.xml | 44 +- .../21.0.3/res/values-hr/values.xml | 44 +- .../21.0.3/res/values-hu/values.xml | 44 +- .../21.0.3/res/values-hy-rAM/values.xml | 44 +- .../21.0.3/res/values-in/values.xml | 44 +- .../21.0.3/res/values-is-rIS/values.xml | 44 +- .../21.0.3/res/values-it/values.xml | 44 +- .../21.0.3/res/values-iw/values.xml | 44 +- .../21.0.3/res/values-ja/values.xml | 44 +- .../21.0.3/res/values-ka-rGE/values.xml | 44 +- .../21.0.3/res/values-kk-rKZ/values.xml | 44 +- .../21.0.3/res/values-km-rKH/values.xml | 44 +- .../21.0.3/res/values-kn-rIN/values.xml | 44 +- .../21.0.3/res/values-ko/values.xml | 44 +- .../21.0.3/res/values-ky-rKG/values.xml | 44 +- .../21.0.3/res/values-land/values.xml | 14 +- .../21.0.3/res/values-large/values.xml | 24 +- .../21.0.3/res/values-lo-rLA/values.xml | 44 +- .../21.0.3/res/values-lt/values.xml | 44 +- .../21.0.3/res/values-lv/values.xml | 44 +- .../21.0.3/res/values-mk-rMK/values.xml | 38 +- .../21.0.3/res/values-ml-rIN/values.xml | 44 +- .../21.0.3/res/values-mn-rMN/values.xml | 44 +- .../21.0.3/res/values-mr-rIN/values.xml | 44 +- .../21.0.3/res/values-ms-rMY/values.xml | 44 +- .../21.0.3/res/values-my-rMM/values.xml | 44 +- .../21.0.3/res/values-nb/values.xml | 44 +- .../21.0.3/res/values-ne-rNP/values.xml | 44 +- .../21.0.3/res/values-nl/values.xml | 44 +- .../21.0.3/res/values-pl/values.xml | 44 +- .../21.0.3/res/values-port/values.xml | 2 +- .../21.0.3/res/values-pt-rPT/values.xml | 44 +- .../21.0.3/res/values-pt/values.xml | 44 +- .../21.0.3/res/values-ro/values.xml | 44 +- .../21.0.3/res/values-ru/values.xml | 44 +- .../21.0.3/res/values-si-rLK/values.xml | 44 +- .../21.0.3/res/values-sk/values.xml | 44 +- .../21.0.3/res/values-sl/values.xml | 44 +- 
.../21.0.3/res/values-sr/values.xml | 44 +- .../21.0.3/res/values-sv/values.xml | 44 +- .../21.0.3/res/values-sw/values.xml | 44 +- .../21.0.3/res/values-sw600dp/values.xml | 12 +- .../21.0.3/res/values-ta-rIN/values.xml | 44 +- .../21.0.3/res/values-te-rIN/values.xml | 44 +- .../21.0.3/res/values-th/values.xml | 44 +- .../21.0.3/res/values-tl/values.xml | 44 +- .../21.0.3/res/values-tr/values.xml | 44 +- .../21.0.3/res/values-uk/values.xml | 44 +- .../21.0.3/res/values-ur-rPK/values.xml | 44 +- .../21.0.3/res/values-uz-rUZ/values.xml | 41 +- .../21.0.3/res/values-v11/values.xml | 758 +- .../21.0.3/res/values-v14/values.xml | 86 +- .../21.0.3/res/values-v17/values.xml | 119 +- .../21.0.3/res/values-v21/values.xml | 697 +- .../21.0.3/res/values-vi/values.xml | 44 +- .../21.0.3/res/values-w360dp/values.xml | 2 +- .../21.0.3/res/values-w480dp/values.xml | 4 +- .../21.0.3/res/values-w500dp/values.xml | 2 +- .../21.0.3/res/values-w600dp/values.xml | 4 +- .../21.0.3/res/values-w720dp/values.xml | 2 +- .../21.0.3/res/values-xlarge-land/values.xml | 2 +- .../21.0.3/res/values-xlarge/values.xml | 14 +- .../21.0.3/res/values-zh-rCN/values.xml | 44 +- .../21.0.3/res/values-zh-rHK/values.xml | 44 +- .../21.0.3/res/values-zh-rTW/values.xml | 44 +- .../21.0.3/res/values-zu/values.xml | 44 +- .../appcompat-v7/21.0.3/res/values/values.xml | 4415 +++---- .../support-v4/21.0.3/AndroidManifest.xml | 28 +- .../incremental/mergeAssets/debug/merger.xml | 19 +- .../mergeAssets/release/merger.xml | 19 +- .../mergeAssets/test/debug/merger.xml | 7 +- .../mergeDebugAndroidTestAssets/merger.xml | 7 +- .../mergeDebugAndroidTestResources/merger.xml | 20 +- .../incremental/mergeDebugAssets/merger.xml | 19 +- .../mergeDebugResources/merger.xml | 9054 +++++++++---- .../incremental/mergeReleaseAssets/merger.xml | 19 +- .../mergeReleaseJniLibFolders/merger.xml | 11 +- .../mergeReleaseResources/merger.xml | 9054 +++++++++---- .../mergeResources/debug/merger.xml | 9034 +++++++++---- 
.../mergeResources/release/merger.xml | 9034 +++++++++---- .../mergeResources/test/debug/merger.xml | 12 +- .../androidTest/debug/AndroidManifest.xml | 24 +- .../manifests/full/debug/AndroidManifest.xml | 70 +- .../full/release/AndroidManifest.xml | 70 +- .../manifests/test/debug/AndroidManifest.xml | 24 +- .../res/debug/anim/abc_fade_in.xml | 27 +- .../res/debug/anim/abc_fade_out.xml | 27 +- .../res/debug/anim/abc_slide_in_bottom.xml | 30 +- .../res/debug/anim/abc_slide_in_top.xml | 30 +- .../res/debug/anim/abc_slide_out_bottom.xml | 30 +- .../res/debug/anim/abc_slide_out_top.xml | 30 +- ...ound_cache_hint_selector_material_dark.xml | 29 +- ...und_cache_hint_selector_material_light.xml | 29 +- ...rimary_text_disable_only_material_dark.xml | 29 +- ...imary_text_disable_only_material_light.xml | 29 +- .../color/abc_primary_text_material_dark.xml | 29 +- .../color/abc_primary_text_material_light.xml | 29 +- .../res/debug/color/abc_search_url_text.xml | 32 +- .../abc_secondary_text_material_dark.xml | 29 +- .../abc_secondary_text_material_light.xml | 29 +- .../res/debug/drawable-hdpi-v4/button.xml | 56 +- .../res/debug/drawable-hdpi-v4/edittext.xml | 41 +- .../res/debug/drawable-ldpi-v4/button.xml | 56 +- .../res/debug/drawable-ldpi-v4/edittext.xml | 41 +- .../res/debug/drawable-mdpi-v4/button.xml | 56 +- .../res/debug/drawable-mdpi-v4/edittext.xml | 41 +- .../res/debug/drawable-xhdpi-v4/button.xml | 56 +- .../res/debug/drawable-xhdpi-v4/edittext.xml | 41 +- .../res/debug/drawable-xxhdpi-v4/button.xml | 56 +- .../res/debug/drawable-xxhdpi-v4/edittext.xml | 41 +- .../debug/drawable/abc_btn_check_material.xml | 31 +- .../debug/drawable/abc_btn_radio_material.xml | 31 +- .../abc_cab_background_internal_bg.xml | 32 +- .../abc_cab_background_top_material.xml | 31 +- .../debug/drawable/abc_edit_text_material.xml | 45 +- .../abc_item_background_holo_dark.xml | 45 +- .../abc_item_background_holo_light.xml | 45 +- ...lector_background_transition_holo_dark.xml | 30 +- 
...ector_background_transition_holo_light.xml | 30 +- .../drawable/abc_list_selector_holo_dark.xml | 46 +- .../drawable/abc_list_selector_holo_light.xml | 46 +- .../drawable/abc_switch_thumb_material.xml | 31 +- .../drawable/abc_tab_indicator_material.xml | 29 +- .../abc_textfield_search_material.xml | 36 +- .../layout-v11/abc_screen_content_include.xml | 33 +- .../layout/abc_action_bar_title_item.xml | 53 +- .../layout/abc_action_bar_up_container.xml | 33 +- .../abc_action_bar_view_list_nav_layout.xml | 34 +- .../layout/abc_action_menu_item_layout.xml | 44 +- .../debug/layout/abc_action_menu_layout.xml | 34 +- .../res/debug/layout/abc_action_mode_bar.xml | 35 +- .../abc_action_mode_close_item_material.xml | 38 +- .../layout/abc_activity_chooser_view.xml | 39 +- .../abc_activity_chooser_view_include.xml | 93 +- .../abc_activity_chooser_view_list_item.xml | 82 +- .../debug/layout/abc_expanded_menu_layout.xml | 31 +- .../layout/abc_list_menu_item_checkbox.xml | 35 +- .../debug/layout/abc_list_menu_item_icon.xml | 40 +- .../layout/abc_list_menu_item_layout.xml | 96 +- .../debug/layout/abc_list_menu_item_radio.xml | 35 +- .../layout/abc_popup_menu_item_layout.xml | 98 +- .../layout/abc_screen_content_include.xml | 33 +- .../res/debug/layout/abc_screen_simple.xml | 45 +- .../abc_screen_simple_overlay_action_mode.xml | 52 +- .../res/debug/layout/abc_screen_toolbar.xml | 82 +- .../abc_search_dropdown_item_icons_2line.xml | 130 +- .../res/debug/layout/abc_search_view.xml | 221 +- .../debug/layout/abc_simple_dropdown_hint.xml | 36 +- .../res/debug/layout/reverse.xml | 61 +- .../intermediates/res/debug/layout/splash.xml | 14 +- .../support_simple_spinner_dropdown_item.xml | 39 +- .../intermediates/res/debug/menu/firstkey.xml | 27 +- .../res/debug/values-af/values.xml | 48 +- .../res/debug/values-am/values.xml | 48 +- .../res/debug/values-ar/values.xml | 48 +- .../res/debug/values-bg/values.xml | 48 +- .../res/debug/values-bn-rBD/values.xml | 48 +- 
.../res/debug/values-ca/values.xml | 48 +- .../res/debug/values-cs/values.xml | 48 +- .../res/debug/values-da/values.xml | 48 +- .../res/debug/values-de/values.xml | 48 +- .../res/debug/values-el/values.xml | 48 +- .../res/debug/values-en-rGB/values.xml | 48 +- .../res/debug/values-en-rIN/values.xml | 48 +- .../res/debug/values-es-rUS/values.xml | 48 +- .../res/debug/values-es/values.xml | 48 +- .../res/debug/values-et-rEE/values.xml | 48 +- .../res/debug/values-eu-rES/values.xml | 48 +- .../res/debug/values-fa/values.xml | 48 +- .../res/debug/values-fi/values.xml | 48 +- .../res/debug/values-fr-rCA/values.xml | 48 +- .../res/debug/values-fr/values.xml | 48 +- .../res/debug/values-gl-rES/values.xml | 48 +- .../res/debug/values-hi/values.xml | 48 +- .../res/debug/values-hr/values.xml | 48 +- .../res/debug/values-hu/values.xml | 48 +- .../res/debug/values-hy-rAM/values.xml | 48 +- .../res/debug/values-in/values.xml | 48 +- .../res/debug/values-is-rIS/values.xml | 48 +- .../res/debug/values-it/values.xml | 48 +- .../res/debug/values-iw/values.xml | 48 +- .../res/debug/values-ja/values.xml | 48 +- .../res/debug/values-ka-rGE/values.xml | 48 +- .../res/debug/values-kk-rKZ/values.xml | 48 +- .../res/debug/values-km-rKH/values.xml | 48 +- .../res/debug/values-kn-rIN/values.xml | 48 +- .../res/debug/values-ko/values.xml | 48 +- .../res/debug/values-ky-rKG/values.xml | 48 +- .../res/debug/values-land/values.xml | 18 +- .../res/debug/values-large-v4/values.xml | 28 +- .../res/debug/values-lo-rLA/values.xml | 48 +- .../res/debug/values-lt/values.xml | 48 +- .../res/debug/values-lv/values.xml | 48 +- .../res/debug/values-mk-rMK/values.xml | 42 +- .../res/debug/values-ml-rIN/values.xml | 48 +- .../res/debug/values-mn-rMN/values.xml | 48 +- .../res/debug/values-mr-rIN/values.xml | 48 +- .../res/debug/values-ms-rMY/values.xml | 48 +- .../res/debug/values-my-rMM/values.xml | 48 +- .../res/debug/values-nb/values.xml | 48 +- .../res/debug/values-ne-rNP/values.xml | 48 +- 
.../res/debug/values-nl/values.xml | 48 +- .../res/debug/values-pl/values.xml | 48 +- .../res/debug/values-port/values.xml | 6 +- .../res/debug/values-pt-rPT/values.xml | 48 +- .../res/debug/values-pt/values.xml | 48 +- .../res/debug/values-ro/values.xml | 48 +- .../res/debug/values-ru/values.xml | 48 +- .../res/debug/values-si-rLK/values.xml | 48 +- .../res/debug/values-sk/values.xml | 48 +- .../res/debug/values-sl/values.xml | 48 +- .../res/debug/values-sr/values.xml | 48 +- .../res/debug/values-sv/values.xml | 48 +- .../res/debug/values-sw/values.xml | 48 +- .../res/debug/values-sw600dp-v13/values.xml | 16 +- .../debug/values-sw720dp-land-v13/values.xml | 6 +- .../res/debug/values-ta-rIN/values.xml | 48 +- .../res/debug/values-te-rIN/values.xml | 48 +- .../res/debug/values-th/values.xml | 48 +- .../res/debug/values-tl/values.xml | 48 +- .../res/debug/values-tr/values.xml | 48 +- .../res/debug/values-uk/values.xml | 48 +- .../res/debug/values-ur-rPK/values.xml | 48 +- .../res/debug/values-uz-rUZ/values.xml | 45 +- .../res/debug/values-v11/values.xml | 686 +- .../res/debug/values-v14/values.xml | 87 +- .../res/debug/values-v17/values.xml | 101 +- .../res/debug/values-v21/values.xml | 585 +- .../res/debug/values-vi/values.xml | 48 +- .../res/debug/values-w360dp-v13/values.xml | 6 +- .../res/debug/values-w480dp-v13/values.xml | 8 +- .../res/debug/values-w500dp-v13/values.xml | 6 +- .../res/debug/values-w600dp-v13/values.xml | 8 +- .../res/debug/values-w720dp-v13/values.xml | 6 +- .../debug/values-xlarge-land-v4/values.xml | 6 +- .../res/debug/values-xlarge-v4/values.xml | 18 +- .../res/debug/values-zh-rCN/values.xml | 48 +- .../res/debug/values-zh-rHK/values.xml | 48 +- .../res/debug/values-zh-rTW/values.xml | 48 +- .../res/debug/values-zu/values.xml | 48 +- .../intermediates/res/debug/values/values.xml | 2884 +++-- .../res/merged/debug/anim/abc_fade_in.xml | 27 +- .../res/merged/debug/anim/abc_fade_out.xml | 27 +- .../merged/debug/anim/abc_slide_in_bottom.xml | 30 
+- .../merged/debug/anim/abc_slide_in_top.xml | 30 +- .../debug/anim/abc_slide_out_bottom.xml | 30 +- .../merged/debug/anim/abc_slide_out_top.xml | 30 +- ...ound_cache_hint_selector_material_dark.xml | 31 +- ...und_cache_hint_selector_material_light.xml | 31 +- ...rimary_text_disable_only_material_dark.xml | 31 +- ...imary_text_disable_only_material_light.xml | 31 +- .../color/abc_primary_text_material_dark.xml | 29 +- .../color/abc_primary_text_material_light.xml | 29 +- .../debug/color/abc_search_url_text.xml | 32 +- .../abc_secondary_text_material_dark.xml | 29 +- .../abc_secondary_text_material_light.xml | 29 +- .../merged/debug/drawable-hdpi-v4/button.xml | 56 +- .../debug/drawable-hdpi-v4/edittext.xml | 41 +- .../merged/debug/drawable-ldpi-v4/button.xml | 56 +- .../debug/drawable-ldpi-v4/edittext.xml | 41 +- .../merged/debug/drawable-mdpi-v4/button.xml | 56 +- .../debug/drawable-mdpi-v4/edittext.xml | 41 +- .../merged/debug/drawable-xhdpi-v4/button.xml | 56 +- .../debug/drawable-xhdpi-v4/edittext.xml | 41 +- .../debug/drawable-xxhdpi-v4/button.xml | 56 +- .../debug/drawable-xxhdpi-v4/edittext.xml | 41 +- .../debug/drawable/abc_btn_check_material.xml | 31 +- .../debug/drawable/abc_btn_radio_material.xml | 31 +- .../abc_cab_background_internal_bg.xml | 32 +- .../abc_cab_background_top_material.xml | 31 +- .../debug/drawable/abc_edit_text_material.xml | 45 +- .../abc_item_background_holo_dark.xml | 45 +- .../abc_item_background_holo_light.xml | 45 +- ...lector_background_transition_holo_dark.xml | 30 +- ...ector_background_transition_holo_light.xml | 30 +- .../drawable/abc_list_selector_holo_dark.xml | 46 +- .../drawable/abc_list_selector_holo_light.xml | 46 +- .../drawable/abc_switch_thumb_material.xml | 31 +- .../drawable/abc_tab_indicator_material.xml | 31 +- .../abc_textfield_search_material.xml | 36 +- .../layout-v11/abc_screen_content_include.xml | 33 +- .../layout/abc_action_bar_title_item.xml | 53 +- .../layout/abc_action_bar_up_container.xml | 33 +- 
.../abc_action_bar_view_list_nav_layout.xml | 34 +- .../layout/abc_action_menu_item_layout.xml | 44 +- .../debug/layout/abc_action_menu_layout.xml | 34 +- .../debug/layout/abc_action_mode_bar.xml | 35 +- .../abc_action_mode_close_item_material.xml | 38 +- .../layout/abc_activity_chooser_view.xml | 39 +- .../abc_activity_chooser_view_include.xml | 93 +- .../abc_activity_chooser_view_list_item.xml | 82 +- .../debug/layout/abc_expanded_menu_layout.xml | 31 +- .../layout/abc_list_menu_item_checkbox.xml | 35 +- .../debug/layout/abc_list_menu_item_icon.xml | 40 +- .../layout/abc_list_menu_item_layout.xml | 96 +- .../debug/layout/abc_list_menu_item_radio.xml | 35 +- .../layout/abc_popup_menu_item_layout.xml | 98 +- .../layout/abc_screen_content_include.xml | 33 +- .../merged/debug/layout/abc_screen_simple.xml | 45 +- .../abc_screen_simple_overlay_action_mode.xml | 52 +- .../debug/layout/abc_screen_toolbar.xml | 82 +- .../abc_search_dropdown_item_icons_2line.xml | 130 +- .../merged/debug/layout/abc_search_view.xml | 221 +- .../debug/layout/abc_simple_dropdown_hint.xml | 36 +- .../res/merged/debug/layout/reverse.xml | 61 +- .../res/merged/debug/layout/splash.xml | 14 +- .../support_simple_spinner_dropdown_item.xml | 39 +- .../res/merged/debug/menu/firstkey.xml | 27 +- .../res/merged/debug/values-af/values-af.xml | 44 +- .../res/merged/debug/values-am/values-am.xml | 44 +- .../res/merged/debug/values-ar/values-ar.xml | 44 +- .../res/merged/debug/values-bg/values-bg.xml | 44 +- .../debug/values-bn-rBD/values-bn-rBD.xml | 44 +- .../res/merged/debug/values-ca/values-ca.xml | 44 +- .../res/merged/debug/values-cs/values-cs.xml | 44 +- .../res/merged/debug/values-da/values-da.xml | 44 +- .../res/merged/debug/values-de/values-de.xml | 44 +- .../res/merged/debug/values-el/values-el.xml | 44 +- .../debug/values-en-rGB/values-en-rGB.xml | 44 +- .../debug/values-en-rIN/values-en-rIN.xml | 44 +- .../debug/values-es-rUS/values-es-rUS.xml | 44 +- 
.../res/merged/debug/values-es/values-es.xml | 44 +- .../debug/values-et-rEE/values-et-rEE.xml | 44 +- .../debug/values-eu-rES/values-eu-rES.xml | 44 +- .../res/merged/debug/values-fa/values-fa.xml | 44 +- .../res/merged/debug/values-fi/values-fi.xml | 44 +- .../debug/values-fr-rCA/values-fr-rCA.xml | 44 +- .../res/merged/debug/values-fr/values-fr.xml | 44 +- .../debug/values-gl-rES/values-gl-rES.xml | 44 +- .../res/merged/debug/values-hi/values-hi.xml | 44 +- .../res/merged/debug/values-hr/values-hr.xml | 44 +- .../res/merged/debug/values-hu/values-hu.xml | 44 +- .../debug/values-hy-rAM/values-hy-rAM.xml | 44 +- .../res/merged/debug/values-in/values-in.xml | 44 +- .../debug/values-is-rIS/values-is-rIS.xml | 44 +- .../res/merged/debug/values-it/values-it.xml | 44 +- .../res/merged/debug/values-iw/values-iw.xml | 44 +- .../res/merged/debug/values-ja/values-ja.xml | 44 +- .../debug/values-ka-rGE/values-ka-rGE.xml | 44 +- .../debug/values-kk-rKZ/values-kk-rKZ.xml | 44 +- .../debug/values-km-rKH/values-km-rKH.xml | 44 +- .../debug/values-kn-rIN/values-kn-rIN.xml | 44 +- .../res/merged/debug/values-ko/values-ko.xml | 44 +- .../debug/values-ky-rKG/values-ky-rKG.xml | 44 +- .../merged/debug/values-land/values-land.xml | 14 +- .../debug/values-large-v4/values-large-v4.xml | 24 +- .../debug/values-lo-rLA/values-lo-rLA.xml | 44 +- .../res/merged/debug/values-lt/values-lt.xml | 44 +- .../res/merged/debug/values-lv/values-lv.xml | 44 +- .../debug/values-mk-rMK/values-mk-rMK.xml | 38 +- .../debug/values-ml-rIN/values-ml-rIN.xml | 44 +- .../debug/values-mn-rMN/values-mn-rMN.xml | 44 +- .../debug/values-mr-rIN/values-mr-rIN.xml | 44 +- .../debug/values-ms-rMY/values-ms-rMY.xml | 44 +- .../debug/values-my-rMM/values-my-rMM.xml | 44 +- .../res/merged/debug/values-nb/values-nb.xml | 44 +- .../debug/values-ne-rNP/values-ne-rNP.xml | 44 +- .../res/merged/debug/values-nl/values-nl.xml | 44 +- .../res/merged/debug/values-pl/values-pl.xml | 44 +- 
.../merged/debug/values-port/values-port.xml | 2 +- .../debug/values-pt-rPT/values-pt-rPT.xml | 44 +- .../res/merged/debug/values-pt/values-pt.xml | 44 +- .../res/merged/debug/values-ro/values-ro.xml | 44 +- .../res/merged/debug/values-ru/values-ru.xml | 44 +- .../debug/values-si-rLK/values-si-rLK.xml | 44 +- .../res/merged/debug/values-sk/values-sk.xml | 44 +- .../res/merged/debug/values-sl/values-sl.xml | 44 +- .../res/merged/debug/values-sr/values-sr.xml | 44 +- .../res/merged/debug/values-sv/values-sv.xml | 44 +- .../res/merged/debug/values-sw/values-sw.xml | 44 +- .../values-sw600dp-v13/values-sw600dp-v13.xml | 12 +- .../values-sw720dp-land-v13.xml | 2 +- .../debug/values-ta-rIN/values-ta-rIN.xml | 44 +- .../debug/values-te-rIN/values-te-rIN.xml | 44 +- .../res/merged/debug/values-th/values-th.xml | 44 +- .../res/merged/debug/values-tl/values-tl.xml | 44 +- .../res/merged/debug/values-tr/values-tr.xml | 44 +- .../res/merged/debug/values-uk/values-uk.xml | 44 +- .../debug/values-ur-rPK/values-ur-rPK.xml | 44 +- .../debug/values-uz-rUZ/values-uz-rUZ.xml | 41 +- .../merged/debug/values-v11/values-v11.xml | 678 +- .../merged/debug/values-v14/values-v14.xml | 79 +- .../merged/debug/values-v17/values-v17.xml | 97 +- .../merged/debug/values-v21/values-v21.xml | 581 +- .../res/merged/debug/values-vi/values-vi.xml | 44 +- .../values-w360dp-v13/values-w360dp-v13.xml | 2 +- .../values-w480dp-v13/values-w480dp-v13.xml | 4 +- .../values-w500dp-v13/values-w500dp-v13.xml | 2 +- .../values-w600dp-v13/values-w600dp-v13.xml | 4 +- .../values-w720dp-v13/values-w720dp-v13.xml | 2 +- .../values-xlarge-land-v4.xml | 2 +- .../values-xlarge-v4/values-xlarge-v4.xml | 14 +- .../debug/values-zh-rCN/values-zh-rCN.xml | 44 +- .../debug/values-zh-rHK/values-zh-rHK.xml | 44 +- .../debug/values-zh-rTW/values-zh-rTW.xml | 44 +- .../res/merged/debug/values-zu/values-zu.xml | 44 +- .../res/merged/debug/values/values.xml | 2844 ++-- .../res/merged/release/anim/abc_fade_in.xml | 27 +- 
.../res/merged/release/anim/abc_fade_out.xml | 27 +- .../release/anim/abc_slide_in_bottom.xml | 30 +- .../merged/release/anim/abc_slide_in_top.xml | 30 +- .../release/anim/abc_slide_out_bottom.xml | 30 +- .../merged/release/anim/abc_slide_out_top.xml | 30 +- ...ound_cache_hint_selector_material_dark.xml | 31 +- ...und_cache_hint_selector_material_light.xml | 31 +- ...rimary_text_disable_only_material_dark.xml | 31 +- ...imary_text_disable_only_material_light.xml | 31 +- .../color/abc_primary_text_material_dark.xml | 29 +- .../color/abc_primary_text_material_light.xml | 29 +- .../release/color/abc_search_url_text.xml | 32 +- .../abc_secondary_text_material_dark.xml | 29 +- .../abc_secondary_text_material_light.xml | 29 +- .../release/drawable-hdpi-v4/button.xml | 56 +- .../release/drawable-hdpi-v4/edittext.xml | 41 +- .../release/drawable-ldpi-v4/button.xml | 56 +- .../release/drawable-ldpi-v4/edittext.xml | 41 +- .../release/drawable-mdpi-v4/button.xml | 56 +- .../release/drawable-mdpi-v4/edittext.xml | 41 +- .../release/drawable-xhdpi-v4/button.xml | 56 +- .../release/drawable-xhdpi-v4/edittext.xml | 41 +- .../release/drawable-xxhdpi-v4/button.xml | 56 +- .../release/drawable-xxhdpi-v4/edittext.xml | 41 +- .../drawable/abc_btn_check_material.xml | 31 +- .../drawable/abc_btn_radio_material.xml | 31 +- .../abc_cab_background_internal_bg.xml | 32 +- .../abc_cab_background_top_material.xml | 31 +- .../drawable/abc_edit_text_material.xml | 45 +- .../abc_item_background_holo_dark.xml | 45 +- .../abc_item_background_holo_light.xml | 45 +- ...lector_background_transition_holo_dark.xml | 30 +- ...ector_background_transition_holo_light.xml | 30 +- .../drawable/abc_list_selector_holo_dark.xml | 46 +- .../drawable/abc_list_selector_holo_light.xml | 46 +- .../drawable/abc_switch_thumb_material.xml | 31 +- .../drawable/abc_tab_indicator_material.xml | 31 +- .../abc_textfield_search_material.xml | 36 +- .../layout-v11/abc_screen_content_include.xml | 33 +- 
.../layout/abc_action_bar_title_item.xml | 53 +- .../layout/abc_action_bar_up_container.xml | 33 +- .../abc_action_bar_view_list_nav_layout.xml | 34 +- .../layout/abc_action_menu_item_layout.xml | 44 +- .../release/layout/abc_action_menu_layout.xml | 34 +- .../release/layout/abc_action_mode_bar.xml | 35 +- .../abc_action_mode_close_item_material.xml | 38 +- .../layout/abc_activity_chooser_view.xml | 39 +- .../abc_activity_chooser_view_include.xml | 93 +- .../abc_activity_chooser_view_list_item.xml | 82 +- .../layout/abc_expanded_menu_layout.xml | 31 +- .../layout/abc_list_menu_item_checkbox.xml | 35 +- .../layout/abc_list_menu_item_icon.xml | 40 +- .../layout/abc_list_menu_item_layout.xml | 96 +- .../layout/abc_list_menu_item_radio.xml | 35 +- .../layout/abc_popup_menu_item_layout.xml | 98 +- .../layout/abc_screen_content_include.xml | 33 +- .../release/layout/abc_screen_simple.xml | 45 +- .../abc_screen_simple_overlay_action_mode.xml | 52 +- .../release/layout/abc_screen_toolbar.xml | 82 +- .../abc_search_dropdown_item_icons_2line.xml | 130 +- .../merged/release/layout/abc_search_view.xml | 221 +- .../layout/abc_simple_dropdown_hint.xml | 36 +- .../res/merged/release/layout/reverse.xml | 61 +- .../res/merged/release/layout/splash.xml | 14 +- .../support_simple_spinner_dropdown_item.xml | 39 +- .../res/merged/release/menu/firstkey.xml | 27 +- .../merged/release/values-af/values-af.xml | 44 +- .../merged/release/values-am/values-am.xml | 44 +- .../merged/release/values-ar/values-ar.xml | 44 +- .../merged/release/values-bg/values-bg.xml | 44 +- .../release/values-bn-rBD/values-bn-rBD.xml | 44 +- .../merged/release/values-ca/values-ca.xml | 44 +- .../merged/release/values-cs/values-cs.xml | 44 +- .../merged/release/values-da/values-da.xml | 44 +- .../merged/release/values-de/values-de.xml | 44 +- .../merged/release/values-el/values-el.xml | 44 +- .../release/values-en-rGB/values-en-rGB.xml | 44 +- .../release/values-en-rIN/values-en-rIN.xml | 44 +- 
.../release/values-es-rUS/values-es-rUS.xml | 44 +- .../merged/release/values-es/values-es.xml | 44 +- .../release/values-et-rEE/values-et-rEE.xml | 44 +- .../release/values-eu-rES/values-eu-rES.xml | 44 +- .../merged/release/values-fa/values-fa.xml | 44 +- .../merged/release/values-fi/values-fi.xml | 44 +- .../release/values-fr-rCA/values-fr-rCA.xml | 44 +- .../merged/release/values-fr/values-fr.xml | 44 +- .../release/values-gl-rES/values-gl-rES.xml | 44 +- .../merged/release/values-hi/values-hi.xml | 44 +- .../merged/release/values-hr/values-hr.xml | 44 +- .../merged/release/values-hu/values-hu.xml | 44 +- .../release/values-hy-rAM/values-hy-rAM.xml | 44 +- .../merged/release/values-in/values-in.xml | 44 +- .../release/values-is-rIS/values-is-rIS.xml | 44 +- .../merged/release/values-it/values-it.xml | 44 +- .../merged/release/values-iw/values-iw.xml | 44 +- .../merged/release/values-ja/values-ja.xml | 44 +- .../release/values-ka-rGE/values-ka-rGE.xml | 44 +- .../release/values-kk-rKZ/values-kk-rKZ.xml | 44 +- .../release/values-km-rKH/values-km-rKH.xml | 44 +- .../release/values-kn-rIN/values-kn-rIN.xml | 44 +- .../merged/release/values-ko/values-ko.xml | 44 +- .../release/values-ky-rKG/values-ky-rKG.xml | 44 +- .../release/values-land/values-land.xml | 14 +- .../values-large-v4/values-large-v4.xml | 24 +- .../release/values-lo-rLA/values-lo-rLA.xml | 44 +- .../merged/release/values-lt/values-lt.xml | 44 +- .../merged/release/values-lv/values-lv.xml | 44 +- .../release/values-mk-rMK/values-mk-rMK.xml | 38 +- .../release/values-ml-rIN/values-ml-rIN.xml | 44 +- .../release/values-mn-rMN/values-mn-rMN.xml | 44 +- .../release/values-mr-rIN/values-mr-rIN.xml | 44 +- .../release/values-ms-rMY/values-ms-rMY.xml | 44 +- .../release/values-my-rMM/values-my-rMM.xml | 44 +- .../merged/release/values-nb/values-nb.xml | 44 +- .../release/values-ne-rNP/values-ne-rNP.xml | 44 +- .../merged/release/values-nl/values-nl.xml | 44 +- .../merged/release/values-pl/values-pl.xml | 44 
+- .../release/values-port/values-port.xml | 2 +- .../release/values-pt-rPT/values-pt-rPT.xml | 44 +- .../merged/release/values-pt/values-pt.xml | 44 +- .../merged/release/values-ro/values-ro.xml | 44 +- .../merged/release/values-ru/values-ru.xml | 44 +- .../release/values-si-rLK/values-si-rLK.xml | 44 +- .../merged/release/values-sk/values-sk.xml | 44 +- .../merged/release/values-sl/values-sl.xml | 44 +- .../merged/release/values-sr/values-sr.xml | 44 +- .../merged/release/values-sv/values-sv.xml | 44 +- .../merged/release/values-sw/values-sw.xml | 44 +- .../values-sw600dp-v13/values-sw600dp-v13.xml | 12 +- .../values-sw720dp-land-v13.xml | 2 +- .../release/values-ta-rIN/values-ta-rIN.xml | 44 +- .../release/values-te-rIN/values-te-rIN.xml | 44 +- .../merged/release/values-th/values-th.xml | 44 +- .../merged/release/values-tl/values-tl.xml | 44 +- .../merged/release/values-tr/values-tr.xml | 44 +- .../merged/release/values-uk/values-uk.xml | 44 +- .../release/values-ur-rPK/values-ur-rPK.xml | 44 +- .../release/values-uz-rUZ/values-uz-rUZ.xml | 41 +- .../merged/release/values-v11/values-v11.xml | 678 +- .../merged/release/values-v14/values-v14.xml | 79 +- .../merged/release/values-v17/values-v17.xml | 97 +- .../merged/release/values-v21/values-v21.xml | 581 +- .../merged/release/values-vi/values-vi.xml | 44 +- .../values-w360dp-v13/values-w360dp-v13.xml | 2 +- .../values-w480dp-v13/values-w480dp-v13.xml | 4 +- .../values-w500dp-v13/values-w500dp-v13.xml | 2 +- .../values-w600dp-v13/values-w600dp-v13.xml | 4 +- .../values-w720dp-v13/values-w720dp-v13.xml | 2 +- .../values-xlarge-land-v4.xml | 2 +- .../values-xlarge-v4/values-xlarge-v4.xml | 14 +- .../release/values-zh-rCN/values-zh-rCN.xml | 44 +- .../release/values-zh-rHK/values-zh-rHK.xml | 44 +- .../release/values-zh-rTW/values-zh-rTW.xml | 44 +- .../merged/release/values-zu/values-zu.xml | 44 +- .../res/merged/release/values/values.xml | 2844 ++-- .../res/release/anim/abc_fade_in.xml | 27 +- 
.../res/release/anim/abc_fade_out.xml | 27 +- .../res/release/anim/abc_slide_in_bottom.xml | 30 +- .../res/release/anim/abc_slide_in_top.xml | 30 +- .../res/release/anim/abc_slide_out_bottom.xml | 30 +- .../res/release/anim/abc_slide_out_top.xml | 30 +- ...ound_cache_hint_selector_material_dark.xml | 29 +- ...und_cache_hint_selector_material_light.xml | 29 +- ...rimary_text_disable_only_material_dark.xml | 29 +- ...imary_text_disable_only_material_light.xml | 29 +- .../color/abc_primary_text_material_dark.xml | 29 +- .../color/abc_primary_text_material_light.xml | 29 +- .../res/release/color/abc_search_url_text.xml | 32 +- .../abc_secondary_text_material_dark.xml | 29 +- .../abc_secondary_text_material_light.xml | 29 +- .../res/release/drawable-hdpi-v4/button.xml | 56 +- .../res/release/drawable-hdpi-v4/edittext.xml | 41 +- .../res/release/drawable-ldpi-v4/button.xml | 56 +- .../res/release/drawable-ldpi-v4/edittext.xml | 41 +- .../res/release/drawable-mdpi-v4/button.xml | 56 +- .../res/release/drawable-mdpi-v4/edittext.xml | 41 +- .../res/release/drawable-xhdpi-v4/button.xml | 56 +- .../release/drawable-xhdpi-v4/edittext.xml | 41 +- .../res/release/drawable-xxhdpi-v4/button.xml | 56 +- .../release/drawable-xxhdpi-v4/edittext.xml | 41 +- .../drawable/abc_btn_check_material.xml | 31 +- .../drawable/abc_btn_radio_material.xml | 31 +- .../abc_cab_background_internal_bg.xml | 32 +- .../abc_cab_background_top_material.xml | 31 +- .../drawable/abc_edit_text_material.xml | 45 +- .../abc_item_background_holo_dark.xml | 45 +- .../abc_item_background_holo_light.xml | 45 +- ...lector_background_transition_holo_dark.xml | 30 +- ...ector_background_transition_holo_light.xml | 30 +- .../drawable/abc_list_selector_holo_dark.xml | 46 +- .../drawable/abc_list_selector_holo_light.xml | 46 +- .../drawable/abc_switch_thumb_material.xml | 31 +- .../drawable/abc_tab_indicator_material.xml | 29 +- .../abc_textfield_search_material.xml | 36 +- .../layout-v11/abc_screen_content_include.xml 
| 33 +- .../layout/abc_action_bar_title_item.xml | 53 +- .../layout/abc_action_bar_up_container.xml | 33 +- .../abc_action_bar_view_list_nav_layout.xml | 34 +- .../layout/abc_action_menu_item_layout.xml | 44 +- .../release/layout/abc_action_menu_layout.xml | 34 +- .../release/layout/abc_action_mode_bar.xml | 35 +- .../abc_action_mode_close_item_material.xml | 38 +- .../layout/abc_activity_chooser_view.xml | 39 +- .../abc_activity_chooser_view_include.xml | 93 +- .../abc_activity_chooser_view_list_item.xml | 82 +- .../layout/abc_expanded_menu_layout.xml | 31 +- .../layout/abc_list_menu_item_checkbox.xml | 35 +- .../layout/abc_list_menu_item_icon.xml | 40 +- .../layout/abc_list_menu_item_layout.xml | 96 +- .../layout/abc_list_menu_item_radio.xml | 35 +- .../layout/abc_popup_menu_item_layout.xml | 98 +- .../layout/abc_screen_content_include.xml | 33 +- .../res/release/layout/abc_screen_simple.xml | 45 +- .../abc_screen_simple_overlay_action_mode.xml | 52 +- .../res/release/layout/abc_screen_toolbar.xml | 82 +- .../abc_search_dropdown_item_icons_2line.xml | 130 +- .../res/release/layout/abc_search_view.xml | 221 +- .../layout/abc_simple_dropdown_hint.xml | 36 +- .../res/release/layout/reverse.xml | 61 +- .../res/release/layout/splash.xml | 14 +- .../support_simple_spinner_dropdown_item.xml | 39 +- .../res/release/menu/firstkey.xml | 27 +- .../res/release/values-af/values.xml | 48 +- .../res/release/values-am/values.xml | 48 +- .../res/release/values-ar/values.xml | 48 +- .../res/release/values-bg/values.xml | 48 +- .../res/release/values-bn-rBD/values.xml | 48 +- .../res/release/values-ca/values.xml | 48 +- .../res/release/values-cs/values.xml | 48 +- .../res/release/values-da/values.xml | 48 +- .../res/release/values-de/values.xml | 48 +- .../res/release/values-el/values.xml | 48 +- .../res/release/values-en-rGB/values.xml | 48 +- .../res/release/values-en-rIN/values.xml | 48 +- .../res/release/values-es-rUS/values.xml | 48 +- .../res/release/values-es/values.xml | 48 
+- .../res/release/values-et-rEE/values.xml | 48 +- .../res/release/values-eu-rES/values.xml | 48 +- .../res/release/values-fa/values.xml | 48 +- .../res/release/values-fi/values.xml | 48 +- .../res/release/values-fr-rCA/values.xml | 48 +- .../res/release/values-fr/values.xml | 48 +- .../res/release/values-gl-rES/values.xml | 48 +- .../res/release/values-hi/values.xml | 48 +- .../res/release/values-hr/values.xml | 48 +- .../res/release/values-hu/values.xml | 48 +- .../res/release/values-hy-rAM/values.xml | 48 +- .../res/release/values-in/values.xml | 48 +- .../res/release/values-is-rIS/values.xml | 48 +- .../res/release/values-it/values.xml | 48 +- .../res/release/values-iw/values.xml | 48 +- .../res/release/values-ja/values.xml | 48 +- .../res/release/values-ka-rGE/values.xml | 48 +- .../res/release/values-kk-rKZ/values.xml | 48 +- .../res/release/values-km-rKH/values.xml | 48 +- .../res/release/values-kn-rIN/values.xml | 48 +- .../res/release/values-ko/values.xml | 48 +- .../res/release/values-ky-rKG/values.xml | 48 +- .../res/release/values-land/values.xml | 18 +- .../res/release/values-large-v4/values.xml | 28 +- .../res/release/values-lo-rLA/values.xml | 48 +- .../res/release/values-lt/values.xml | 48 +- .../res/release/values-lv/values.xml | 48 +- .../res/release/values-mk-rMK/values.xml | 42 +- .../res/release/values-ml-rIN/values.xml | 48 +- .../res/release/values-mn-rMN/values.xml | 48 +- .../res/release/values-mr-rIN/values.xml | 48 +- .../res/release/values-ms-rMY/values.xml | 48 +- .../res/release/values-my-rMM/values.xml | 48 +- .../res/release/values-nb/values.xml | 48 +- .../res/release/values-ne-rNP/values.xml | 48 +- .../res/release/values-nl/values.xml | 48 +- .../res/release/values-pl/values.xml | 48 +- .../res/release/values-port/values.xml | 6 +- .../res/release/values-pt-rPT/values.xml | 48 +- .../res/release/values-pt/values.xml | 48 +- .../res/release/values-ro/values.xml | 48 +- .../res/release/values-ru/values.xml | 48 +- 
.../res/release/values-si-rLK/values.xml | 48 +- .../res/release/values-sk/values.xml | 48 +- .../res/release/values-sl/values.xml | 48 +- .../res/release/values-sr/values.xml | 48 +- .../res/release/values-sv/values.xml | 48 +- .../res/release/values-sw/values.xml | 48 +- .../res/release/values-sw600dp-v13/values.xml | 16 +- .../values-sw720dp-land-v13/values.xml | 6 +- .../res/release/values-ta-rIN/values.xml | 48 +- .../res/release/values-te-rIN/values.xml | 48 +- .../res/release/values-th/values.xml | 48 +- .../res/release/values-tl/values.xml | 48 +- .../res/release/values-tr/values.xml | 48 +- .../res/release/values-uk/values.xml | 48 +- .../res/release/values-ur-rPK/values.xml | 48 +- .../res/release/values-uz-rUZ/values.xml | 45 +- .../res/release/values-v11/values.xml | 686 +- .../res/release/values-v14/values.xml | 87 +- .../res/release/values-v17/values.xml | 101 +- .../res/release/values-v21/values.xml | 585 +- .../res/release/values-vi/values.xml | 48 +- .../res/release/values-w360dp-v13/values.xml | 6 +- .../res/release/values-w480dp-v13/values.xml | 8 +- .../res/release/values-w500dp-v13/values.xml | 6 +- .../res/release/values-w600dp-v13/values.xml | 8 +- .../res/release/values-w720dp-v13/values.xml | 6 +- .../release/values-xlarge-land-v4/values.xml | 6 +- .../res/release/values-xlarge-v4/values.xml | 18 +- .../res/release/values-zh-rCN/values.xml | 48 +- .../res/release/values-zh-rHK/values.xml | 48 +- .../res/release/values-zh-rTW/values.xml | 48 +- .../res/release/values-zu/values.xml | 48 +- .../res/release/values/values.xml | 2884 +++-- .../outputs/lint-results-release-fatal.html | 20 +- .../hololike.css | 256 +- .../reverseengineer3/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 72 +- .../Reverse_Engineering4.java | 126 +- .../com/mobshep/reverseengineer3/Splash.java | 90 +- .../app/src/main/res/drawable-hdpi/button.xml | 56 +- .../src/main/res/drawable-hdpi/edittext.xml | 41 +- 
.../app/src/main/res/drawable-ldpi/button.xml | 56 +- .../src/main/res/drawable-ldpi/edittext.xml | 41 +- .../app/src/main/res/drawable-mdpi/button.xml | 56 +- .../src/main/res/drawable-mdpi/edittext.xml | 41 +- .../src/main/res/drawable-xhdpi/button.xml | 56 +- .../src/main/res/drawable-xhdpi/edittext.xml | 41 +- .../src/main/res/drawable-xxhdpi/button.xml | 56 +- .../src/main/res/drawable-xxhdpi/edittext.xml | 41 +- .../app/src/main/res/layout/reverse.xml | 61 +- .../app/src/main/res/layout/splash.xml | 14 +- .../app/src/main/res/menu/firstkey.xml | 27 +- .../src/main/res/values-sw600dp/dimens.xml | 6 +- .../main/res/values-sw720dp-land/dimens.xml | 8 +- .../app/src/main/res/values-v11/styles.xml | 12 +- .../app/src/main/res/values-v14/styles.xml | 15 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 6 +- .../app/src/main/res/values/styles.xml | 79 +- .../sessionmanagement/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 46 +- .../sessionmanagement/CustomHttpClient.java | 186 +- .../sessionmanagement/MainActivity.java | 154 +- .../sessionmanagement/Preferences.java | 56 +- .../app/src/main/res/layout/activity_main.xml | 63 +- .../app/src/main/res/layout/preferences.xml | 31 +- .../app/src/main/res/menu/menu_main.xml | 20 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 48 +- .../app/src/main/res/values/styles.xml | 9 +- .../app/src/main/res/xml/box.xml | 48 +- .../app/src/main/res/xml/button.xml | 56 +- .../app/src/main/res/xml/edittext.xml | 41 +- .../shepherdlogin/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 93 +- .../com/mobshep/shepherdlogin/LoggedIn.java | 146 +- .../mobshep/shepherdlogin/MainActivity.java | 304 +- .../shepherdlogin/SessionProvider.java | 327 +- .../app/src/main/res/drawable/button.xml | 56 +- .../app/src/main/res/drawable/edittext.xml | 41 +- 
.../main/res/layout-xlarge/activity_main.xml | 128 +- .../app/src/main/res/layout/activity_main.xml | 141 +- .../app/src/main/res/layout/loggedin.xml | 94 +- .../app/src/main/res/layout/preferences.xml | 52 +- .../app/src/main/res/menu/menu_main.xml | 20 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 46 +- .../app/src/main/res/values/styles.xml | 9 +- .../app/src/main/res/xml/box.xml | 48 +- .../app/src/main/res/xml/button.xml | 56 +- .../app/src/main/res/xml/edittext.xml | 41 +- .../shepherdresolver/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 30 +- .../shepherdresolver/MainActivity.java | 138 +- .../app/src/main/res/layout/activity_main.xml | 30 +- .../app/src/main/res/menu/menu_main.xml | 10 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 6 +- .../app/src/main/res/values/styles.xml | 9 +- .../com/mobshep/udataleakage/UDLTest.java | 67 +- .../app/src/main/AndroidManifest.xml | 86 +- .../java/com/mobshep/udataleakage/Splash.java | 91 +- .../mobshep/udataleakage/UDataLeakage.java | 373 +- .../app/src/main/res/drawable-hdpi/button.xml | 56 +- .../src/main/res/drawable-hdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-ldpi/button.xml | 56 +- .../src/main/res/drawable-ldpi/edittext.xml | 41 +- .../app/src/main/res/drawable-mdpi/button.xml | 56 +- .../src/main/res/drawable-mdpi/edittext.xml | 41 +- .../src/main/res/drawable-xhdpi/button.xml | 56 +- .../src/main/res/drawable-xhdpi/edittext.xml | 41 +- .../src/main/res/drawable-xxhdpi/button.xml | 56 +- .../src/main/res/drawable-xxhdpi/edittext.xml | 41 +- .../app/src/main/res/layout/splash.xml | 14 +- .../app/src/main/res/layout/udl.xml | 42 +- .../app/src/main/res/menu/menu_main.xml | 20 +- .../res/menu/unintended__data__leakage.xml | 6 +- .../app/src/main/res/values-v11/styles.xml | 33 +- 
.../app/src/main/res/values-v14/styles.xml | 33 +- .../app/src/main/res/values-w820dp/dimens.xml | 10 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 10 +- .../app/src/main/res/values/styles.xml | 33 +- .../app/src/main/AndroidManifest.xml | 42 +- .../mobshep/UDataLeakage1/UDataLeakage1.java | 437 +- .../app/src/main/res/drawable-hdpi/box.xml | 48 +- .../app/src/main/res/drawable-hdpi/button.xml | 56 +- .../src/main/res/drawable-hdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-mdpi/button.xml | 56 +- .../src/main/res/drawable-mdpi/edittext.xml | 41 +- .../src/main/res/drawable-xhdpi/button.xml | 56 +- .../src/main/res/drawable-xhdpi/edittext.xml | 41 +- .../src/main/res/drawable-xxhdpi/button.xml | 56 +- .../src/main/res/drawable-xxhdpi/checkbox.xml | 9 +- .../src/main/res/drawable-xxhdpi/checked.xml | 5 +- .../src/main/res/drawable-xxhdpi/edittext.xml | 41 +- .../main/res/drawable-xxhdpi/unchecked.xml | 5 +- .../app/src/main/res/layout/activity_main.xml | 132 +- .../app/src/main/res/menu/menu_main.xml | 20 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 40 +- .../app/src/main/res/values/styles.xml | 35 +- .../udataleakage2/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 100 +- .../com/mobshep/udataleakage2/Feedback.java | 51 +- .../mobshep/udataleakage2/MainActivity.java | 218 +- .../java/com/mobshep/udataleakage2/Query.java | 63 +- .../com/mobshep/udataleakage2/Splash.java | 92 +- .../app/src/main/res/drawable-hdpi/box.xml | 48 +- .../app/src/main/res/drawable-hdpi/button.xml | 56 +- .../src/main/res/drawable-hdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-ldpi/button.xml | 56 +- .../src/main/res/drawable-ldpi/edittext.xml | 41 +- .../app/src/main/res/drawable-mdpi/box.xml | 48 +- .../app/src/main/res/drawable-mdpi/button.xml | 56 +- .../src/main/res/drawable-mdpi/edittext.xml | 41 +- 
.../app/src/main/res/drawable-xhdpi/box.xml | 48 +- .../src/main/res/drawable-xhdpi/button.xml | 56 +- .../src/main/res/drawable-xhdpi/edittext.xml | 41 +- .../app/src/main/res/drawable-xxhdpi/box.xml | 48 +- .../src/main/res/drawable-xxhdpi/button.xml | 56 +- .../src/main/res/drawable-xxhdpi/edittext.xml | 41 +- .../app/src/main/res/layout/activity_main.xml | 42 +- .../app/src/main/res/layout/functions.xml | 117 +- .../app/src/main/res/layout/splash.xml | 16 +- .../app/src/main/res/layout/submitquery.xml | 112 +- .../src/main/res/layout/sumbitfeedback.xml | 76 +- .../app/src/main/res/menu/menu_main.xml | 42 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 50 +- .../app/src/main/res/values/styles.xml | 33 +- .../udataleakage3/MainActivity.java.html | 166 +- .../untrustedinput/ApplicationTest.java | 13 +- .../app/src/main/AndroidManifest.xml | 86 +- .../untrustedinput/CustomHttpClient.java | 88 +- .../mobshep/untrustedinput/MainActivity.java | 95 +- .../mobshep/untrustedinput/Preferences.java | 64 +- .../com/mobshep/untrustedinput/admin.java | 95 +- .../src/main/res/layout/activity_admin.xml | 93 +- .../app/src/main/res/layout/activity_main.xml | 53 +- .../app/src/main/res/layout/content_admin.xml | 25 +- .../app/src/main/res/layout/content_main.xml | 39 +- .../app/src/main/res/layout/preferences.xml | 31 +- .../app/src/main/res/menu/menu_main.xml | 10 +- .../app/src/main/res/values-v21/styles.xml | 15 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/colors.xml | 6 +- .../app/src/main/res/values/dimens.xml | 8 +- .../app/src/main/res/values/strings.xml | 42 +- .../app/src/main/res/values/styles.xml | 29 +- .../app/src/main/res/xml/box.xml | 48 +- .../app/src/main/res/xml/button.xml | 56 +- .../app/src/main/res/xml/edittext.xml | 41 +- .../untrustedinput/ExampleUnitTest.java | 19 +- .../ApplicationTest.java | 13 +- 
.../app/src/main/AndroidManifest.xml | 33 +- .../CustomHttpClient.java | 174 +- .../weakserversidecontrols/LoginLayout.java | 85 +- .../app/src/main/res/layout/activity_main.xml | 105 +- .../app/src/main/res/menu/menu_main.xml | 10 +- .../app/src/main/res/values-w820dp/dimens.xml | 8 +- .../app/src/main/res/values/dimens.xml | 6 +- .../app/src/main/res/values/strings.xml | 6 +- .../app/src/main/res/values/styles.xml | 9 +- src/it/java/servlets/LoginIT.java | 844 +- src/it/java/servlets/LogoutIT.java | 371 +- src/it/java/servlets/SetupIT.java | 307 +- .../admin/config/DisableCheatsIT.java | 345 +- .../admin/config/DisableFeedbackIT.java | 311 +- .../admin/config/DisableScoreboardIT.java | 416 +- .../servlets/admin/config/EnableCheatsIT.java | 439 +- .../admin/config/EnableFeedbackIT.java | 399 +- .../admin/config/EnableScoreboardIT.java | 725 +- .../servlets/admin/config/SetCtfModeIT.java | 428 +- .../admin/config/SetOpenFloorModeIT.java | 426 +- .../admin/config/SetTournamentModeIT.java | 415 +- .../admin/config/ToggleRegistrationIT.java | 449 +- .../CloseAllModulesTestIT.java | 314 +- .../moduleManagement/EnableModuleBlockIT.java | 508 +- .../admin/moduleManagement/GetFeedbackIT.java | 454 +- .../moduleManagement/GetJsonProgressIT.java | 336 +- .../moduleManagement/OpenAllModulesIT.java | 309 +- .../OpenOrCloseByCategoryIT.java | 390 +- .../admin/userManagement/DeletePlayersIT.java | 398 +- .../userManagement/DowngradeAdminsIT.java | 396 +- src/it/java/servlets/api/LevelsIT.java | 492 +- src/it/java/servlets/module/GetModuleIT.java | 740 +- .../challenge/BrokenCryptoHomeMadeIT.java | 677 +- .../module/challenge/NoSqlInjection1IT.java | 218 +- .../module/challenge/XxeChallenge1IT.java | 329 +- .../servlets/module/lesson/CsrfLessonIT.java | 335 +- .../module/lesson/DirectObjectLessonIT.java | 497 +- .../module/lesson/PoorValidationLessonIT.java | 374 +- .../lesson/SecurityMisconfigLessonIT.java | 455 +- .../lesson/SessionManagementLessonIT.java | 353 +- 
.../module/lesson/SqlInjectionLessonIT.java | 441 +- .../lesson/UnvalidatedForwardsLessonIT.java | 726 +- .../servlets/module/lesson/XssLessonIT.java | 859 +- .../servlets/module/lesson/XxeLessonIT.java | 369 +- src/main/java/dbProcs/Constants.java | 12 +- src/main/java/dbProcs/Database.java | 705 +- .../java/dbProcs/FileInputProperties.java | 54 +- src/main/java/dbProcs/Getter.java | 5161 ++++---- src/main/java/dbProcs/MongoDatabase.java | 702 +- src/main/java/dbProcs/Setter.java | 3009 ++--- src/main/java/servlets/ACS.java | 477 +- src/main/java/servlets/ChangePassword.java | 248 +- src/main/java/servlets/ChangeUsername.java | 132 +- src/main/java/servlets/GetJsonScore.java | 166 +- src/main/java/servlets/Login.java | 263 +- src/main/java/servlets/Logout.java | 237 +- src/main/java/servlets/MobileLogin.java | 233 +- src/main/java/servlets/OneTimePad.java | 228 +- src/main/java/servlets/Register.java | 337 +- src/main/java/servlets/SLS.java | 173 +- src/main/java/servlets/SSOLogin.java | 85 +- src/main/java/servlets/SSOMetadata.java | 95 +- src/main/java/servlets/Setup.java | 889 +- src/main/java/servlets/SetupFilter.java | 60 +- .../admin/config/ChangeCoreDatabase.java | 207 +- .../servlets/admin/config/DisableCheats.java | 104 +- .../admin/config/DisableFeedback.java | 148 +- .../admin/config/DisableScoreboard.java | 152 +- .../servlets/admin/config/EnableCheats.java | 125 +- .../servlets/admin/config/EnableFeedback.java | 148 +- .../admin/config/EnableScoreboard.java | 348 +- .../servlets/admin/config/SetCountdown.java | 125 +- .../servlets/admin/config/SetCtfMode.java | 108 +- .../admin/config/SetOpenFloorMode.java | 105 +- .../admin/config/SetTournamentMode.java | 104 +- .../admin/config/ToggleRegistration.java | 166 +- .../moduleManagement/CloseAllModules.java | 97 +- .../moduleManagement/EnableModuleBlock.java | 204 +- .../admin/moduleManagement/GetFeedback.java | 116 +- .../moduleManagement/GetJsonProgress.java | 124 +- 
.../admin/moduleManagement/GetProgress.java | 122 +- .../moduleManagement/OpenAllModules.java | 154 +- .../moduleManagement/OpenMobileModules.java | 97 +- .../OpenOrCloseByCategory.java | 142 +- .../moduleManagement/OpenWebModules.java | 153 +- .../moduleManagement/RemoveModuleLock.java | 130 +- .../moduleManagement/SetModuleStatus.java | 138 +- .../admin/userManagement/AddPlayer.java | 338 +- .../admin/userManagement/AssignPlayers.java | 310 +- .../userManagement/ChangeUserPassword.java | 247 +- .../admin/userManagement/CreateClass.java | 271 +- .../admin/userManagement/CreateNewAdmin.java | 304 +- .../admin/userManagement/DeletePlayers.java | 240 +- .../admin/userManagement/DowngradeAdmin.java | 237 +- .../userManagement/GetPlayersByClass.java | 243 +- .../admin/userManagement/GiveTakePoints.java | 255 +- .../admin/userManagement/SetDefaultClass.java | 219 +- .../admin/userManagement/SuspendUser.java | 247 +- .../admin/userManagement/UnSuspendUser.java | 234 +- .../admin/userManagement/UpgradePlayer.java | 241 +- src/main/java/servlets/api/Cheats.java | 41 +- src/main/java/servlets/api/Levels.java | 98 +- src/main/java/servlets/api/Scoreboard.java | 40 +- .../java/servlets/module/FeedbackSubmit.java | 413 +- src/main/java/servlets/module/GetCheat.java | 155 +- src/main/java/servlets/module/GetModule.java | 258 +- .../module/ModuleServletTemplate.java | 279 +- .../java/servlets/module/RefreshMenu.java | 234 +- .../java/servlets/module/SolutionSubmit.java | 626 +- .../module/challenge/BrokenCrypto3.java | 208 +- .../module/challenge/BrokenCrypto4.java | 275 +- .../challenge/BrokenCryptoHomeMade.java | 771 +- .../module/challenge/CsrfChallengeFive.java | 154 +- .../module/challenge/CsrfChallengeFour.java | 150 +- .../module/challenge/CsrfChallengeJSON.java | 162 +- .../module/challenge/CsrfChallengeOne.java | 158 +- .../module/challenge/CsrfChallengeSeven.java | 150 +- .../challenge/CsrfChallengeSevenGetToken.java | 155 +- .../module/challenge/CsrfChallengeSix.java 
| 151 +- .../challenge/CsrfChallengeSixGetToken.java | 150 +- .../challenge/CsrfChallengeTargetFive.java | 223 +- .../challenge/CsrfChallengeTargetFour.java | 287 +- .../challenge/CsrfChallengeTargetJSON.java | 192 +- .../challenge/CsrfChallengeTargetOne.java | 166 +- .../challenge/CsrfChallengeTargetSeven.java | 227 +- .../challenge/CsrfChallengeTargetSix.java | 233 +- .../challenge/CsrfChallengeTargetThree.java | 186 +- .../challenge/CsrfChallengeTargetTwo.java | 166 +- .../module/challenge/CsrfChallengeThree.java | 161 +- .../module/challenge/CsrfChallengeTwo.java | 161 +- .../module/challenge/DirectObject1.java | 180 +- .../module/challenge/DirectObject2.java | 180 +- .../DirectObjectBankCurrentBalance.java | 137 +- .../challenge/DirectObjectBankLogin.java | 513 +- .../challenge/DirectObjectBankLogout.java | 97 +- .../DirectObjectBankRegistration.java | 148 +- .../challenge/DirectObjectBankTransfer.java | 231 +- .../module/challenge/NoSqlInjection1.java | 297 +- .../module/challenge/PoorValidation1.java | 171 +- .../module/challenge/PoorValidation2.java | 186 +- .../SecurityMisconfigStealTokens.java | 382 +- .../module/challenge/SessionManagement1.java | 241 +- .../module/challenge/SessionManagement2.java | 279 +- .../SessionManagement2ChangePassword.java | 186 +- .../module/challenge/SessionManagement3.java | 349 +- .../SessionManagement3ChangePassword.java | 263 +- .../module/challenge/SessionManagement4.java | 270 +- .../module/challenge/SessionManagement5.java | 323 +- .../SessionManagement5ChangePassword.java | 340 +- .../challenge/SessionManagement5SetToken.java | 195 +- .../module/challenge/SessionManagement6.java | 359 +- .../SessionManagement6SecretQuestion.java | 455 +- .../module/challenge/SessionManagement7.java | 338 +- .../SessionManagement7SecretQuestion.java | 436 +- .../module/challenge/SessionManagement8.java | 277 +- .../module/challenge/SqlInjection1.java | 203 +- .../module/challenge/SqlInjection3.java | 194 +- 
.../module/challenge/SqlInjection4.java | 231 +- .../module/challenge/SqlInjection5.java | 294 +- .../challenge/SqlInjection5CouponCheck.java | 185 +- .../challenge/SqlInjection5VipCheck.java | 187 +- .../module/challenge/SqlInjection6.java | 224 +- .../module/challenge/SqlInjection7.java | 231 +- .../module/challenge/SqlInjectionEmail.java | 225 +- .../challenge/SqlInjectionEscaping.java | 201 +- .../SqlInjectionStoredProcedure.java | 191 +- .../servlets/module/challenge/UrlAccess1.java | 160 +- .../module/challenge/UrlAccess1Admin.java | 178 +- .../servlets/module/challenge/UrlAccess2.java | 157 +- .../module/challenge/UrlAccess2Admin.java | 168 +- .../servlets/module/challenge/UrlAccess3.java | 298 +- .../module/challenge/UrlAccess3UserList.java | 180 +- .../module/challenge/XssChallengeFive.java | 177 +- .../module/challenge/XssChallengeFour.java | 202 +- .../module/challenge/XssChallengeOne.java | 173 +- .../module/challenge/XssChallengeSix.java | 177 +- .../module/challenge/XssChallengeThree.java | 173 +- .../module/challenge/XssChallengeTwo.java | 184 +- .../module/challenge/XxeChallenge1.java | 310 +- .../servlets/module/lesson/CsrfLesson.java | 189 +- .../module/lesson/CsrfLessonTarget.java | 98 +- .../module/lesson/DirectObjectLesson.java | 224 +- .../module/lesson/PoorValidationLesson.java | 164 +- .../java/servlets/module/lesson/Redirect.java | 115 +- .../module/lesson/RedirectLessonTarget.java | 102 +- .../lesson/SecurityMisconfigLesson.java | 166 +- .../lesson/SessionManagementLesson.java | 193 +- .../module/lesson/SqlInjectionLesson.java | 248 +- .../lesson/UnvalidatedForwardsLesson.java | 276 +- .../servlets/module/lesson/XssLesson.java | 176 +- .../servlets/module/lesson/XxeLesson.java | 319 +- src/main/java/utils/Analytics.java | 67 +- src/main/java/utils/CheatSheetStatus.java | 250 +- src/main/java/utils/CountdownHandler.java | 478 +- src/main/java/utils/FeedbackStatus.java | 93 +- src/main/java/utils/FindXSS.java | 774 +- 
src/main/java/utils/GetJson.java | 56 +- src/main/java/utils/Hash.java | 239 +- .../java/utils/InstallationException.java | 13 +- .../utils/InvalidCountdownStateException.java | 49 +- src/main/java/utils/LoginMethod.java | 99 +- src/main/java/utils/ModuleBlock.java | 79 +- src/main/java/utils/ModulePlan.java | 292 +- src/main/java/utils/OpenRegistration.java | 167 +- src/main/java/utils/ScoreboardStatus.java | 554 +- src/main/java/utils/ShepherdLogManager.java | 115 +- src/main/java/utils/SqlFilter.java | 110 +- src/main/java/utils/UserKicker.java | 95 +- src/main/java/utils/Validate.java | 990 +- src/main/java/utils/XmlDocumentBuilder.java | 152 +- src/main/java/utils/XssFilter.java | 343 +- src/main/webapp/WEB-INF/web.xml | 74 +- .../webapp/admin/config/aboutShepherd.jsp | 41 +- src/main/webapp/admin/config/configCheats.jsp | 76 +- .../webapp/admin/config/configFeedback.jsp | 75 +- .../webapp/admin/config/setCoreDatabase.jsp | 55 +- .../admin/config/updateRegistration.jsp | 82 +- .../moduleManagement/changeLevelLayout.jsp | 129 +- .../admin/moduleManagement/classProgress.jsp | 69 +- .../admin/moduleManagement/feedback.jsp | 63 +- .../admin/moduleManagement/moduleBlock.jsp | 108 +- .../moduleManagement/openCloseByCategory.jsp | 63 +- .../admin/moduleManagement/setStatus.jsp | 56 +- .../admin/userManagement/addPlayers.jsp | 104 +- .../admin/userManagement/assignPlayers.jsp | 118 +- .../userManagement/changeUserPassword.jsp | 98 +- .../admin/userManagement/createNewAdmin.jsp | 80 +- .../admin/userManagement/createNewClass.jsp | 58 +- .../admin/userManagement/deletePlayers.jsp | 91 +- .../admin/userManagement/downgradeAdmins.jsp | 73 +- .../admin/userManagement/givePoints.jsp | 101 +- .../setDefaultClassForRegistration.jsp | 72 +- .../admin/userManagement/suspendUser.jsp | 102 +- .../admin/userManagement/unSuspendUser.jsp | 94 +- .../admin/userManagement/upgradePlayers.jsp | 97 +- src/main/webapp/blockedMessage.jsp | 39 +- 
...939bd496ffe8c9f7b564bce32bd5e3a8c2f751.jsp | 80 +- ...a55050e3e1cfbbbe1d597b0537513ac8665295.jsp | 44 +- ...5e0ed26b11af978523e34528cf0bb9d32de851.jsp | 50 +- ...fdfa6ac5d77fadee08585eb98b130ec524d00c.jsp | 139 +- ...aece3784d61adc56498f7603ccd7cb8ae92629.jsp | 96 +- ...085e5eae5d25e8646dcd4b05009353c9cf9c80.jsp | 154 +- ...3bf993087de5a0ac72adff216002abf79146fa.jsp | 69 +- ...14d422ea56705a7e3fc405a77bc269948ccae1.jsp | 76 +- ...a0c78d5a70c2d38ea9d8b3e14db3aea01afcbb.jsp | 115 +- ...58470469d7024929cf78d570cd16c03bee3569.jsp | 117 +- ...bee31e9291aaa5367594c29b3af542a7572c01.jsp | 50 +- ...74e3f1336d350c4e1e51d4eda5b52dddf86c99.jsp | 75 +- ...40b48f53aad7b41390fe46c6f324fee748d136.jsp | 24 +- ...fd8fbb5469a60209b44fa3485c18794df4d5b1.jsp | 30 +- ...34489287969d5ba504ac2439915184d6e5dc49.jsp | 117 +- ...b1060ac41f0d96f53b6ea54705bb1ea4316334.jsp | 67 +- ...4c671f8999680556c127a19ee79fa5d7a132e1.jsp | 133 +- ...bb8fef3209c5d648b54d1276813cd072815df3.jsp | 116 +- ...cb54137960405da2f7a90a0684f86c4d45a2e7.jsp | 102 +- ...200f7c10569dc94e51349f7b857fb68b4e6bdf.jsp | 25 +- ...73d944aacb7b72f28693a23f9949ac310648b5.jsp | 119 +- ...a634194bf5da440282227c15954bbdfb54f0c7.jsp | 42 +- ...da550520e29f7a82400a317c579eb3a5a0a8ef.jsp | 50 +- ...a002dc0e455f0e92c8a46ab0cf519b1547eced.jsp | 93 +- ...87aa9d88044dc43e248984a252c6e861f673d4.jsp | 101 +- ...6c46b03379a0eebab36afcd1d9076f65d4ce62.jsp | 153 +- ...a52071b2eb211d8c044dde6d2f4b89874a7bc4.jsp | 92 +- ...dd0d84013ea2c80e232c980e54dd753700123e.jsp | 88 +- ...148ab44b7bd028009a908ce3f1b4d019886d0e.jsp | 85 +- ...46c4dde25ebd8ceab51807bad88ff47c316ece.jsp | 154 +- ...0dc2e875344035e38608fcfb7c1ab8924923f6.jsp | 85 +- ...0cc18533a88b2363054a1f391fe855954d12f9.jsp | 160 +- ...3dd9417e0530a4e0186c27699f54637c7fb5d4.jsp | 80 +- ...9322dd2750f633246842280dc68c858d208425.jsp | 54 +- ...21aae15d28c36c7981222eb59f7fc8d8f212a2.jsp | 87 +- ...590b499ceca941ab848805c00f5bf0a40c9717.jsp | 46 +- 
...22ea8e0a60589c3940afd6ebf433469e997caf.jsp | 76 +- ...afe54491d1bacf9fffa0b21a072b03c5bafe66.jsp | 93 +- ...c11e7b4575a7bc12ee6d0a384ac2469449e8fa.jsp | 87 +- ...22937090ebd3769466a501a5e7ac605b9f34b7.jsp | 124 +- ...d45a6c1c635bf1b482dccfe32e9b01b69a042b.jsp | 34 +- ...d06134dac7d843367763a3226c9081f537fb2f.jsp | 93 +- ...a998c759646bd8aea02511482b8ce5d707f93a.jsp | 64 +- ...8613e64f7d0f51c432a164efc8418513711b0a.jsp | 100 +- ...350f55c77b82878329570efa894838980de5b4.jsp | 64 +- ...769967bdc75740ad2363803168b7907c794cd4.jsp | 52 +- ...95c23f7fadcf08a092e05620c9968bd60fcba6.jsp | 72 +- ...bb18ac934667971fa275bd7d234589bd8a8467.jsp | 42 +- ...3f53039d4489c94df2ee280d6203b389dd5671.jsp | 80 +- ...90791bb312a3044b3110acb8a65d165376bf34.jsp | 42 +- ...befff7427f6610ed626dfd43abf35295f106bc.jsp | 46 +- ...82b9d703404e99cdef54d2aa745f497abe070b.jsp | 101 +- ...cc0e685e5f86a87f30c2ca641e1dde15b01177.jsp | 64 +- ...9a27a72daea0f17017253f87e7ebd98c71c98c.jsp | 77 +- ...2170c1c06817e72b526b3d1e9a6085f429cf52.jsp | 115 +- ...69eeac25dbb2a6887bdb38873e57d0ef447bc3.jsp | 142 +- ...1d6034bafe48954575c3a6563cb47a85b1e888.jsp | 85 +- ...1d847e47ed7abac2a4ce4cb6086646e0f313a4.jsp | 92 +- ...544edb2ee8f624249f3e920663edb733f15cd7.jsp | 47 +- ...171ebf49bc18753b0ec34b8dff5e4f9147eb5e.jsp | 112 +- ...7415820adc5633256a7b44a7d1e262db105e3c.jsp | 113 +- .../css/jquery.mCustomScrollbar.min.css | 1547 ++- src/main/webapp/css/lessonCss/theCss.css | 93 +- src/main/webapp/css/theCss.css | 272 +- src/main/webapp/css/theResponsiveCss.css | 44 +- src/main/webapp/getStarted.jsp | 144 +- ...0adb59928158da5994a39f584cb799f25a95b9.jsp | 57 +- ...b94f70afe9cca3f78c1e4766fee1cc08c035ec.jsp | 92 +- ...5481c4ce397b80291d99307cfad69662277d39.jsp | 56 +- ...57ae1f7da21282795d0ed86c55fefe41eb874f.jsp | 125 +- ...1ef40836d9b710179cd19754ec5b3c31f27d1a.jsp | 133 +- ...d34e8d6bd8b037f05341e64e94f5411c10ac8e.jsp | 50 +- ...42c4157e29b9bcc44e8a827be3bb7e58c9a212.jsp | 59 +- 
.../webapp/lessons/adminOnly/resultKey.jsp | 142 +- ...a7a32410a0808138bbefc98986030f9ea83806.jsp | 136 +- ...e60986af8119c4f643894775433dbfb6faa594.jsp | 141 +- ...576e1dc140393185afca8975fbd6822ebf392f.jsp | 59 +- ...7cdbe270a9e9dd714065f0f775cd40dc296bc7.jsp | 133 +- ...6016a0a7f6879283c873d9476a8e7e94ea736f.jsp | 128 +- ...a7c0f68abc6ef2ab747ea87e0892767152eae1.jsp | 47 +- ...9dc62ea21e25ca619ed9107bcc50e4a8dbc100.jsp | 130 +- ...1ade2cde04a7a2e9a7f1a80dbb6dc9f717c833.jsp | 136 +- ...0c00ca655fded295c90ef36f3a6c5146c29ef2.jsp | 56 +- src/main/webapp/lessons/mobile/mobileAPI.jsp | 7 +- .../lessons/mobile/mobileServerLesson.jsp | 3 +- ...d8366d74eb52ef955e103c813b592dba0477e3.jsp | 75 +- ...7b24009f3ac54cdff1b81a65db1688d86efb3a.jsp | 122 +- src/main/webapp/loggedOutSheep.html | 2 +- src/main/webapp/login.jsp | 8 +- src/main/webapp/lostSheep.jsp | 4 +- src/main/webapp/mobileLevelTemplate.jsp | 44 +- src/main/webapp/readyToPlay.jsp | 31 +- src/main/webapp/register.jsp | 176 +- src/main/webapp/serverError.jsp | 5 +- src/main/webapp/translation-select.jsp | 22 +- src/main/webapp/translation.jsp | 10 +- src/main/webapp/webLevelTemplate.jsp | 37 +- src/setupFiles/tomcatShepherdSampleServer.xml | 284 +- src/setupFiles/tomcatShepherdSampleWeb.xml | 9217 +++++++------ src/test/java/dbProcs/GetterTest.java | 6039 +++++---- src/test/java/dbProcs/MongoDatabaseTest.java | 162 +- src/test/java/dbProcs/SetterTest.java | 2499 ++-- .../java/testUtils/TestCountdownHandler.java | 578 +- src/test/java/testUtils/TestProperties.java | 907 +- .../testUtils/TestXmlDocumentBuilder.java | 41 +- 1855 files changed, 146749 insertions(+), 117860 deletions(-) create mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 000000000..8f1cc51e7 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,33 @@
+
+# OWASP Security Shepherd Contributing
+
+## GitFlow
+Shepherd uses [GitFlow](https://datasift.github.io/gitflow/IntroducingGitFlow.html). That basically means you never directly commit to master / dev.
+
+## Where do I put new code?
+To add a new feature or fix a bug in Shepherd, create a fork or branch from the [dev branch](https://github.com/OWASP/SecurityShepherd/tree/dev). When you're branch is complete and your JUnit's have been created / run clear, create a pull request to merge your branch into dev. Squash your commits if you like, if you don't that will be done be at merge.
+
+## Branch Naming Convention
+If you're working on an issue from the backlog, call your branch dev#{issueNumber}
+
+## Code Format
+Shepherd uses [Google's Java format styleguide](https://github.com/google/styleguide/blob/gh-pages/eclipse-java-google-style.xml). Please ensure your IDE will auto format to this spec before you merge.
+
+## How do I see the Backlog?
+Install ZenHub for your browser and click the ZenHub tab that will appear in this repo. The Pipelines are as follows
+1. *New Issues* - Issues yet to be reviewed for priority
+2. *Ice Box* - Issues that are valid, but have not been prioritized for the backlog
+3. *Backlog* - The Backlog order for priority.
+4. *In Progess* - Items that are currently being worked
+5. *QA Review* - Issues that have pull requests and require review / approval
+6. *Closed* - Item is Done
+
+## How do I setup my dev environment?
+[Like This](https://github.com/OWASP/SecurityShepherd/wiki/Create-a-Security-Shepherd-Dev-Environment)
+
+## Is there a Definition of Done?
+*Work in Progess*
+- [ ] New Code has 'Good' JUnit Tests that cover it
+- [ ] All JUnit Tests Pass
+- [ ] Acceptance Criteria of Epic has been satisfied where applicable
+- [ ] Code does not introduce a vulnerability that can be leveraged to exploit the system/other users
diff --git a/README.md b/README.md
index c28c147fa..3d6fa90e8 100644
--- a/README.md
+++ b/README.md @@ -2,9 +2,7 @@ # OWASP Security Shepherd [![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-48A646.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Flagship_Projects) The [OWASP Security Shepherd Project](http://bit.ly/owaspSecurityShepherd) is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skill set to security expert status. -[![Build Status](https://github.com/OWASP/SecurityShepherd/workflows/Java%20Build/badge.svg)](https://github.com/OWASP/SecurityShepherd/actions/workflows/build.yml) -[![GitHub Super-Linter](https://github.com/OWASP/SecurityShepherd/workflows/Lint%20Code%20Base/badge.svg)](https://github.com/marketplace/actions/super-linter) - +[![Build and Test](https://github.com/ismisepaul/SecurityShepherd/actions/workflows/test.yml/badge.svg)](https://github.com/ismisepaul/SecurityShepherd/actions/workflows/test.yml) # Where can I download Security Shepherd? diff --git a/pom.xml b/pom.xml index 09323ecbf..378fde321 100644 --- a/pom.xml +++ b/pom.xml @@ -25,7 +25,7 @@ de.mkammerer argon2-jvm 2.2 - + org.apache.logging.log4j @@ -504,4 +504,4 @@ - + \ No newline at end of file diff --git a/src/MobileShepherd/.metadata/.plugins/org.eclipse.e4.workbench/workbench.xmi b/src/MobileShepherd/.metadata/.plugins/org.eclipse.e4.workbench/workbench.xmi index a7d7a714a..86eac2510 100644 --- a/src/MobileShepherd/.metadata/.plugins/org.eclipse.e4.workbench/workbench.xmi +++ b/src/MobileShepherd/.metadata/.plugins/org.eclipse.e4.workbench/workbench.xmi 
@@ -1,2207 +1,6549 @@ - - - activeSchemeId:org.eclipse.ui.defaultAcceleratorConfiguration - ModelMigrationProcessor.001 - - - - - - topLevel - - - Minimized - MinimizedByZoom - - - persp.actionSet:org.eclipse.ui.cheatsheets.actionSet - persp.actionSet:org.eclipse.search.searchActionSet - persp.actionSet:org.eclipse.ui.edit.text.actionSet.annotationNavigation - persp.actionSet:org.eclipse.ui.edit.text.actionSet.navigation - persp.actionSet:org.eclipse.ui.edit.text.actionSet.convertLineDelimitersTo - persp.actionSet:org.eclipse.ui.externaltools.ExternalToolsSet - persp.actionSet:org.eclipse.ui.actionSet.keyBindings - persp.actionSet:org.eclipse.ui.actionSet.openFiles - persp.actionSet:com_sysdeo_eclipse_tomcat_actionSet - persp.actionSet:org.eclipse.debug.ui.launchActionSet - persp.actionSet:org.eclipse.jdt.ui.JavaActionSet - persp.actionSet:org.eclipse.jdt.ui.JavaElementCreationActionSet - persp.actionSet:org.eclipse.ui.NavigateActionSet - persp.viewSC:org.eclipse.jdt.ui.PackageExplorer - persp.viewSC:org.eclipse.jdt.ui.TypeHierarchy - persp.viewSC:org.eclipse.jdt.ui.SourceView - persp.viewSC:org.eclipse.jdt.ui.JavadocView - persp.viewSC:org.eclipse.search.ui.views.SearchView - persp.viewSC:org.eclipse.ui.console.ConsoleView - persp.viewSC:org.eclipse.ui.views.ContentOutline - persp.viewSC:org.eclipse.ui.views.ProblemView - persp.viewSC:org.eclipse.ui.views.ResourceNavigator - persp.viewSC:org.eclipse.ui.views.TaskList - persp.viewSC:org.eclipse.ui.views.ProgressView - persp.viewSC:org.eclipse.ui.navigator.ProjectExplorer - persp.viewSC:org.eclipse.ui.texteditor.TemplatesView - persp.viewSC:org.eclipse.pde.runtime.LogView - persp.newWizSC:org.eclipse.jdt.ui.wizards.JavaProjectWizard - persp.newWizSC:org.eclipse.jdt.ui.wizards.NewPackageCreationWizard - persp.newWizSC:org.eclipse.jdt.ui.wizards.NewClassCreationWizard - persp.newWizSC:org.eclipse.jdt.ui.wizards.NewInterfaceCreationWizard - persp.newWizSC:org.eclipse.jdt.ui.wizards.NewEnumCreationWizard - 
persp.newWizSC:org.eclipse.jdt.ui.wizards.NewAnnotationCreationWizard - persp.newWizSC:org.eclipse.jdt.ui.wizards.NewSourceFolderCreationWizard - persp.newWizSC:org.eclipse.jdt.ui.wizards.NewSnippetFileCreationWizard - persp.newWizSC:org.eclipse.jdt.ui.wizards.NewJavaWorkingSetWizard - persp.newWizSC:org.eclipse.ui.wizards.new.folder - persp.newWizSC:org.eclipse.ui.wizards.new.file - persp.newWizSC:org.eclipse.ui.editors.wizards.UntitledTextFileWizard - persp.perspSC:org.eclipse.jdt.ui.JavaBrowsingPerspective - persp.perspSC:org.eclipse.debug.ui.DebugPerspective - persp.newWizSC:com.android.ide.eclipse.adt.project.NewProjectWizard - persp.newWizSC:com.android.ide.eclipse.editors.wizards.NewXmlFileWizard - persp.actionSet:adt.actionSet.wizards - persp.actionSet:adt.actionSet.avdManager - persp.actionSet:adt.actionSet.lint - persp.actionSet:adt.actionSet.refactorings - persp.perspSC:com.android.ide.eclipse.ddms.Perspective - persp.perspSC:com.android.ide.eclipse.hierarchyviewer.PixelPerfectPespective - persp.perspSC:com.android.ide.eclipse.hierarchyviewer.TreeViewPerspective - persp.viewSC:org.eclipse.ant.ui.views.AntView - persp.showIn:org.eclipse.egit.ui.RepositoriesView - persp.actionSet:org.eclipse.debug.ui.breakpointActionSet - persp.actionSet:org.eclipse.jdt.debug.ui.JDTDebugActionSet - persp.newWizSC:org.eclipse.jdt.junit.wizards.NewTestCaseCreationWizard - persp.actionSet:org.eclipse.jdt.junit.JUnitActionSet - persp.showIn:org.eclipse.jdt.ui.PackageExplorer - persp.showIn:org.eclipse.team.ui.GenericHistoryView - persp.showIn:org.eclipse.ui.views.ResourceNavigator - persp.showIn:org.eclipse.ui.navigator.ProjectExplorer - - - - newtablook - org.eclipse.e4.primaryNavigationStack - - - - - - - - newtablook - - - - - - - - newtablook - org.eclipse.e4.secondaryNavigationStack - - - - - - - newtablook - org.eclipse.e4.secondaryDataStack - - - - - - - - - - - - - - Maximized - - - - - - - View - categoryTag:Help - - - - View - categoryTag:General - activeOnClose - - 
ViewMenu - menuContribution:menu - - - - - View - categoryTag:Help - - - - newtablook - org.eclipse.e4.primaryDataStack - EditorStack - - - - - View - categoryTag:Java - - ViewMenu - menuContribution:menu - - - - - View - categoryTag:Java - - - View - categoryTag:General - - - View - categoryTag:General - - - - View - categoryTag:General - - ViewMenu - menuContribution:menu - - - - - View - categoryTag:Java - - - View - categoryTag:Java - - - View - categoryTag:General - - - View - categoryTag:General - - - View - categoryTag:General - - - View - categoryTag:General - - - - View - categoryTag:General - - ViewMenu - menuContribution:menu - - - - - View - categoryTag:General - - - View - categoryTag:Ant - - - View - categoryTag:Git - - - View - categoryTag:Java - - - - toolbarSeparator - - - - Draggable - - - - - - - - - - - - - - - toolbarSeparator - - - - Draggable - - - - - - Draggable - - - - - Draggable - - - - - Draggable - - - - - - - Draggable - - - - - - - Draggable - - - - - - - Draggable - - - - - - toolbarSeparator - - - - Draggable - - - - - - - - - - - - toolbarSeparator - - - - toolbarSeparator - - - - Draggable - - - - - stretch - - - glue - - - - glue - - - Draggable - - - - - stretch - - - - Draggable - - - - - TrimStack - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - platform:win32 - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Editor - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Tracer for OpenGL ES - - - View - categoryTag:Tracer for OpenGL ES - - - View - categoryTag:Tracer for OpenGL ES - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:Android - - - View - categoryTag:&C/C++ - - - View - categoryTag:Debug - - - View - categoryTag:Debug - - - View - categoryTag:Debug - - - View - categoryTag:Debug - - - View - categoryTag:Debug - - - View - categoryTag:Make - - - View - categoryTag:&C/C++ - - - View - categoryTag:&C/C++ - - - View - categoryTag:&C/C++ - - - View - categoryTag:&C/C++ - - - View - categoryTag:&C/C++ - - - View - categoryTag:General - - - View - categoryTag:Debug - - - View - categoryTag:Debug - - - View - categoryTag:Debug - - - View - categoryTag:Debug - - - View - categoryTag:Debug - - - View - categoryTag:Debug - - - View - categoryTag:Debug - - - View - categoryTag:General - - - View - categoryTag:Help - - - View - categoryTag:Debug - - - View - categoryTag:Java - - - View - categoryTag:General - - - View - 
categoryTag:General - - - View - categoryTag:Team - - - View - categoryTag:Team - - - View - categoryTag:General - - - View - categoryTag:General - - - View - categoryTag:Help - - - View - categoryTag:General - - - View - categoryTag:General - - - View - categoryTag:General - - - View - categoryTag:General - - - View - categoryTag:General - - - View - categoryTag:General - - - View - categoryTag:General - - - View - categoryTag:General - - - View - categoryTag:General - - - View - categoryTag:General - - - View - categoryTag:General - - - View - categoryTag:General - - - View - categoryTag:XML - - - View - categoryTag:XML - - - View - categoryTag:Ant - - - View - categoryTag:Java - - - View - categoryTag:Java - - - View - categoryTag:Java Browsing - - - View - categoryTag:Java Browsing - - - View - categoryTag:Java Browsing - - - View - categoryTag:Java Browsing - - - View - categoryTag:Java - - - View - categoryTag:Java - - - View - categoryTag:Java - - - View - categoryTag:Git - - - View - categoryTag:Git - - - View - categoryTag:Git - - - View - categoryTag:Git - - - View - categoryTag:Git - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + activeSchemeId:org.eclipse.ui.defaultAcceleratorConfiguration + ModelMigrationProcessor.001 + + + + + + topLevel + + + Minimized + MinimizedByZoom + + + persp.actionSet:org.eclipse.ui.cheatsheets.actionSet + persp.actionSet:org.eclipse.search.searchActionSet + persp.actionSet:org.eclipse.ui.edit.text.actionSet.annotationNavigation + persp.actionSet:org.eclipse.ui.edit.text.actionSet.navigation + persp.actionSet:org.eclipse.ui.edit.text.actionSet.convertLineDelimitersTo + persp.actionSet:org.eclipse.ui.externaltools.ExternalToolsSet + persp.actionSet:org.eclipse.ui.actionSet.keyBindings + persp.actionSet:org.eclipse.ui.actionSet.openFiles + persp.actionSet:com_sysdeo_eclipse_tomcat_actionSet + persp.actionSet:org.eclipse.debug.ui.launchActionSet + persp.actionSet:org.eclipse.jdt.ui.JavaActionSet + persp.actionSet:org.eclipse.jdt.ui.JavaElementCreationActionSet + persp.actionSet:org.eclipse.ui.NavigateActionSet + 
persp.viewSC:org.eclipse.jdt.ui.PackageExplorer + persp.viewSC:org.eclipse.jdt.ui.TypeHierarchy + persp.viewSC:org.eclipse.jdt.ui.SourceView + persp.viewSC:org.eclipse.jdt.ui.JavadocView + persp.viewSC:org.eclipse.search.ui.views.SearchView + persp.viewSC:org.eclipse.ui.console.ConsoleView + persp.viewSC:org.eclipse.ui.views.ContentOutline + persp.viewSC:org.eclipse.ui.views.ProblemView + persp.viewSC:org.eclipse.ui.views.ResourceNavigator + persp.viewSC:org.eclipse.ui.views.TaskList + persp.viewSC:org.eclipse.ui.views.ProgressView + persp.viewSC:org.eclipse.ui.navigator.ProjectExplorer + persp.viewSC:org.eclipse.ui.texteditor.TemplatesView + persp.viewSC:org.eclipse.pde.runtime.LogView + persp.newWizSC:org.eclipse.jdt.ui.wizards.JavaProjectWizard + persp.newWizSC:org.eclipse.jdt.ui.wizards.NewPackageCreationWizard + persp.newWizSC:org.eclipse.jdt.ui.wizards.NewClassCreationWizard + persp.newWizSC:org.eclipse.jdt.ui.wizards.NewInterfaceCreationWizard + persp.newWizSC:org.eclipse.jdt.ui.wizards.NewEnumCreationWizard + persp.newWizSC:org.eclipse.jdt.ui.wizards.NewAnnotationCreationWizard + persp.newWizSC:org.eclipse.jdt.ui.wizards.NewSourceFolderCreationWizard + persp.newWizSC:org.eclipse.jdt.ui.wizards.NewSnippetFileCreationWizard + persp.newWizSC:org.eclipse.jdt.ui.wizards.NewJavaWorkingSetWizard + persp.newWizSC:org.eclipse.ui.wizards.new.folder + persp.newWizSC:org.eclipse.ui.wizards.new.file + persp.newWizSC:org.eclipse.ui.editors.wizards.UntitledTextFileWizard + persp.perspSC:org.eclipse.jdt.ui.JavaBrowsingPerspective + persp.perspSC:org.eclipse.debug.ui.DebugPerspective + persp.newWizSC:com.android.ide.eclipse.adt.project.NewProjectWizard + persp.newWizSC:com.android.ide.eclipse.editors.wizards.NewXmlFileWizard + persp.actionSet:adt.actionSet.wizards + persp.actionSet:adt.actionSet.avdManager + persp.actionSet:adt.actionSet.lint + persp.actionSet:adt.actionSet.refactorings + persp.perspSC:com.android.ide.eclipse.ddms.Perspective + 
persp.perspSC:com.android.ide.eclipse.hierarchyviewer.PixelPerfectPespective + persp.perspSC:com.android.ide.eclipse.hierarchyviewer.TreeViewPerspective + persp.viewSC:org.eclipse.ant.ui.views.AntView + persp.showIn:org.eclipse.egit.ui.RepositoriesView + persp.actionSet:org.eclipse.debug.ui.breakpointActionSet + persp.actionSet:org.eclipse.jdt.debug.ui.JDTDebugActionSet + persp.newWizSC:org.eclipse.jdt.junit.wizards.NewTestCaseCreationWizard + persp.actionSet:org.eclipse.jdt.junit.JUnitActionSet + persp.showIn:org.eclipse.jdt.ui.PackageExplorer + persp.showIn:org.eclipse.team.ui.GenericHistoryView + persp.showIn:org.eclipse.ui.views.ResourceNavigator + persp.showIn:org.eclipse.ui.navigator.ProjectExplorer + + + + newtablook + org.eclipse.e4.primaryNavigationStack + + + + + + + + newtablook + + + + + + + + newtablook + org.eclipse.e4.secondaryNavigationStack + + + + + + + newtablook + org.eclipse.e4.secondaryDataStack + + + + + + + + + + + + + + Maximized + + + + + + + View + categoryTag:Help + + + + View + categoryTag:General + activeOnClose + + ViewMenu + menuContribution:menu + + + + + View + categoryTag:Help + + + + newtablook + org.eclipse.e4.primaryDataStack + EditorStack + + + + + View + categoryTag:Java + + ViewMenu + menuContribution:menu + + + + + View + categoryTag:Java + + + View + categoryTag:General + + + View + categoryTag:General + + + + View + categoryTag:General + + ViewMenu + menuContribution:menu + + + + + View + categoryTag:Java + + + View + categoryTag:Java + + + View + categoryTag:General + + + View + categoryTag:General + + + View + categoryTag:General + + + View + categoryTag:General + + + + View + categoryTag:General + + ViewMenu + menuContribution:menu + + + + + View + categoryTag:General + + + View + categoryTag:Ant + + + View + categoryTag:Git + + + View + categoryTag:Java + + + + toolbarSeparator + + + + Draggable + + + + + + + + + + + + + + + toolbarSeparator + + + + Draggable + + + + + + Draggable + + + + + Draggable + + + + + 
Draggable + + + + + + + Draggable + + + + + + + Draggable + + + + + + + Draggable + + + + + + toolbarSeparator + + + + Draggable + + + + + + + + + + + + toolbarSeparator + + + + toolbarSeparator + + + + Draggable + + + + + stretch + + + glue + + + + glue + + + Draggable + + + + + stretch + + + + Draggable + + + + + TrimStack + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + platform:win32 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Editor + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Tracer for OpenGL ES + + + View + categoryTag:Tracer for OpenGL ES + + + View + categoryTag:Tracer for OpenGL ES + + + 
View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:Android + + + View + categoryTag:&C/C++ + + + View + categoryTag:Debug + + + View + categoryTag:Debug + + + View + categoryTag:Debug + + + View + categoryTag:Debug + + + View + categoryTag:Debug + + + View + categoryTag:Make + + + View + categoryTag:&C/C++ + + + View + categoryTag:&C/C++ + + + View + categoryTag:&C/C++ + + + View + categoryTag:&C/C++ + + + View + categoryTag:&C/C++ + + + View + categoryTag:General + + + View + categoryTag:Debug + + + View + categoryTag:Debug + + + View + categoryTag:Debug + + + View + categoryTag:Debug + + + View + categoryTag:Debug + + + View + categoryTag:Debug + + + View + categoryTag:Debug + + + View + categoryTag:General + + + View + categoryTag:Help + + + View + categoryTag:Debug + + + View + categoryTag:Java + + + View + categoryTag:General + + + View + categoryTag:General + + + View + categoryTag:Team + + + View + categoryTag:Team + + + View + categoryTag:General + + + View + categoryTag:General + + + View + categoryTag:Help + + + View + categoryTag:General + + + View + categoryTag:General + + + View + categoryTag:General + + + View + categoryTag:General + + + View + categoryTag:General + + + View + categoryTag:General + + + View + categoryTag:General + + + View + categoryTag:General + + + View + categoryTag:General + + + View + categoryTag:General + + + View + categoryTag:General + + + View + categoryTag:General + + + View + categoryTag:XML + + + View + categoryTag:XML + + + View + categoryTag:Ant + + + View + categoryTag:Java + + + View + categoryTag:Java + + + View + categoryTag:Java Browsing + + + View + categoryTag:Java Browsing + + + View + categoryTag:Java Browsing + + + View + categoryTag:Java Browsing + + + View + categoryTag:Java + + + View + categoryTag:Java + + + 
View + categoryTag:Java + + + View + categoryTag:Git + + + View + categoryTag:Git + + + View + categoryTag:Git + + + View + categoryTag:Git + + + View + categoryTag:Git + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/MobileShepherd/.metadata/.plugins/org.eclipse.jdt.ui/OpenTypeHistory.xml b/src/MobileShepherd/.metadata/.plugins/org.eclipse.jdt.ui/OpenTypeHistory.xml index a4ee3cbc9..7f5e62253 100644 --- a/src/MobileShepherd/.metadata/.plugins/org.eclipse.jdt.ui/OpenTypeHistory.xml +++ b/src/MobileShepherd/.metadata/.plugins/org.eclipse.jdt.ui/OpenTypeHistory.xml @@ -1,2 +1,2 @@ - + diff --git a/src/MobileShepherd/.metadata/.plugins/org.eclipse.jdt.ui/QualifiedTypeNameHistory.xml b/src/MobileShepherd/.metadata/.plugins/org.eclipse.jdt.ui/QualifiedTypeNameHistory.xml index 9e390f501..1dd44b2ff 100644 --- a/src/MobileShepherd/.metadata/.plugins/org.eclipse.jdt.ui/QualifiedTypeNameHistory.xml +++ b/src/MobileShepherd/.metadata/.plugins/org.eclipse.jdt.ui/QualifiedTypeNameHistory.xml @@ -1,2 +1,2 @@ - + diff --git a/src/MobileShepherd/.metadata/.plugins/org.eclipse.jdt.ui/dialog_settings.xml b/src/MobileShepherd/.metadata/.plugins/org.eclipse.jdt.ui/dialog_settings.xml index 3e126aab1..358ea52a6 100644 --- a/src/MobileShepherd/.metadata/.plugins/org.eclipse.jdt.ui/dialog_settings.xml +++ b/src/MobileShepherd/.metadata/.plugins/org.eclipse.jdt.ui/dialog_settings.xml @@ -1,10 +1,13 @@
-
- - - - - +
+ + + + +
diff --git a/src/MobileShepherd/.metadata/.plugins/org.eclipse.ui.workbench/dialog_settings.xml b/src/MobileShepherd/.metadata/.plugins/org.eclipse.ui.workbench/dialog_settings.xml index ab5d73d29..ee04b116d 100644 --- a/src/MobileShepherd/.metadata/.plugins/org.eclipse.ui.workbench/dialog_settings.xml +++ b/src/MobileShepherd/.metadata/.plugins/org.eclipse.ui.workbench/dialog_settings.xml @@ -1,8 +1,8 @@
- - + + diff --git a/src/MobileShepherd/.metadata/.plugins/org.eclipse.ui.workbench/workingsets.xml b/src/MobileShepherd/.metadata/.plugins/org.eclipse.ui.workbench/workingsets.xml index 4a2fd9508..390b6b7f5 100644 --- a/src/MobileShepherd/.metadata/.plugins/org.eclipse.ui.workbench/workingsets.xml +++ b/src/MobileShepherd/.metadata/.plugins/org.eclipse.ui.workbench/workingsets.xml @@ -1,4 +1,7 @@ - + \ No newline at end of file diff --git a/src/MobileShepherd/BrokenCrypto/app/src/androidTest/java/com/mobshep/brokencrypto/ApplicationTest.java b/src/MobileShepherd/BrokenCrypto/app/src/androidTest/java/com/mobshep/brokencrypto/ApplicationTest.java index 0afe556c7..2c2ea0fe4 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/androidTest/java/com/mobshep/brokencrypto/ApplicationTest.java +++ b/src/MobileShepherd/BrokenCrypto/app/src/androidTest/java/com/mobshep/brokencrypto/ApplicationTest.java @@ -3,11 +3,10 @@ import android.app.Application; import android.test.ApplicationTestCase; -/** - * Testing Fundamentals - */ +/** Testing Fundamentals */ public class ApplicationTest extends ApplicationTestCase { - public ApplicationTest() { - super(Application.class); - } -} \ No newline at end of file + + public ApplicationTest() { + super(Application.class); + } +} diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/AndroidManifest.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/AndroidManifest.xml index adca1d3c1..1077f8aa5 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/AndroidManifest.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/AndroidManifest.xml @@ -1,45 +1,40 @@ - + - + - - + + - - - - + + + + - - - - - - + + + + + + - - - - + + + + \ No newline at end of file diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/java/com/mobshep/brokencrypto/BrokenCrypto.java b/src/MobileShepherd/BrokenCrypto/app/src/main/java/com/mobshep/brokencrypto/BrokenCrypto.java index 85cc7b94e..ea15616c2 100644 
--- a/src/MobileShepherd/BrokenCrypto/app/src/main/java/com/mobshep/brokencrypto/BrokenCrypto.java +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/java/com/mobshep/brokencrypto/BrokenCrypto.java @@ -10,243 +10,226 @@ import android.widget.Button; import android.widget.Toast; - /** * This file is part of the Security Shepherd Project. - * - * The Security Shepherd project is free software: you can redistribute it - * and/or modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, either version 3 of the License, - * or (at your option) any later version.
- * - * The Security Shepherd project is distributed in the hope that it will be - * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General - * Public License for more details.
- * - * You should have received a copy of the GNU General Public License along with - * the Security Shepherd project. If not, see . - * + * + *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
+ * + *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
+ * + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . + * * @author Sean Duggan */ - public class BrokenCrypto extends Activity { - Button messageOne, messageTwo, messageThree, messageFour, messageFive; - - - - @Override - protected void onCreate(Bundle savedInstanceState) { - // TODO Auto-generated method stub - super.onCreate(savedInstanceState); - setContentView(R.layout.broken); - - - - referenceXML(); - startTimerOne(); - startTimerTwo(); - startTimerThree(); - startTimerFour(); - startTimerFive(); - - } - - private void referenceXML() { - // TODO Auto-generated method stub - messageOne = (Button) findViewById(R.id.Message1); - messageTwo = (Button) findViewById(R.id.Message2); - messageThree = (Button) findViewById(R.id.Message3); - messageFour = (Button) findViewById(R.id.Message4); - messageFive = (Button) findViewById(R.id.Message5); - messageOne.setVisibility(View.INVISIBLE); - messageTwo.setVisibility(View.INVISIBLE); - messageThree.setVisibility(View.INVISIBLE); - messageFour.setVisibility(View.INVISIBLE); - messageFive.setVisibility(View.INVISIBLE); - - - } - - private void startTimerOne() { - final Handler handler = new Handler(); - Runnable runnable = new Runnable() { - public void run() { - - try { - Thread.sleep(2000); - } catch (InterruptedException e) { - e.printStackTrace(); - } - handler.post(new Runnable() { - public void run() { - messageOne.setVisibility(View.VISIBLE); - - } - }); - - } - }; - new Thread(runnable).start(); - } - - private void startTimerTwo() { - final Handler handler = new Handler(); - Runnable runnable = new Runnable() { - public void run() { - - try { - Thread.sleep(4000); - } catch (InterruptedException e) { - e.printStackTrace(); - } - handler.post(new Runnable() { - public void run() { - messageTwo.setVisibility(View.VISIBLE); - } - }); - - } - }; - new Thread(runnable).start(); - } - - private void startTimerThree() { - final Handler handler = new 
Handler(); - Runnable runnable = new Runnable() { - public void run() { - - try { - Thread.sleep(6000); - } catch (InterruptedException e) { - e.printStackTrace(); - } - handler.post(new Runnable() { - public void run() { - messageThree.setVisibility(View.VISIBLE); - } - }); - - } - }; - new Thread(runnable).start(); - } - - private void startTimerFour() { - final Handler handler = new Handler(); - Runnable runnable = new Runnable() { - public void run() { - - try { - Thread.sleep(8000); - } catch (InterruptedException e) { - e.printStackTrace(); - } - handler.post(new Runnable() { - public void run() { - messageFour.setVisibility(View.VISIBLE); - } - }); - - } - }; - new Thread(runnable).start(); - } - - private void startTimerFive() { - final Handler handler = new Handler(); - Runnable runnable = new Runnable() { - public void run() { - - try { - Thread.sleep(10000); - } catch (InterruptedException e) { - e.printStackTrace(); - } - handler.post(new Runnable() { - public void run() { - messageFive.setVisibility(View.VISIBLE); - } - }); - - } - }; - new Thread(runnable).start(); - } - - // The following method allows a user to click one of the messages which - // appear in the xml layout and copy it directly to their clipboard - - public void copyMessage1(View v) { - - String copiedMessage = messageOne.getText().toString(); - - ClipboardManager clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE); - ClipData clip = ClipData.newPlainText("message1", copiedMessage); - clipboard.setPrimaryClip(clip); - - showToast(); - - } - - public void copyMessage2(View v) { - - String copiedMessage2 = messageTwo.getText().toString(); - - ClipboardManager clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE); - ClipData clip = ClipData.newPlainText("message2", copiedMessage2); - clipboard.setPrimaryClip(clip); - - showToast(); - - - } - - public void copyMessage3(View v) { - - String copiedMessage3 = messageThree.getText().toString(); - - 
ClipboardManager clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE); - ClipData clip = ClipData.newPlainText("message3", copiedMessage3); - clipboard.setPrimaryClip(clip); - - showToast(); - - - } - - public void copyMessage4(View v) { - - String copiedMessage4 = messageFour.getText().toString(); - - ClipboardManager clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE); - ClipData clip = ClipData.newPlainText("message4", copiedMessage4); - clipboard.setPrimaryClip(clip); - - showToast(); - - - } - - public void copyMessage5(View v) { - - String copiedMessage5 = messageFive.getText().toString(); - - ClipboardManager clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE); - ClipData clip = ClipData.newPlainText("message5", copiedMessage5); - clipboard.setPrimaryClip(clip); - - showToast(); - - } - - private void showToast() { + Button messageOne, messageTwo, messageThree, messageFour, messageFive; + + @Override + protected void onCreate(Bundle savedInstanceState) { + // TODO Auto-generated method stub + super.onCreate(savedInstanceState); + setContentView(R.layout.broken); + + referenceXML(); + startTimerOne(); + startTimerTwo(); + startTimerThree(); + startTimerFour(); + startTimerFive(); + } + + private void referenceXML() { + // TODO Auto-generated method stub + messageOne = (Button) findViewById(R.id.Message1); + messageTwo = (Button) findViewById(R.id.Message2); + messageThree = (Button) findViewById(R.id.Message3); + messageFour = (Button) findViewById(R.id.Message4); + messageFive = (Button) findViewById(R.id.Message5); + messageOne.setVisibility(View.INVISIBLE); + messageTwo.setVisibility(View.INVISIBLE); + messageThree.setVisibility(View.INVISIBLE); + messageFour.setVisibility(View.INVISIBLE); + messageFive.setVisibility(View.INVISIBLE); + } + + private void startTimerOne() { + final Handler handler = new Handler(); + Runnable runnable = + new Runnable() { + public void run() { + + try { + 
Thread.sleep(2000); + } catch (InterruptedException e) { + e.printStackTrace(); + } + handler.post( + new Runnable() { + public void run() { + messageOne.setVisibility(View.VISIBLE); + } + }); + } + }; + new Thread(runnable).start(); + } + + private void startTimerTwo() { + final Handler handler = new Handler(); + Runnable runnable = + new Runnable() { + public void run() { + + try { + Thread.sleep(4000); + } catch (InterruptedException e) { + e.printStackTrace(); + } + handler.post( + new Runnable() { + public void run() { + messageTwo.setVisibility(View.VISIBLE); + } + }); + } + }; + new Thread(runnable).start(); + } + + private void startTimerThree() { + final Handler handler = new Handler(); + Runnable runnable = + new Runnable() { + public void run() { + + try { + Thread.sleep(6000); + } catch (InterruptedException e) { + e.printStackTrace(); + } + handler.post( + new Runnable() { + public void run() { + messageThree.setVisibility(View.VISIBLE); + } + }); + } + }; + new Thread(runnable).start(); + } + + private void startTimerFour() { + final Handler handler = new Handler(); + Runnable runnable = + new Runnable() { + public void run() { + + try { + Thread.sleep(8000); + } catch (InterruptedException e) { + e.printStackTrace(); + } + handler.post( + new Runnable() { + public void run() { + messageFour.setVisibility(View.VISIBLE); + } + }); + } + }; + new Thread(runnable).start(); + } + + private void startTimerFive() { + final Handler handler = new Handler(); + Runnable runnable = + new Runnable() { + public void run() { + + try { + Thread.sleep(10000); + } catch (InterruptedException e) { + e.printStackTrace(); + } + handler.post( + new Runnable() { + public void run() { + messageFive.setVisibility(View.VISIBLE); + } + }); + } + }; + new Thread(runnable).start(); + } + + // The following method allows a user to click one of the messages which + // appear in the xml layout and copy it directly to their clipboard + + public void copyMessage1(View v) { + + String 
copiedMessage = messageOne.getText().toString(); + + ClipboardManager clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE); + ClipData clip = ClipData.newPlainText("message1", copiedMessage); + clipboard.setPrimaryClip(clip); + + showToast(); + } + + public void copyMessage2(View v) { + + String copiedMessage2 = messageTwo.getText().toString(); + + ClipboardManager clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE); + ClipData clip = ClipData.newPlainText("message2", copiedMessage2); + clipboard.setPrimaryClip(clip); + + showToast(); + } + + public void copyMessage3(View v) { + + String copiedMessage3 = messageThree.getText().toString(); + + ClipboardManager clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE); + ClipData clip = ClipData.newPlainText("message3", copiedMessage3); + clipboard.setPrimaryClip(clip); + + showToast(); + } + + public void copyMessage4(View v) { + + String copiedMessage4 = messageFour.getText().toString(); + + ClipboardManager clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE); + ClipData clip = ClipData.newPlainText("message4", copiedMessage4); + clipboard.setPrimaryClip(clip); + + showToast(); + } + + public void copyMessage5(View v) { + + String copiedMessage5 = messageFive.getText().toString(); + + ClipboardManager clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE); + ClipData clip = ClipData.newPlainText("message5", copiedMessage5); + clipboard.setPrimaryClip(clip); - Toast copied = Toast.makeText(BrokenCrypto.this, - "Message copied to clipboard.", Toast.LENGTH_LONG); - copied.show(); + showToast(); + } - } + private void showToast() { + Toast copied = + Toast.makeText(BrokenCrypto.this, "Message copied to clipboard.", Toast.LENGTH_LONG); + copied.show(); + } } 
diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/java/com/mobshep/brokencrypto/Splash.java b/src/MobileShepherd/BrokenCrypto/app/src/main/java/com/mobshep/brokencrypto/Splash.java index 855fff935..b9e7695d7 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/java/com/mobshep/brokencrypto/Splash.java +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/java/com/mobshep/brokencrypto/Splash.java @@ -6,56 +6,50 @@ /** * This file is part of the Security Shepherd Project. - * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
- * - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
- * - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * + * + *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
+ * + *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
+ * + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . + * * @author Sean Duggan */ - public class Splash extends Activity { - @Override - protected void onCreate(Bundle Mobile) { - // TODO Auto-generated method stub - super.onCreate(Mobile); - setContentView(R.layout.splash); - // implement a thread to move on from the intro screen to input screen - Thread timer = new Thread() { - public void run() { - // catch exceptions - try { - sleep(3000); - } catch (InterruptedException e) { - e.printStackTrace(); - } finally - - { - Intent gotoMain = new Intent(Splash.this, BrokenCrypto.class); - startActivity(gotoMain); - } - - } - }; - - timer.start(); - } - - @Override - protected void onPause() { - // TODO Auto-generated method stub - super.onPause(); - finish(); - } - + @Override + protected void onCreate(Bundle Mobile) { + // TODO Auto-generated method stub + super.onCreate(Mobile); + setContentView(R.layout.splash); + // implement a thread to move on from the intro screen to input screen + Thread timer = + new Thread() { + public void run() { + // catch exceptions + try { + sleep(3000); + } catch (InterruptedException e) { + e.printStackTrace(); + } finally { + Intent gotoMain = new Intent(Splash.this, BrokenCrypto.class); + startActivity(gotoMain); + } + } + }; + + timer.start(); + } + + @Override + protected void onPause() { + // TODO Auto-generated method stub + super.onPause(); + finish(); + } } diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-hdpi/edittext.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-hdpi/edittext.xml index 0697647d0..8ed3e1441 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-hdpi/edittext.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-hdpi/edittext.xml @@ -1,27 +1,26 @@ - + - - - - - + + + + + - - - - - - + + + + + + - - - - - - + + + + + + \ No newline at end of file 
diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-hdpi/green.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-hdpi/green.xml index 6a5780f3a..97bc761fe 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-hdpi/green.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-hdpi/green.xml @@ -1,37 +1,23 @@ - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-hdpi/purple.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-hdpi/purple.xml index 5e72a03ad..2766f16a5 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-hdpi/purple.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-hdpi/purple.xml @@ -1,37 +1,23 @@ - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-ldpi/edittext.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-ldpi/edittext.xml index 0697647d0..8ed3e1441 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-ldpi/edittext.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-ldpi/edittext.xml @@ -1,27 +1,26 @@ - + - - - - - + + + + + - - - - - - + + + + + + - - - - - - + + + + + + \ No newline at end of file diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-ldpi/green.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-ldpi/green.xml index 6a5780f3a..97bc761fe 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-ldpi/green.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-ldpi/green.xml @@ -1,37 +1,23 @@ - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-ldpi/purple.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-ldpi/purple.xml index 5e72a03ad..2766f16a5 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-ldpi/purple.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-ldpi/purple.xml @@ -1,37 +1,23 @@ - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-mdpi/edittext.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-mdpi/edittext.xml index 0697647d0..8ed3e1441 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-mdpi/edittext.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-mdpi/edittext.xml @@ -1,27 +1,26 @@ - + - - - - - + + + + + - - - - - - + + + + + + - - - - - - + + + + + + \ No newline at end of file diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-mdpi/green.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-mdpi/green.xml index 6a5780f3a..97bc761fe 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-mdpi/green.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-mdpi/green.xml @@ -1,37 +1,23 @@ - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-mdpi/purple.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-mdpi/purple.xml index 5e72a03ad..2766f16a5 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-mdpi/purple.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-mdpi/purple.xml @@ -1,37 +1,23 @@ - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xhdpi/edittext.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xhdpi/edittext.xml index 0697647d0..8ed3e1441 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xhdpi/edittext.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xhdpi/edittext.xml @@ -1,27 +1,26 @@ - + - - - - - + + + + + - - - - - - + + + + + + - - - - - - + + + + + + \ No newline at end of file diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xhdpi/green.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xhdpi/green.xml index 6a5780f3a..97bc761fe 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xhdpi/green.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xhdpi/green.xml @@ -1,37 +1,23 @@ - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xhdpi/purple.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xhdpi/purple.xml index 5e72a03ad..2766f16a5 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xhdpi/purple.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xhdpi/purple.xml @@ -1,37 +1,23 @@ - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xxhdpi/edittext.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xxhdpi/edittext.xml index 0697647d0..8ed3e1441 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xxhdpi/edittext.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xxhdpi/edittext.xml @@ -1,27 +1,26 @@ - + - - - - - + + + + + - - - - - - + + + + + + - - - - - - + + + + + + \ No newline at end of file 
diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xxhdpi/green.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xxhdpi/green.xml index 6a5780f3a..97bc761fe 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xxhdpi/green.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xxhdpi/green.xml @@ -1,37 +1,23 @@ - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xxhdpi/purple.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xxhdpi/purple.xml index 5e72a03ad..2766f16a5 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xxhdpi/purple.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/res/drawable-xxhdpi/purple.xml @@ -1,37 +1,23 @@ - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/MobileShepherd/BrokenCrypto/app/src/main/res/layout/broken.xml b/src/MobileShepherd/BrokenCrypto/app/src/main/res/layout/broken.xml index b8c03ecc0..fa5cd3f3a 100644 --- a/src/MobileShepherd/BrokenCrypto/app/src/main/res/layout/broken.xml +++ b/src/MobileShepherd/BrokenCrypto/app/src/main/res/layout/broken.xml @@ -1,79 +1,60 @@ - - - - - - - " + - "

 

" - + ""; - log.debug("Returning: " + forLog); - } - catch (Exception e) - { - log.error("Encrypt Failure: " + e.toString()); - toReturn = "Key Should be here! Please refresh the home page and try again!";; - } - return toReturn; - } + try { + String key = createUserSpecificEncryptionKey(Validate.validateEncryptionKey(userSalt)); + String forLog = BrokenCryptoHomeMade.encrypt(key, baseKey + getCurrentSalt()); + toReturn = + "" + + "
" + + "" + + "

 

" + + "
"; + log.debug("Returning: " + forLog); + } catch (Exception e) { + log.error("Encrypt Failure: " + e.toString()); + toReturn = "Key Should be here! Please refresh the home page and try again!"; + ; + } + return toReturn; + } - public static String generateUserSolutionKeyOnly(String baseKey, String userSalt) - { - log.debug("Generating key for " + userSalt); - String forLog = "Key Should be here! Please refresh the home page and try again!"; + public static String generateUserSolutionKeyOnly(String baseKey, String userSalt) { + log.debug("Generating key for " + userSalt); + String forLog = "Key Should be here! Please refresh the home page and try again!"; - try - { - String key = createUserSpecificEncryptionKey(Validate.validateEncryptionKey(userSalt)); - forLog = BrokenCryptoHomeMade.encrypt(key, baseKey + getCurrentSalt()); + try { + String key = createUserSpecificEncryptionKey(Validate.validateEncryptionKey(userSalt)); + forLog = BrokenCryptoHomeMade.encrypt(key, baseKey + getCurrentSalt()); - log.debug("Returning: " + forLog); - } - catch (Exception e) - { - log.error("Encrypt Failure: " + e.toString()); - } - return forLog; - } + log.debug("Returning: " + forLog); + } catch (Exception e) { + log.error("Encrypt Failure: " + e.toString()); + } + return forLog; + } - /** - * This is used when encrypting/decrypting the salt. If this is bypassed characters can be lost in encryption process. - * @return - */ - public static String getCurrentSalt() - { - return Base64.encodeBase64String(encryptionKeySalt.getBytes()); - } + /** + * This is used when encrypting/decrypting the salt. If this is bypassed characters can be lost in + * encryption process. + * + * @return + */ + public static String getCurrentSalt() { + return Base64.encodeBase64String(encryptionKeySalt.getBytes()); + } } diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeFive.java b/src/main/java/servlets/module/challenge/CsrfChallengeFive.java index 6d1128130..250c9fbda 100644 
--- a/src/main/java/servlets/module/challenge/CsrfChallengeFive.java +++ b/src/main/java/servlets/module/challenge/CsrfChallengeFive.java @@ -1,106 +1,106 @@ package servlets.module.challenge; +import dbProcs.Getter; +import dbProcs.Setter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Getter; -import dbProcs.Setter; /** - * Cross Site Request Forgery Challenge Five - Does not return result Key - *

+ * Cross Site Request Forgery Challenge Five - Does not return result Key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeFive extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(CsrfChallengeFive.class); - private static final String levelHash = "70b96195472adf3bf347cbc37c34489287969d5ba504ac2439915184d6e5dc49"; - private static String levelName = "CSRF Challenge 5"; - /** - * Allows users to set their CSRF attack string to complete this module. They should be using this to force users to visit their own pages that - * forces the victim to submit a post request to the CSRFChallengeTargetFive - * @param myMessage To Be stored as the users message for this module - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet"); +public class CsrfChallengeFive extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(CsrfChallengeFive.class); + private static final String levelHash = + "70b96195472adf3bf347cbc37c34489287969d5ba504ac2439915184d6e5dc49"; + private static String levelName = "CSRF Challenge 5"; + + /** + * Allows users to set their CSRF attack string to complete this module. 
They should be using this + * to force users to visit their own pages that forces the victim to submit a post request to the + * CSRFChallengeTargetFive + * + * @param myMessage To Be stored as the users message for this module + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet"); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - String myMessage = request.getParameter("myMessage"); - log.debug("User Submitted - " + myMessage); - myMessage = Validate.makeValidUrl(myMessage); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + 
HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + String myMessage = request.getParameter("myMessage"); + log.debug("User Submitted - " + myMessage); + myMessage = Validate.makeValidUrl(myMessage); - log.debug("Updating User's Stored Message"); - String ApplicationRoot = getServletContext().getRealPath(""); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, CsrfChallengeFive.levelHash); - String userId = (String)ses.getAttribute("userStamp"); - Setter.setStoredMessage(ApplicationRoot, myMessage, userId, moduleId); + log.debug("Updating User's Stored Message"); + String ApplicationRoot = getServletContext().getRealPath(""); + String moduleId = + Getter.getModuleIdFromHash(ApplicationRoot, CsrfChallengeFive.levelHash); + String userId = (String) ses.getAttribute("userStamp"); + Setter.setStoredMessage(ApplicationRoot, myMessage, userId, moduleId); - log.debug("Retrieving user's class's forum"); - String classId = null; - if(ses.getAttribute("userClass") != null) - classId = (String)ses.getAttribute("userClass"); - String htmlOutput = Getter.getCsrfForumWithIframe(ApplicationRoot, classId, moduleId, csrfGenerics); + log.debug("Retrieving user's class's forum"); + String classId = null; + if (ses.getAttribute("userClass") != null) { + classId = (String) ses.getAttribute("userClass"); + } + String htmlOutput = + Getter.getCsrfForumWithIframe(ApplicationRoot, classId, moduleId, csrfGenerics); - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - } - } - catch(Exception e) - { - 
out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeFour.java b/src/main/java/servlets/module/challenge/CsrfChallengeFour.java index 4560bf1bc..18d22e28b 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeFour.java +++ b/src/main/java/servlets/module/challenge/CsrfChallengeFour.java @@ -1,106 +1,104 @@ package servlets.module.challenge; +import dbProcs.Getter; +import dbProcs.Setter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Getter; -import dbProcs.Setter; /** - * Cross Site Request Forgery Challenge Four - Does not return result Key - *
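Review bot: The raw `myMessage` request parameter is written to the log (`log.debug("User Submitted - " + myMessage);`) one statement before it is passed through `Validate.makeValidUrl`, so an attacker-controlled string reaches the log file with any CR/LF or control characters intact, which is a log-injection vector in a servlet whose logging is not part of the challenge. I would validate first and log the sanitized value, e.g. `String myMessage = Validate.makeValidUrl(request.getParameter("myMessage"));` followed by `log.debug("User Submitted - {}", myMessage);` (log4j2 parameterized form), assuming `makeValidUrl` strips or rejects control characters — that helper is not visible here, so that should be confirmed. Note also that `request.getParameter("myMessage")` returns null when the parameter is absent; whether `makeValidUrl` tolerates null cannot be seen from this hunk, and a null-guard before the call would make the failure mode explicit rather than falling into the generic `catch (Exception e)`.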

+ * Cross Site Request Forgery Challenge Four - Does not return result Key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeFour extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(CsrfChallengeFour.class); - private static final String levelHash = "84118752e6cd78fecc3563ba2873d944aacb7b72f28693a23f9949ac310648b5"; - private static String levelName = "CSRF Challenge 4"; - /** - * Allows users to set their CSRF attack string to complete this module. They should be using this to force users to visit their own pages that - * forces the victim to submit a post request to the CSRFChallengeTargetFour - * @param myMessage To Be stored as the users message for this module - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet"); +public class CsrfChallengeFour extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(CsrfChallengeFour.class); + private static final String levelHash = + "84118752e6cd78fecc3563ba2873d944aacb7b72f28693a23f9949ac310648b5"; + private static String levelName = "CSRF Challenge 4"; - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + /** + * Allows users to set their CSRF attack string to complete this module. 
They should be using this + * to force users to visit their own pages that forces the victim to submit a post request to the + * CSRFChallengeTargetFour + * + * @param myMessage To Be stored as the users message for this module + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - String myMessage = request.getParameter("myMessage"); - log.debug("Message Submitted - " + myMessage); - myMessage = Validate.makeValidUrl(myMessage); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - log.debug("Updating User's Stored Message"); - String ApplicationRoot = getServletContext().getRealPath(""); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); - String userId = (String)ses.getAttribute("userStamp"); - Setter.setStoredMessage(ApplicationRoot, myMessage, userId, moduleId); + PrintWriter out = response.getWriter(); + 
out.print(getServletInfo()); + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + String myMessage = request.getParameter("myMessage"); + log.debug("Message Submitted - " + myMessage); + myMessage = Validate.makeValidUrl(myMessage); - log.debug("Retrieving user's class's forum"); - String classId = null; - if(ses.getAttribute("userClass") != null) - classId = (String)ses.getAttribute("userClass"); - String htmlOutput = Getter.getCsrfForumWithIframe(ApplicationRoot, classId, moduleId, csrfGenerics); + log.debug("Updating User's Stored Message"); + String ApplicationRoot = getServletContext().getRealPath(""); + String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); + String userId = (String) ses.getAttribute("userStamp"); + Setter.setStoredMessage(ApplicationRoot, myMessage, userId, moduleId); - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - } - } + log.debug("Retrieving user's class's forum"); + String classId = null; + if (ses.getAttribute("userClass") != null) { + classId = (String) ses.getAttribute("userClass"); + } + String htmlOutput = + Getter.getCsrfForumWithIframe(ApplicationRoot, classId, moduleId, csrfGenerics); + log.debug("Outputting HTML"); + out.write(htmlOutput); + } + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + } + } } 
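Review bot: The `catch (Exception e)` at the end of `doPost` writes the generic `error.funky` message but discards the exception entirely, so a failure in `Setter.setStoredMessage` or `Getter.getCsrfForumWithIframe` leaves no trace for an operator; the sibling `CsrfChallengeFive.doPost` in this same patch records it with `log.fatal(levelName + " - " + e.toString());`. I would add that same line to this catch block so the two challenge servlets behave consistently and silent failures become diagnosable. The same ordering concern as in CsrfChallengeFive applies here too: `log.debug("Message Submitted - " + myMessage);` logs the unvalidated parameter before `Validate.makeValidUrl` runs, so swapping those two statements would keep attacker-controlled control characters out of the log.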
diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeJSON.java b/src/main/java/servlets/module/challenge/CsrfChallengeJSON.java index 01df3c1f6..efc9d467b 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeJSON.java +++ b/src/main/java/servlets/module/challenge/CsrfChallengeJSON.java @@ -1,110 +1,110 @@ package servlets.module.challenge; +import dbProcs.Getter; +import dbProcs.Setter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Getter; -import dbProcs.Setter; /** - * Cross Site Request Forgery Challenge JSON - Does not return result Key, just sets URL for Class Forum - *

+ * Cross Site Request Forgery Challenge JSON - Does not return result Key, just sets URL for Class + * Forum
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeJSON extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(CsrfChallengeJSON.class); - private static String levelName = "Cross Site Request Forgery Challenge NEW"; - private static String levelHash = "2e0981dcb8278a57dcfaae3b8da0c78d5a70c2d38ea9d8b3e14db3aea01afcbb"; - /** - * Allows users to set their CSRF attack string to complete this module. They should be using this to force users to visit their own pages that - * forces the victim to submit a post request to the CSRFChallengeTargetTwo - * @param myMessage To Be stored as the users message for this module - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet Accessed"); +public class CsrfChallengeJSON extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(CsrfChallengeJSON.class); + private static String levelName = "Cross Site Request Forgery Challenge NEW"; + private static String levelHash = + "2e0981dcb8278a57dcfaae3b8da0c78d5a70c2d38ea9d8b3e14db3aea01afcbb"; + + /** + * Allows users to set their CSRF attack string to complete this module. 
They should be using this + * to force users to visit their own pages that forces the victim to submit a post request to the + * CSRFChallengeTargetTwo + * + * @param myMessage To Be stored as the users message for this module + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet Accessed"); + + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + String myMessage = request.getParameter("myMessage"); + log.debug("User Submitted - " + myMessage); + myMessage = Validate.makeValidUrl(myMessage); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - 
try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - String myMessage = request.getParameter("myMessage"); - log.debug("User Submitted - " + myMessage); - myMessage = Validate.makeValidUrl(myMessage); + log.debug("Updating User's Stored Message"); + String ApplicationRoot = getServletContext().getRealPath(""); + String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); + String userId = (String) ses.getAttribute("userStamp"); + Setter.setStoredMessage(ApplicationRoot, myMessage, userId, moduleId); - log.debug("Updating User's Stored Message"); - String ApplicationRoot = getServletContext().getRealPath(""); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); - String userId = (String)ses.getAttribute("userStamp"); - Setter.setStoredMessage(ApplicationRoot, myMessage, userId, moduleId); + log.debug("Retrieving user's class's forum"); + String classId = null; + if (ses.getAttribute("userClass") != null) { + classId = (String) ses.getAttribute("userClass"); + } + String htmlOutput = + Getter.getCsrfForumWithIframe(ApplicationRoot, classId, moduleId, csrfGenerics); - log.debug("Retrieving user's class's forum"); - String classId = null; - if(ses.getAttribute("userClass") != null) - classId = (String)ses.getAttribute("userClass"); - String htmlOutput = Getter.getCsrfForumWithIframe(ApplicationRoot, classId, moduleId, csrfGenerics); + log.debug("Outputting HTML"); + out.write(htmlOutput); + } + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + 
log.fatal(levelName + " - " + e.toString()); + } + } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - public static String getLevelHash() - { - return levelHash; - } + public static String getLevelHash() { + return levelHash; + } } diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeOne.java b/src/main/java/servlets/module/challenge/CsrfChallengeOne.java index 2c5f22633..2a6b64ff7 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeOne.java +++ b/src/main/java/servlets/module/challenge/CsrfChallengeOne.java @@ -1,109 +1,107 @@ package servlets.module.challenge; +import dbProcs.Getter; +import dbProcs.Setter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Getter; -import dbProcs.Setter; /** - * Cross Site Request Forgery Challenge One - Does not return reslut key - *
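Review bot: The Javadoc's `@param myMessage` names a request parameter, not a parameter of `doPost(HttpServletRequest, HttpServletResponse)`, so javadoc and Error Prone will flag it; replace it with `@param request carries the {@code csrfToken} and {@code myMessage} request parameters` and `@param response receives the rendered forum HTML or the error string`. A few lines later `log.debug("User Submitted - " + myMessage)` writes the raw, unvalidated parameter to the log before `Validate.makeValidUrl` runs; logging it after sanitisation (or logging only its length) keeps attacker-controlled control characters out of the log file. `levelName` and `levelHash` are mutable statics — `private static final String` matches `CsrfChallengeSeven` and protects the module hash from accidental reassignment. The same three points apply unchanged to the CsrfChallengeOne and CsrfChallengeSeven hunks below.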

+ * Cross Site Request Forgery Challenge One - Does not return reslut key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeOne extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(CsrfChallengeOne.class); - private static String levelName = "Cross-SiteForegery Challenge One"; - private static String levelHash = "s74a796e84e25b854906d88f622170c1c06817e72b526b3d1e9a6085f429cf52"; - /** - * Allows users to set their CSRF attack string to complete this module - * @param myMessage To Be stored as the users message for this module - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet Accessed"); +public class CsrfChallengeOne extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(CsrfChallengeOne.class); + private static String levelName = "Cross-SiteForegery Challenge One"; + private static String levelHash = + "s74a796e84e25b854906d88f622170c1c06817e72b526b3d1e9a6085f429cf52"; + + /** + * Allows users to set their CSRF attack string to complete this module + * + * @param myMessage To Be stored as the users message for this module + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet Accessed"); + + // Translation Stuff + Locale locale = new 
Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + String myMessage = request.getParameter("myMessage"); + log.debug("User Submitted - " + myMessage); + myMessage = Validate.makeValidUrl(myMessage); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - String myMessage = request.getParameter("myMessage"); - log.debug("User Submitted - " + myMessage); - myMessage = 
Validate.makeValidUrl(myMessage); + log.debug("Updating User's Stored Message"); + String ApplicationRoot = getServletContext().getRealPath(""); + String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); + String userId = (String) ses.getAttribute("userStamp"); + Setter.setStoredMessage(ApplicationRoot, myMessage, userId, moduleId); - log.debug("Updating User's Stored Message"); - String ApplicationRoot = getServletContext().getRealPath(""); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); - String userId = (String)ses.getAttribute("userStamp"); - Setter.setStoredMessage(ApplicationRoot, myMessage, userId, moduleId); + log.debug("Retrieving user's class's forum"); + String classId = null; + if (ses.getAttribute("userClass") != null) { + classId = (String) ses.getAttribute("userClass"); + } + String htmlOutput = + Getter.getCsrfForumWithImg(ApplicationRoot, classId, moduleId, csrfGenerics); - log.debug("Retrieving user's class's forum"); - String classId = null; - if(ses.getAttribute("userClass") != null) - classId = (String)ses.getAttribute("userClass"); - String htmlOutput = Getter.getCsrfForumWithImg(ApplicationRoot, classId, moduleId, csrfGenerics); + log.debug("Outputting HTML"); + out.write(htmlOutput); + } + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - public static String getLevelHash() - { - return levelHash; - } + public static String getLevelHash() { + return levelHash; + } } diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeSeven.java b/src/main/java/servlets/module/challenge/CsrfChallengeSeven.java index 693ea254a..3794236a8 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeSeven.java 
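Review bot: `levelHash` here is `"s74a796e8…"` — 64 characters but starting with a non-hex `s`, unlike every other module hash in this patch, which is 64 hex digits; if the module table holds the pure-hex form, `Getter.getModuleIdFromHash` will not find the module and every submission ends in `error.funky`, so this is worth confirming against the seed data (if it is a deliberate decoy, a one-line comment on the field should say so). The Javadoc summary misspells `reslut`; `Does not return result key` reads correctly. `levelName` carries a similar typo (`Cross-SiteForegery`), but it is a runtime log string, so change it only if nothing depends on the exact text.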
+++ b/src/main/java/servlets/module/challenge/CsrfChallengeSeven.java @@ -1,106 +1,104 @@ package servlets.module.challenge; +import dbProcs.Getter; +import dbProcs.Setter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Getter; -import dbProcs.Setter; /** - * Cross Site Request Forgery Challenge Seven - Does not return result Key - *

+ * Cross Site Request Forgery Challenge Seven - Does not return result Key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeSeven extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(CsrfChallengeSeven.class); - private static final String levelHash = "7d79ea2b2a82543d480a63e55ebb8fef3209c5d648b54d1276813cd072815df3"; - private static String levelName = "CSRF Challenge 7"; - /** - * Allows users to set their CSRF attack string to complete this module. They should be using this to force users to visit their own pages that - * forces the victim to submit a post request to the CSRFChallengeTargetSeven - * @param myMessage To Be stored as the users message for this module - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet"); +public class CsrfChallengeSeven extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(CsrfChallengeSeven.class); + private static final String levelHash = + "7d79ea2b2a82543d480a63e55ebb8fef3209c5d648b54d1276813cd072815df3"; + private static String levelName = "CSRF Challenge 7"; - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + /** + * Allows users to set their CSRF attack string to complete this module. 
They should be using this + * to force users to visit their own pages that forces the victim to submit a post request to the + * CSRFChallengeTargetSeven + * + * @param myMessage To Be stored as the users message for this module + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - String myMessage = request.getParameter("myMessage"); - log.debug("User Submitted - " + myMessage); - myMessage = Validate.makeValidUrl(myMessage); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - log.debug("Updating User's Stored Message"); - String ApplicationRoot = getServletContext().getRealPath(""); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); - String userId = (String)ses.getAttribute("userStamp"); - Setter.setStoredMessage(ApplicationRoot, myMessage, userId, moduleId); + PrintWriter out = response.getWriter(); + 
out.print(getServletInfo()); + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + String myMessage = request.getParameter("myMessage"); + log.debug("User Submitted - " + myMessage); + myMessage = Validate.makeValidUrl(myMessage); - log.debug("Retrieving user's class's forum"); - String classId = null; - if(ses.getAttribute("userClass") != null) - classId = (String)ses.getAttribute("userClass"); - String htmlOutput = Getter.getCsrfForumWithIframe(ApplicationRoot, classId, moduleId, csrfGenerics); + log.debug("Updating User's Stored Message"); + String ApplicationRoot = getServletContext().getRealPath(""); + String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); + String userId = (String) ses.getAttribute("userStamp"); + Setter.setStoredMessage(ApplicationRoot, myMessage, userId, moduleId); - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - } - } + log.debug("Retrieving user's class's forum"); + String classId = null; + if (ses.getAttribute("userClass") != null) { + classId = (String) ses.getAttribute("userClass"); + } + String htmlOutput = + Getter.getCsrfForumWithIframe(ApplicationRoot, classId, moduleId, csrfGenerics); + log.debug("Outputting HTML"); + out.write(htmlOutput); + } + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + } + } } 
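Review bot: The `catch (Exception e)` at the end of `doPost` writes `error.funky` to the response but never logs the exception, so a failing `Setter.setStoredMessage` or a null `userName` session attribute leaves no trace for the operator; `CsrfChallengeJSON` and `CsrfChallengeOne` log it, and the same line `log.fatal(levelName + " - " + e.toString());` (or `log.error(levelName + " failed", e);` to keep the stack trace) would make this servlet consistent. The catch in the hunk at the top of this chunk, whose header is outside this view, and the outer catch in `CsrfChallengeSevenGetToken` have the same silent-failure shape. `levelHash` is `final` here while `levelName` is not; making both `static final` is the consistent choice.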
diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeSevenGetToken.java b/src/main/java/servlets/module/challenge/CsrfChallengeSevenGetToken.java index ff0f2b55c..95652fa63 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeSevenGetToken.java +++ b/src/main/java/servlets/module/challenge/CsrfChallengeSevenGetToken.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -7,106 +8,100 @@ import java.sql.ResultSet; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * Cross Site Request Forgery Challenge Seven - Does not return result Key - *

+ * Cross Site Request Forgery Challenge Seven - Does not return result Key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeSevenGetToken extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(CsrfChallengeSevenGetToken.class); - public static final String levelHash = "7d79ea2b2a82543d480a63e55ebb8fef3209c5d648b54d1276813cd072815df3"; - private static String levelName = "CSRF Challenge 7 Get Token"; - /** - * Allows users to retrieve their CSRF token for the CSRF Challenge 6 module - * @param myMessage To Be stored as the users message for this module - */ - public void doGet (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet"); +public class CsrfChallengeSevenGetToken extends HttpServlet { - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(CsrfChallengeSevenGetToken.class); + public static final String levelHash = + "7d79ea2b2a82543d480a63e55ebb8fef3209c5d648b54d1276813cd072815df3"; + private static String levelName = "CSRF Challenge 7 Get Token"; - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), 
ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - String htmlOutput = new String("Your csrf Token for this Challenge is: "); - String userId = request.getParameter("userId").toString(); + /** + * Allows users to retrieve their CSRF token for the CSRF Challenge 6 module + * + * @param myMessage To Be stored as the users message for this module + */ + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet"); - Connection conn = Database.getChallengeConnection(getServletContext().getRealPath(""), "csrfChallengeEnumerateTokens"); - try - { - log.debug("Preparing setCsrfChallengeSevenToken call"); - PreparedStatement callstmnt = conn.prepareStatement("SELECT csrfTokenscol FROM csrfChallengeEnumTokens.csrfTokens WHERE userId LIKE ?"); - callstmnt.setString(1, userId); - log.debug("Executing setCsrfChallengeSevenTokenQuery"); - ResultSet rs = callstmnt.executeQuery(); - int i = 0; - while(rs.next()) - { - i++; - htmlOutput += Encode.forHtml("\"" + rs.getString(1) + "\"") + "
"; - } - log.debug("Returned " + i + " CSRF Tokens for ID: " + userId); - conn.close(); - } - catch (Exception e) - { - log.debug("Could not retrieve Challenge CSRF Tokens: " + e.toString()); - htmlOutput = csrfGenerics.getString("error.noToken"); - } - out.write(htmlOutput); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - } - } + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + String htmlOutput = new String("Your csrf Token for this Challenge is: "); + String userId = request.getParameter("userId").toString(); + Connection conn = + Database.getChallengeConnection( + getServletContext().getRealPath(""), "csrfChallengeEnumerateTokens"); + try { + log.debug("Preparing setCsrfChallengeSevenToken call"); + PreparedStatement callstmnt = + conn.prepareStatement( + "SELECT csrfTokenscol FROM csrfChallengeEnumTokens.csrfTokens WHERE userId LIKE" + + " ?"); + callstmnt.setString(1, userId); + log.debug("Executing setCsrfChallengeSevenTokenQuery"); + ResultSet rs = callstmnt.executeQuery(); + int i = 0; + while (rs.next()) { + i++; + htmlOutput += Encode.forHtml("\"" + rs.getString(1) + "\"") + "
"; + } + log.debug("Returned " + i + " CSRF Tokens for ID: " + userId); + conn.close(); + } catch (Exception e) { + log.debug("Could not retrieve Challenge CSRF Tokens: " + e.toString()); + htmlOutput = csrfGenerics.getString("error.noToken"); + } + out.write(htmlOutput); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + } + } } diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeSix.java b/src/main/java/servlets/module/challenge/CsrfChallengeSix.java index 7871eb307..caee9ccf3 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeSix.java +++ b/src/main/java/servlets/module/challenge/CsrfChallengeSix.java @@ -1,105 +1,104 @@ package servlets.module.challenge; +import dbProcs.Getter; +import dbProcs.Setter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Getter; -import dbProcs.Setter; /** - * Cross Site Request Forgery Challenge Six - *

+ * Cross Site Request Forgery Challenge Six
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeSix extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(CsrfChallengeSix.class); - private static final String levelHash = "2fff41105149e507c75b5a54e558470469d7024929cf78d570cd16c03bee3569"; - private static String levelName = "CSRF Challenge 6"; - /** - * Allows users to set their CSRF attack string to complete this module. They should be using this to force users to visit their own pages that - * forces the victim to submit a post request to the CSRFChallengeTargetSix - * @param myMessage To Be stored as the users message for this module - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet"); +public class CsrfChallengeSix extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(CsrfChallengeSix.class); + private static final String levelHash = + "2fff41105149e507c75b5a54e558470469d7024929cf78d570cd16c03bee3569"; + private static String levelName = "CSRF Challenge 6"; + + /** + * Allows users to set their CSRF attack string to complete this module. 
They should be using this + * to force users to visit their own pages that forces the victim to submit a post request to the + * CSRFChallengeTargetSix + * + * @param myMessage To Be stored as the users message for this module + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet"); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - String myMessage = request.getParameter("myMessage"); - log.debug("User Submitted - " + myMessage); - myMessage = Validate.makeValidUrl(myMessage); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + 
HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + String myMessage = request.getParameter("myMessage"); + log.debug("User Submitted - " + myMessage); + myMessage = Validate.makeValidUrl(myMessage); - log.debug("Updating User's Stored Message"); - String ApplicationRoot = getServletContext().getRealPath(""); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); - String userId = (String)ses.getAttribute("userStamp"); - Setter.setStoredMessage(ApplicationRoot, myMessage, userId, moduleId); + log.debug("Updating User's Stored Message"); + String ApplicationRoot = getServletContext().getRealPath(""); + String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); + String userId = (String) ses.getAttribute("userStamp"); + Setter.setStoredMessage(ApplicationRoot, myMessage, userId, moduleId); - log.debug("Retrieving user's class's forum"); - String classId = null; - if(ses.getAttribute("userClass") != null) - classId = (String)ses.getAttribute("userClass"); - String htmlOutput = Getter.getCsrfForumWithIframe(ApplicationRoot, classId, moduleId, csrfGenerics); + log.debug("Retrieving user's class's forum"); + String classId = null; + if (ses.getAttribute("userClass") != null) { + classId = (String) ses.getAttribute("userClass"); + } + String htmlOutput = + Getter.getCsrfForumWithIframe(ApplicationRoot, classId, moduleId, csrfGenerics); - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - } - } + 
log.debug("Outputting HTML"); + out.write(htmlOutput); + } + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + } + } } diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeSixGetToken.java b/src/main/java/servlets/module/challenge/CsrfChallengeSixGetToken.java index 3251c6475..8b59bfa4d 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeSixGetToken.java +++ b/src/main/java/servlets/module/challenge/CsrfChallengeSixGetToken.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -7,104 +8,95 @@ import java.sql.ResultSet; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * Cross Site Request Forgery Challenge Six - Does not return result Key - *
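Review bot: The Javadoc on `doPost` documents `@param myMessage`, which is a request parameter rather than a method parameter, so javadoc reports an unknown parameter and the reader learns nothing about the two real arguments; replace it with `@param request the request carrying the csrfToken and myMessage parameters` and `@param response the response the forum HTML is written to`. `doGet` in CsrfChallengeSixGetToken (`@param myMessage`) and `doPost` in CsrfChallengeTargetFive (`@param userId`) carry the same mismatch. The outer `catch (Exception e)` at the end of the method writes `error.funky` but never logs `e`, so a failure inside `Getter`/`Setter` leaves no trace in the log; CsrfChallengeTargetFive's equivalent block does `log.fatal(levelName + " - " + e.toString())`, and a `log.error(levelName + " - " + e.toString(), e);` line here and in CsrfChallengeSixGetToken would make the three servlets consistent. The local names `ApplicationRoot` and `tokenParmeter` survived the reformat; Google style wants `applicationRoot`, and the typo is worth fixing while these lines are being touched.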

+ * Cross Site Request Forgery Challenge Six - Does not return result Key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeSixGetToken extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(CsrfChallengeSixGetToken.class); - public static final String levelHash = "7d79ea2b2a82543d480a63e55ebb8fef3209c5d648b54d1276813cd072815df3"; - private static String levelName = "CSRF Challenge 6 Get Token"; - /** - * Allows users to retrieve their CSRF token for the CSRF Challenge 6 module - * @param myMessage To Be stored as the users message for this module - */ - public void doGet (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug("Cross-SiteForegery Challenge Get Token Six Servlet"); +public class CsrfChallengeSixGetToken extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(CsrfChallengeSixGetToken.class); + public static final String levelHash = + "7d79ea2b2a82543d480a63e55ebb8fef3209c5d648b54d1276813cd072815df3"; + private static String levelName = "CSRF Challenge 6 Get Token"; - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + /** + * Allows users to retrieve their CSRF token for the CSRF Challenge 6 module + * + * @param myMessage To Be stored as the users message for this module + */ + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws 
ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug("Cross-SiteForegery Challenge Get Token Six Servlet"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - String htmlOutput = new String("Your csrf Token for this Challenge is: "); - String userId = request.getParameter("userId").toString(); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - Connection conn = Database.getChallengeConnection(getServletContext().getRealPath(""), "csrfChallengeSix"); - try - { - log.debug("Preparing setCsrfChallengeSixToken call"); - PreparedStatement callstmnt = conn.prepareStatement("SELECT csrfTokenscol FROM csrfchallengesix.csrfTokens WHERE userId LIKE ?"); - callstmnt.setString(1, userId); - log.debug("Executing setCsrfChallengeSixTokenQuery"); - ResultSet rs = callstmnt.executeQuery(); - int i = 0; - while(rs.next()) - { - i++; - htmlOutput += Encode.forHtml("\"" + rs.getString(1) + "\"") + "
"; - } - log.debug("Returned " + i + " CSRF Tokens for ID: " + userId); - conn.close(); - } - catch (Exception e) - { - log.debug("Could not retrieve Challenge CSRF Tokens: " + e.toString()); - htmlOutput = csrfGenerics.getString("error.noToken"); - } - out.write(htmlOutput); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - } - } + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + String htmlOutput = new String("Your csrf Token for this Challenge is: "); + String userId = request.getParameter("userId").toString(); + Connection conn = + Database.getChallengeConnection( + getServletContext().getRealPath(""), "csrfChallengeSix"); + try { + log.debug("Preparing setCsrfChallengeSixToken call"); + PreparedStatement callstmnt = + conn.prepareStatement( + "SELECT csrfTokenscol FROM csrfchallengesix.csrfTokens WHERE userId LIKE ?"); + callstmnt.setString(1, userId); + log.debug("Executing setCsrfChallengeSixTokenQuery"); + ResultSet rs = callstmnt.executeQuery(); + int i = 0; + while (rs.next()) { + i++; + htmlOutput += Encode.forHtml("\"" + rs.getString(1) + "\"") + "
"; + } + log.debug("Returned " + i + " CSRF Tokens for ID: " + userId); + conn.close(); + } catch (Exception e) { + log.debug("Could not retrieve Challenge CSRF Tokens: " + e.toString()); + htmlOutput = csrfGenerics.getString("error.noToken"); + } + out.write(htmlOutput); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + } + } } diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeTargetFive.java b/src/main/java/servlets/module/challenge/CsrfChallengeTargetFive.java index 8b04326ad..4ccc2edcb 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeTargetFive.java +++ b/src/main/java/servlets/module/challenge/CsrfChallengeTargetFive.java @@ -1,150 +1,133 @@ package servlets.module.challenge; +import dbProcs.Getter; +import dbProcs.Setter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.Random; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Getter; -import dbProcs.Setter; /** - * Cross Site Request Forgery Challenge Target Five - Does not return Result key - *
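Review bot: `conn.close()` inside the inner try runs only on the success path, so when `prepareStatement`, `executeQuery` or `rs.next()` throws, the catch writes `error.noToken` and the connection obtained from `Database.getChallengeConnection` is leaked; the `PreparedStatement` and `ResultSet` are never closed on any path. try-with-resources on all three fixes both, at the cost that a failure to open the connection now reaches the inner catch (`error.noToken`) instead of the outer one (`error.funky`), which is arguably the more accurate message. The tail of the preceding hunk (the token-retrieval servlet for the csrfChallengeEnumerateTokens database, whose start lies outside this chunk) has the identical shape and needs the same change. The query itself is parameterized, so this is a resource issue, not an injection one; if matching with `LIKE` rather than `=` is part of what this level is meant to demonstrate, a one-line comment saying so would stop a future cleanup from changing it.
```java
String userId = request.getParameter("userId").toString();
log.debug("Preparing setCsrfChallengeSixToken call");
try (Connection conn =
        Database.getChallengeConnection(
            getServletContext().getRealPath(""), "csrfChallengeSix");
    PreparedStatement callstmnt =
        conn.prepareStatement(
            "SELECT csrfTokenscol FROM csrfchallengesix.csrfTokens WHERE userId LIKE ?")) {
  callstmnt.setString(1, userId);
  log.debug("Executing setCsrfChallengeSixTokenQuery");
  int i = 0;
  try (ResultSet rs = callstmnt.executeQuery()) {
    // … unchanged: while (rs.next()) loop appending the encoded token to htmlOutput …
  }
  log.debug("Returned " + i + " CSRF Tokens for ID: " + userId);
} catch (Exception e) {
  // … unchanged: debug log and error.noToken fallback …
}
out.write(htmlOutput);
```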

- * Weak Nonce Variety can be broken - *

+ * Cross Site Request Forgery Challenge Target Five - Does not return Result key
+ *
+ * Weak Nonce Variety can be broken
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeTargetFive extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final String levelHash = "70b96195472adf3bf347cbc37c34489287969d5ba504ac2439915184d6e5dc49"; - private static final Logger log = LogManager.getLogger(CsrfChallengeTargetFive.class); - private static String levelName = "CSRF 5 Target"; - /** - * CSRF vulnerable function that can be used by users to force other users to mark their CSRF challenge Two as complete. - * @param userId User identifier to be incremented - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); +public class CsrfChallengeTargetFive extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final String levelHash = + "70b96195472adf3bf347cbc37c34489287969d5ba504ac2439915184d6e5dc49"; + private static final Logger log = LogManager.getLogger(CsrfChallengeTargetFive.class); + private static String levelName = "CSRF 5 Target"; + + /** + * CSRF vulnerable function that can be used by users to force other users to mark their CSRF + * challenge Two as complete. 
+ * + * @param userId User identifier to be incremented + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - String storedToken = new String(); - try - { - boolean result = false; - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - //Get CSRF Token From session - if(ses.getAttribute("csrfChallengeFiveNonce") == null || ses.getAttribute("csrfChallengeFiveNonce").toString().isEmpty()) - { - log.debug("No CSRF Token associated with user"); - Random random = new Random(); - int newToken = random.nextInt(3); - out.write(csrfGenerics.getString("target.noTokenNewToken") + " " + newToken + "

"); - storedToken = "" + newToken; - ses.setAttribute("csrfChallengeFiveNonce", newToken); - } - else - { - storedToken = "" + ses.getAttribute("csrfChallengeFiveNonce"); - } - String userId = (String)ses.getAttribute("userStamp"); + String storedToken = new String(); + try { + boolean result = false; + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + // Get CSRF Token From session + if (ses.getAttribute("csrfChallengeFiveNonce") == null + || ses.getAttribute("csrfChallengeFiveNonce").toString().isEmpty()) { + log.debug("No CSRF Token associated with user"); + Random random = new Random(); + int newToken = random.nextInt(3); + out.write(csrfGenerics.getString("target.noTokenNewToken") + " " + newToken + "

"); + storedToken = "" + newToken; + ses.setAttribute("csrfChallengeFiveNonce", newToken); + } else { + storedToken = "" + ses.getAttribute("csrfChallengeFiveNonce"); + } + String userId = (String) ses.getAttribute("userStamp"); - String plusId = (String)request.getParameter("userId").trim(); - log.debug("User Submitted - " + plusId); - String csrfToken = (String)request.getParameter("csrfToken").trim();; - log.debug("csrfToken Submitted - " + csrfToken); + String plusId = (String) request.getParameter("userId").trim(); + log.debug("User Submitted - " + plusId); + String csrfToken = (String) request.getParameter("csrfToken").trim(); + ; + log.debug("csrfToken Submitted - " + csrfToken); - if(!userId.equals(plusId)) - { - if(csrfToken.equalsIgnoreCase(storedToken)) - { - log.debug("Valid Nonce Value Submitted"); - String ApplicationRoot = getServletContext().getRealPath(""); - String userName = (String)ses.getAttribute("userName"); - String attackerName = Getter.getUserName(ApplicationRoot, plusId); - if(attackerName != null) - { - log.debug(userName + " is been CSRF'd by " + attackerName); + if (!userId.equals(plusId)) { + if (csrfToken.equalsIgnoreCase(storedToken)) { + log.debug("Valid Nonce Value Submitted"); + String ApplicationRoot = getServletContext().getRealPath(""); + String userName = (String) ses.getAttribute("userName"); + String attackerName = Getter.getUserName(ApplicationRoot, plusId); + if (attackerName != null) { + log.debug(userName + " is been CSRF'd by " + attackerName); - log.debug("Attempting to Increment "); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); - result = Setter.updateCsrfCounter(ApplicationRoot, moduleId, plusId); - } - else - { - log.error("UserId '" + plusId + "' could not be found."); - } - } - else - { - log.debug("User " + plusId + " CSRF attack failed due to invalid nonce"); - } - } - else - { - log.debug("User " + userId + " is attacking themselves"); - } + log.debug("Attempting to Increment "); 
+ String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); + result = Setter.updateCsrfCounter(ApplicationRoot, moduleId, plusId); + } else { + log.error("UserId '" + plusId + "' could not be found."); + } + } else { + log.debug("User " + plusId + " CSRF attack failed due to invalid nonce"); + } + } else { + log.debug("User " + userId + " is attacking themselves"); + } - if(result) - { - out.write(csrfGenerics.getString("target.incrementSuccess")); - } - else - { - out.write(csrfGenerics.getString("target.incrementFailed")); - } - } - else - { - out.write(csrfGenerics.getString("target.noSession")); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } + if (result) { + out.write(csrfGenerics.getString("target.incrementSuccess")); + } else { + out.write(csrfGenerics.getString("target.incrementFailed")); + } + } else { + out.write(csrfGenerics.getString("target.noSession")); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeTargetFour.java b/src/main/java/servlets/module/challenge/CsrfChallengeTargetFour.java index 172662e7c..c7f5fb2a4 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeTargetFour.java +++ b/src/main/java/servlets/module/challenge/CsrfChallengeTargetFour.java @@ -1,5 +1,8 @@ package servlets.module.challenge; +import dbProcs.Database; +import dbProcs.Getter; +import dbProcs.Setter; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; 
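Review bot: The new side keeps a stray empty statement — the line holding only `;` right after `String csrfToken = (String) request.getParameter("csrfToken").trim();` — which the formatter split off from the original doubled semicolon; delete that line. Those two lines also call `.trim()` straight on `request.getParameter(...)`, so a request missing `userId` or `csrfToken` throws a NullPointerException that lands in the outer catch, is logged at FATAL and answered with `error.funky`; an explicit null check that logs at debug level and writes `target.incrementFailed` would reserve FATAL for genuine failures. The `new Random()` / `nextInt(3)` nonce is the weakness the class Javadoc announces, so mark it at the line, e.g. `// Intentionally weak nonce (0-2): this level teaches why a guessable CSRF token gives no protection`, so a future cleanup does not "fix" it by accident. The `(String)` casts on `getParameter`, which already returns a String, can go as well.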
@@ -8,180 +11,164 @@ import java.sql.SQLException; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; -import dbProcs.Getter; -import dbProcs.Setter; /** - * Cross Site Request Forgery Challenge Target Four - Does not return Result key - *

- * Weak Nonce Variety can be broken - *

+ * Cross Site Request Forgery Challenge Target Four - Does not return Result key
+ *
+ * Weak Nonce Variety can be broken
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeTargetFour extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static String moduleHash = "84118752e6cd78fecc3563ba2873d944aacb7b72f28693a23f9949ac310648b5"; - private static final Logger log = LogManager.getLogger(CsrfChallengeTargetFour.class); - private static String levelName = "CSRF Target 4"; - /** - * CSRF vulnerable function that can be used by users to force other users to mark their CSRF challenge Two as complete. - * @param userId User identifier to be incremented - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); +public class CsrfChallengeTargetFour extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static String moduleHash = + "84118752e6cd78fecc3563ba2873d944aacb7b72f28693a23f9949ac310648b5"; + private static final Logger log = LogManager.getLogger(CsrfChallengeTargetFour.class); + private static String levelName = "CSRF Target 4"; + + /** + * CSRF vulnerable function that can be used by users to force other users to mark their CSRF + * challenge Two as complete. 
+ * + * @param userId User identifier to be incremented + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - String storedToken = new String(); - try - { - String ApplicationRoot = getServletContext().getRealPath(""); - String csrfTokenName = "csrfChallengeFourNonce"; - boolean result = false; - HttpSession ses = request.getSession(true); - String userId = (String)ses.getAttribute("userStamp"); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - //Get CSRF Token From session - if(ses.getAttribute(csrfTokenName) == null || ses.getAttribute(csrfTokenName).toString().isEmpty()) - { - log.debug("No CSRF Token found in session"); - storedToken = Setter.setCsrfChallengeFourCsrfToken(userId, Hash.randomString(), ApplicationRoot); - out.write(csrfGenerics.getString("target.noTokenNewToken") + " " + 
storedToken + "

"); - ses.setAttribute(csrfTokenName, storedToken); - } - else - { - storedToken = "" + ses.getAttribute(csrfTokenName); - } - log.debug("Victom is - " + userId); - String plusId = request.getParameter("userId").trim(); - log.debug("User Submitted - " + plusId); - String csrfToken = request.getParameter("csrfToken").trim(); - log.debug("csrfToken Submitted - '" + csrfToken + "'"); - log.debug("storedCsrf Token is - '" + storedToken + "'"); + String storedToken = new String(); + try { + String ApplicationRoot = getServletContext().getRealPath(""); + String csrfTokenName = "csrfChallengeFourNonce"; + boolean result = false; + HttpSession ses = request.getSession(true); + String userId = (String) ses.getAttribute("userStamp"); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + // Get CSRF Token From session + if (ses.getAttribute(csrfTokenName) == null + || ses.getAttribute(csrfTokenName).toString().isEmpty()) { + log.debug("No CSRF Token found in session"); + storedToken = + Setter.setCsrfChallengeFourCsrfToken(userId, Hash.randomString(), ApplicationRoot); + out.write( + csrfGenerics.getString("target.noTokenNewToken") + " " + storedToken + "

"); + ses.setAttribute(csrfTokenName, storedToken); + } else { + storedToken = "" + ses.getAttribute(csrfTokenName); + } + log.debug("Victom is - " + userId); + String plusId = request.getParameter("userId").trim(); + log.debug("User Submitted - " + plusId); + String csrfToken = request.getParameter("csrfToken").trim(); + log.debug("csrfToken Submitted - '" + csrfToken + "'"); + log.debug("storedCsrf Token is - '" + storedToken + "'"); - if(!userId.equals(plusId)) - { - if(validCsrfToken(ApplicationRoot, csrfToken)) // Poor CSRF Validation Method - { - log.debug("'Valid' Nonce Value Submitted"); - String userName = (String)ses.getAttribute("userName"); - String attackerName = Getter.getUserName(ApplicationRoot, plusId); - if(attackerName != null) - { - log.debug(userName + " is been CSRF'd by " + attackerName); + if (!userId.equals(plusId)) { + if (validCsrfToken(ApplicationRoot, csrfToken)) // Poor CSRF Validation Method + { + log.debug("'Valid' Nonce Value Submitted"); + String userName = (String) ses.getAttribute("userName"); + String attackerName = Getter.getUserName(ApplicationRoot, plusId); + if (attackerName != null) { + log.debug(userName + " is been CSRF'd by " + attackerName); - log.debug("Attempting to Increment "); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, moduleHash); - result = Setter.updateCsrfCounter(ApplicationRoot, moduleId, plusId); - } - else - { - log.error("UserId '" + plusId + "' could not be found in system."); - } - } - else - { - log.debug("User " + plusId + " CSRF attack failed due to invalid nonce"); - } - } - else - { - log.debug("User " + userId + " is attacking themselves"); - } + log.debug("Attempting to Increment "); + String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, moduleHash); + result = Setter.updateCsrfCounter(ApplicationRoot, moduleId, plusId); + } else { + log.error("UserId '" + plusId + "' could not be found in system."); + } + } else { + log.debug("User " + plusId + " CSRF attack failed 
due to invalid nonce"); + } + } else { + log.debug("User " + userId + " is attacking themselves"); + } - if(result) - { - out.write(csrfGenerics.getString("target.incrementSuccess")); - } - else - { - out.write(csrfGenerics.getString("target.incrementFailed")); - } - } - else - { - out.write(csrfGenerics.getString("target.noSession")); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } + if (result) { + out.write(csrfGenerics.getString("target.incrementSuccess")); + } else { + out.write(csrfGenerics.getString("target.incrementFailed")); + } + } else { + out.write(csrfGenerics.getString("target.noSession")); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } - /** - * CSRF Validator that checks if user submitted CSRF token is in the DB. This function does not filter the CSRF table for CSRF tokens belonging to the user submitting the request. It will return true as long as the token exists in the database, regardless of who owns the token - * @param ApplicationRoot Running context of the application - * @param csrfToken CSRF Token value to search DB for - * @return Returns true if the CSRF Token is Deemed valid - */ - private static boolean validCsrfToken (String ApplicationRoot, String csrfToken) - { - log.debug("*** CSRF4.validCsrfToken ***"); - boolean result = false; - Connection conn; + /** + * CSRF Validator that checks if user submitted CSRF token is in the DB. This function does not + * filter the CSRF table for CSRF tokens belonging to the user submitting the request. 
It will + * return true as long as the token exists in the database, regardless of who owns the token + * + * @param ApplicationRoot Running context of the application + * @param csrfToken CSRF Token value to search DB for + * @return Returns true if the CSRF Token is Deemed valid + */ + private static boolean validCsrfToken(String ApplicationRoot, String csrfToken) { + log.debug("*** CSRF4.validCsrfToken ***"); + boolean result = false; + Connection conn; - try - { - conn = Database.getChallengeConnection(ApplicationRoot, "csrfChallengeFour"); + try { + conn = Database.getChallengeConnection(ApplicationRoot, "csrfChallengeFour"); - PreparedStatement prepstmt = conn.prepareStatement("SELECT count(csrfTokenscol) FROM csrfTokens WHERE csrfTokenscol = ?"); - prepstmt.setString(1, csrfToken); - ResultSet rs = prepstmt.executeQuery(); - result = rs.next(); //If there is a row then the CSRF token was in the DB. Therefore CSRF Validated - Database.closeConnection(conn); + PreparedStatement prepstmt = + conn.prepareStatement( + "SELECT count(csrfTokenscol) FROM csrfTokens WHERE csrfTokenscol = ?"); + prepstmt.setString(1, csrfToken); + ResultSet rs = prepstmt.executeQuery(); + result = rs.next(); // If there is a row then the CSRF token was in the DB. Therefore CSRF + // Validated + Database.closeConnection(conn); - } - catch(SQLException e) - { - log.error("CSRF4 Token Check Failure: " + e.toString()); - result = false; - } - log.debug("*** END CSRF4.validCsrfToken ***"); - return result; - } + } catch (SQLException e) { + log.error("CSRF4 Token Check Failure: " + e.toString()); + result = false; + } + log.debug("*** END CSRF4.validCsrfToken ***"); + return result; + } } diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeTargetJSON.java b/src/main/java/servlets/module/challenge/CsrfChallengeTargetJSON.java index 66cd88b7d..d428426eb 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeTargetJSON.java 
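Review bot: validCsrfToken releases its connection only on the success path — `Database.closeConnection(conn)` sits inside the try, so a SQLException from prepareStatement or executeQuery leaks the connection, and the PreparedStatement and ResultSet are never closed on any path; wrap the statement and result set in try-with-resources and move the close into a finally, as below. Separately, `SELECT count(...)` always returns exactly one row, so `result = rs.next()` is true whenever the query runs, even when the count is 0; if the Javadoc contract ("true as long as the token exists in the database") is the intended one, the code should read the count column rather than test for a row — I have not folded that into the fence because the weak check appears to be deliberate for this challenge and should be confirmed first. The doPost Javadoc in this hunk documents `@param userId`, which is not a method parameter (the signature takes request and response); replace it with `@param request` / `@param response` entries and describe the `userId` form field in the summary sentence — the same mismatch is in the CsrfChallengeTargetJSON, CsrfChallengeTargetOne and CsrfChallengeTargetSeven hunks.
```java
  private static boolean validCsrfToken(String ApplicationRoot, String csrfToken) {
    log.debug("*** CSRF4.validCsrfToken ***");
    boolean result = false;
    Connection conn = null;
    try {
      conn = Database.getChallengeConnection(ApplicationRoot, "csrfChallengeFour");
      try (PreparedStatement prepstmt =
              conn.prepareStatement(
                  "SELECT count(csrfTokenscol) FROM csrfTokens WHERE csrfTokenscol = ?")) {
        prepstmt.setString(1, csrfToken);
        try (ResultSet rs = prepstmt.executeQuery()) {
          result = rs.next(); // unchanged check: true when a row came back
        }
      }
    } catch (SQLException e) {
      log.error("CSRF4 Token Check Failure: " + e.toString());
      result = false;
    } finally {
      if (conn != null) {
        Database.closeConnection(conn); // now also runs on the failure path
      }
    }
    // … unchanged: trailing debug log and return …
```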
+++ b/src/main/java/servlets/module/challenge/CsrfChallengeTargetJSON.java @@ -1,134 +1,122 @@ package servlets.module.challenge; +import dbProcs.Getter; +import dbProcs.Setter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; import java.util.Scanner; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.json.simple.JSONObject; import org.json.simple.JSONValue; - import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Getter; -import dbProcs.Setter; /** - * Cross Site Request Forgery Challenge Target SON - Does not return Result key - *

+ * Cross Site Request Forgery Challenge Target SON - Does not return Result key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeTargetJSON extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(CsrfChallengeTargetJSON.class); - private static String levelName = "CSRF JSON Target"; - /** - * CSRF vulnerable function that can be used by users to force other users to mark their CSRF challenge as complete. Function expecting JSON formed data - * @param userId User identifier to be incremented - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet"); +public class CsrfChallengeTargetJSON extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(CsrfChallengeTargetJSON.class); + private static String levelName = "CSRF JSON Target"; + + /** + * CSRF vulnerable function that can be used by users to force other users to mark their CSRF + * challenge as complete. 
Function expecting JSON formed data + * + * @param userId User identifier to be incremented + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet"); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - boolean result = false; - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + boolean result = false; + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - log.debug("Getting JSON String"); - String jsonData = extractPostRequestBody(request); - 
log.debug("POST body: " + jsonData); - JSONObject json = (JSONObject)JSONValue.parse(jsonData); - log.debug("Getting userId"); - String plusId = (String) json.get("userId"); - log.debug("User Submitted - " + plusId); - String userId = (String)ses.getAttribute("userStamp"); - if(!userId.equals(plusId)) - { - String ApplicationRoot = getServletContext().getRealPath(""); - String userName = (String)ses.getAttribute("userName"); - String attackerName = Getter.getUserName(ApplicationRoot, plusId); - if(attackerName != null) - { - log.debug(userName + " is been CSRF'd by " + attackerName); + log.debug("Getting JSON String"); + String jsonData = extractPostRequestBody(request); + log.debug("POST body: " + jsonData); + JSONObject json = (JSONObject) JSONValue.parse(jsonData); + log.debug("Getting userId"); + String plusId = (String) json.get("userId"); + log.debug("User Submitted - " + plusId); + String userId = (String) ses.getAttribute("userStamp"); + if (!userId.equals(plusId)) { + String ApplicationRoot = getServletContext().getRealPath(""); + String userName = (String) ses.getAttribute("userName"); + String attackerName = Getter.getUserName(ApplicationRoot, plusId); + if (attackerName != null) { + log.debug(userName + " is been CSRF'd by " + attackerName); - log.debug("Attempting to Increment "); - String moduleHash = CsrfChallengeJSON.getLevelHash(); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, moduleHash); - result = Setter.updateCsrfCounter(ApplicationRoot, moduleId, plusId); - } - else - { - log.error("UserId '" + plusId + "' could not be found."); - } - } + log.debug("Attempting to Increment "); + String moduleHash = CsrfChallengeJSON.getLevelHash(); + String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, moduleHash); + result = Setter.updateCsrfCounter(ApplicationRoot, moduleId, plusId); + } else { + log.error("UserId '" + plusId + "' could not be found."); + } + } - if(result) - { - 
out.write(csrfGenerics.getString("target.incrementSuccess")); - } - else - { - out.write(csrfGenerics.getString("target.incrementFailed")); - } - } - else - { - out.write(csrfGenerics.getString("target.noSession")); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } + if (result) { + out.write(csrfGenerics.getString("target.incrementSuccess")); + } else { + out.write(csrfGenerics.getString("target.incrementFailed")); + } + } else { + out.write(csrfGenerics.getString("target.noSession")); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } - @SuppressWarnings("resource") - static String extractPostRequestBody(HttpServletRequest request) throws IOException { - if ("POST".equalsIgnoreCase(request.getMethod())) { - Scanner s = new Scanner(request.getInputStream(), "UTF-8").useDelimiter("\\A"); - return s.hasNext() ? s.next() : ""; - } - return ""; - } + @SuppressWarnings("resource") + static String extractPostRequestBody(HttpServletRequest request) throws IOException { + if ("POST".equalsIgnoreCase(request.getMethod())) { + Scanner s = new Scanner(request.getInputStream(), "UTF-8").useDelimiter("\\A"); + return s.hasNext() ? s.next() : ""; + } + return ""; + } } diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeTargetOne.java b/src/main/java/servlets/module/challenge/CsrfChallengeTargetOne.java index 10627f6fe..f93bfdda7 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeTargetOne.java +++ b/src/main/java/servlets/module/challenge/CsrfChallengeTargetOne.java 
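Review bot: extractPostRequestBody never closes the Scanner it opens — the `@SuppressWarnings("resource")` only silences the warning — so the request InputStream is left for the container to reclaim; replace the two body lines with `try (Scanner s = new Scanner(request.getInputStream(), "UTF-8").useDelimiter("\\A")) { return s.hasNext() ? s.next() : ""; }` and drop the suppression. In doPost, `JSONValue.parse(jsonData)` yields null for a body json-simple cannot parse (and a non-object value cannot be cast to JSONObject), and `(String) json.get("userId")` throws ClassCastException for a non-string value; all of these currently surface only as the generic `error.funky` response through the catch-all, so an explicit `if (json == null)` branch that logs the malformed body at debug level and writes `target.incrementFailed` would make the failure mode visible in the logs instead of a fatal-level stack string.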
@@ -1,116 +1,104 @@ package servlets.module.challenge; +import dbProcs.Getter; +import dbProcs.Setter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Getter; -import dbProcs.Setter; /** - * Cross Site Request Forgery challenge target One - Does not return result key - *

+ * Cross Site Request Forgery challenge target One - Does not return result key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeTargetOne extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(CsrfChallengeTargetOne.class); - private static String levelName = "CSRF 1 Target"; - /** - * CSRF vulnerable function that can be used by users to force other users to mark their CSRF challenge One as complete. - * @param userId User identifier to be incremented - */ - public void doGet (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug("Cross-SiteForegery Challenge One Target Servlet"); +public class CsrfChallengeTargetOne extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(CsrfChallengeTargetOne.class); + private static String levelName = "CSRF 1 Target"; + + /** + * CSRF vulnerable function that can be used by users to force other users to mark their CSRF + * challenge One as complete. 
+ * + * @param userId User identifier to be incremented + */ + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug("Cross-SiteForegery Challenge One Target Servlet"); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - boolean result = false; - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - String plusId = request.getParameter("userid"); - log.debug("User Submitted - " + plusId); - String userId = (String)ses.getAttribute("userStamp"); - if(!userId.equals(plusId)) - { - String ApplicationRoot = getServletContext().getRealPath(""); - String userName = (String)ses.getAttribute("userName"); - String attackerName = Getter.getUserName(ApplicationRoot, plusId); - if(attackerName != null) - { - log.debug(userName + " is been CSRF'd by " + attackerName); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try 
{ + boolean result = false; + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + String plusId = request.getParameter("userid"); + log.debug("User Submitted - " + plusId); + String userId = (String) ses.getAttribute("userStamp"); + if (!userId.equals(plusId)) { + String ApplicationRoot = getServletContext().getRealPath(""); + String userName = (String) ses.getAttribute("userName"); + String attackerName = Getter.getUserName(ApplicationRoot, plusId); + if (attackerName != null) { + log.debug(userName + " is been CSRF'd by " + attackerName); - log.debug("Attempting to Increment "); - String moduleHash = CsrfChallengeOne.getLevelHash(); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, moduleHash); - result = Setter.updateCsrfCounter(ApplicationRoot, moduleId, plusId); - } - else - { - log.error("UserId '" + plusId + "' could not be found."); - } - } + log.debug("Attempting to Increment "); + String moduleHash = CsrfChallengeOne.getLevelHash(); + String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, moduleHash); + result = Setter.updateCsrfCounter(ApplicationRoot, moduleId, plusId); + } else { + log.error("UserId '" + plusId + "' could not be found."); + } + } - if(result) - { - out.write(csrfGenerics.getString("target.incrementSuccess")); - } - else - { - out.write(csrfGenerics.getString("target.incrementFailed")); - } - } - else - { - out.write(csrfGenerics.getString("target.noSession")); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal("Cross Site Request Forgery Challenge Target 1 - " + e.toString()); - } - } + if (result) { + out.write(csrfGenerics.getString("target.incrementSuccess")); + } else { + 
out.write(csrfGenerics.getString("target.incrementFailed")); + } + } else { + out.write(csrfGenerics.getString("target.noSession")); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal("Cross Site Request Forgery Challenge Target 1 - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeTargetSeven.java b/src/main/java/servlets/module/challenge/CsrfChallengeTargetSeven.java index 5c6cbc507..d5df56cf8 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeTargetSeven.java +++ b/src/main/java/servlets/module/challenge/CsrfChallengeTargetSeven.java @@ -1,151 +1,134 @@ package servlets.module.challenge; +import dbProcs.Getter; +import dbProcs.Setter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Getter; -import dbProcs.Setter; /** - * Cross Site Request Forgery Challenge Target Seven - Does not return Result key - *
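Review bot: the fatal log in doGet's catch block hard-codes `"Cross Site Request Forgery Challenge Target 1 - "` while the class already defines `levelName` and every sibling target in this commit logs `log.fatal(levelName + " - " + e.toString())`; use `levelName` here so the message follows the same pattern, and the entry debug line `"Cross-SiteForegery Challenge One Target Servlet"` could likewise become `levelName + " Servlet"`, which also removes the misspelling. The `userid` request parameter is read without a null check; `userId.equals(null)` is simply false, so a missing parameter falls through to `Getter.getUserName(ApplicationRoot, null)` and the `could not be found` error log rather than being rejected up front — a `plusId == null` guard that writes `target.incrementFailed` and returns would be clearer. This is the only target in the series that performs the state-changing increment from doGet rather than doPost; if that is the intended lesson of challenge One, a one-line comment above the method saying so would stop a future maintainer from "fixing" it.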

- * Weak Nonce Variety can be broken - *

+ * Cross Site Request Forgery Challenge Target Seven - Does not return Result key
+ *
+ * Weak Nonce Variety can be broken
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeTargetSeven extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static String moduleHash = "7d79ea2b2a82543d480a63e55ebb8fef3209c5d648b54d1276813cd072815df3"; - private static final Logger log = LogManager.getLogger(CsrfChallengeTargetSeven.class); - private static String levelName = "CSRF Seven Target"; - /** - * CSRF vulnerable function that can be used by users to force other users to mark their CSRF challenge Two as complete. - * @param userId User identifier to be incremented - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet"); +public class CsrfChallengeTargetSeven extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static String moduleHash = + "7d79ea2b2a82543d480a63e55ebb8fef3209c5d648b54d1276813cd072815df3"; + private static final Logger log = LogManager.getLogger(CsrfChallengeTargetSeven.class); + private static String levelName = "CSRF Seven Target"; + + /** + * CSRF vulnerable function that can be used by users to force other users to mark their CSRF + * challenge Two as complete. 
+ * + * @param userId User identifier to be incremented + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet"); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String storedToken = new String(); - try - { - String ApplicationRoot = getServletContext().getRealPath(""); - String csrfTokenName = "csrfChallengeSevenNonce"; - boolean result = false; - HttpSession ses = request.getSession(true); - String userId = (String)ses.getAttribute("userStamp"); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - //Get CSRF Token From session - if(ses.getAttribute(csrfTokenName) == null || ses.getAttribute(csrfTokenName).toString().isEmpty()) - { - log.debug("No CSRF Token associated with user"); - storedToken = Hash.randomString(); - out.write(csrfGenerics.getString("target.noTokenNewToken") + " " + storedToken + "

"); - ses.setAttribute(csrfTokenName, storedToken); - Setter.setCsrfChallengeSevenCsrfToken(userId, storedToken, ApplicationRoot); - } - else - { - storedToken = "" + ses.getAttribute(csrfTokenName); - } - log.debug("Victom is - " + userId); - String plusId = request.getParameter("userId").trim(); - log.debug("User Submitted - " + plusId); - String csrfToken = request.getParameter("csrfToken").trim(); - log.debug("csrfToken Submitted - '" + csrfToken + "'"); - log.debug("storedCsrf Token is - '" + storedToken + "'"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String storedToken = new String(); + try { + String ApplicationRoot = getServletContext().getRealPath(""); + String csrfTokenName = "csrfChallengeSevenNonce"; + boolean result = false; + HttpSession ses = request.getSession(true); + String userId = (String) ses.getAttribute("userStamp"); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + // Get CSRF Token From session + if (ses.getAttribute(csrfTokenName) == null + || ses.getAttribute(csrfTokenName).toString().isEmpty()) { + log.debug("No CSRF Token associated with user"); + storedToken = Hash.randomString(); + out.write( + csrfGenerics.getString("target.noTokenNewToken") + " " + storedToken + "

"); + ses.setAttribute(csrfTokenName, storedToken); + Setter.setCsrfChallengeSevenCsrfToken(userId, storedToken, ApplicationRoot); + } else { + storedToken = "" + ses.getAttribute(csrfTokenName); + } + log.debug("Victom is - " + userId); + String plusId = request.getParameter("userId").trim(); + log.debug("User Submitted - " + plusId); + String csrfToken = request.getParameter("csrfToken").trim(); + log.debug("csrfToken Submitted - '" + csrfToken + "'"); + log.debug("storedCsrf Token is - '" + storedToken + "'"); - if(!userId.equals(plusId)) - { - if(csrfToken.equalsIgnoreCase(storedToken)) - { - log.debug("Valid Nonce Value Submitted"); - String userName = (String)ses.getAttribute("userName"); - String attackerName = Getter.getUserName(ApplicationRoot, plusId); - if(attackerName != null) - { - log.debug(userName + " is been CSRF'd by " + attackerName); + if (!userId.equals(plusId)) { + if (csrfToken.equalsIgnoreCase(storedToken)) { + log.debug("Valid Nonce Value Submitted"); + String userName = (String) ses.getAttribute("userName"); + String attackerName = Getter.getUserName(ApplicationRoot, plusId); + if (attackerName != null) { + log.debug(userName + " is been CSRF'd by " + attackerName); - log.debug("Attempting to Increment "); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, moduleHash); - result = Setter.updateCsrfCounter(ApplicationRoot, moduleId, plusId); - } - else - { - log.error("UserId '" + plusId + "' could not be found."); - } - } - else - { - log.debug("User " + plusId + " CSRF attack failed due to invalid nonce"); - } - } - else - { - log.debug("User " + userId + " is attacking themselves"); - } + log.debug("Attempting to Increment "); + String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, moduleHash); + result = Setter.updateCsrfCounter(ApplicationRoot, moduleId, plusId); + } else { + log.error("UserId '" + plusId + "' could not be found."); + } + } else { + log.debug("User " + plusId + " CSRF attack failed due to invalid 
nonce"); + } + } else { + log.debug("User " + userId + " is attacking themselves"); + } - if(result) - { - out.write(csrfGenerics.getString("target.incrementSuccess")); - } - else - { - out.write(csrfGenerics.getString("target.incrementFailed")); - } - } - else - { - out.write(csrfGenerics.getString("target.noSession")); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } + if (result) { + out.write(csrfGenerics.getString("target.incrementSuccess")); + } else { + out.write(csrfGenerics.getString("target.incrementFailed")); + } + } else { + out.write(csrfGenerics.getString("target.noSession")); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeTargetSix.java b/src/main/java/servlets/module/challenge/CsrfChallengeTargetSix.java index d84604aae..52cf2532f 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeTargetSix.java +++ b/src/main/java/servlets/module/challenge/CsrfChallengeTargetSix.java @@ -1,152 +1,141 @@ package servlets.module.challenge; +import dbProcs.Getter; +import dbProcs.Setter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.Random; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Getter; -import dbProcs.Setter; /** - * Cross Site Request Forgery Challenge Target Six - *
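Review bot: The Javadoc on `doPost` still carries `@param userId`, which names no parameter of `doPost(HttpServletRequest request, HttpServletResponse response)`; the reformat kept the stale tag, so javadoc and Error Prone will warn on it. Replace it with `@param request POST carrying the userId and csrfToken form fields` and `@param response response the localized result message is written to`. The same stale tag survives in the CsrfChallengeTargetSix, CsrfChallengeTargetThree and CsrfChallengeTargetTwo hunks below. Separately, `moduleHash` and `levelName` are assigned once and only read, so `private static final String moduleHash = ...` and `private static final String levelName = ...` would match `log` and `serialVersionUID`.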

- * Weak Nonce Variety can be broken - *

+ * Cross Site Request Forgery Challenge Target Six
+ *
+ * Weak Nonce Variety can be broken
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeTargetSix extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static String moduleHash = "2fff41105149e507c75b5a54e558470469d7024929cf78d570cd16c03bee3569"; - private static final String[] csrfArray ={"c4ca4238a0b923820dcc509a6f75849b", "c81e728d9d4c2f636f067f89cc14862c", "eccbc87e4b5ce2fe28308fd9f2a7baf3"}; - private static final Logger log = LogManager.getLogger(CsrfChallengeTargetSix.class); - private static String levelName = "CSRF 6 Target"; - /** - * CSRF vulnerable function that can be used by users to force other users to mark their CSRF challenge Two as complete. - * @param userId User identifier to be incremented - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet"); +public class CsrfChallengeTargetSix extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static String moduleHash = + "2fff41105149e507c75b5a54e558470469d7024929cf78d570cd16c03bee3569"; + private static final String[] csrfArray = { + "c4ca4238a0b923820dcc509a6f75849b", + "c81e728d9d4c2f636f067f89cc14862c", + "eccbc87e4b5ce2fe28308fd9f2a7baf3" + }; + private static final Logger log = LogManager.getLogger(CsrfChallengeTargetSix.class); + private static String levelName = "CSRF 6 Target"; + + /** + * CSRF vulnerable function that can be used by users to force other users to mark their CSRF + * challenge Two as complete. 
+ * + * @param userId User identifier to be incremented + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet"); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String storedToken = new String(); - try - { - String csrfTokenName = "csrfChallengeSixNonce"; - boolean result = false; - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - //Get CSRF Token From session - if(ses.getAttribute(csrfTokenName) == null || ses.getAttribute(csrfTokenName).toString().isEmpty()) - { - log.debug("No CSRF Token associated with user"); - Random random = new Random(); - int newToken = random.nextInt(3); - storedToken = csrfArray[newToken]; - out.write(csrfGenerics.getString("target.noTokenNewToken") + " " + storedToken + "

"); - ses.setAttribute(csrfTokenName, storedToken); - } - else - { - storedToken = "" + ses.getAttribute(csrfTokenName); - } - String userId = (String)ses.getAttribute("userStamp"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String storedToken = new String(); + try { + String csrfTokenName = "csrfChallengeSixNonce"; + boolean result = false; + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + // Get CSRF Token From session + if (ses.getAttribute(csrfTokenName) == null + || ses.getAttribute(csrfTokenName).toString().isEmpty()) { + log.debug("No CSRF Token associated with user"); + Random random = new Random(); + int newToken = random.nextInt(3); + storedToken = csrfArray[newToken]; + out.write( + csrfGenerics.getString("target.noTokenNewToken") + " " + storedToken + "

"); + ses.setAttribute(csrfTokenName, storedToken); + } else { + storedToken = "" + ses.getAttribute(csrfTokenName); + } + String userId = (String) ses.getAttribute("userStamp"); - String plusId = request.getParameter("userId").trim();; - log.debug("User Submitted - " + plusId); - String csrfToken = request.getParameter("csrfToken").trim();; - log.debug("csrfToken Submitted - " + csrfToken); + String plusId = request.getParameter("userId").trim(); + ; + log.debug("User Submitted - " + plusId); + String csrfToken = request.getParameter("csrfToken").trim(); + ; + log.debug("csrfToken Submitted - " + csrfToken); - if(!userId.equals(plusId)) - { - if(csrfToken.equalsIgnoreCase(storedToken)) - { - log.debug("Valid Nonce Value Submitted"); - String ApplicationRoot = getServletContext().getRealPath(""); - String userName = (String)ses.getAttribute("userName"); - String attackerName = Getter.getUserName(ApplicationRoot, plusId); - if(attackerName != null) - { - log.debug(userName + " is been CSRF'd by " + attackerName); + if (!userId.equals(plusId)) { + if (csrfToken.equalsIgnoreCase(storedToken)) { + log.debug("Valid Nonce Value Submitted"); + String ApplicationRoot = getServletContext().getRealPath(""); + String userName = (String) ses.getAttribute("userName"); + String attackerName = Getter.getUserName(ApplicationRoot, plusId); + if (attackerName != null) { + log.debug(userName + " is been CSRF'd by " + attackerName); - log.debug("Attempting to Increment "); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, moduleHash); - result = Setter.updateCsrfCounter(ApplicationRoot, moduleId, plusId); - } - else - { - log.error("UserId '" + plusId + "' could not be found."); - } - } - else - { - log.debug("User " + plusId + " CSRF attack failed due to invalid nonce"); - } - } - else - { - log.debug("User " + userId + " is attacking themselves"); - } + log.debug("Attempting to Increment "); + String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, moduleHash); + 
result = Setter.updateCsrfCounter(ApplicationRoot, moduleId, plusId); + } else { + log.error("UserId '" + plusId + "' could not be found."); + } + } else { + log.debug("User " + plusId + " CSRF attack failed due to invalid nonce"); + } + } else { + log.debug("User " + userId + " is attacking themselves"); + } - if(result) - { - out.write(csrfGenerics.getString("target.incrementSuccess")); - } - else - { - out.write(csrfGenerics.getString("target.incrementFailed")); - } - } - else - { - out.write(csrfGenerics.getString("target.noSession")); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } + if (result) { + out.write(csrfGenerics.getString("target.incrementSuccess")); + } else { + out.write(csrfGenerics.getString("target.incrementFailed")); + } + } else { + out.write(csrfGenerics.getString("target.noSession")); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeTargetThree.java b/src/main/java/servlets/module/challenge/CsrfChallengeTargetThree.java index c4ee5617e..1af55fbd0 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeTargetThree.java +++ b/src/main/java/servlets/module/challenge/CsrfChallengeTargetThree.java 
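Review bot: The reformat exposed two empty statements that were previously hidden as `.trim();;` — the bare `;` lines after `String plusId = request.getParameter("userId").trim();` and `String csrfToken = request.getParameter("csrfToken").trim();` do nothing and should be deleted. `String storedToken = new String();` creates a needless object; `String storedToken = "";` is the idiom, and the same line is in the CsrfChallengeTargetSeven hunk above. Both `trim()` calls throw NullPointerException when the form field is absent, which the outer `catch (Exception e)` then reports as `error.funky` at FATAL level; a missing parameter is an ordinary bad request and deserves an explicit null check before `trim()` rather than a fatal log entry.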
@@ -1,128 +1,114 @@ package servlets.module.challenge; +import dbProcs.Getter; +import dbProcs.Setter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Getter; -import dbProcs.Setter; /** - * Cross Site Request Forgery challenge Target Three - Does not return result key - *

+ * Cross Site Request Forgery challenge Target Three - Does not return result key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeTargetThree extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(CsrfChallengeTargetThree.class); - private static String levelName = "CSRF 3 Target"; - /** - * CSRF vulnerable function that can be used by users to force other users to mark their CSRF challenge Three as complete. - * @param userId User identifier to be incremented - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug("Cross-SiteForegery Challenge Three Target"); +public class CsrfChallengeTargetThree extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(CsrfChallengeTargetThree.class); + private static String levelName = "CSRF 3 Target"; + + /** + * CSRF vulnerable function that can be used by users to force other users to mark their CSRF + * challenge Three as complete. 
+ * + * @param userId User identifier to be incremented + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug("Cross-SiteForegery Challenge Three Target"); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - boolean result = false; - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - String plusId = request.getParameter("userid"); - log.debug("User Submitted - " + plusId); - String csrfParam = null; - if(request.getParameter("csrfToken") != null) - { - csrfParam = (String)request.getParameter("csrfToken"); - if(csrfParam.isEmpty()) - csrfParam = null; - } + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + boolean result = false; + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + 
request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + String plusId = request.getParameter("userid"); + log.debug("User Submitted - " + plusId); + String csrfParam = null; + if (request.getParameter("csrfToken") != null) { + csrfParam = (String) request.getParameter("csrfToken"); + if (csrfParam.isEmpty()) { + csrfParam = null; + } + } - String userId = (String)ses.getAttribute("userStamp"); - if(!userId.equals(plusId) && csrfParam != null) - { - String ApplicationRoot = getServletContext().getRealPath(""); - String userName = (String)ses.getAttribute("userName"); - String attackerName = Getter.getUserName(ApplicationRoot, plusId); - if(attackerName != null) - { - log.debug(userName + " is been CSRF'd by " + attackerName); + String userId = (String) ses.getAttribute("userStamp"); + if (!userId.equals(plusId) && csrfParam != null) { + String ApplicationRoot = getServletContext().getRealPath(""); + String userName = (String) ses.getAttribute("userName"); + String attackerName = Getter.getUserName(ApplicationRoot, plusId); + if (attackerName != null) { + log.debug(userName + " is been CSRF'd by " + attackerName); - log.debug("Attempting to Increment "); - String moduleHash = CsrfChallengeThree.getLevelHash(); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, moduleHash); - result = Setter.updateCsrfCounter(ApplicationRoot, moduleId, plusId); - } - else - { - log.error("UserId '" + plusId + "' could not be found."); - } - } - else - { - log.debug("No CSRF Token found"); - } + log.debug("Attempting to Increment "); + String moduleHash = CsrfChallengeThree.getLevelHash(); + String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, moduleHash); + result = Setter.updateCsrfCounter(ApplicationRoot, moduleId, plusId); + } else { + log.error("UserId '" + plusId + "' could not be found."); + } + } else { + log.debug("No CSRF Token 
found"); + } - if(result) - { - out.write(csrfGenerics.getString("target.incrementSuccess")); - } - else - { - out.write(csrfGenerics.getString("target.incrementFailed")); - } - } - else - { - out.write(csrfGenerics.getString("target.noSession")); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal("Cross Site Request Forgery Challenge Target 3 - " + e.toString()); - } - } + if (result) { + out.write(csrfGenerics.getString("target.incrementSuccess")); + } else { + out.write(csrfGenerics.getString("target.incrementFailed")); + } + } else { + out.write(csrfGenerics.getString("target.noSession")); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal("Cross Site Request Forgery Challenge Target 3 - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeTargetTwo.java b/src/main/java/servlets/module/challenge/CsrfChallengeTargetTwo.java index b598a5072..bd61c3b38 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeTargetTwo.java +++ b/src/main/java/servlets/module/challenge/CsrfChallengeTargetTwo.java @@ -1,116 +1,104 @@ package servlets.module.challenge; +import dbProcs.Getter; +import dbProcs.Setter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Getter; -import dbProcs.Setter; /** - * Cross Site Request Forgery Challenge Target Two - Does not return Result key - *
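Review bot: The entry line `log.debug("Cross-SiteForegery Challenge Three Target");` and the catch-block `log.fatal("Cross Site Request Forgery Challenge Target 3 - " + e.toString());` hard-code the level name (with a "Foregery" typo) although `levelName` is defined and already used for the access log in the same method; `log.debug(levelName + " Servlet");` and `log.fatal(levelName + " - " + e.toString());` would match the Seven and Six targets. The same hard-coded strings are in the CsrfChallengeTargetTwo hunk below. The cast in `csrfParam = (String) request.getParameter("csrfToken");` is redundant, since `getParameter` already returns `String`. The form field is read as `userid` here while the other targets read `userId`; if that difference is deliberate for this level, a one-line comment saying so would stop the next reader from "fixing" it.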

+ * Cross Site Request Forgery Challenge Target Two - Does not return Result key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeTargetTwo extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(CsrfChallengeTargetTwo.class); - private static String levelName = "CSRF 2 Target"; - /** - * CSRF vulnerable function that can be used by users to force other users to mark their CSRF challenge Two as complete. - * @param userId User identifier to be incremented - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug("Cross-SiteForegery Challenge Two Target Servlet"); +public class CsrfChallengeTargetTwo extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(CsrfChallengeTargetTwo.class); + private static String levelName = "CSRF 2 Target"; + + /** + * CSRF vulnerable function that can be used by users to force other users to mark their CSRF + * challenge Two as complete. 
+ * + * @param userId User identifier to be incremented + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug("Cross-SiteForegery Challenge Two Target Servlet"); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - boolean result = false; - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - String plusId = request.getParameter("userId"); - log.debug("User Submitted - " + plusId); - String userId = (String)ses.getAttribute("userStamp"); - if(!userId.equals(plusId)) - { - String ApplicationRoot = getServletContext().getRealPath(""); - String userName = (String)ses.getAttribute("userName"); - String attackerName = Getter.getUserName(ApplicationRoot, plusId); - if(attackerName != null) - { - log.debug(userName + " is been CSRF'd by " + attackerName); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + 
try { + boolean result = false; + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + String plusId = request.getParameter("userId"); + log.debug("User Submitted - " + plusId); + String userId = (String) ses.getAttribute("userStamp"); + if (!userId.equals(plusId)) { + String ApplicationRoot = getServletContext().getRealPath(""); + String userName = (String) ses.getAttribute("userName"); + String attackerName = Getter.getUserName(ApplicationRoot, plusId); + if (attackerName != null) { + log.debug(userName + " is been CSRF'd by " + attackerName); - log.debug("Attempting to Increment "); - String moduleHash = CsrfChallengeTwo.getLevelHash(); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, moduleHash); - result = Setter.updateCsrfCounter(ApplicationRoot, moduleId, plusId); - } - else - { - log.error("UserId '" + plusId + "' could not be found."); - } - } + log.debug("Attempting to Increment "); + String moduleHash = CsrfChallengeTwo.getLevelHash(); + String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, moduleHash); + result = Setter.updateCsrfCounter(ApplicationRoot, moduleId, plusId); + } else { + log.error("UserId '" + plusId + "' could not be found."); + } + } - if(result) - { - out.write(csrfGenerics.getString("target.incrementSuccess")); - } - else - { - out.write(csrfGenerics.getString("target.incrementFailed")); - } - } - else - { - out.write(csrfGenerics.getString("target.noSession")); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal("Cross Site Request Forgery Target Challenge 2 - " + e.toString()); - } - } + if (result) { + out.write(csrfGenerics.getString("target.incrementSuccess")); + } else { + 
out.write(csrfGenerics.getString("target.incrementFailed")); + } + } else { + out.write(csrfGenerics.getString("target.noSession")); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal("Cross Site Request Forgery Target Challenge 2 - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeThree.java b/src/main/java/servlets/module/challenge/CsrfChallengeThree.java index ababd8b89..a86ca3fdb 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeThree.java +++ b/src/main/java/servlets/module/challenge/CsrfChallengeThree.java @@ -1,110 +1,109 @@ package servlets.module.challenge; +import dbProcs.Getter; +import dbProcs.Setter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Getter; -import dbProcs.Setter; /** - * Cross Site Request Forgery Challenge Three - Does not return result key - *

+ * Cross Site Request Forgery Challenge Three - Does not return result key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeThree extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(CsrfChallengeThree.class); - private static String levelName = "Cross Site Request Forgery Challenge Three"; - private static String levelHash = "z6b2f5ebbe112dd09a6c430a167415820adc5633256a7b44a7d1e262db105e3c"; - /** - * Allows users to set their CSRF attack string to complete this module. They should be using this to force users to visit their own pages that - * forces the victim to submit a post request to the CSRFChallengeTargetThree - * @param myMessage To Be stored as the users message for this module - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet Accessed"); +public class CsrfChallengeThree extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(CsrfChallengeThree.class); + private static String levelName = "Cross Site Request Forgery Challenge Three"; + private static String levelHash = + "z6b2f5ebbe112dd09a6c430a167415820adc5633256a7b44a7d1e262db105e3c"; + + /** + * Allows users to set their CSRF attack string to complete this module. 
They should be using this + * to force users to visit their own pages that forces the victim to submit a post request to the + * CSRFChallengeTargetThree + * + * @param myMessage To Be stored as the users message for this module + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet Accessed"); + + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + String myMessage = request.getParameter("myMessage"); + log.debug("User Submitted - " + myMessage); + myMessage = Validate.makeValidUrl(myMessage); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - 
try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - String myMessage = request.getParameter("myMessage"); - log.debug("User Submitted - " + myMessage); - myMessage = Validate.makeValidUrl(myMessage); + log.debug("Updating User's Stored Message"); + String ApplicationRoot = getServletContext().getRealPath(""); + String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); + String userId = (String) ses.getAttribute("userStamp"); + Setter.setStoredMessage(ApplicationRoot, myMessage, userId, moduleId); - log.debug("Updating User's Stored Message"); - String ApplicationRoot = getServletContext().getRealPath(""); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); - String userId = (String)ses.getAttribute("userStamp"); - Setter.setStoredMessage(ApplicationRoot, myMessage, userId, moduleId); + log.debug("Retrieving user's class's forum"); + String classId = null; + if (ses.getAttribute("userClass") != null) { + classId = (String) ses.getAttribute("userClass"); + } + String htmlOutput = + Getter.getCsrfForumWithIframe(ApplicationRoot, classId, moduleId, csrfGenerics); - log.debug("Retrieving user's class's forum"); - String classId = null; - if(ses.getAttribute("userClass") != null) - classId = (String)ses.getAttribute("userClass"); - String htmlOutput = Getter.getCsrfForumWithIframe(ApplicationRoot, classId, moduleId, csrfGenerics); + log.debug("Outputting HTML"); + out.write(htmlOutput); + } + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + 
log.fatal(levelName + " - " + e.toString()); + } + } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - public static String getLevelHash() - { - return levelHash; - } + public static String getLevelHash() { + return levelHash; + } } diff --git a/src/main/java/servlets/module/challenge/CsrfChallengeTwo.java b/src/main/java/servlets/module/challenge/CsrfChallengeTwo.java index 325d0166a..081424a32 100644 --- a/src/main/java/servlets/module/challenge/CsrfChallengeTwo.java +++ b/src/main/java/servlets/module/challenge/CsrfChallengeTwo.java @@ -1,110 +1,109 @@ package servlets.module.challenge; +import dbProcs.Getter; +import dbProcs.Setter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Getter; -import dbProcs.Setter; /** - * Cross Site Request Forgery Challenge Two - Does not return result Key - *
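Review bot: When `Validate.validateTokens(tokenCookie, tokenParmeter)` returns false, or when `Validate.validateSession(ses)` fails, doPost writes nothing after `getServletInfo()` and logs nothing, so a rejected request is indistinguishable from a successful one that produced an empty forum; the sibling CsrfChallengeTargetTwo above at least writes `target.noSession` for the no-session case. An `else` on the token check such as `log.error(levelName + " - csrfToken mismatch for " + ses.getAttribute("userName"));` would make failed token checks visible in the logs, which is the signal a defender wants from a CSRF guard. The same gap is in the CsrfChallengeTwo hunk below. Separately, `request.getParameter` returns a String, so `Object tokenParmeter` (typo aside) could be declared `String csrfToken` instead of widening to Object.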

+ * Cross Site Request Forgery Challenge Two - Does not return result Key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfChallengeTwo extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(CsrfChallengeTwo.class); - private static String levelName = "Cross Site Request Forgery Challenge Two"; - private static String levelHash = "z311736498a13604705d608fb3171ebf49bc18753b0ec34b8dff5e4f9147eb5e"; - /** - * Allows users to set their CSRF attack string to complete this module. They should be using this to force users to visit their own pages that - * forces the victim to submit a post request to the CSRFChallengeTargetTwo - * @param myMessage To Be stored as the users message for this module - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet Accessed"); +public class CsrfChallengeTwo extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(CsrfChallengeTwo.class); + private static String levelName = "Cross Site Request Forgery Challenge Two"; + private static String levelHash = + "z311736498a13604705d608fb3171ebf49bc18753b0ec34b8dff5e4f9147eb5e"; + + /** + * Allows users to set their CSRF attack string to complete this module. 
They should be using this + * to force users to visit their own pages that forces the victim to submit a post request to the + * CSRFChallengeTargetTwo + * + * @param myMessage To Be stored as the users message for this module + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet Accessed"); + + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle csrfGenerics = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle csrfGenerics = ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + String myMessage = request.getParameter("myMessage"); + log.debug("User Submitted - " + myMessage); + myMessage = Validate.makeValidUrl(myMessage); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - 
try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - String myMessage = request.getParameter("myMessage"); - log.debug("User Submitted - " + myMessage); - myMessage = Validate.makeValidUrl(myMessage); + log.debug("Updating User's Stored Message"); + String ApplicationRoot = getServletContext().getRealPath(""); + String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); + String userId = (String) ses.getAttribute("userStamp"); + Setter.setStoredMessage(ApplicationRoot, myMessage, userId, moduleId); - log.debug("Updating User's Stored Message"); - String ApplicationRoot = getServletContext().getRealPath(""); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); - String userId = (String)ses.getAttribute("userStamp"); - Setter.setStoredMessage(ApplicationRoot, myMessage, userId, moduleId); + log.debug("Retrieving user's class's forum"); + String classId = null; + if (ses.getAttribute("userClass") != null) { + classId = (String) ses.getAttribute("userClass"); + } + String htmlOutput = + Getter.getCsrfForumWithIframe(ApplicationRoot, classId, moduleId, csrfGenerics); - log.debug("Retrieving user's class's forum"); - String classId = null; - if(ses.getAttribute("userClass") != null) - classId = (String)ses.getAttribute("userClass"); - String htmlOutput = Getter.getCsrfForumWithIframe(ApplicationRoot, classId, moduleId, csrfGenerics); + log.debug("Outputting HTML"); + out.write(htmlOutput); + } + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + 
log.fatal(levelName + " - " + e.toString()); + } + } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - public static String getLevelHash() - { - return levelHash; - } + public static String getLevelHash() { + return levelHash; + } } diff --git a/src/main/java/servlets/module/challenge/DirectObject1.java b/src/main/java/servlets/module/challenge/DirectObject1.java index 2c6c3f2cc..2422db780 100644 --- a/src/main/java/servlets/module/challenge/DirectObject1.java +++ b/src/main/java/servlets/module/challenge/DirectObject1.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -7,110 +8,119 @@ import java.sql.ResultSet; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * Insecure Direct Object Challenge Challenge One - * Does not use user specific key because key is currently hard coded into database schema - *
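Review bot: `levelName` and `levelHash` are mutable statics (`private static String`) and `levelHash` is exposed through `getLevelHash()`, yet nothing in the class reassigns them; they should be `private static final String levelName = ...` and `private static final String levelHash = ...`, so that the module lookup in `Getter.getModuleIdFromHash(ApplicationRoot, levelHash)` depends on a constant rather than on whatever last wrote the field. The same applies to CsrfChallengeThree and CsrfChallengeTargetTwo above, and to DirectObject1 below, where `levelHash` is even `public static` and therefore reassignable from any class in the application. This is pre-existing, but the reformat rewrites every one of these declarations, so it is the cheapest moment to add `final`.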

+ * Insecure Direct Object Challenge Challenge One Does not use user specific key because key is + * currently hard coded into database schema
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class DirectObject1 extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(DirectObject1.class); - private static String levelName = "Insecure Direct Object Challenge Challenge One"; - public static String levelHash = "o9a450a64cc2a196f55878e2bd9a27a72daea0f17017253f87e7ebd98c71c98c"; - /** - * The user must abuse this functionality to reveal a hidden user. The result key is hidden in this users profile. - * @param userId To be used in generating the HTML output - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); +public class DirectObject1 extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(DirectObject1.class); + private static String levelName = "Insecure Direct Object Challenge Challenge One"; + public static String levelHash = + "o9a450a64cc2a196f55878e2bd9a27a72daea0f17017253f87e7ebd98c71c98c"; + + /** + * The user must abuse this functionality to reveal a hidden user. The result key is hidden in + * this users profile. 
+ * + * @param userId To be used in generating the HTML output + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectRef1", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectRef1", locale); - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - String userId = request.getParameter("userId[]"); - log.debug("User Submitted - " + userId); - String ApplicationRoot = getServletContext().getRealPath(""); - log.debug("Servlet root = " + ApplicationRoot ); - String htmlOutput = new String(); + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + 
out.print(getServletInfo()); + try { + String userId = request.getParameter("userId[]"); + log.debug("User Submitted - " + userId); + String ApplicationRoot = getServletContext().getRealPath(""); + log.debug("Servlet root = " + ApplicationRoot); + String htmlOutput = new String(); - Connection conn = Database.getChallengeConnection(ApplicationRoot, "directObjectRefChalOne"); - PreparedStatement prepstmt = conn.prepareStatement("SELECT userName, privateMessage FROM users WHERE userId = ?"); - prepstmt.setString(1, userId); - ResultSet resultSet = prepstmt.executeQuery(); - if(resultSet.next()) - { - log.debug("Found user: " + resultSet.getString(1)); - String userName = resultSet.getString(1); - String privateMessage = resultSet.getString(2); - htmlOutput = "

" + userName + "'s " + bundle.getString("response.message") + "

" + - "

" + privateMessage + "

"; - } - else - { - log.debug("No Profile Found"); + Connection conn = + Database.getChallengeConnection(ApplicationRoot, "directObjectRefChalOne"); + PreparedStatement prepstmt = + conn.prepareStatement("SELECT userName, privateMessage FROM users WHERE userId = ?"); + prepstmt.setString(1, userId); + ResultSet resultSet = prepstmt.executeQuery(); + if (resultSet.next()) { + log.debug("Found user: " + resultSet.getString(1)); + String userName = resultSet.getString(1); + String privateMessage = resultSet.getString(2); + htmlOutput = + "

" + + userName + + "'s " + + bundle.getString("response.message") + + "

" + + "

" + + privateMessage + + "

"; + } else { + log.debug("No Profile Found"); - htmlOutput = "

" + bundle.getString("response.notFound") + "

" + bundle.getString("response.notFoundMessage.1") + " '" + Encode.forHtml(userId) + "' " + bundle.getString("response.notFoundMessage.2") + "

"; - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - Database.closeConnection(conn); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + htmlOutput = + "

" + + bundle.getString("response.notFound") + + "

" + + bundle.getString("response.notFoundMessage.1") + + " '" + + Encode.forHtml(userId) + + "' " + + bundle.getString("response.notFoundMessage.2") + + "

"; + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + Database.closeConnection(conn); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/DirectObject2.java b/src/main/java/servlets/module/challenge/DirectObject2.java index e045f211c..59b378d3c 100644 --- a/src/main/java/servlets/module/challenge/DirectObject2.java +++ b/src/main/java/servlets/module/challenge/DirectObject2.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -7,110 +8,119 @@ import java.sql.ResultSet; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * Insecure Direct Object Reference Challenge Two - * Does not use user specific key because key is currently hard coded into database schema - *
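Review bot: The JDBC resources in the new try block are released only on the success path: `Database.closeConnection(conn)` is the last statement inside `try`, so any exception from `prepareStatement`, `executeQuery` or `resultSet.getString` skips it and leaks the challenge connection, and `prepstmt` and `resultSet` are never closed at all. Declare `conn` before the try and release it in a `finally`, and put the statement and result set in try-with-resources (`PreparedStatement` and `ResultSet` are AutoCloseable), as sketched below; keeping `Database.closeConnection` in the finally preserves whatever that helper does beyond `conn.close()`. `String htmlOutput = new String();` can also become `String htmlOutput = "";`. The same pattern appears in DirectObject2, whose hunk runs past this chunk.
```java
      Connection conn = null;
      try {
        // … unchanged: userId parameter, ApplicationRoot and htmlOutput declaration …
        conn = Database.getChallengeConnection(ApplicationRoot, "directObjectRefChalOne");
        try (PreparedStatement prepstmt =
            conn.prepareStatement("SELECT userName, privateMessage FROM users WHERE userId = ?")) {
          prepstmt.setString(1, userId);
          try (ResultSet resultSet = prepstmt.executeQuery()) {
            // … unchanged: found / not-found htmlOutput construction …
          }
        }
        log.debug("Outputting HTML");
        out.write(htmlOutput);
      } catch (Exception e) {
        out.write(errors.getString("error.funky"));
        log.fatal(levelName + " - " + e.toString());
      } finally {
        if (conn != null) {
          Database.closeConnection(conn);
        }
      }
```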

+ * Insecure Direct Object Reference Challenge Two Does not use user specific key because key is + * currently hard coded into database schema
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class DirectObject2 extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(DirectObject2.class); - private static String levelName = "Insecure Direct Object Reference Challenge Two"; - public static String levelHash = "vc9b78627df2c032ceaf7375df1d847e47ed7abac2a4ce4cb6086646e0f313a4"; - /** - * The user must abuse this functionality to reveal a hidden user. The result key is hidden in this users profile. - * @param userId To be used in generating the HTML output - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class DirectObject2 extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(DirectObject2.class); + private static String levelName = "Insecure Direct Object Reference Challenge Two"; + public static String levelHash = + "vc9b78627df2c032ceaf7375df1d847e47ed7abac2a4ce4cb6086646e0f313a4"; + + /** + * The user must abuse this functionality to reveal a hidden user. The result key is hidden in + * this users profile. 
+ * + * @param userId To be used in generating the HTML output + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectRef2", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectRef2", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - String userId = request.getParameter("userId[]"); - log.debug("User Submitted - " + userId); - String ApplicationRoot = getServletContext().getRealPath(""); - log.debug("Servlet root = " + ApplicationRoot ); - String htmlOutput = new String(); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + String 
userId = request.getParameter("userId[]"); + log.debug("User Submitted - " + userId); + String ApplicationRoot = getServletContext().getRealPath(""); + log.debug("Servlet root = " + ApplicationRoot); + String htmlOutput = new String(); - Connection conn = Database.getChallengeConnection(ApplicationRoot, "directObjectRefChalTwo"); - PreparedStatement prepstmt = conn.prepareStatement("SELECT userName, privateMessage FROM users WHERE userId = ?"); - prepstmt.setString(1, userId); - ResultSet resultSet = prepstmt.executeQuery(); - if(resultSet.next()) - { - log.debug("Found user: " + resultSet.getString(1)); - String userName = resultSet.getString(1); - String privateMessage = resultSet.getString(2); - htmlOutput = "

" + userName + "'s " + bundle.getString("response.message") + "

" + - "

" + privateMessage + "

"; - } - else - { - log.debug("No Profile Found"); + Connection conn = + Database.getChallengeConnection(ApplicationRoot, "directObjectRefChalTwo"); + PreparedStatement prepstmt = + conn.prepareStatement("SELECT userName, privateMessage FROM users WHERE userId = ?"); + prepstmt.setString(1, userId); + ResultSet resultSet = prepstmt.executeQuery(); + if (resultSet.next()) { + log.debug("Found user: " + resultSet.getString(1)); + String userName = resultSet.getString(1); + String privateMessage = resultSet.getString(2); + htmlOutput = + "

" + + userName + + "'s " + + bundle.getString("response.message") + + "

" + + "

" + + privateMessage + + "

"; + } else { + log.debug("No Profile Found"); - htmlOutput = "

" + bundle.getString("response.notFound") + "

" + bundle.getString("response.notFoundMessage.1") + " '" + Encode.forHtml(userId) + "' " + bundle.getString("response.notFoundMessage.2") + "

"; - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - Database.closeConnection(conn); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + htmlOutput = + "

" + + bundle.getString("response.notFound") + + "

" + + bundle.getString("response.notFoundMessage.1") + + " '" + + Encode.forHtml(userId) + + "' " + + bundle.getString("response.notFoundMessage.2") + + "

"; + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + Database.closeConnection(conn); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/DirectObjectBankCurrentBalance.java b/src/main/java/servlets/module/challenge/DirectObjectBankCurrentBalance.java index 0e262a9c3..75f28cec5 100644 --- a/src/main/java/servlets/module/challenge/DirectObjectBankCurrentBalance.java +++ b/src/main/java/servlets/module/challenge/DirectObjectBankCurrentBalance.java @@ -5,92 +5,89 @@ import java.sql.SQLException; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; /** - * Insecure Direct Object Reference Bank Challenge Get Balance Function - * DOES NOT RETURN RESULT KEY - *

+ * Insecure Direct Object Reference Bank Challenge Get Balance Function DOES NOT RETURN RESULT KEY + *
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class DirectObjectBankCurrentBalance extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(DirectObjectBankCurrentBalance.class); - private static String levelName = "Insecure Direct Object Bank Challenge (Refresh Balance)"; - public static String levelHash = "1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00c"; - /** - * This Servlet is used by users to register a new bank account in the Insecure Direct Object Bank Challenge. - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class DirectObjectBankCurrentBalance extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(DirectObjectBankCurrentBalance.class); + private static String levelName = "Insecure Direct Object Bank Challenge (Refresh Balance)"; + public static String levelHash = + "1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00c"; + + /** + * This Servlet is used by users to register a new bank account in the Insecure Direct Object Bank + * Challenge. 
+ */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectBank", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectBank", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - String accountNumber = request.getParameter("accountNumber"); - log.debug("Account Number - " + accountNumber); - String applicationRoot = getServletContext().getRealPath(""); - String htmlOutput = new String(); - float currentBalance = DirectObjectBankLogin.getAccountBalance(accountNumber, applicationRoot); - log.debug("Outputting HTML"); - htmlOutput = Float.toString(currentBalance); - out.write(htmlOutput); - } - catch(SQLException e) - { - out.write(errors.getString("error.funky") + " " + bundle.getString("login.error.couldNotGetBalance")); - log.fatal(levelName + " SQL Error - " + e.toString()); - } - catch(Exception e) - { - 
out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + String accountNumber = request.getParameter("accountNumber"); + log.debug("Account Number - " + accountNumber); + String applicationRoot = getServletContext().getRealPath(""); + String htmlOutput = new String(); + float currentBalance = + DirectObjectBankLogin.getAccountBalance(accountNumber, applicationRoot); + log.debug("Outputting HTML"); + htmlOutput = Float.toString(currentBalance); + out.write(htmlOutput); + } catch (SQLException e) { + out.write( + errors.getString("error.funky") + + " " + + bundle.getString("login.error.couldNotGetBalance")); + log.fatal(levelName + " SQL Error - " + e.toString()); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/DirectObjectBankLogin.java b/src/main/java/servlets/module/challenge/DirectObjectBankLogin.java index b34c69838..c437a5f35 100644 --- a/src/main/java/servlets/module/challenge/DirectObjectBankLogin.java +++ b/src/main/java/servlets/module/challenge/DirectObjectBankLogin.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.CallableStatement; 
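Review bot: The Javadoc on doPost still says this servlet is "used by users to register a new bank account", which contradicts both the class comment and levelName ("Refresh Balance"); the body only reads accountNumber and writes the balance back, so replace it with `/** Returns the current balance of the submitted accountNumber as plain text (refresh-balance step of the Insecure Direct Object Bank Challenge). */`. That comment should also state that accountNumber is deliberately taken from the request rather than from the session's directObjectBankAccount attribute (set in DirectObjectBankLogin, a later hunk of this patch), since that is the IDOR the challenge teaches and a later maintainer might otherwise "fix" it. The `String htmlOutput = new String();` line is a dead initialisation immediately overwritten by `Float.toString(currentBalance)` and can become `String htmlOutput = Float.toString(currentBalance);`.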
@@ -8,243 +9,333 @@ import java.sql.SQLException; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * Insecure Direct Object Reference Bank Challenge - *

+ * Insecure Direct Object Reference Bank Challenge
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class DirectObjectBankLogin extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(DirectObjectBankLogin.class); - private static String levelName = "Insecure Direct Object Bank Challenge"; - public static String levelHash = "1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00c"; - private static String levelResult = "4a1df02af317270f844b56edc0c29a09f3dd39faad3e2a23393606769b2dfa35"; - /** - * This Servlet is used in the Insecure Direct Object Bank to sign in to a specific bank account. - * It does this by checking the user DB credentials and then returns the bank form the user needs - * to call Bank Functions. - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); - response.setCharacterEncoding("UTF-8"); - request.setCharacterEncoding("UTF-8"); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectBank", locale); +public class DirectObjectBankLogin extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(DirectObjectBankLogin.class); + private static String levelName = "Insecure Direct Object Bank Challenge"; + public static String levelHash = + "1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00c"; + 
private static String levelResult = + "4a1df02af317270f844b56edc0c29a09f3dd39faad3e2a23393606769b2dfa35"; - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - String accountHolder = request.getParameter("accountHolder"); - log.debug("Account Holder - " + accountHolder); - String accountPass = request.getParameter("accountPass"); - log.debug("Account Pass - " + accountPass); - String applicationRoot = getServletContext().getRealPath(""); - String htmlOutput = new String(); + /** + * This Servlet is used in the Insecure Direct Object Bank to sign in to a specific bank account. + * It does this by checking the user DB credentials and then returns the bank form the user needs + * to call Bank Functions. 
+ */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); + response.setCharacterEncoding("UTF-8"); + request.setCharacterEncoding("UTF-8"); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectBank", locale); - Connection conn = Database.getChallengeConnection(applicationRoot, "directObjectBank"); - CallableStatement callstmt = conn.prepareCall("CALL bankAuth(?, ?)"); - callstmt.setString(1, accountHolder); - callstmt.setString(2, accountPass); - ResultSet resultSet = callstmt.executeQuery(); - if(resultSet.next()) - { - String accountNumber = resultSet.getString(1); - log.debug("Found Account Number: " + accountNumber); - ses.setAttribute("directObjectBankAccount", accountNumber); - htmlOutput += bankForm(accountNumber, applicationRoot, ses, bundle, errors); - } - else - { - log.debug("Authentication Failed"); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + String accountHolder = request.getParameter("accountHolder"); + log.debug("Account Holder - " + accountHolder); + String accountPass = request.getParameter("accountPass"); + log.debug("Account Pass - " + accountPass); + String applicationRoot = 
getServletContext().getRealPath(""); + String htmlOutput = new String(); - htmlOutput = bundle.getString("login.authFailedMessage.1") + " '" + Encode.forHtml(accountHolder) + "' " + bundle.getString("login.authFailedMessage.2"); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - Database.closeConnection(conn); - } - catch(SQLException e) - { - out.write(errors.getString("error.funky") + " " + bundle.getString("login.error.couldNotGetBalance")); - log.fatal(levelName + " SQL Error - " + e.toString()); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + Connection conn = Database.getChallengeConnection(applicationRoot, "directObjectBank"); + CallableStatement callstmt = conn.prepareCall("CALL bankAuth(?, ?)"); + callstmt.setString(1, accountHolder); + callstmt.setString(2, accountPass); + ResultSet resultSet = callstmt.executeQuery(); + if (resultSet.next()) { + String accountNumber = resultSet.getString(1); + log.debug("Found Account Number: " + accountNumber); + ses.setAttribute("directObjectBankAccount", accountNumber); + htmlOutput += bankForm(accountNumber, applicationRoot, ses, bundle, errors); + } else { + log.debug("Authentication Failed"); - /** - * Method used to return the bank interaction view for the user that is signed into the Direct Object Bank challenge - * @param accountNumber - * @param applicationRoot - * @param ses - * @param bundle - * @param errors - * @return - * @throws SQLException - */ - public static String bankForm(String accountNumber, String applicationRoot, HttpSession ses, ResourceBundle bundle, ResourceBundle errors) throws SQLException - { + htmlOutput = + bundle.getString("login.authFailedMessage.1") + + " '" + + Encode.forHtml(accountHolder) + + "' " + + bundle.getString("login.authFailedMessage.2"); + } + log.debug("Outputting HTML"); + out.write(htmlOutput); 
+ Database.closeConnection(conn); + } catch (SQLException e) { + out.write( + errors.getString("error.funky") + + " " + + bundle.getString("login.error.couldNotGetBalance")); + log.fatal(levelName + " SQL Error - " + e.toString()); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } - float currentBalance = getAccountBalance(accountNumber, applicationRoot); - String bankForm = "

" + bundle.getString("bankForm.yourAccount") + "

" + - "

" + bundle.getString("bankForm.yourAccount.balance") + "

" + currentBalance + "

"; - if(currentBalance > 5000000) - { - //Level Complete As the user has more than 5000000 in account. Return Key - bankForm += "

" + bundle.getString("result.complete") + "

" + bundle.getString("result.wellDone") + "

" - + "" + bundle.getString("result.theKeyIs") + " " + Hash.generateUserSolution(levelResult, (String)ses.getAttribute("userName")) + ""; - } - bankForm += "" - + "" - + "

" + bundle.getString("bankForm.transferFunds") + "

" + bundle.getString("bankForm.transferFunds.whatToDo") + "

" - + "
" - + "" - + "" - + "" - + "
" + bundle.getString("bankForm.recieverNumber") + "
" + bundle.getString("bankForm.amountToSend") + "
" - + "
" - + "

" + bundle.getString("bankForm.refreshBalance") + "

" + bundle.getString("bankForm.refreshBalance.whatToDo") + "

" - + "
" - + "
" - + "
" - + "
" - + "

" + bundle.getString("bankForm.logoutOfAccount") + "

" + bundle.getString("bankForm.logoutOfAccount.whatToDo") + "

" - + "
" - + "
" - + "
" - + "
"; - return bankForm; - } + /** + * Method used to return the bank interaction view for the user that is signed into the Direct + * Object Bank challenge + * + * @param accountNumber + * @param applicationRoot + * @param ses + * @param bundle + * @param errors + * @return + * @throws SQLException + */ + public static String bankForm( + String accountNumber, + String applicationRoot, + HttpSession ses, + ResourceBundle bundle, + ResourceBundle errors) + throws SQLException { - /** - * Method used to return the bank interaction view for the user that is signed into the Direct Object Bank challenge. This method pulls the local level translation from the session submitted - * @param accountNumber - * @param applicationRoot - * @param ses - * @return - * @throws SQLException - */ - public static String bankForm(String accountNumber, String applicationRoot, HttpSession ses) throws SQLException - { - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(ses)); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectBank", locale); + float currentBalance = getAccountBalance(accountNumber, applicationRoot); + String bankForm = + "

" + + bundle.getString("bankForm.yourAccount") + + "

" + + "

" + + bundle.getString("bankForm.yourAccount.balance") + + "

" + + currentBalance + + "

"; + if (currentBalance > 5000000) { + // Level Complete As the user has more than 5000000 in account. Return Key + bankForm += + "

" + + bundle.getString("result.complete") + + "

" + + bundle.getString("result.wellDone") + + "

" + + "" + + bundle.getString("result.theKeyIs") + + " " + + Hash.generateUserSolution(levelResult, (String) ses.getAttribute("userName")) + + ""; + } + bankForm += + "" + + "" + + "

" + + bundle.getString("bankForm.transferFunds") + + "

" + + bundle.getString("bankForm.transferFunds.whatToDo") + + "

" + + "" + + "" + + "
" + + bundle.getString("bankForm.recieverNumber") + + "
" + + bundle.getString("bankForm.amountToSend") + + "
" + + "
" + + "

" + + bundle.getString("bankForm.refreshBalance") + + "

" + + bundle.getString("bankForm.refreshBalance.whatToDo") + + "

" + + "
" + + "
" + + "

" + + bundle.getString("bankForm.logoutOfAccount") + + "

" + + bundle.getString("bankForm.logoutOfAccount.whatToDo") + + "

" + + "
" + + "
" + + "
" + + "
"; + return bankForm; + } + /** + * Method used to return the bank interaction view for the user that is signed into the Direct + * Object Bank challenge. This method pulls the local level translation from the session submitted + * + * @param accountNumber + * @param applicationRoot + * @param ses + * @return + * @throws SQLException + */ + public static String bankForm(String accountNumber, String applicationRoot, HttpSession ses) + throws SQLException { + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(ses)); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectBank", locale); - float currentBalance = getAccountBalance(accountNumber, applicationRoot); - String bankForm = "

" + bundle.getString("bankForm.yourAccount") + "

" + - "

" + bundle.getString("bankForm.yourAccount.balance") + "

" + currentBalance + "

"; - if(currentBalance > 5000000) - { - //Level Complete As the user has more than 5000000 in account. Return Key - bankForm += "

" + bundle.getString("result.complete") + "

" + bundle.getString("result.wellDone") + "

" - + "" + bundle.getString("result.theKeyIs") + " " + Encode.forHtml(Hash.generateUserSolution(levelResult, (String)ses.getAttribute("userName"))) + ""; - } - bankForm += "" - + "" - + "

" + bundle.getString("bankForm.transferFunds") + "

" + bundle.getString("bankForm.transferFunds.whatToDo") + "

" - + "
" - + "" - + "" - + "" - + "
" + bundle.getString("bankForm.recieverNumber") + "
" + bundle.getString("bankForm.amountToSend") + "
" - + "
" - + "

" + bundle.getString("bankForm.refreshBalance") + "

" + bundle.getString("bankForm.refreshBalance.whatToDo") + "

" - + "
" - + "
" - + "
" - + "
" - + "

" + bundle.getString("bankForm.logoutOfAccount") + "

" + bundle.getString("bankForm.logoutOfAccount.whatToDo") + "

" - + "
" - + "
" - + "
" - + "
"; - return bankForm; - } + float currentBalance = getAccountBalance(accountNumber, applicationRoot); + String bankForm = + "

" + + bundle.getString("bankForm.yourAccount") + + "

" + + "

" + + bundle.getString("bankForm.yourAccount.balance") + + "

" + + currentBalance + + "

"; + if (currentBalance > 5000000) { + // Level Complete As the user has more than 5000000 in account. Return Key + bankForm += + "

" + + bundle.getString("result.complete") + + "

" + + bundle.getString("result.wellDone") + + "

" + + "" + + bundle.getString("result.theKeyIs") + + " " + + Encode.forHtml( + Hash.generateUserSolution(levelResult, (String) ses.getAttribute("userName"))) + + ""; + } + bankForm += + "" + + "" + + "

" + + bundle.getString("bankForm.transferFunds") + + "

" + + bundle.getString("bankForm.transferFunds.whatToDo") + + "

" + + "" + + "" + + "
" + + bundle.getString("bankForm.recieverNumber") + + "
" + + bundle.getString("bankForm.amountToSend") + + "
" + + "
" + + "

" + + bundle.getString("bankForm.refreshBalance") + + "

" + + bundle.getString("bankForm.refreshBalance.whatToDo") + + "

" + + "
" + + "
" + + "

" + + bundle.getString("bankForm.logoutOfAccount") + + "

" + + bundle.getString("bankForm.logoutOfAccount.whatToDo") + + "

" + + "
" + + "
" + + "
" + + "
"; + return bankForm; + } - /** - * Method to get the account balance from the DirectObjectBank for a specific account - * @param accountNumber The Account Number to Check the Balance Of - * @param applicationRoot Running Context of the application - * @return Returns a Float Value representing the balance - * @throws SQLException If no rows found or if SQL error occurs - */ - public static float getAccountBalance(String accountNumber, String applicationRoot) throws SQLException { - Connection conn = Database.getChallengeConnection(applicationRoot, "directObjectBank"); - CallableStatement callstmt; - float toReturn = 0; - try - { + /** + * Method to get the account balance from the DirectObjectBank for a specific account + * + * @param accountNumber The Account Number to Check the Balance Of + * @param applicationRoot Running Context of the application + * @return Returns a Float Value representing the balance + * @throws SQLException If no rows found or if SQL error occurs + */ + public static float getAccountBalance(String accountNumber, String applicationRoot) + throws SQLException { + Connection conn = Database.getChallengeConnection(applicationRoot, "directObjectBank"); + CallableStatement callstmt; + float toReturn = 0; + try { - callstmt = conn.prepareCall("CALL currentFunds(?)"); - callstmt.setString(1, accountNumber); - ResultSet rs = callstmt.executeQuery(); - if(rs.next()) - { - toReturn = rs.getFloat(1); - } - else - { - throw new SQLException("Could not Get Funds. No Rows Found From Query"); - } - } - catch (SQLException e) - { - throw e; - } - conn.close(); - return toReturn; - } + callstmt = conn.prepareCall("CALL currentFunds(?)"); + callstmt.setString(1, accountNumber); + ResultSet rs = callstmt.executeQuery(); + if (rs.next()) { + toReturn = rs.getFloat(1); + } else { + throw new SQLException("Could not Get Funds. No Rows Found From Query"); + } + } catch (SQLException e) { + throw e; + } + conn.close(); + return toReturn; + } } 
diff --git a/src/main/java/servlets/module/challenge/DirectObjectBankLogout.java b/src/main/java/servlets/module/challenge/DirectObjectBankLogout.java index 420392f55..2d376a1bb 100644 --- a/src/main/java/servlets/module/challenge/DirectObjectBankLogout.java +++ b/src/main/java/servlets/module/challenge/DirectObjectBankLogout.java @@ -4,72 +4,69 @@ import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; /** - * Insecure Direct Object Reference Bank Challenge Logout Function - * DOES NOT RETURN RESULT KEY - *

+ * Insecure Direct Object Reference Bank Challenge Logout Function DOES NOT RETURN RESULT KEY
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class DirectObjectBankLogout extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(DirectObjectBankLogout.class); - private static String levelName = "Insecure Direct Object Bank Challenge (Logout)"; - public static String levelHash = "1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00c"; - /** - * This Servlet is used by a user to Sign out of a Bank Account Session in the Insecure Direct Bank Challenge - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class DirectObjectBankLogout extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(DirectObjectBankLogout.class); + private static String levelName = "Insecure Direct Object Bank Challenge (Logout)"; + public static String levelHash = + "1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00c"; + + /** + * This Servlet is used by a user to Sign out of a Bank Account Session in the Insecure Direct + * Bank Challenge + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - 
ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectBank", locale);
+ // Translation Stuff
+ Locale locale = new Locale(Validate.validateLanguage(request.getSession()));
+ ResourceBundle bundle =
+ ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectBank", locale);
- if(Validate.validateSession(ses))
- {
- ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString());
- log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString());
- PrintWriter out = response.getWriter();
- out.print(getServletInfo());
- ses.removeAttribute("directObjectBankAccount");
- out.write(bundle.getString("logout.loggedOut"));
- }
- else
- {
- log.error(levelName + " servlet accessed with no session");
- }
- }
+ if (Validate.validateSession(ses)) {
+ ShepherdLogManager.setRequestIp(
+ request.getRemoteAddr(),
+ request.getHeader("X-Forwarded-For"),
+ ses.getAttribute("userName").toString());
+ log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString());
+ PrintWriter out = response.getWriter();
+ out.print(getServletInfo());
+ ses.removeAttribute("directObjectBankAccount");
+ out.write(bundle.getString("logout.loggedOut"));
+ } else {
+ log.error(levelName + " servlet accessed with no session");
+ }
+ }
 }
diff --git a/src/main/java/servlets/module/challenge/DirectObjectBankRegistration.java b/src/main/java/servlets/module/challenge/DirectObjectBankRegistration.java
index 0ea47f3ea..941027a84 100644
--- a/src/main/java/servlets/module/challenge/DirectObjectBankRegistration.java
+++ b/src/main/java/servlets/module/challenge/DirectObjectBankRegistration.java
@@ -1,5 +1,6 @@
 package servlets.module.challenge;
+import dbProcs.Database;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.sql.CallableStatement;
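Review bot: `levelHash` remains a mutable `public static String` in the reformatted DirectObjectBankLogout class, so any code in the process can reassign the challenge hash at runtime; it should read `public static final String levelHash = "1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00c";` and `levelName` likewise `private static final String levelName = ...;`. `doPost` also lacks `@Override`, which would let the compiler confirm the servlet signature. The same two points apply to the DirectObjectBankRegistration, DirectObjectBankTransfer and NoSqlInjection1 hunks below.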
@@ -7,102 +8,91 @@ import java.sql.SQLException; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * Insecure Direct Object Reference Bank Challenge Registration Function - * DOES NOT RETURN RESULT KEY - *

+ * Insecure Direct Object Reference Bank Challenge Registration Function DOES NOT RETURN RESULT KEY + *
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class DirectObjectBankRegistration extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(DirectObjectBankRegistration.class); - private static String levelName = "Insecure Direct Object Bank Challenge (Register)"; - public static String levelHash = "1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00c"; - /** - * This Servlet is used to register a new bank account - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class DirectObjectBankRegistration extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(DirectObjectBankRegistration.class); + private static String levelName = "Insecure Direct Object Bank Challenge (Register)"; + public static String levelHash = + "1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00c"; + + /** This Servlet is used to register a new bank account */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - 
ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectBank", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectBank", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - String accountHolder = request.getParameter("accountHolder"); - log.debug("Account Holder - " + accountHolder); - String accountPass = request.getParameter("accountPass"); - log.debug("Account Pass - " + accountPass); - String applicationRoot = getServletContext().getRealPath(""); - String htmlOutput = new String(); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + String accountHolder = request.getParameter("accountHolder"); + log.debug("Account Holder - " + accountHolder); + String accountPass = request.getParameter("accountPass"); + log.debug("Account Pass - " + accountPass); + String applicationRoot = getServletContext().getRealPath(""); + String htmlOutput = new String(); - Connection conn = Database.getChallengeConnection(applicationRoot, "directObjectBank"); - CallableStatement callstmt = conn.prepareCall("CALL createAccount(?, ?)"); - callstmt.setString(1, accountHolder); - 
callstmt.setString(2, accountPass);
- callstmt.execute();
- log.debug("Sucessfully ran create account procedure.");
- log.debug("Outputting HTML");
- htmlOutput = bundle.getString("register.accountCreated");
- out.write(htmlOutput);
- Database.closeConnection(conn);
- }
- catch(SQLException e)
- {
- out.write(errors.getString("error.funky") + " " + bundle.getString("register.error"));
- log.fatal(levelName + " SQL Error - " + e.toString());
- }
- catch(Exception e)
- {
- out.write(errors.getString("error.funky"));
- log.fatal(levelName + " - " + e.toString());
- }
- }
- else
- {
- log.error(levelName + " servlet accessed with no session");
- }
- }
+ Connection conn = Database.getChallengeConnection(applicationRoot, "directObjectBank");
+ CallableStatement callstmt = conn.prepareCall("CALL createAccount(?, ?)");
+ callstmt.setString(1, accountHolder);
+ callstmt.setString(2, accountPass);
+ callstmt.execute();
+ log.debug("Sucessfully ran create account procedure.");
+ log.debug("Outputting HTML");
+ htmlOutput = bundle.getString("register.accountCreated");
+ out.write(htmlOutput);
+ Database.closeConnection(conn);
+ } catch (SQLException e) {
+ out.write(errors.getString("error.funky") + " " + bundle.getString("register.error"));
+ log.fatal(levelName + " SQL Error - " + e.toString());
+ } catch (Exception e) {
+ out.write(errors.getString("error.funky"));
+ log.fatal(levelName + " - " + e.toString());
+ }
+ } else {
+ log.error(levelName + " servlet accessed with no session");
+ }
+ }
 }
diff --git a/src/main/java/servlets/module/challenge/DirectObjectBankTransfer.java b/src/main/java/servlets/module/challenge/DirectObjectBankTransfer.java
index a6c8bc822..95c3f2953 100644
--- a/src/main/java/servlets/module/challenge/DirectObjectBankTransfer.java
+++ b/src/main/java/servlets/module/challenge/DirectObjectBankTransfer.java
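Review bot: `log.debug("Account Pass - " + accountPass);` writes the submitted password to the application log in clear text, and the reformat carries it over unchanged; it should be removed, or at most reduced to `log.debug("Account Pass supplied: " + (accountPass != null));`. In the same `doPost`, `Database.closeConnection(conn);` is reached only on the success path, so when `CALL createAccount(?, ?)` throws `SQLException` the connection returned by `Database.getChallengeConnection` is never released; declaring `Connection conn = null;` before the `try` and moving `Database.closeConnection(conn);` into a `finally` (guarded by `if (conn != null)`) closes it on every path, assuming `closeConnection` tolerates a null argument or the guard is kept. The same leak pattern sits in the `performTransfer` branch of the DirectObjectBankTransfer hunk below.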
@@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.CallableStatement; @@ -7,144 +8,134 @@ import java.sql.SQLException; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * Insecure Direct Object Reference Bank Challenge Transfer Funds Function - * DOES NOT RETURN RESULT KEY - *

+ * Insecure Direct Object Reference Bank Challenge Transfer Funds Function DOES NOT RETURN RESULT + * KEY
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class DirectObjectBankTransfer extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(DirectObjectBankTransfer.class); - private static String levelName = "Insecure Direct Object Bank Challenge (Transfer)"; - public static String levelHash = "1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00c"; - /** - * This Servlet is used to transfer funds from one bank account to another, insecurely, in the Direct Object Reference Bank challenge - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class DirectObjectBankTransfer extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(DirectObjectBankTransfer.class); + private static String levelName = "Insecure Direct Object Bank Challenge (Transfer)"; + public static String levelHash = + "1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00c"; + + /** + * This Servlet is used to transfer funds from one bank account to another, insecurely, in the + * Direct Object Reference Bank challenge + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new 
Locale(Validate.validateLanguage(request.getSession()));
- ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale);
- ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectBank", locale);
+ // Translation Stuff
+ Locale locale = new Locale(Validate.validateLanguage(request.getSession()));
+ ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale);
+ ResourceBundle bundle =
+ ResourceBundle.getBundle("i18n.servlets.challenges.directObject.directObjectBank", locale);
- if(Validate.validateSession(ses))
- {
- ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString());
- log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString());
- PrintWriter out = response.getWriter();
- out.print(getServletInfo());
- boolean performTransfer = false;
- String errorMessage = new String();
- String applicationRoot = getServletContext().getRealPath("");
- try
- {
- String senderAccountNumber = request.getParameter("senderAccountNumber");
- log.debug("Sender Account Number - " + senderAccountNumber);
- String recieverAccountNumber = request.getParameter("recieverAccountNumber");
- log.debug("Reciever Account Number - " + recieverAccountNumber);
- String transferAmountString = request.getParameter("transferAmount");
- log.debug("Transfer Amount - " + transferAmountString);
- float tranferAmount = Float.parseFloat(transferAmountString);
+ if (Validate.validateSession(ses)) {
+ ShepherdLogManager.setRequestIp(
+ request.getRemoteAddr(),
+ request.getHeader("X-Forwarded-For"),
+ ses.getAttribute("userName").toString());
+ log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString());
+ PrintWriter out = response.getWriter();
+ out.print(getServletInfo());
+ boolean performTransfer = false;
+ String errorMessage = new String();
+ String applicationRoot = 
getServletContext().getRealPath("");
+ try {
+ String senderAccountNumber = request.getParameter("senderAccountNumber");
+ log.debug("Sender Account Number - " + senderAccountNumber);
+ String recieverAccountNumber = request.getParameter("recieverAccountNumber");
+ log.debug("Reciever Account Number - " + recieverAccountNumber);
+ String transferAmountString = request.getParameter("transferAmount");
+ log.debug("Transfer Amount - " + transferAmountString);
+ float tranferAmount = Float.parseFloat(transferAmountString);
- //Data Validation
- //Positive Transfer Amount?
- if(tranferAmount > 0)
- {
- //Sender Account Has necessary funds?
- float senderFunds = DirectObjectBankLogin.getAccountBalance(senderAccountNumber, applicationRoot);
- if((senderFunds-tranferAmount) > 0)
- {
- //Check Receiver Account Exists
- try
- {
- float recieverAccountBalanace = DirectObjectBankLogin.getAccountBalance(recieverAccountNumber, applicationRoot);
- if(recieverAccountBalanace >= 0)
- performTransfer = true;
- }
- catch(Exception e)
- {
- log.debug("Reciever Account does not exist. Cancelling");
- errorMessage = bundle.getString("transfer.error.recieverNotFound");
- }
- }
- else
- errorMessage = bundle.getString("transfer.error.notEnoughCash");
- }
- else
- errorMessage = bundle.getString("transfer.error.moreThanZero");
+ // Data Validation
+ // Positive Transfer Amount?
+ if (tranferAmount > 0) {
+ // Sender Account Has necessary funds?
+ float senderFunds =
+ DirectObjectBankLogin.getAccountBalance(senderAccountNumber, applicationRoot);
+ if ((senderFunds - tranferAmount) > 0) {
+ // Check Receiver Account Exists
+ try {
+ float recieverAccountBalanace =
+ DirectObjectBankLogin.getAccountBalance(recieverAccountNumber, applicationRoot);
+ if (recieverAccountBalanace >= 0) {
+ performTransfer = true;
+ }
+ } catch (Exception e) {
+ log.debug("Reciever Account does not exist. 
Cancelling");
+ errorMessage = bundle.getString("transfer.error.recieverNotFound");
+ }
+ } else {
+ errorMessage = bundle.getString("transfer.error.notEnoughCash");
+ }
+ } else {
+ errorMessage = bundle.getString("transfer.error.moreThanZero");
+ }
- String htmlOutput = new String();
- if(performTransfer)
- {
- log.debug("Valid Data Submitted, transfering Funds...");
- Connection conn = Database.getChallengeConnection(applicationRoot, "directObjectBank");
- CallableStatement callstmt = conn.prepareCall("CALL transferFunds(?, ?, ?)");
- callstmt.setString(1, senderAccountNumber);
- callstmt.setString(2, recieverAccountNumber);
- callstmt.setFloat(3, tranferAmount);
- callstmt.execute();
- log.debug("Sucessfully ran Transfer Funds procedure.");
- htmlOutput = bundle.getString("transfer.success");
- Database.closeConnection(conn);
- }
- else
- {
- log.debug("Invalid Data Detected: " + errorMessage);
- htmlOutput = bundle.getString("transfer.error.occurred") + " " + errorMessage;
- }
- log.debug("Outputting HTML");
- out.write(htmlOutput);
- }
- catch(SQLException e)
- {
- out.write(errors.getString("error.funky") + " " + bundle.getString("transfer.error.couldNotTransfer"));
- log.fatal(levelName + " SQL Error - " + e.toString());
- }
- catch(Exception e)
- {
- out.write(errors.getString("error.funky"));
- log.fatal(levelName + " - " + e.toString());
- }
- }
- else
- {
- log.error(levelName + " servlet accessed with no session");
- }
- }
+ String htmlOutput = new String();
+ if (performTransfer) {
+ log.debug("Valid Data Submitted, transfering Funds...");
+ Connection conn = Database.getChallengeConnection(applicationRoot, "directObjectBank");
+ CallableStatement callstmt = conn.prepareCall("CALL transferFunds(?, ?, ?)");
+ callstmt.setString(1, senderAccountNumber);
+ callstmt.setString(2, recieverAccountNumber);
+ callstmt.setFloat(3, tranferAmount);
+ callstmt.execute();
+ log.debug("Sucessfully ran Transfer Funds procedure.");
+ htmlOutput = 
bundle.getString("transfer.success"); + Database.closeConnection(conn); + } else { + log.debug("Invalid Data Detected: " + errorMessage); + htmlOutput = bundle.getString("transfer.error.occurred") + " " + errorMessage; + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } catch (SQLException e) { + out.write( + errors.getString("error.funky") + + " " + + bundle.getString("transfer.error.couldNotTransfer")); + log.fatal(levelName + " SQL Error - " + e.toString()); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/NoSqlInjection1.java b/src/main/java/servlets/module/challenge/NoSqlInjection1.java index d558ae32b..4116302fe 100644 --- a/src/main/java/servlets/module/challenge/NoSqlInjection1.java +++ b/src/main/java/servlets/module/challenge/NoSqlInjection1.java 
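Review bot: The sufficient-funds check `if ((senderFunds - tranferAmount) > 0)` is evaluated in the servlet against a balance fetched by a separate `getAccountBalance` call, so it is not atomic with the later `CALL transferFunds(?, ?, ?)`; two requests handled concurrently can both pass against the same stale balance, and the guard belongs inside the stored procedure's transaction, with the servlet check kept only as a fast-fail. The comparison also rejects transferring the exact balance, which reads as if `>= 0` was intended. Amounts are carried as `float` through `Float.parseFloat(transferAmountString)` and `callstmt.setFloat(3, tranferAmount)`, which loses precision for money; `BigDecimal` with `setBigDecimal` is the conventional choice, assuming the procedure's parameter type allows it.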
@@ -1,172 +1,181 @@ package servlets.module.challenge; -import java.io.IOException; -import java.io.PrintWriter; -import java.util.Locale; -import java.util.ResourceBundle; - -import javax.servlet.ServletException; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; +import static dbProcs.MongoDatabase.getMongoDatabase; +import static dbProcs.MongoDatabase.getMongoDbConnection; import com.mongodb.BasicDBObject; import com.mongodb.DB; -import com.mongodb.DBObject; import com.mongodb.DBCollection; import com.mongodb.DBCursor; +import com.mongodb.DBObject; import com.mongodb.MongoClient; import com.mongodb.MongoCredential; import com.mongodb.MongoException; import com.mongodb.MongoSocketException; import com.mongodb.MongoTimeoutException; - import dbProcs.MongoDatabase; -import org.apache.logging.log4j.Logger; +import java.io.IOException; +import java.io.PrintWriter; +import java.util.Locale; +import java.util.ResourceBundle; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - import utils.ShepherdLogManager; import utils.Validate; -import static dbProcs.MongoDatabase.getMongoDatabase; -import static dbProcs.MongoDatabase.getMongoDbConnection; - /** - * NoSQL Injection Challenge One - Does not use user specific key
- *
+ * NoSQL Injection Challenge One - Does not use user specific key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it - * and/or modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, either version 3 of the License, - * or (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be - * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General - * Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License along with - * the Security Shepherd project. If not, see . + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * * @author Paul McCann - * */ public class NoSqlInjection1 extends HttpServlet { - // Sql Challenge 3 - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(NoSqlInjection1.class); - private static String levelName = "NoSQL Injection Challenge One"; - public static String levelHash = "d63c2fb5da9b81ca26237f1308afe54491d1bacf9fffa0b21a072b03c5bafe66"; - - // private static String levelResult = ""; // Stored in Vulnerable DB. Not User - // Specific - /** - * Users have to use NoSQL injection to get a specific user (Marlo) gamer ID. - * The query they are injecting into by default only outputs usernames. The - * input they enter is also been filtered. theGamerName User name used in - * database look up. - */ - public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - // Setting IpAddress To Log and taking header for original IP if forwarded from - // proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - // Attempting to recover user name of session that made request - HttpSession ses = request.getSession(true); - if (Validate.validateSession(ses)) { - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.injection.nosql", locale); - - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), - ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); - - DBCollection dbCollection; - MongoCredential credential; - MongoClient mongoClient = null; - DB mongoDb; - 
String dbCollectionName; - DBCursor cursor; - Object id; - Object name; - Object address; - - try { - String applicationRoot = getServletContext().getRealPath(""); - log.debug("Servlet root = " + applicationRoot); - - credential = MongoDatabase.getMongoChallengeCredentials(applicationRoot, "NoSqlInjection1"); - log.debug("Credentials created"); - mongoClient = getMongoDbConnection(applicationRoot, credential); - log.debug("Client created"); - mongoDb = getMongoDatabase(mongoClient); - log.debug("Database DB connection acquired"); - dbCollectionName = MongoDatabase.getMongoChallengeCollName(applicationRoot, "NoSqlInjection1"); - dbCollection = mongoDb.getCollection(dbCollectionName); - - String gamerId = request.getParameter("theGamerName"); - log.debug("User Submitted: " + gamerId); - - DBObject whereQuery = new BasicDBObject("$where", "this._id == '" + gamerId + "'"); - cursor = dbCollection.find(whereQuery); - - try { - int i = 0; - htmlOutput = "

Gamer Info

"; - htmlOutput += ""; - - log.debug("Opening Result Set from query"); - - while (cursor.hasNext()) { - DBObject result = cursor.next(); - id = result.get("_id"); - name = result.get("name"); - address = result.get("address"); - - log.debug(bundle.getString("results.queryResult") + result.toString()); - htmlOutput += ""; - i++; - } - htmlOutput += "
GamerIdNameAddress
" + Encode.forHtml(id.toString()) + "" - + Encode.forHtml(name.toString()) + "" + Encode.forHtml(address.toString()) - + "
"; - if (i == 0) { - htmlOutput = "

" + bundle.getString("result.none") + "

"; - } - - } catch (MongoTimeoutException e) { - log.fatal(bundle.getString("result.mongoError") + e.toString()); - htmlOutput += "

Mongo Timeout Occured

" + "

" + Encode.forHtml(e.toString()) + "

"; - } catch (MongoException e) { - log.error(bundle.getString("result.mongoError") + e.toString()); - htmlOutput += "

An error was detected!

" + "

" + Encode.forHtml(e.toString()) + "

"; - } catch (Exception e) { - out.write("An Error Occurred! You must be getting funky!"); - log.fatal(levelName + " - " + e.toString()); - } finally { - cursor.close(); - mongoClient.close(); - } - } catch (MongoSocketException e) { - log.error(bundle.getString("result.mongoError") + e.toString()); - htmlOutput += "

An error was detected!

" + "

" + Encode.forHtml(e.toString()) + "

"; - } catch (MongoException e) { - log.fatal("MongoDb Error caught - " + e.toString()); - htmlOutput += "

An error was detected!

" + "

" + Encode.forHtml(e.toString()) + "

"; - } finally { - mongoClient.close(); - } - - log.debug("Outputting HTML"); - out.write(htmlOutput); - } else { - log.error(levelName + " servlet accessed with no session"); - } - } + + // Sql Challenge 3 + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(NoSqlInjection1.class); + private static String levelName = "NoSQL Injection Challenge One"; + public static String levelHash = + "d63c2fb5da9b81ca26237f1308afe54491d1bacf9fffa0b21a072b03c5bafe66"; + + // private static String levelResult = ""; // Stored in Vulnerable DB. Not User + // Specific + + /** + * Users have to use NoSQL injection to get a specific user (Marlo) gamer ID. The query they are + * injecting into by default only outputs usernames. The input they enter is also been filtered. + * theGamerName User name used in database look up. + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from + // proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + // Attempting to recover user name of session that made request + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.injection.nosql", locale); + + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); + + DBCollection dbCollection; + MongoCredential credential; + MongoClient mongoClient = null; + DB mongoDb; + String 
dbCollectionName; + DBCursor cursor; + Object id; + Object name; + Object address; + + try { + String applicationRoot = getServletContext().getRealPath(""); + log.debug("Servlet root = " + applicationRoot); + + credential = MongoDatabase.getMongoChallengeCredentials(applicationRoot, "NoSqlInjection1"); + log.debug("Credentials created"); + mongoClient = getMongoDbConnection(applicationRoot, credential); + log.debug("Client created"); + mongoDb = getMongoDatabase(mongoClient); + log.debug("Database DB connection acquired"); + dbCollectionName = + MongoDatabase.getMongoChallengeCollName(applicationRoot, "NoSqlInjection1"); + dbCollection = mongoDb.getCollection(dbCollectionName); + + String gamerId = request.getParameter("theGamerName"); + log.debug("User Submitted: " + gamerId); + + DBObject whereQuery = new BasicDBObject("$where", "this._id == '" + gamerId + "'"); + cursor = dbCollection.find(whereQuery); + + try { + int i = 0; + htmlOutput = "

Gamer Info

"; + htmlOutput += ""; + + log.debug("Opening Result Set from query"); + + while (cursor.hasNext()) { + DBObject result = cursor.next(); + id = result.get("_id"); + name = result.get("name"); + address = result.get("address"); + + log.debug(bundle.getString("results.queryResult") + result.toString()); + htmlOutput += + ""; + i++; + } + htmlOutput += "
GamerIdNameAddress
" + + Encode.forHtml(id.toString()) + + "" + + Encode.forHtml(name.toString()) + + "" + + Encode.forHtml(address.toString()) + + "
"; + if (i == 0) { + htmlOutput = "

" + bundle.getString("result.none") + "

"; + } + + } catch (MongoTimeoutException e) { + log.fatal(bundle.getString("result.mongoError") + e.toString()); + htmlOutput += + "

Mongo Timeout Occured

" + "

" + Encode.forHtml(e.toString()) + "

"; + } catch (MongoException e) { + log.error(bundle.getString("result.mongoError") + e.toString()); + htmlOutput += + "

An error was detected!

" + "

" + Encode.forHtml(e.toString()) + "

"; + } catch (Exception e) { + out.write("An Error Occurred! You must be getting funky!"); + log.fatal(levelName + " - " + e.toString()); + } finally { + cursor.close(); + mongoClient.close(); + } + } catch (MongoSocketException e) { + log.error(bundle.getString("result.mongoError") + e.toString()); + htmlOutput += + "

An error was detected!

" + "

" + Encode.forHtml(e.toString()) + "

"; + } catch (MongoException e) { + log.fatal("MongoDb Error caught - " + e.toString()); + htmlOutput += + "

An error was detected!

" + "

" + Encode.forHtml(e.toString()) + "

"; + } finally { + mongoClient.close(); + } + + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/PoorValidation1.java b/src/main/java/servlets/module/challenge/PoorValidation1.java index 919c61320..6d51f04e8 100644 --- a/src/main/java/servlets/module/challenge/PoorValidation1.java +++ b/src/main/java/servlets/module/challenge/PoorValidation1.java @@ -4,16 +4,13 @@ import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; @@ -22,95 +19,107 @@ * Level : Poor Validation 1
*
* - * This file is part of the Security Shepherd Project. + *

This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it - * and/or modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, either version 3 of the License, - * or (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be - * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General - * Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License along with - * the Security Shepherd project. If not, see . + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * * @author Mark Denihan - * */ public class PoorValidation1 extends HttpServlet { - private static final String levelName = "Poor Validation 2"; - private static String levelSolution = "d30475881612685092e5ec469317dcc5ccc1f548a97bfdb041236b5bba7627bf"; - public static String levelHash = "ca0e89caf3c50dbf9239a0b3c6f6c17869b2a1e2edc3aa6f029fd30925d66c7e"; - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(PoorValidation1.class); - /** - * Shopping cart addition algorithm does not check for negative numbers on - * amounts - */ - public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - // Setting IpAddress To Log and taking header for original IP if forwarded from - // proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); - if (Validate.validateSession(ses)) { - // Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle bundle = ResourceBundle - .getBundle("i18n.servlets.challenges.poorValidation.poorValidationStrings", locale); + private static final String levelName = "Poor Validation 2"; + private static String levelSolution = + "d30475881612685092e5ec469317dcc5ccc1f548a97bfdb041236b5bba7627bf"; + public static String levelHash = + "ca0e89caf3c50dbf9239a0b3c6f6c17869b2a1e2edc3aa6f029fd30925d66c7e"; + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(PoorValidation1.class); + + /** Shopping cart addition algorithm does not check for negative numbers on amounts */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking 
header for original IP if forwarded from + // proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.poorValidation.poorValidationStrings", locale); - String currentUser = ses.getAttribute("userName").toString(); - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), currentUser); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); - try { - int pineappleAmount = Integer.parseInt(request.getParameter("pineappleAmount")); - log.debug("pineappleAmount - " + pineappleAmount); - int orangeAmount = Integer.parseInt(request.getParameter("orangeAmount")); - log.debug("orangeAmount - " + orangeAmount); - int appleAmount = Integer.parseInt(request.getParameter("appleAmount")); - log.debug("appleAmount - " + appleAmount); - int bananaAmount = Integer.parseInt(request.getParameter("bananaAmount")); - log.debug("bananaAmount - " + bananaAmount); + String currentUser = ses.getAttribute("userName").toString(); + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), currentUser); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); + try { + int pineappleAmount = Integer.parseInt(request.getParameter("pineappleAmount")); + log.debug("pineappleAmount - " + pineappleAmount); + int orangeAmount = Integer.parseInt(request.getParameter("orangeAmount")); + log.debug("orangeAmount - " + 
orangeAmount); + int appleAmount = Integer.parseInt(request.getParameter("appleAmount")); + log.debug("appleAmount - " + appleAmount); + int bananaAmount = Integer.parseInt(request.getParameter("bananaAmount")); + log.debug("bananaAmount - " + bananaAmount); - // Working out costs - int pineappleCost = pineappleAmount * 30; - int orangeCost = orangeAmount * 3000; - int appleCost = appleAmount * 45; - int bananaCost = bananaAmount * 15; + // Working out costs + int pineappleCost = pineappleAmount * 30; + int orangeCost = orangeAmount * 3000; + int appleCost = appleAmount * 45; + int bananaCost = bananaAmount * 15; - htmlOutput = new String(); + htmlOutput = new String(); - // Work Out Final Cost - int finalCost = pineappleCost + appleCost + bananaCost + orangeCost; + // Work Out Final Cost + int finalCost = pineappleCost + appleCost + bananaCost + orangeCost; - // Output Order - htmlOutput = "

" + bundle.getString("poorValidation.orderComplete") + "

" + "

" - + bundle.getString("poorValidation.orderComplete.message") + "

" + "

" - + bundle.getString("poorValidation.orderTotal") + " $" + finalCost - + "

"; - if (finalCost <= 0 && orangeAmount > 0) { - htmlOutput += "

" + bundle.getString("poorValidation.freeOranges") + " - " - + Hash.generateUserSolution(levelSolution, currentUser) + "

"; - } + // Output Order + htmlOutput = + "

" + + bundle.getString("poorValidation.orderComplete") + + "

" + + "

" + + bundle.getString("poorValidation.orderComplete.message") + + "

" + + "

" + + bundle.getString("poorValidation.orderTotal") + + " $" + + finalCost + + "

"; + if (finalCost <= 0 && orangeAmount > 0) { + htmlOutput += + "

" + + bundle.getString("poorValidation.freeOranges") + + " - " + + Hash.generateUserSolution(levelSolution, currentUser) + + "

"; + } - } catch (Exception e) { - log.debug("Didn't complete order: " + e.toString()); - htmlOutput += "

" + bundle.getString("poorValidation.badOrder") + "

"; - } - try { - Thread.sleep(1000); - } catch (Exception e) { - log.error("Failed to Pause: " + e.toString()); - } - out.write(htmlOutput); - } else { - log.error(levelName + " servlet accessed with no session"); - } - } + } catch (Exception e) { + log.debug("Didn't complete order: " + e.toString()); + htmlOutput += "

" + bundle.getString("poorValidation.badOrder") + "

"; + } + try { + Thread.sleep(1000); + } catch (Exception e) { + log.error("Failed to Pause: " + e.toString()); + } + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/PoorValidation2.java b/src/main/java/servlets/module/challenge/PoorValidation2.java index 788f4a163..7934d867d 100644 --- a/src/main/java/servlets/module/challenge/PoorValidation2.java +++ b/src/main/java/servlets/module/challenge/PoorValidation2.java @@ -4,16 +4,13 @@ import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; @@ -22,100 +19,117 @@ * Level : Poor Validation 2
*
* - * This file is part of the Security Shepherd Project. + *

This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it - * and/or modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, either version 3 of the License, - * or (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be - * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General - * Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License along with - * the Security Shepherd project. If not, see . + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * * @author Mark Denihan - * */ public class PoorValidation2 extends HttpServlet { - private static final String levelName = "Poor Validation 2"; - private static String levelSolution = "05adf1e4afeb5550faf7edbec99170b40e79168ecb3a5da19943f05a3fe08c8e"; - public static String levelHash = "20e8c4bb50180fed9c1c8d1bf6af5eac154e97d3ce97e43257c76e73e3bbe5d5"; - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(PoorValidation2.class); - /** - * Shopping cart addition algorithm is vulnerable to integer overflow. If the - * cost is high enough, the final value will go negative. - */ - public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - // Setting IpAddress To Log and taking header for original IP if forwarded from - // proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); - if (Validate.validateSession(ses)) { - // Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle bundle = ResourceBundle - .getBundle("i18n.servlets.challenges.poorValidation.poorValidationStrings", locale); + private static final String levelName = "Poor Validation 2"; + private static String levelSolution = + "05adf1e4afeb5550faf7edbec99170b40e79168ecb3a5da19943f05a3fe08c8e"; + public static String levelHash = + "20e8c4bb50180fed9c1c8d1bf6af5eac154e97d3ce97e43257c76e73e3bbe5d5"; + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(PoorValidation2.class); + + /** + * Shopping cart addition algorithm is vulnerable to integer overflow. If the cost is high enough, + * the final value will go negative. 
+ */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from + // proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.poorValidation.poorValidationStrings", locale); - String currentUser = ses.getAttribute("userName").toString(); - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), currentUser); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); - try { - int pineappleAmount = validateAmount(Integer.parseInt(request.getParameter("pineappleAmount"))); - log.debug("pineappleAmount - " + pineappleAmount); - int orangeAmount = validateAmount(Integer.parseInt(request.getParameter("orangeAmount"))); - log.debug("orangeAmount - " + orangeAmount); - int appleAmount = validateAmount(Integer.parseInt(request.getParameter("appleAmount"))); - log.debug("appleAmount - " + appleAmount); - int bananaAmount = validateAmount(Integer.parseInt(request.getParameter("bananaAmount"))); - log.debug("bananaAmount - " + bananaAmount); + String currentUser = ses.getAttribute("userName").toString(); + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), currentUser); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); + try { + int pineappleAmount = + 
validateAmount(Integer.parseInt(request.getParameter("pineappleAmount"))); + log.debug("pineappleAmount - " + pineappleAmount); + int orangeAmount = validateAmount(Integer.parseInt(request.getParameter("orangeAmount"))); + log.debug("orangeAmount - " + orangeAmount); + int appleAmount = validateAmount(Integer.parseInt(request.getParameter("appleAmount"))); + log.debug("appleAmount - " + appleAmount); + int bananaAmount = validateAmount(Integer.parseInt(request.getParameter("bananaAmount"))); + log.debug("bananaAmount - " + bananaAmount); - // Working out costs - int pineappleCost = pineappleAmount * 30; - int orangeCost = orangeAmount * 3000; - int appleCost = appleAmount * 45; - int bananaCost = bananaAmount * 15; + // Working out costs + int pineappleCost = pineappleAmount * 30; + int orangeCost = orangeAmount * 3000; + int appleCost = appleAmount * 45; + int bananaCost = bananaAmount * 15; - htmlOutput = new String(); + htmlOutput = new String(); - // Work Out Final Cost - int finalCost = pineappleCost + orangeCost + bananaCost + appleCost; + // Work Out Final Cost + int finalCost = pineappleCost + orangeCost + bananaCost + appleCost; - // Output Order - htmlOutput = "

" + bundle.getString("poorValidation.orderComplete") + "

" + "

" - + bundle.getString("poorValidation.orderComplete.message") + "


" + "

" - + bundle.getString("poorValidation.orderTotal") + " $" + finalCost - + "

"; - if (finalCost <= 0 && orangeAmount > 0) { - htmlOutput += "

" + bundle.getString("poorValidation.freeOranges") + " - " - + Hash.generateUserSolution(levelSolution, currentUser) + "

"; - } - } catch (Exception e) { - log.debug("Didn't complete order: " + e.toString()); - htmlOutput += "

" + bundle.getString("poorValidation.badOrder") + "

"; - } - try { - Thread.sleep(1000); - } catch (Exception e) { - log.error("Failed to Pause: " + e.toString()); - } - out.write(htmlOutput); - } else { - log.error(levelName + " servlet accessed with no session"); - } - } + // Output Order + htmlOutput = + "

" + + bundle.getString("poorValidation.orderComplete") + + "

" + + "

" + + bundle.getString("poorValidation.orderComplete.message") + + "


" + + "

" + + bundle.getString("poorValidation.orderTotal") + + " $" + + finalCost + + "

"; + if (finalCost <= 0 && orangeAmount > 0) { + htmlOutput += + "

" + + bundle.getString("poorValidation.freeOranges") + + " - " + + Hash.generateUserSolution(levelSolution, currentUser) + + "

"; + } + } catch (Exception e) { + log.debug("Didn't complete order: " + e.toString()); + htmlOutput += "

" + bundle.getString("poorValidation.badOrder") + "

"; + } + try { + Thread.sleep(1000); + } catch (Exception e) { + log.error("Failed to Pause: " + e.toString()); + } + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } - private static int validateAmount(int amount) { - if (amount < 0) - amount = 0; - return amount; - } + private static int validateAmount(int amount) { + if (amount < 0) { + amount = 0; + } + return amount; + } } diff --git a/src/main/java/servlets/module/challenge/SecurityMisconfigStealTokens.java b/src/main/java/servlets/module/challenge/SecurityMisconfigStealTokens.java index ecdd17af5..baff497c5 100644 --- a/src/main/java/servlets/module/challenge/SecurityMisconfigStealTokens.java +++ b/src/main/java/servlets/module/challenge/SecurityMisconfigStealTokens.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.CallableStatement; @@ -8,217 +9,220 @@ import java.sql.SQLException; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * Security Misconfiguration Steal Tokens - *

+ * Security Misconfiguration Steal Tokens
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SecurityMisconfigStealTokens extends HttpServlet -{ - //Security Misconfiguration Challenge - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SecurityMisconfigStealTokens.class); - private static String levelName = "Security Misconfig Cookie Flags Servlet"; - public static String levelHash = "c4285bbc6734a10897d672c1ed3dd9417e0530a4e0186c27699f54637c7fb5d4"; - private static String levelResult = "92755de2ebb012e689caf8bfec629b1e237d23438427499b6bf0d7933f1b8215"; // Base Key. User is given user specific key - /** - * This servlet will return the key to complete as long as the cookie submitted is valid and does not belong to the user making the request - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.securityMisconfig.stealTokens", locale); +public class SecurityMisconfigStealTokens extends HttpServlet { + + // Security Misconfiguration Challenge + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SecurityMisconfigStealTokens.class); + private static String levelName = "Security Misconfig Cookie Flags Servlet"; + public static String levelHash = + 
"c4285bbc6734a10897d672c1ed3dd9417e0530a4e0186c27699f54637c7fb5d4"; + private static String levelResult = + "92755de2ebb012e689caf8bfec629b1e237d23438427499b6bf0d7933f1b8215"; // Base Key. User is given + // user specific key + + /** + * This servlet will return the key to complete as long as the cookie submitted is valid and does + * not belong to the user making the request + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.securityMisconfig.stealTokens", locale); - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); - try - { - String applicationRoot = getServletContext().getRealPath(""); + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); + try { + String applicationRoot = getServletContext().getRealPath(""); - String userId = ses.getAttribute("userStamp").toString(); - String 
userActualCookie = getUserToken(userId, applicationRoot); - //Getting Submitted Cookie - int i = 0; - Cookie[] userCookies = request.getCookies(); - Cookie theToken = null; - for(i = 0; i < userCookies.length; i++) - { - if(userCookies[i].getName().compareTo("securityMisconfigLesson") == 0) - { - theToken = userCookies[i]; - break; //End Loop, because we found the token - } - } - String cookieValue = theToken.getValue(); + String userId = ses.getAttribute("userStamp").toString(); + String userActualCookie = getUserToken(userId, applicationRoot); + // Getting Submitted Cookie + int i = 0; + Cookie[] userCookies = request.getCookies(); + Cookie theToken = null; + for (i = 0; i < userCookies.length; i++) { + if (userCookies[i].getName().compareTo("securityMisconfigLesson") == 0) { + theToken = userCookies[i]; + break; // End Loop, because we found the token + } + } + String cookieValue = theToken.getValue(); - log.debug("User Submitted Cookie: " + cookieValue); - log.debug("Stored Cookie Value : " + userActualCookie); + log.debug("User Submitted Cookie: " + cookieValue); + log.debug("Stored Cookie Value : " + userActualCookie); - if(cookieValue.compareTo(userActualCookie) == 0) - { - //User is using their own Cookie: Not Complete - htmlOutput = new String("

" + bundle.getString("securityMisconfig.servlet.stealTokens.notComplete") + "

" - + "

" + bundle.getString("securityMisconfig.servlet.stealTokens.notComplete.message") + "

"); - } - else - { - //User submitted something different from their cookie - boolean notUsersTokenButValid = validToken(userId, cookieValue, applicationRoot); - if(notUsersTokenButValid) - { - log.debug("Valid Cookie of another User Dectected"); - // Get key and add it to the output - String userKey = Hash.generateUserSolution(levelResult, (String)ses.getAttribute("userName")); - htmlOutput = "

" + bundle.getString("securityMisconfig.servlet.stealTokens.complete") + "

" + - "

" + - bundle.getString("securityMisconfig.servlet.stealTokens.youDidIt") + " " + - "" + userKey + "" + - "

"; - } - else - { - htmlOutput = new String("

" + bundle.getString("securityMisconfig.servlet.stealTokens.notComplete") + "

" - + "

" + bundle.getString("securityMisconfig.servlet.stealTokens.notComplete.yourToken") + "

"); - } - } - } - catch(Exception e) - { - out.write(errors.getString("securityMisconfig.servlet.stealTokens.notComplete.yourToken")); - log.fatal(levelName + " - " + e.toString()); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + if (cookieValue.compareTo(userActualCookie) == 0) { + // User is using their own Cookie: Not Complete + htmlOutput = + new String( + "

" + + bundle.getString("securityMisconfig.servlet.stealTokens.notComplete") + + "

" + + "

" + + bundle.getString( + "securityMisconfig.servlet.stealTokens.notComplete.message") + + "

"); + } else { + // User submitted something different from their cookie + boolean notUsersTokenButValid = validToken(userId, cookieValue, applicationRoot); + if (notUsersTokenButValid) { + log.debug("Valid Cookie of another User Dectected"); + // Get key and add it to the output + String userKey = + Hash.generateUserSolution(levelResult, (String) ses.getAttribute("userName")); + htmlOutput = + "

" + + bundle.getString("securityMisconfig.servlet.stealTokens.complete") + + "

" + + "

" + + bundle.getString("securityMisconfig.servlet.stealTokens.youDidIt") + + " " + + "" + + userKey + + "" + + "

"; + } else { + htmlOutput = + new String( + "

" + + bundle.getString("securityMisconfig.servlet.stealTokens.notComplete") + + "

" + + "

" + + bundle.getString( + "securityMisconfig.servlet.stealTokens.notComplete.yourToken") + + "

"); + } + } + } catch (Exception e) { + out.write(errors.getString("securityMisconfig.servlet.stealTokens.notComplete.yourToken")); + log.fatal(levelName + " - " + e.toString()); + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } - /** - * Method that will return a users token. If the user does not have a token, this will set one. - * @param userId User Identifier to search for - * @param applicationRoot Running context of application - * @return The token associated with the submitted userId - * @throws SQLException - */ - public static String getUserToken (String userId, String applicationRoot) throws SQLException - { - String userToken = new String(); - log.debug("Getting user token with id: " + userId); - Connection conn = Database.getChallengeConnection(applicationRoot, "SecurityMisconfigStealToken"); - try - { - CallableStatement getTokenCs = conn.prepareCall("call getToken(?)"); - getTokenCs.setString(1, userId); - log.debug("Executing getToken procedure..."); - ResultSet tokenRs = getTokenCs.executeQuery(); - if(tokenRs.next()) - { - userToken = tokenRs.getString(1); - } - else - { - log.error("No Results From Call"); - throw new SQLException("No results from getToken Call. Empty Result Set"); - } - tokenRs.close(); - } - catch (SQLException e) - { - log.error("Could not get user SecurityMisconfigStealToken token: " + e.toString()); - throw e; - } - conn.close(); - if (!userToken.isEmpty()) - log.debug("Found token: " + userToken); - return userToken; - } + /** + * Method that will return a users token. If the user does not have a token, this will set one. 
+ * + * @param userId User Identifier to search for + * @param applicationRoot Running context of application + * @return The token associated with the submitted userId + * @throws SQLException + */ + public static String getUserToken(String userId, String applicationRoot) throws SQLException { + String userToken = new String(); + log.debug("Getting user token with id: " + userId); + Connection conn = + Database.getChallengeConnection(applicationRoot, "SecurityMisconfigStealToken"); + try { + CallableStatement getTokenCs = conn.prepareCall("call getToken(?)"); + getTokenCs.setString(1, userId); + log.debug("Executing getToken procedure..."); + ResultSet tokenRs = getTokenCs.executeQuery(); + if (tokenRs.next()) { + userToken = tokenRs.getString(1); + } else { + log.error("No Results From Call"); + throw new SQLException("No results from getToken Call. Empty Result Set"); + } + tokenRs.close(); + } catch (SQLException e) { + log.error("Could not get user SecurityMisconfigStealToken token: " + e.toString()); + throw e; + } + conn.close(); + if (!userToken.isEmpty()) { + log.debug("Found token: " + userToken); + } + return userToken; + } - /** - * Method to validate if a token exists in the database which does not belong to the user submitting the request - * @param userId The ID of the user submitting the request - * @param token The token submitted in the request - * @param applicationRoot Running context of the application - * @return Boolean depicting if the token exists in the database and does not belong to the user submitting the request - * @throws SQLException - */ - public static boolean validToken (String userId, String token, String applicationRoot) throws SQLException - { - boolean validToken = false; - log.debug("Checking token:" + token); - Connection conn = Database.getChallengeConnection(applicationRoot, "SecurityMisconfigStealToken"); - try - { - CallableStatement validateTokenCs = conn.prepareCall("call validToken(?, ?)"); - 
validateTokenCs.setString(1, userId); - validateTokenCs.setString(2, token); - log.debug("Executing validToken procedure..."); - ResultSet tokenRs = validateTokenCs.executeQuery(); - if(tokenRs.next()) - { - if(tokenRs.getInt(1) > 0) - { - log.debug("Valid Token Detected"); - validToken = true; - } - } - else - { - log.error("No Results From validToken Call"); - throw new SQLException("No results from validToken Call. Empty Result Set"); - } - tokenRs.close(); - } - catch (SQLException e) - { - log.error("Could not verify token: " + e.toString()); - throw e; - } - conn.close(); - return validToken; - } + /** + * Method to validate if a token exists in the database which does not belong to the user + * submitting the request + * + * @param userId The ID of the user submitting the request + * @param token The token submitted in the request + * @param applicationRoot Running context of the application + * @return Boolean depicting if the token exists in the database and does not belong to the user + * submitting the request + * @throws SQLException + */ + public static boolean validToken(String userId, String token, String applicationRoot) + throws SQLException { + boolean validToken = false; + log.debug("Checking token:" + token); + Connection conn = + Database.getChallengeConnection(applicationRoot, "SecurityMisconfigStealToken"); + try { + CallableStatement validateTokenCs = conn.prepareCall("call validToken(?, ?)"); + validateTokenCs.setString(1, userId); + validateTokenCs.setString(2, token); + log.debug("Executing validToken procedure..."); + ResultSet tokenRs = validateTokenCs.executeQuery(); + if (tokenRs.next()) { + if (tokenRs.getInt(1) > 0) { + log.debug("Valid Token Detected"); + validToken = true; + } + } else { + log.error("No Results From validToken Call"); + throw new SQLException("No results from validToken Call. 
Empty Result Set"); + } + tokenRs.close(); + } catch (SQLException e) { + log.error("Could not verify token: " + e.toString()); + throw e; + } + conn.close(); + return validToken; + } } diff --git a/src/main/java/servlets/module/challenge/SessionManagement1.java b/src/main/java/servlets/module/challenge/SessionManagement1.java index a92047138..c7f11cb66 100644 --- a/src/main/java/servlets/module/challenge/SessionManagement1.java +++ b/src/main/java/servlets/module/challenge/SessionManagement1.java @@ -4,145 +4,152 @@ import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - import org.apache.commons.codec.binary.Base64; -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; /** - * Session Management Challenge One - *

+ * Session Management Challenge One
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SessionManagement1 extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SessionManagement1.class); - private static String levelName = "Session Management Challenge One"; - public static String levelHash = "dfd6bfba1033fa380e378299b6a998c759646bd8aea02511482b8ce5d707f93a"; - private static String levelResult = "db7b1da5d7a43c7100a6f01bb0c"; - /** - * Users must take advance of the broken session management in this application by modifying the tracking cookie "checksum" which is encoded in base 64. They must modify this cookie to be equal to administrator to access the result key. - * @param upgraeUserToAdmin Red herring - * @param returnPassword Red herring - * @param adminDetected Red herring - * @param checksum Cookie encoded base 64 that manages who is signed in to the sub schema - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); +public class SessionManagement1 extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SessionManagement1.class); + private static String levelName = "Session Management Challenge One"; + public static String levelHash = + "dfd6bfba1033fa380e378299b6a998c759646bd8aea02511482b8ce5d707f93a"; + private static String levelResult = "db7b1da5d7a43c7100a6f01bb0c"; - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sessionManagement.sessionManagement1", locale); + /** + 
* Users must take advance of the broken session management in this application by modifying the + * tracking cookie "checksum" which is encoded in base 64. They must modify this cookie to be + * equal to administrator to access the result key. + * + * @param upgraeUserToAdmin Red herring + * @param returnPassword Red herring + * @param adminDetected Red herring + * @param checksum Cookie encoded base 64 that manages who is signed in to the sub schema + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - try - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie userCookies[] = request.getCookies(); - int i = 0; - Cookie theCookie = null; - for(i = 0; i < userCookies.length; i++) - { - if(userCookies[i].getName().compareTo("checksum") == 0) - { - theCookie = userCookies[i]; - break; //End Loop, because we found the token - } - } - String htmlOutput = null; - if(theCookie != null) - { - log.debug("Cookie value: " + theCookie.getValue()); - byte[] decodedCookieBytes = Base64.decodeBase64(theCookie.getValue()); - String decodedCookie = new String(decodedCookieBytes, "UTF-8"); - log.debug("Decoded Cookie: " + decodedCookie); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle( + 
"i18n.servlets.challenges.sessionManagement.sessionManagement1", locale); - if(decodedCookie.equals("userRole=administrator")) - { - log.debug("Challenge Complete"); - // Get key and add it to the output - String userKey = Hash.generateUserSolution(levelResult, (String)ses.getAttribute("userName")); - htmlOutput = "

" + bundle.getString("response.adminClub") + "

" + - "

" + - bundle.getString("response.welcomeAdmin") + - "" + userKey + "" + - "

"; - } - } - if(htmlOutput == null) - { - log.debug("Challenge Not Complete"); - boolean hackDetected = false; - hackDetected = !(request.getParameter("adminDetected") != null && request.getParameter("returnPassword") != null && request.getParameter("upgradeUserToAdmin") != null); - if(!hackDetected) - hackDetected = !(request.getParameter("adminDetected").toString().equalsIgnoreCase("false") && - request.getParameter("adminDetected").toString().equalsIgnoreCase("false") && - request.getParameter("adminDetected").toString().equalsIgnoreCase("false")); + try { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie userCookies[] = request.getCookies(); + int i = 0; + Cookie theCookie = null; + for (i = 0; i < userCookies.length; i++) { + if (userCookies[i].getName().compareTo("checksum") == 0) { + theCookie = userCookies[i]; + break; // End Loop, because we found the token + } + } + String htmlOutput = null; + if (theCookie != null) { + log.debug("Cookie value: " + theCookie.getValue()); + byte[] decodedCookieBytes = Base64.decodeBase64(theCookie.getValue()); + String decodedCookie = new String(decodedCookieBytes, "UTF-8"); + log.debug("Decoded Cookie: " + decodedCookie); + if (decodedCookie.equals("userRole=administrator")) { + log.debug("Challenge Complete"); + // Get key and add it to the output + String userKey = + Hash.generateUserSolution(levelResult, (String) ses.getAttribute("userName")); + htmlOutput = + "

" + + bundle.getString("response.adminClub") + + "

" + + "

" + + bundle.getString("response.welcomeAdmin") + + "" + + userKey + + "" + + "

"; + } + } + if (htmlOutput == null) { + log.debug("Challenge Not Complete"); + boolean hackDetected = false; + hackDetected = + !(request.getParameter("adminDetected") != null + && request.getParameter("returnPassword") != null + && request.getParameter("upgradeUserToAdmin") != null); + if (!hackDetected) { + hackDetected = + !(request.getParameter("adminDetected").toString().equalsIgnoreCase("false") + && request.getParameter("adminDetected").toString().equalsIgnoreCase("false") + && request.getParameter("adminDetected").toString().equalsIgnoreCase("false")); + } - if(!hackDetected) - { - htmlOutput = "

" + bundle.getString("response.notAdmin") + "

" + - "

" + - bundle.getString("response.notAdminMessage") + - "

"; - } - else - { - htmlOutput = "

" + bundle.getString("response.hackDetected") + "

" + - "

" + - bundle.getString("response.hackDetectedMessage") + - "

"; - } - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } + if (!hackDetected) { + htmlOutput = + "

" + + bundle.getString("response.notAdmin") + + "

" + + "

" + + bundle.getString("response.notAdminMessage") + + "

"; + } else { + htmlOutput = + "

" + + bundle.getString("response.hackDetected") + + "

" + + "

" + + bundle.getString("response.hackDetectedMessage") + + "

"; + } + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/SessionManagement2.java b/src/main/java/servlets/module/challenge/SessionManagement2.java index 3f9f75279..a20743a90 100644 --- a/src/main/java/servlets/module/challenge/SessionManagement2.java +++ b/src/main/java/servlets/module/challenge/SessionManagement2.java @@ -1,5 +1,7 @@ package servlets.module.challenge; +import dbProcs.Database; +import dbProcs.Getter; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -7,160 +9,177 @@ import java.sql.ResultSet; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; -import dbProcs.Getter; /** - * Session Management Challenge Two - *

+ * Session Management Challenge Two
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SessionManagement2 extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SessionManagement2.class); - private static String levelName = "Session Management Challenge Two"; - private static String levelHash = "d779e34a54172cbc245300d3bc22937090ebd3769466a501a5e7ac605b9f34b7"; - /** - * The user attempts to use this function to sign into a sub schema. If they successfully sign in then they are able to retrieve the result key for the challenge - * If they sign in with a correct user name but incorrect password then the email address of the user will be returned in a error message - * @param subName Sub schema user name - * @param subName Sub schema user password - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class SessionManagement2 extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SessionManagement2.class); + private static String levelName = "Session Management Challenge Two"; + private static String levelHash = + "d779e34a54172cbc245300d3bc22937090ebd3769466a501a5e7ac605b9f34b7"; + + /** + * The user attempts to use this function to sign into a sub schema. 
If they successfully sign in + * then they are able to retrieve the result key for the challenge If they sign in with a correct + * user name but incorrect password then the email address of the user will be returned in a error + * message + * + * @param subName Sub schema user name + * @param subName Sub schema user password + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sessionManagement.sessionManagement2", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.sessionManagement.sessionManagement2", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + 
out.print(getServletInfo()); - String htmlOutput = new String(); - log.debug(levelName + " Servlet accessed"); - try - { - log.debug("Getting Challenge Parameters"); - Object nameObj = request.getParameter("subName"); - Object passObj = request.getParameter("subPassword"); - String subName = new String(); - String subPass = new String(); - String userAddress = new String(); - if(nameObj != null) - subName = (String) nameObj; - if(passObj != null) - subPass = (String) passObj; - log.debug("subName = " + subName); - log.debug("subPass = " + subPass); + String htmlOutput = new String(); + log.debug(levelName + " Servlet accessed"); + try { + log.debug("Getting Challenge Parameters"); + Object nameObj = request.getParameter("subName"); + Object passObj = request.getParameter("subPassword"); + String subName = new String(); + String subPass = new String(); + String userAddress = new String(); + if (nameObj != null) { + subName = (String) nameObj; + } + if (passObj != null) { + subPass = (String) passObj; + } + log.debug("subName = " + subName); + log.debug("subPass = " + subPass); - log.debug("Getting ApplicationRoot"); - String ApplicationRoot = getServletContext().getRealPath(""); - log.debug("Servlet root = " + ApplicationRoot ); + log.debug("Getting ApplicationRoot"); + String ApplicationRoot = getServletContext().getRealPath(""); + log.debug("Servlet root = " + ApplicationRoot); - Connection conn = Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalTwo"); - log.debug("Checking credentials"); - PreparedStatement callstmt; + Connection conn = + Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalTwo"); + log.debug("Checking credentials"); + PreparedStatement callstmt; - log.debug("Committing changes made to database"); - callstmt = conn.prepareStatement("COMMIT"); - callstmt.execute(); - log.debug("Changes committed."); + log.debug("Committing changes made to database"); + callstmt = conn.prepareStatement("COMMIT"); + 
callstmt.execute(); + log.debug("Changes committed."); - callstmt = conn.prepareStatement("SELECT userName, userAddress FROM users WHERE userName = ? AND userPassword = SHA(?)"); - callstmt.setString(1, subName); - callstmt.setString(2, subPass); - log.debug("Executing authUser"); - ResultSet resultSet = callstmt.executeQuery(); - if(resultSet.next()) - { - log.debug("Successful Login"); - // Get key and add it to the output - String userKey = Hash.generateUserSolution(Getter.getModuleResultFromHash(ApplicationRoot, levelHash), (String)ses.getAttribute("userName")); - htmlOutput = "

" + bundle.getString("response.welcome") + " " + Encode.forHtml(resultSet.getString(1)) + "

" + - "

" + - bundle.getString("response.resultKey") + " " + userKey + "" + - "

"; - } - else - { - log.debug("Incorrect credentials, checking if user name correct"); - callstmt = conn.prepareStatement("SELECT userAddress FROM users WHERE userName = ?"); - callstmt.setString(1, subName); - log.debug("Executing getAddress"); - resultSet = callstmt.executeQuery(); - if(resultSet.next()) - { - log.debug("User Found"); - userAddress = bundle.getString("response.badPass") + " " + Encode.forHtml(resultSet.getString(1)) + "
"; - } - else - { - userAddress = bundle.getString("response.badUser") + "
"; - } - htmlOutput = makeTable(userAddress, bundle); - } - Database.closeConnection(conn); - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + callstmt = + conn.prepareStatement( + "SELECT userName, userAddress FROM users WHERE userName = ? AND userPassword =" + + " SHA(?)"); + callstmt.setString(1, subName); + callstmt.setString(2, subPass); + log.debug("Executing authUser"); + ResultSet resultSet = callstmt.executeQuery(); + if (resultSet.next()) { + log.debug("Successful Login"); + // Get key and add it to the output + String userKey = + Hash.generateUserSolution( + Getter.getModuleResultFromHash(ApplicationRoot, levelHash), + (String) ses.getAttribute("userName")); + htmlOutput = + "

" + + bundle.getString("response.welcome") + + " " + + Encode.forHtml(resultSet.getString(1)) + + "

" + + "

" + + bundle.getString("response.resultKey") + + " " + + userKey + + "" + + "

"; + } else { + log.debug("Incorrect credentials, checking if user name correct"); + callstmt = conn.prepareStatement("SELECT userAddress FROM users WHERE userName = ?"); + callstmt.setString(1, subName); + log.debug("Executing getAddress"); + resultSet = callstmt.executeQuery(); + if (resultSet.next()) { + log.debug("User Found"); + userAddress = + bundle.getString("response.badPass") + + " " + + Encode.forHtml(resultSet.getString(1)) + + "
"; + } else { + userAddress = bundle.getString("response.badUser") + "
"; + } + htmlOutput = makeTable(userAddress, bundle); + } + Database.closeConnection(conn); + log.debug("Outputting HTML"); + out.write(htmlOutput); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } - private static String makeTable (String userAddress, ResourceBundle bundle) - { - return "" + userAddress + "" + - "" + - "" + - "
" + bundle.getString("form.userName") + "
" + bundle.getString("form.password") + "
" + - "
"; - } + private static String makeTable(String userAddress, ResourceBundle bundle) { + return "" + + userAddress + + "" + + "" + + "" + + "
" + + bundle.getString("form.userName") + + "
" + + bundle.getString("form.password") + + "
" + + "
"; + } } diff --git a/src/main/java/servlets/module/challenge/SessionManagement2ChangePassword.java b/src/main/java/servlets/module/challenge/SessionManagement2ChangePassword.java index 241ac197f..c5ebb2af2 100644 --- a/src/main/java/servlets/module/challenge/SessionManagement2ChangePassword.java +++ b/src/main/java/servlets/module/challenge/SessionManagement2ChangePassword.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -7,124 +8,119 @@ import java.sql.SQLException; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * Session Management Challenge Two - Password Reset Servlet - * Does not return result key - *

+ * Session Management Challenge Two - Password Reset Servlet Does not return result key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SessionManagement2ChangePassword extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SessionManagement2ChangePassword.class); - private static String levelName = "Session Management Challenge Two (Change Pass)"; - public static String levelHash = "f5ddc0ed2d30e597ebacf5fdd117083674b19bb92ffc3499121b9e6a12c92959"; - /** - * A user with the submitted email address is set a new random password, the password is also returned from the database procedure and is forwards through to the HTTP response. - * This response is not consumed by the client interface by default, and the user will have to discover it. - * @param subEmail Sub schema user email address - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class SessionManagement2ChangePassword extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SessionManagement2ChangePassword.class); + private static String levelName = "Session Management Challenge Two (Change Pass)"; + public static String levelHash = + "f5ddc0ed2d30e597ebacf5fdd117083674b19bb92ffc3499121b9e6a12c92959"; + + /** + * A user with the submitted email address is set a new random password, the password is also + * returned from the database procedure and is forwards through to the HTTP response. This + * response is not consumed by the client interface by default, and the user will have to discover + * it. 
+ * + * @param subEmail Sub schema user email address + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sessionManagement.sessionManagement2", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.sessionManagement.sessionManagement2", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - String htmlOutput = new String(); - log.debug(levelName + " Servlet accessed"); - try - { - log.debug("Getting Challenge Parameter"); - Object emailObj = request.getParameter("subEmail"); - String subEmail = new String(); - if(emailObj != null) - subEmail = 
(String) emailObj; - log.debug("subEmail = " + subEmail); + String htmlOutput = new String(); + log.debug(levelName + " Servlet accessed"); + try { + log.debug("Getting Challenge Parameter"); + Object emailObj = request.getParameter("subEmail"); + String subEmail = new String(); + if (emailObj != null) { + subEmail = (String) emailObj; + } + log.debug("subEmail = " + subEmail); - log.debug("Getting ApplicationRoot"); - String ApplicationRoot = getServletContext().getRealPath(""); + log.debug("Getting ApplicationRoot"); + String ApplicationRoot = getServletContext().getRealPath(""); - String newPassword = Hash.randomString(); - try - { - Connection conn = Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalTwo"); - log.debug("Checking credentials"); - PreparedStatement callstmt = conn.prepareStatement("UPDATE users SET userPassword = SHA(?) WHERE userAddress = ?"); - callstmt.setString(1, newPassword); - callstmt.setString(2, subEmail); - log.debug("Executing resetPassword"); - callstmt.execute(); - log.debug("Statement executed"); + String newPassword = Hash.randomString(); + try { + Connection conn = + Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalTwo"); + log.debug("Checking credentials"); + PreparedStatement callstmt = + conn.prepareStatement("UPDATE users SET userPassword = SHA(?) 
WHERE userAddress = ?"); + callstmt.setString(1, newPassword); + callstmt.setString(2, subEmail); + log.debug("Executing resetPassword"); + callstmt.execute(); + log.debug("Statement executed"); - log.debug("Committing changes made to database"); - callstmt = conn.prepareStatement("COMMIT"); - callstmt.execute(); - log.debug("Changes committed."); + log.debug("Committing changes made to database"); + callstmt = conn.prepareStatement("COMMIT"); + callstmt.execute(); + log.debug("Changes committed."); - htmlOutput = Encode.forHtml(newPassword); - Database.closeConnection(conn); - } - catch(SQLException e) - { - log.error(levelName + " SQL Error: " + e.toString()); - } - log.debug("Outputting HTML"); - out.write(bundle.getString("response.changedTo") + " " + htmlOutput); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + htmlOutput = Encode.forHtml(newPassword); + Database.closeConnection(conn); + } catch (SQLException e) { + log.error(levelName + " SQL Error: " + e.toString()); + } + log.debug("Outputting HTML"); + out.write(bundle.getString("response.changedTo") + " " + htmlOutput); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/SessionManagement3.java b/src/main/java/servlets/module/challenge/SessionManagement3.java index 4ba4446f8..831b45436 100644 --- a/src/main/java/servlets/module/challenge/SessionManagement3.java +++ b/src/main/java/servlets/module/challenge/SessionManagement3.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; 
@@ -7,184 +8,208 @@ import java.sql.ResultSet; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * Session Management Challenge Three - *

+ * Session Management Challenge Three
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SessionManagement3 extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SessionManagement3.class); - private static String levelName = "Session Management Challenge Three"; - private static String levelHash = "t193c6634f049bcf65cdcac72269eeac25dbb2a6887bdb38873e57d0ef447bc3"; - private static String levelResult = "e62008dc47f5eb065229d48963"; - - public static String getLevelHash () - { - return levelHash; - } - - /** - * Users must use this functionality to sign in as an administrator to retrieve the result key. If the user name is valid but not the passwor, an error message with the user name is returned. - * @param userName Sub schema user name - * @param password Sub schema user password - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); - - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sessionManagement.sessionManagement3", locale); - - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - - String htmlOutput = new 
String(); - log.debug(levelName + " Servlet Accessed"); - try - { - log.debug("Getting Challenge Parameters"); - Object nameObj = request.getParameter("subUserName"); - Object passObj = request.getParameter("subUserPassword"); - String subName = new String(); - String subPass = new String(); - String userAddress = new String(); - if(nameObj != null) - subName = (String) nameObj; - if(passObj != null) - subPass = (String) passObj; - log.debug("subName = " + subName); - log.debug("subPass = " + subPass); - - log.debug("Getting ApplicationRoot"); - String ApplicationRoot = getServletContext().getRealPath(""); - log.debug("Servlet root = " + ApplicationRoot ); - - Connection conn = Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalThree"); - log.debug("Checking credentials"); - PreparedStatement callstmt; - - log.debug("Committing changes made to database"); - callstmt = conn.prepareStatement("COMMIT"); - callstmt.execute(); - log.debug("Changes committed."); - - callstmt = conn.prepareStatement("SELECT userName, userAddress, userRole FROM users WHERE userName = ?"); - callstmt.setString(1, subName); - log.debug("Executing findUser"); - ResultSet resultSet = callstmt.executeQuery(); - if(resultSet.next()) - { - log.debug("User found"); - if(resultSet.getString(3).equalsIgnoreCase("admin")) - { - log.debug("Admin Detected"); - callstmt = conn.prepareStatement("SELECT userName, userAddress, userRole FROM users WHERE userName = ? AND userPassword = SHA(?)"); - callstmt.setString(1, subName); - callstmt.setString(2, subPass); - log.debug("Executing authUser"); - ResultSet resultSet2 = callstmt.executeQuery(); - if(resultSet2.next()) - { - log.debug("Successful Admin Login"); - // Get key and add it to the output - String userKey = Hash.generateUserSolution(levelResult, (String)ses.getAttribute("userName")); - - htmlOutput = "

" + bundle.getString("response.welcome") + " " + Encode.forHtml(resultSet2.getString(1)) + "

" + - "

" + - bundle.getString("response.resultKey") + " " + userKey + "" + - "

"; - } - else - { - userAddress = bundle.getString("response.badPass") + " " + Encode.forHtml(resultSet.getString(1)) + "
"; - htmlOutput = makeTable(userAddress, bundle); - } - } - else - { - log.debug("Successful Guest Login"); - htmlOutput = makeTable(bundle) + - "

" + bundle.getString("response.welcomeGuest") + "

" + - "

" + bundle.getString("response.guestMessage") + "



"; - } - } - else - { - userAddress = bundle.getString("response.badUser") + "
"; - htmlOutput = makeTable(userAddress, bundle); - } - Database.closeConnection(conn); - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } - private static String makeTable (String userAddress, ResourceBundle bundle) - { - return "" + userAddress + "" + - "" + - "" + - "
" + bundle.getString("form.userName") + "
" + bundle.getString("form.password") + "
" + - "
"; - } - private static String makeTable (ResourceBundle bundle) - { - return "" + - "" + - "" + - "
" + bundle.getString("form.userName") + "
" + bundle.getString("form.password") + "
" + - "
"; - } +public class SessionManagement3 extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SessionManagement3.class); + private static String levelName = "Session Management Challenge Three"; + private static String levelHash = + "t193c6634f049bcf65cdcac72269eeac25dbb2a6887bdb38873e57d0ef447bc3"; + private static String levelResult = "e62008dc47f5eb065229d48963"; + + public static String getLevelHash() { + return levelHash; + } + + /** + * Users must use this functionality to sign in as an administrator to retrieve the result key. If + * the user name is valid but not the passwor, an error message with the user name is returned. + * + * @param userName Sub schema user name + * @param password Sub schema user password + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); + + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.sessionManagement.sessionManagement3", locale); + + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + + String htmlOutput = new String(); + log.debug(levelName + " Servlet Accessed"); + try { + log.debug("Getting Challenge Parameters"); + Object nameObj = 
request.getParameter("subUserName"); + Object passObj = request.getParameter("subUserPassword"); + String subName = new String(); + String subPass = new String(); + String userAddress = new String(); + if (nameObj != null) { + subName = (String) nameObj; + } + if (passObj != null) { + subPass = (String) passObj; + } + log.debug("subName = " + subName); + log.debug("subPass = " + subPass); + + log.debug("Getting ApplicationRoot"); + String ApplicationRoot = getServletContext().getRealPath(""); + log.debug("Servlet root = " + ApplicationRoot); + + Connection conn = + Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalThree"); + log.debug("Checking credentials"); + PreparedStatement callstmt; + + log.debug("Committing changes made to database"); + callstmt = conn.prepareStatement("COMMIT"); + callstmt.execute(); + log.debug("Changes committed."); + + callstmt = + conn.prepareStatement( + "SELECT userName, userAddress, userRole FROM users WHERE userName = ?"); + callstmt.setString(1, subName); + log.debug("Executing findUser"); + ResultSet resultSet = callstmt.executeQuery(); + if (resultSet.next()) { + log.debug("User found"); + if (resultSet.getString(3).equalsIgnoreCase("admin")) { + log.debug("Admin Detected"); + callstmt = + conn.prepareStatement( + "SELECT userName, userAddress, userRole FROM users WHERE userName = ? AND" + + " userPassword = SHA(?)"); + callstmt.setString(1, subName); + callstmt.setString(2, subPass); + log.debug("Executing authUser"); + ResultSet resultSet2 = callstmt.executeQuery(); + if (resultSet2.next()) { + log.debug("Successful Admin Login"); + // Get key and add it to the output + String userKey = + Hash.generateUserSolution(levelResult, (String) ses.getAttribute("userName")); + + htmlOutput = + "

" + + bundle.getString("response.welcome") + + " " + + Encode.forHtml(resultSet2.getString(1)) + + "

" + + "

" + + bundle.getString("response.resultKey") + + " " + + userKey + + "" + + "

"; + } else { + userAddress = + bundle.getString("response.badPass") + + " " + + Encode.forHtml(resultSet.getString(1)) + + "
"; + htmlOutput = makeTable(userAddress, bundle); + } + } else { + log.debug("Successful Guest Login"); + htmlOutput = + makeTable(bundle) + + "

" + + bundle.getString("response.welcomeGuest") + + "

" + + "

" + + bundle.getString("response.guestMessage") + + "



"; + } + } else { + userAddress = bundle.getString("response.badUser") + "
"; + htmlOutput = makeTable(userAddress, bundle); + } + Database.closeConnection(conn); + log.debug("Outputting HTML"); + out.write(htmlOutput); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } + + private static String makeTable(String userAddress, ResourceBundle bundle) { + return "" + + userAddress + + "" + + "" + + "" + + "
" + + bundle.getString("form.userName") + + "
" + + bundle.getString("form.password") + + "
" + + "
"; + } + + private static String makeTable(ResourceBundle bundle) { + return "" + + "" + + "" + + "
" + + bundle.getString("form.userName") + + "
" + + bundle.getString("form.password") + + "
" + + "
"; + } } diff --git a/src/main/java/servlets/module/challenge/SessionManagement3ChangePassword.java b/src/main/java/servlets/module/challenge/SessionManagement3ChangePassword.java index b85e9ff6f..a7ab442fc 100644 --- a/src/main/java/servlets/module/challenge/SessionManagement3ChangePassword.java +++ b/src/main/java/servlets/module/challenge/SessionManagement3ChangePassword.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.io.UnsupportedEncodingException; @@ -7,155 +8,145 @@ import java.sql.PreparedStatement; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.LogManager; import org.apache.commons.codec.binary.Base64; - +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * Session Management Challenge Three - Change Password - * This is a level function - DOES NOT RETURN KEY - *

+ * Session Management Challenge Three - Change Password This is a level function - DOES NOT RETURN + * KEY
+ *
* This file is part of the Security Shepherd Project. - * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
- * - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
- * - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan * + *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
+ * + *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
+ * + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . + * + * @author Mark Denihan */ -public class SessionManagement3ChangePassword extends HttpServlet -{ +public class SessionManagement3ChangePassword extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SessionManagement3ChangePassword.class); + private static String levelName = "Session Management Challenge Three (Change Password)"; + public static String levelHash = + "b467dbe3cd61babc0ec599fd0c67e359e6fe04e8cdc618d537808cbb693fee8a"; + // private static String levelResult = ""; //This Servlet does not return a result + + /** + * Function used by Session Management Challenge Three to change the password of the submitted + * user name specified in the "Current" cookie + * + * @param current User cookie used to store the current user (encoded twice with base64) + * @param newPassword the password which to use to update an accounts password + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); + + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.sessionManagement.sessionManagement3", locale); + + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + 
ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); + log.debug(levelName + " - Change Password - Servlet"); + try { + log.debug("Getting Challenge Parameters"); + Cookie userCookies[] = request.getCookies(); + int i = 0; + Cookie theCookie = null; + for (i = 0; i < userCookies.length; i++) { + if (userCookies[i].getName().compareTo("current") == 0) { + theCookie = userCookies[i]; + break; // End Loop, because we found the token + } + } + Object passNewObj = request.getParameter("newPassword"); + String subName = new String(); + String subNewPass = new String(); + if (theCookie != null) { + subName = theCookie.getValue(); + } + if (passNewObj != null) { + subNewPass = (String) passNewObj; + } + log.debug("subName = " + subName); + // Base 64 Decode + try { + byte[] decodedName = Base64.decodeBase64(subName); + subName = new String(decodedName, "UTF-8"); + decodedName = Base64.decodeBase64(subName); + subName = new String(decodedName, "UTF-8"); + } catch (UnsupportedEncodingException e) { + log.debug("Could not decode username"); + subName = new String(); + } + log.debug("subName Decoded = " + subName); + log.debug("subPass = " + subNewPass); + + if (subNewPass.length() >= 6) { + log.debug("Getting ApplicationRoot"); + String ApplicationRoot = getServletContext().getRealPath(""); + + Connection conn = + Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalThree"); + log.debug("Changing password for user: " + subName); + log.debug("Changing password to: " + subNewPass); + PreparedStatement callstmt; + + callstmt = + conn.prepareStatement("UPDATE users SET userPassword = SHA(?) 
WHERE userName = ?"); + callstmt.setString(1, subNewPass); + callstmt.setString(2, subName); + log.debug("Executing changePassword"); + callstmt.execute(); + + log.debug("Committing changes made to database"); + callstmt = conn.prepareStatement("COMMIT"); + callstmt.execute(); + log.debug("Changes committed."); - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SessionManagement3ChangePassword.class); - private static String levelName = "Session Management Challenge Three (Change Password)"; - public static String levelHash = "b467dbe3cd61babc0ec599fd0c67e359e6fe04e8cdc618d537808cbb693fee8a"; - // private static String levelResult = ""; //This Servlet does not return a result - /** - * Function used by Session Management Challenge Three to change the password of the submitted user name specified in the "Current" cookie - * @param current User cookie used to store the current user (encoded twice with base64) - * @param newPassword the password which to use to update an accounts password - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); - - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sessionManagement.sessionManagement3", locale); - - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + 
ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); - log.debug(levelName + " - Change Password - Servlet"); - try - { - log.debug("Getting Challenge Parameters"); - Cookie userCookies[] = request.getCookies(); - int i = 0; - Cookie theCookie = null; - for(i = 0; i < userCookies.length; i++) - { - if(userCookies[i].getName().compareTo("current") == 0) - { - theCookie = userCookies[i]; - break; //End Loop, because we found the token - } - } - Object passNewObj = request.getParameter("newPassword"); - String subName = new String(); - String subNewPass = new String(); - if(theCookie != null) - subName = theCookie.getValue(); - if(passNewObj != null) - subNewPass = (String) passNewObj; - log.debug("subName = " + subName); - //Base 64 Decode - try - { - byte[] decodedName = Base64.decodeBase64(subName); - subName = new String(decodedName, "UTF-8"); - decodedName = Base64.decodeBase64(subName); - subName = new String(decodedName, "UTF-8"); - } - catch (UnsupportedEncodingException e) - { - log.debug("Could not decode username"); - subName = new String(); - } - log.debug("subName Decoded = " + subName); - log.debug("subPass = " + subNewPass); - - if(subNewPass.length() >= 6) - { - log.debug("Getting ApplicationRoot"); - String ApplicationRoot = getServletContext().getRealPath(""); - - Connection conn = Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalThree"); - log.debug("Changing password for user: " + subName); - log.debug("Changing password to: " + subNewPass); - PreparedStatement callstmt; - - callstmt = conn.prepareStatement("UPDATE users SET userPassword = SHA(?) 
WHERE userName = ?"); - callstmt.setString(1, subNewPass); - callstmt.setString(2, subName); - log.debug("Executing changePassword"); - callstmt.execute(); - - log.debug("Committing changes made to database"); - callstmt = conn.prepareStatement("COMMIT"); - callstmt.execute(); - log.debug("Changes committed."); - - htmlOutput = "

" + bundle.getString("reset.password") + "

"; - } - else - { - log.debug("invalid password submitted: " + subNewPass); - htmlOutput = "

" + bundle.getString("reset.failed") + "

"; - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - Change Password - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } - + htmlOutput = "

" + bundle.getString("reset.password") + "

"; + } else { + log.debug("invalid password submitted: " + subNewPass); + htmlOutput = "

" + bundle.getString("reset.failed") + "

"; + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - Change Password - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/SessionManagement4.java b/src/main/java/servlets/module/challenge/SessionManagement4.java index 8a9cb7926..285a99776 100644 --- a/src/main/java/servlets/module/challenge/SessionManagement4.java +++ b/src/main/java/servlets/module/challenge/SessionManagement4.java @@ -4,160 +4,162 @@ import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - import org.apache.commons.codec.binary.Base64; -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; /** - * Session Management Challenge Four - *

+ * Session Management Challenge Four
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SessionManagement4 extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SessionManagement4.class); - private static String levelName = "Session Management Challenge Four"; - public static String levelHash = "ec43ae137b8bf7abb9c85a87cf95c23f7fadcf08a092e05620c9968bd60fcba6"; - private static String levelResult = "238a43b12dde07f39d14599a780ae90f87a23e"; - /** - * Users must discover the session id for this sub application is very weak. The default session ID for a guest will be 00000001 base64'd. The admin's session will be 00000021 - * @param upgraeUserToAdmin Red herring - * @param returnPassword Red herring - * @param adminDetected Red herring - * @param checksum Cookie encoded base 64 that manages who is signed in to the sub schema - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); +public class SessionManagement4 extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SessionManagement4.class); + private static String levelName = "Session Management Challenge Four"; + public static String levelHash = + "ec43ae137b8bf7abb9c85a87cf95c23f7fadcf08a092e05620c9968bd60fcba6"; + private static String levelResult = "238a43b12dde07f39d14599a780ae90f87a23e"; + + /** + * Users must discover the session id for this sub application is very weak. The default session + * ID for a guest will be 00000001 base64'd. 
The admin's session will be 00000021 + * + * @param upgraeUserToAdmin Red herring + * @param returnPassword Red herring + * @param adminDetected Red herring + * @param checksum Cookie encoded base 64 that manages who is signed in to the sub schema + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sessionManagement.sessionManagement4", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.sessionManagement.sessionManagement4", locale); - try - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie userCookies[] = request.getCookies(); - int i = 0; - Cookie theCookie = null; - for(i = 0; i < userCookies.length; i++) - { - if(userCookies[i].getName().compareTo("SubSessionID") == 0) - { - theCookie = userCookies[i]; - break; //End Loop, because we found the token - } - } - String htmlOutput = null; - if(theCookie != null) - { - log.debug("Cookie value: " + theCookie.getValue()); - //Decode Twice - 
byte[] decodedCookieBytes = Base64.decodeBase64(theCookie.getValue()); - String decodedCookie = new String(decodedCookieBytes, "UTF-8"); - decodedCookieBytes = Base64.decodeBase64(decodedCookie.getBytes()); - decodedCookie = new String(decodedCookieBytes, "UTF-8"); - log.debug("Decoded Cookie: " + decodedCookie); - if(decodedCookie.equals("0000000000000001")) //Guest Session - { - log.debug("Guest Session Detected"); - } - else if (decodedCookie.equals("0000000000000009")) //Admin Session - { - log.debug("Admin Session Detected: Challenge Complete"); - // Get key and add it to the output - String userKey = Hash.generateUserSolution(levelResult, (String)ses.getAttribute("userName")); - htmlOutput = "

" + bundle.getString("response.adminClub") + "

" + - "

" + - bundle.getString("response.welcomeAdmin") + " " + - "" + userKey + "" + - "

"; - } - else //Unknown or Dead session - { - log.debug("Dead Session Detected"); - } - } - if(htmlOutput == null) - { - log.debug("Challenge Not Complete"); - boolean hackDetected = false; - hackDetected = !(request.getParameter("useSecurity") != null && request.getParameter("userId") != null); - if(!hackDetected) - { - log.debug("useSecurity: " + request.getParameter("useSecurity")); - log.debug("userId: " + request.getParameter("userId")); - hackDetected = !(request.getParameter("useSecurity").toString().equalsIgnoreCase("true")); - } - else - { - log.debug("Parameters Missing"); - } + try { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie userCookies[] = request.getCookies(); + int i = 0; + Cookie theCookie = null; + for (i = 0; i < userCookies.length; i++) { + if (userCookies[i].getName().compareTo("SubSessionID") == 0) { + theCookie = userCookies[i]; + break; // End Loop, because we found the token + } + } + String htmlOutput = null; + if (theCookie != null) { + log.debug("Cookie value: " + theCookie.getValue()); + // Decode Twice + byte[] decodedCookieBytes = Base64.decodeBase64(theCookie.getValue()); + String decodedCookie = new String(decodedCookieBytes, "UTF-8"); + decodedCookieBytes = Base64.decodeBase64(decodedCookie.getBytes()); + decodedCookie = new String(decodedCookieBytes, "UTF-8"); + log.debug("Decoded Cookie: " + decodedCookie); + if (decodedCookie.equals("0000000000000001")) // Guest Session + { + log.debug("Guest Session Detected"); + } else if 
(decodedCookie.equals("0000000000000009")) // Admin Session + { + log.debug("Admin Session Detected: Challenge Complete"); + // Get key and add it to the output + String userKey = + Hash.generateUserSolution(levelResult, (String) ses.getAttribute("userName")); + htmlOutput = + "

" + + bundle.getString("response.adminClub") + + "

" + + "

" + + bundle.getString("response.welcomeAdmin") + + " " + + "" + + userKey + + "" + + "

"; + } else // Unknown or Dead session + { + log.debug("Dead Session Detected"); + } + } + if (htmlOutput == null) { + log.debug("Challenge Not Complete"); + boolean hackDetected = false; + hackDetected = + !(request.getParameter("useSecurity") != null + && request.getParameter("userId") != null); + if (!hackDetected) { + log.debug("useSecurity: " + request.getParameter("useSecurity")); + log.debug("userId: " + request.getParameter("userId")); + hackDetected = + !(request.getParameter("useSecurity").toString().equalsIgnoreCase("true")); + } else { + log.debug("Parameters Missing"); + } - if(!hackDetected) - { - htmlOutput = "

" + bundle.getString("response.notAdmin") + "

" + - "

" + - bundle.getString("response.notAdminMessage") + - "

"; - } - else - { - htmlOutput = "

" + bundle.getString("response.hackDetected") + "

" + - "

" + - bundle.getString("response.hackDetectedMessage") + - "

"; - } - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } + if (!hackDetected) { + htmlOutput = + "

" + + bundle.getString("response.notAdmin") + + "

" + + "

" + + bundle.getString("response.notAdminMessage") + + "

"; + } else { + htmlOutput = + "

" + + bundle.getString("response.hackDetected") + + "

" + + "

" + + bundle.getString("response.hackDetectedMessage") + + "

"; + } + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/SessionManagement5.java b/src/main/java/servlets/module/challenge/SessionManagement5.java index ff4baec41..fad8e8cb7 100644 --- a/src/main/java/servlets/module/challenge/SessionManagement5.java +++ b/src/main/java/servlets/module/challenge/SessionManagement5.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -7,181 +8,203 @@ import java.sql.ResultSet; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * Session Management Challenge Five - *

+ * Session Management Challenge Five
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SessionManagement5 extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SessionManagement5.class); - private static String levelName = "Session Management Challenge Five"; - public static String levelHash = "7aed58f3a00087d56c844ed9474c671f8999680556c127a19ee79fa5d7a132e1"; - private static String levelResult = "a15b8ea0b8a3374a1dedc326dfbe3dbae26"; - /** - * Users must use this functionality to sign in as an administrator to retrieve the result key. - * @param userName Sub schema user name - * @param password Sub schema user password - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class SessionManagement5 extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SessionManagement5.class); + private static String levelName = "Session Management Challenge Five"; + public static String levelHash = + "7aed58f3a00087d56c844ed9474c671f8999680556c127a19ee79fa5d7a132e1"; + private static String levelResult = "a15b8ea0b8a3374a1dedc326dfbe3dbae26"; + + /** + * Users must use this functionality to sign in as an administrator to retrieve the result key. 
+ * + * @param userName Sub schema user name + * @param password Sub schema user password + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); + + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.sessionManagement.sessionManagement5", locale); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sessionManagement.sessionManagement5", locale); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); + String htmlOutput = new String(); + log.debug(levelName + " Servlet Accessed"); + try { + log.debug("Getting Challenge Parameters"); + Object nameObj = request.getParameter("subUserName"); + Object passObj = 
request.getParameter("subUserPassword"); + String subName = new String(); + String subPass = new String(); + String userAddress = new String(); + if (nameObj != null) { + subName = (String) nameObj; + } + if (passObj != null) { + subPass = (String) passObj; + } + log.debug("subName = " + subName); + log.debug("subPass = " + subPass); - String htmlOutput = new String(); - log.debug(levelName + " Servlet Accessed"); - try - { - log.debug("Getting Challenge Parameters"); - Object nameObj = request.getParameter("subUserName"); - Object passObj = request.getParameter("subUserPassword"); - String subName = new String(); - String subPass = new String(); - String userAddress = new String(); - if(nameObj != null) - subName = (String) nameObj; - if(passObj != null) - subPass = (String) passObj; - log.debug("subName = " + subName); - log.debug("subPass = " + subPass); + log.debug("Getting ApplicationRoot"); + String ApplicationRoot = getServletContext().getRealPath(""); + log.debug("Servlet root = " + ApplicationRoot); - log.debug("Getting ApplicationRoot"); - String ApplicationRoot = getServletContext().getRealPath(""); - log.debug("Servlet root = " + ApplicationRoot ); + Connection conn = + Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalFive"); + log.debug("Checking credentials"); + PreparedStatement callstmt; - Connection conn = Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalFive"); - log.debug("Checking credentials"); - PreparedStatement callstmt; + log.debug("Committing changes made to database"); + callstmt = conn.prepareStatement("COMMIT"); + callstmt.execute(); + log.debug("Changes committed."); - log.debug("Committing changes made to database"); - callstmt = conn.prepareStatement("COMMIT"); - callstmt.execute(); - log.debug("Changes committed."); + callstmt = conn.prepareStatement("SELECT userName, userRole FROM users WHERE userName = ?"); + callstmt.setString(1, subName); + log.debug("Executing findUser"); + 
ResultSet resultSet = callstmt.executeQuery(); + // Is the username valid? + if (resultSet.next()) { + log.debug("User found"); + // Is the user an Admin? + if (resultSet.getString(2).equalsIgnoreCase("admin")) { + log.debug("Admin Detected"); + callstmt = + conn.prepareStatement( + "SELECT userName, userRole FROM users WHERE userName = ? AND userPassword =" + + " SHA(?)"); + callstmt.setString(1, subName); + callstmt.setString(2, subPass); + log.debug("Executing Login Check"); + ResultSet resultSet2 = callstmt.executeQuery(); + if (resultSet2.next()) { + log.debug("Successful Admin Login"); + // Get key and add it to the output + String userKey = + Hash.generateUserSolution(levelResult, (String) ses.getAttribute("userName")); - callstmt = conn.prepareStatement("SELECT userName, userRole FROM users WHERE userName = ?"); - callstmt.setString(1, subName); - log.debug("Executing findUser"); - ResultSet resultSet = callstmt.executeQuery(); - //Is the username valid? - if(resultSet.next()) - { - log.debug("User found"); - //Is the user an Admin? - if(resultSet.getString(2).equalsIgnoreCase("admin")) - { - log.debug("Admin Detected"); - callstmt = conn.prepareStatement("SELECT userName, userRole FROM users WHERE userName = ? AND userPassword = SHA(?)"); - callstmt.setString(1, subName); - callstmt.setString(2, subPass); - log.debug("Executing Login Check"); - ResultSet resultSet2 = callstmt.executeQuery(); - if(resultSet2.next()) - { - log.debug("Successful Admin Login"); - // Get key and add it to the output - String userKey = Hash.generateUserSolution(levelResult, (String)ses.getAttribute("userName")); + htmlOutput = + "

" + + bundle.getString("response.welcome") + + " " + + Encode.forHtml(resultSet2.getString(1)) + + "

" + + "

" + + bundle.getString("response.resultKey") + + " " + + userKey + + "" + + "

"; + } else { + userAddress = + bundle.getString("response.badPass") + + " " + + Encode.forHtml(resultSet.getString(1)) + + "
"; + htmlOutput = makeTable(userAddress, bundle); + } + } else { + log.debug("Successful Pleb Login"); + htmlOutput = + makeTable(bundle) + + "

" + + bundle.getString("response.welcomeGuest") + + "

" + + "

" + + bundle.getString("response.guestMessage") + + "



"; + } + } else { + userAddress = bundle.getString("response.badUser") + "
"; + htmlOutput = makeTable(userAddress, bundle); + } + Database.closeConnection(conn); + log.debug("Outputting HTML"); + out.write(htmlOutput); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } - htmlOutput = "

" + bundle.getString("response.welcome") + " " + Encode.forHtml(resultSet2.getString(1)) + "

" + - "

" + - bundle.getString("response.resultKey") + " " + userKey + "" + - "

"; - } - else - { - userAddress = bundle.getString("response.badPass") + " " + Encode.forHtml(resultSet.getString(1)) + "
"; - htmlOutput = makeTable(userAddress, bundle); - } - } - else - { - log.debug("Successful Pleb Login"); - htmlOutput = makeTable(bundle) + - "

" + bundle.getString("response.welcomeGuest") + "

" + - "

" + bundle.getString("response.guestMessage") + "



"; - } - } - else - { - userAddress = bundle.getString("response.badUser") + "
"; - htmlOutput = makeTable(userAddress, bundle); - } - Database.closeConnection(conn); - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + private static String makeTable(String userAddress, ResourceBundle bundle) { + return "" + + userAddress + + "" + + "" + + "" + + "
" + + bundle.getString("form.userName") + + "
" + + bundle.getString("form.password") + + "
" + + "
"; + } - private static String makeTable (String userAddress, ResourceBundle bundle) - { - return "" + userAddress + "" + - "" + - "" + - "
" + bundle.getString("form.userName") + "
" + bundle.getString("form.password") + "
" + - "
"; - } - private static String makeTable (ResourceBundle bundle) - { - return "" + - "" + - "" + - "
" + bundle.getString("form.userName") + "
" + bundle.getString("form.password") + "
" + - "
"; - } + private static String makeTable(ResourceBundle bundle) { + return "" + + "" + + "" + + "
" + + bundle.getString("form.userName") + + "
" + + bundle.getString("form.password") + + "
" + + "
"; + } } diff --git a/src/main/java/servlets/module/challenge/SessionManagement5ChangePassword.java b/src/main/java/servlets/module/challenge/SessionManagement5ChangePassword.java index 672663f55..0ace93568 100644 --- a/src/main/java/servlets/module/challenge/SessionManagement5ChangePassword.java +++ b/src/main/java/servlets/module/challenge/SessionManagement5ChangePassword.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.io.UnsupportedEncodingException; @@ -10,200 +11,179 @@ import java.util.Date; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.LogManager; import org.apache.commons.codec.binary.Base64; - +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * Session Management Challenge Five - Change Password - * This is a level function - DOES NOT RETURN KEY - *
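Review bot: `Database.closeConnection(conn)` is reached only on the success path — it is the last statement inside the try, so a SQLException from any of the prepareStatement/executeQuery calls above it jumps straight to the catch and the challenge connection (along with both ResultSets and the PreparedStatement) is never released. Declare `Connection conn = null;` ahead of the try and release it in a finally, `} finally { if (conn != null) { Database.closeConnection(conn); } }`; the same fix applies to the SessionManagement5ChangePassword hunk below, which never closes its connection at all. Separately, `log.debug("subPass = " + subPass);` (and the `newPass` lines in the ChangePassword hunk) writes a submitted password to the log at debug level; logging whether the parameter was present rather than its value is the usual ask. The whole class sits inside this hunk, so no enclosing block is cut.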

+ * Session Management Challenge Five - Change Password This is a level function - DOES NOT RETURN + * KEY
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SessionManagement5ChangePassword extends HttpServlet -{ - - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SessionManagement5ChangePassword.class); - private static String levelName = "Session Management Challenge Five (Change Password)"; - // private static String levelResult = ""; //This Servlet does not return a result - /** - * Function used by Session Management Challenge Five to change the password of the submitted user name. The function requires a valid token which is a base64'd timestamp. If the current time is within 10 minutes of the token, the function will execute - * @param userName User cookie used to store the user password to be reset - * @param newPassword the password which to use to update an accounts password - * @param resetPasswordToken Base64'd time stamp - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); - - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sessionManagement.sessionManagement5", locale); - - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = 
response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); - String errorMessage = new String(); - int tokenLife = 11; - try - { - log.debug("Getting Challenge Parameters"); - Object passNewObj = request.getParameter("newPassword"); - Object userNewObj = request.getParameter("userName"); - Object tokenObj = request.getParameter("resetPasswordToken"); - String userName = new String(); - String newPass = new String(); - String token = new String(); - if(passNewObj != null) - newPass = (String) passNewObj; - if(userNewObj != null) - userName = (String) userNewObj; - if(tokenObj != null) - token = (String) tokenObj; - log.debug("userName = " + userName); - log.debug("newPass = " + newPass); - log.debug("token = " + token); - String tokenTime = new String(); - try - { - byte[] decodedToken = Base64.decodeBase64(token); - tokenTime = new String(decodedToken, "UTF-8"); - } - catch (UnsupportedEncodingException e) - { - log.debug("Could not decode password token"); - errorMessage += "

" + bundle.getString("changePass.noDecode") + "

"; - } - if(tokenTime.isEmpty()) - { - log.debug("Could not decode token. Ending Servlet."); - out.write(errorMessage); - } - else - { - log.debug("Decoded Token = " + tokenTime); - - //Get Time from Token and see if it is inside the last 10 minutes - SimpleDateFormat simpleDateFormat = new SimpleDateFormat("EEE MMM d HH:mm:ss Z yyyy"); - try - { - Date tokenDateTime = simpleDateFormat.parse(tokenTime); - Date currentDateTime = new Date(); - //Get difference in minutes - tokenLife = (int)((currentDateTime.getTime()/60000) - (tokenDateTime.getTime()/60000)); - log.debug("Token life = " + tokenLife); - } - catch (ParseException e) - { - log.error("Date Parsing Error: " + e.toString()); - errorMessage += bundle.getString("changePass.badTokenData") + ": " + e.toString(); - } - - if(tokenLife < 10 && tokenLife >= 0) - { - if(newPass.length() >= 12) - { - log.debug("Getting ApplicationRoot"); - String ApplicationRoot = getServletContext().getRealPath(""); - log.debug("Servlet root = " + ApplicationRoot ); - - Connection conn = Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalFive"); - log.debug("Changing password for user: " + userName); - log.debug("Changing password to: " + newPass); - PreparedStatement callstmt; - - callstmt = conn.prepareStatement("UPDATE users SET userPassword = SHA(?) WHERE userName = ?"); - - callstmt.setString(1, newPass); - callstmt.setString(2, userName); - - log.debug("Executing changePassword"); - callstmt.execute(); - - log.debug("Committing changes made to database"); - callstmt = conn.prepareStatement("COMMIT"); - callstmt.execute(); - log.debug("Changes committed."); - - htmlOutput = "

" + bundle.getString("changePass.success") + "

"; - } - else - { - log.debug("Invalid password submitted: " + newPass); - htmlOutput = "

" + bundle.getString("changePass.failure") + "

"; - } - } - else - { - if(!errorMessage.isEmpty()) - { - htmlOutput = "

" + errorMessage + ""; - } - else if(tokenLife >= 10) - { - log.debug("Token too old"); - htmlOutput = "

" + bundle.getString("changePass.oldToken") + "

"; - } - else if (tokenLife < 0) - { - log.debug("Token to young"); - htmlOutput = "

" + bundle.getString("changePass.youngToken") + "

"; - } - else - { - log.error("Token to Strange: Unexpected Error"); - htmlOutput = "

" + bundle.getString("changePass.funkyToken") + "

"; - } - } - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - Change Password - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } - +public class SessionManagement5ChangePassword extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SessionManagement5ChangePassword.class); + private static String levelName = "Session Management Challenge Five (Change Password)"; + // private static String levelResult = ""; //This Servlet does not return a result + + /** + * Function used by Session Management Challenge Five to change the password of the submitted user + * name. The function requires a valid token which is a base64'd timestamp. If the current time is + * within 10 minutes of the token, the function will execute + * + * @param userName User cookie used to store the user password to be reset + * @param newPassword the password which to use to update an accounts password + * @param resetPasswordToken Base64'd time stamp + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); + + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.sessionManagement.sessionManagement5", locale); + + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + 
ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); + String errorMessage = new String(); + int tokenLife = 11; + try { + log.debug("Getting Challenge Parameters"); + Object passNewObj = request.getParameter("newPassword"); + Object userNewObj = request.getParameter("userName"); + Object tokenObj = request.getParameter("resetPasswordToken"); + String userName = new String(); + String newPass = new String(); + String token = new String(); + if (passNewObj != null) { + newPass = (String) passNewObj; + } + if (userNewObj != null) { + userName = (String) userNewObj; + } + if (tokenObj != null) { + token = (String) tokenObj; + } + log.debug("userName = " + userName); + log.debug("newPass = " + newPass); + log.debug("token = " + token); + String tokenTime = new String(); + try { + byte[] decodedToken = Base64.decodeBase64(token); + tokenTime = new String(decodedToken, "UTF-8"); + } catch (UnsupportedEncodingException e) { + log.debug("Could not decode password token"); + errorMessage += "

" + bundle.getString("changePass.noDecode") + "

"; + } + if (tokenTime.isEmpty()) { + log.debug("Could not decode token. Ending Servlet."); + out.write(errorMessage); + } else { + log.debug("Decoded Token = " + tokenTime); + + // Get Time from Token and see if it is inside the last 10 minutes + SimpleDateFormat simpleDateFormat = new SimpleDateFormat("EEE MMM d HH:mm:ss Z yyyy"); + try { + Date tokenDateTime = simpleDateFormat.parse(tokenTime); + Date currentDateTime = new Date(); + // Get difference in minutes + tokenLife = + (int) ((currentDateTime.getTime() / 60000) - (tokenDateTime.getTime() / 60000)); + log.debug("Token life = " + tokenLife); + } catch (ParseException e) { + log.error("Date Parsing Error: " + e.toString()); + errorMessage += bundle.getString("changePass.badTokenData") + ": " + e.toString(); + } + + if (tokenLife < 10 && tokenLife >= 0) { + if (newPass.length() >= 12) { + log.debug("Getting ApplicationRoot"); + String ApplicationRoot = getServletContext().getRealPath(""); + log.debug("Servlet root = " + ApplicationRoot); + + Connection conn = + Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalFive"); + log.debug("Changing password for user: " + userName); + log.debug("Changing password to: " + newPass); + PreparedStatement callstmt; + + callstmt = + conn.prepareStatement( + "UPDATE users SET userPassword = SHA(?) WHERE userName = ?"); + + callstmt.setString(1, newPass); + callstmt.setString(2, userName); + + log.debug("Executing changePassword"); + callstmt.execute(); + + log.debug("Committing changes made to database"); + callstmt = conn.prepareStatement("COMMIT"); + callstmt.execute(); + log.debug("Changes committed."); + + htmlOutput = "

" + bundle.getString("changePass.success") + "

"; + } else { + log.debug("Invalid password submitted: " + newPass); + htmlOutput = "

" + bundle.getString("changePass.failure") + "

"; + } + } else { + if (!errorMessage.isEmpty()) { + htmlOutput = "

" + errorMessage + ""; + } else if (tokenLife >= 10) { + log.debug("Token too old"); + htmlOutput = "

" + bundle.getString("changePass.oldToken") + "

"; + } else if (tokenLife < 0) { + log.debug("Token to young"); + htmlOutput = "

" + bundle.getString("changePass.youngToken") + "

"; + } else { + log.error("Token to Strange: Unexpected Error"); + htmlOutput = "

" + bundle.getString("changePass.funkyToken") + "

"; + } + } + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - Change Password - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/SessionManagement5SetToken.java b/src/main/java/servlets/module/challenge/SessionManagement5SetToken.java index 0ea5ae871..dce973ab6 100644 --- a/src/main/java/servlets/module/challenge/SessionManagement5SetToken.java +++ b/src/main/java/servlets/module/challenge/SessionManagement5SetToken.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -7,131 +8,127 @@ import java.sql.ResultSet; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * Session Management Challenge Five SessionManagement5SetToken - * (Does not Return Result Key) + * Session Management Challenge Five SessionManagement5SetToken (Does not Return Result Key) * - * This function is a shell to give the appearance that a token has been set for a user. - * A DB call is made to check if a user exists. If the user does exist the server returns an ok message + *

This function is a shell to give the appearance that a token has been set for a user. A DB + * call is made to check if a user exists. If the user does exist the server returns an ok message * claiming that the user has been emailed a URL with a token embedded for resetting their password. * This in fact does not happen. User must find another way to sign in as an admin. * - *

+ *


+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SessionManagement5SetToken extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SessionManagement5SetToken.class); - private static String levelName = "SessionManagement5SetToken"; - public static String levelHash = SessionManagement5.levelHash; - /** - * Used to apparently send a message to a user with a token to reset their password. - * - * @param userName Sub schema user name - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class SessionManagement5SetToken extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SessionManagement5SetToken.class); + private static String levelName = "SessionManagement5SetToken"; + public static String levelHash = SessionManagement5.levelHash; + + /** + * Used to apparently send a message to a user with a token to reset their password. 
+ * + * @param userName Sub schema user name + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sessionManagement.sessionManagement5", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.sessionManagement.sessionManagement5", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - String htmlOutput = new String(); - log.debug(levelName + " Servlet Accessed"); - try - { - log.debug("Getting Parameters"); - Object nameObj = request.getParameter("subUserName"); - String userName = new String(); - if(nameObj != null) - userName = (String) nameObj; - 
log.debug("subName = " + userName); + String htmlOutput = new String(); + log.debug(levelName + " Servlet Accessed"); + try { + log.debug("Getting Parameters"); + Object nameObj = request.getParameter("subUserName"); + String userName = new String(); + if (nameObj != null) { + userName = (String) nameObj; + } + log.debug("subName = " + userName); - log.debug("Getting ApplicationRoot"); - String ApplicationRoot = getServletContext().getRealPath(""); - log.debug("Servlet root = " + ApplicationRoot ); + log.debug("Getting ApplicationRoot"); + String ApplicationRoot = getServletContext().getRealPath(""); + log.debug("Servlet root = " + ApplicationRoot); - Connection conn = Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalFive"); - log.debug("Checking name"); - PreparedStatement callstmt; + Connection conn = + Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalFive"); + log.debug("Checking name"); + PreparedStatement callstmt; - log.debug("Committing changes made to database"); - callstmt = conn.prepareStatement("COMMIT"); - callstmt.execute(); - log.debug("Changes committed."); + log.debug("Committing changes made to database"); + callstmt = conn.prepareStatement("COMMIT"); + callstmt.execute(); + log.debug("Changes committed."); - callstmt = conn.prepareStatement("SELECT userName FROM users WHERE userName = ?"); - callstmt.setString(1, userName); - log.debug("Executing findUser"); - ResultSet resultSet = callstmt.executeQuery(); - //Is the username valid? 
- if(resultSet.next()) - { - log.debug("User found"); - htmlOutput = bundle.getString("setToken.sentTo.1") + " '" + Encode.forHtml(userName) + "' " + bundle.getString("setToken.sentTo.2"); - } - else - { - log.debug("User not Found"); - htmlOutput = bundle.getString("response.badUser") + "" + Encode.forHtml(userName); - } - Database.closeConnection(conn); - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + callstmt = conn.prepareStatement("SELECT userName FROM users WHERE userName = ?"); + callstmt.setString(1, userName); + log.debug("Executing findUser"); + ResultSet resultSet = callstmt.executeQuery(); + // Is the username valid? + if (resultSet.next()) { + log.debug("User found"); + htmlOutput = + bundle.getString("setToken.sentTo.1") + + " '" + + Encode.forHtml(userName) + + "' " + + bundle.getString("setToken.sentTo.2"); + } else { + log.debug("User not Found"); + htmlOutput = bundle.getString("response.badUser") + "" + Encode.forHtml(userName); + } + Database.closeConnection(conn); + log.debug("Outputting HTML"); + out.write(htmlOutput); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/SessionManagement6.java b/src/main/java/servlets/module/challenge/SessionManagement6.java index 05b4260d5..b56778992 100644 --- a/src/main/java/servlets/module/challenge/SessionManagement6.java +++ b/src/main/java/servlets/module/challenge/SessionManagement6.java @@ -1,5 +1,7 @@ package servlets.module.challenge; +import dbProcs.Database; +import dbProcs.Getter; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; 
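Review bot: In `doPost` the challenge connection is only released on the success path — `Database.closeConnection(conn)` sits inside the `try` after the query, so an exception from `prepareStatement`/`executeQuery` skips it and leaks the connection, and the `PreparedStatement` and `ResultSet` are never closed at all. Move the release into a `finally` block guarded by `if (conn != null)`, or open `conn`, `callstmt` and `resultSet` with try-with-resources. The `Object nameObj = request.getParameter("subUserName")` plus cast is redundant since `getParameter` already returns a `String`; `String userName = Objects.requireNonNullElse(request.getParameter("subUserName"), "")` (or a plain null check) says the same thing without the cast. The Javadoc `@param userName` names a request parameter rather than a method parameter, so javadoc/lint will flag it; phrase it as a sentence instead, e.g. `Reads the {@code subUserName} request parameter and reports whether such a user exists.`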
@@ -7,197 +9,206 @@ import java.sql.ResultSet; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.LogManager; import org.apache.commons.codec.binary.Base64; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; -import dbProcs.Getter; /** - * Session Management Challenge Six - *

+ * Session Management Challenge Six
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SessionManagement6 extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SessionManagement6.class); - private static String levelName = "Session Management Challenge Six"; - public static String levelHash = "b5e1020e3742cf2c0880d4098146c4dde25ebd8ceab51807bad88ff47c316ece"; - /** - * Users must use this functionality to sign in as an administrator to retrieve the result key. - * @param userName Sub schema user name - * @param password Sub schema user password - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); - - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sessionManagement.sessionManagement6", locale); - - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - - String htmlOutput = new String(); - log.debug(levelName + " Servlet Accessed"); - try - { - log.debug("Getting Cookies"); - Cookie userCookies[] = request.getCookies(); - int i = 0; - Cookie theCookie = null; - for(i = 0; i < userCookies.length; i++) - { - 
if(userCookies[i].getName().compareTo("ac") == 0) - { - theCookie = userCookies[i]; - break; //End Loop, because we found the token - } - } - if(theCookie != null) - { - log.debug("Cookie value: " + theCookie.getValue()); - byte[] decodedCookieBytes = Base64.decodeBase64(theCookie.getValue()); - String decodedCookie = new String(decodedCookieBytes, "UTF-8"); - log.debug("Decoded Cookie: " + decodedCookie); - - if(decodedCookie.equals("doNotReturnAnswers")) //Untampered Cookie - { - log.debug("Getting Challenge Parameters"); - Object nameObj = request.getParameter("subName"); - Object passObj = request.getParameter("subPassword"); - String subName = new String(); - String subPass = new String(); - String userAddress = new String(); - if(nameObj != null) - subName = (String) nameObj; - if(passObj != null) - subPass = (String) passObj; - log.debug("subName = " + subName); - log.debug("subPass = " + subPass); - - log.debug("Getting ApplicationRoot"); - String ApplicationRoot = getServletContext().getRealPath(""); - - Connection conn = Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalSix"); - log.debug("Checking credentials"); - PreparedStatement callstmt; - - log.debug("Committing changes made to database"); - callstmt = conn.prepareStatement("COMMIT"); - callstmt.execute(); - log.debug("Changes committed."); - - //Filtering password for !, so that it is impossible for users to sign in - subPass = subPass.replaceAll("!", ""); - - callstmt = conn.prepareStatement("SELECT userName, userAddress FROM users WHERE userName = ? AND userPassword = SHA(?)"); - callstmt.setString(1, subName); - callstmt.setString(2, subPass); - log.debug("Executing authUser"); - ResultSet resultSet = callstmt.executeQuery(); - if(resultSet.next()) - { - //This should never happen. 
But just in case; - log.debug("Successful Login"); - // Get key and add it to the output - String userKey = Hash.generateUserSolution(Getter.getModuleResultFromHash(ApplicationRoot, levelHash), (String)ses.getAttribute("userName")); - htmlOutput = "

" + bundle.getString("response.welcome") + " " + Encode.forHtml(resultSet.getString(1)) + "

" + - "

" + - bundle.getString("response.resultKey") + " " + userKey + "" + - "

"; - } - else - { - log.debug("Incorrect credentials, checking if user name correct"); - callstmt = conn.prepareStatement("SELECT userAddress FROM users WHERE userName = ?"); - callstmt.setString(1, subName); - log.debug("Executing getAddress"); - resultSet = callstmt.executeQuery(); - if(resultSet.next()) - { - log.debug("User Found"); - userAddress = "" + bundle.getString("response.badPass") + " " + Encode.forHtml(resultSet.getString(1)) + "
"; - } - else - { - userAddress = "" + bundle.getString("response.badUser") + "
"; - } - htmlOutput = makeTable(userAddress, bundle); - } - Database.closeConnection(conn); - log.debug("Outputting HTML"); - } - else - { - log.debug("Tampered cookie detected"); - htmlOutput = new String(bundle.getString("response.configError")); - } - } - else - { - log.debug("Tampered cookie detected"); - htmlOutput = new String(bundle.getString("response.configError")); - } - out.write(htmlOutput); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } - - private static String makeTable (String userAddress, ResourceBundle bundle) - { - return "" + userAddress + "" + - "" + - "" + - "
" + bundle.getString("form.userName") + "
" + bundle.getString("form.password") + "
" + - "
"; - } +public class SessionManagement6 extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SessionManagement6.class); + private static String levelName = "Session Management Challenge Six"; + public static String levelHash = + "b5e1020e3742cf2c0880d4098146c4dde25ebd8ceab51807bad88ff47c316ece"; + + /** + * Users must use this functionality to sign in as an administrator to retrieve the result key. + * + * @param userName Sub schema user name + * @param password Sub schema user password + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); + + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.sessionManagement.sessionManagement6", locale); + + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + + String htmlOutput = new String(); + log.debug(levelName + " Servlet Accessed"); + try { + log.debug("Getting Cookies"); + Cookie userCookies[] = request.getCookies(); + int i = 0; + Cookie theCookie = null; + for (i = 0; i < userCookies.length; i++) { + if (userCookies[i].getName().compareTo("ac") == 0) { + theCookie = userCookies[i]; + break; // End Loop, because we found the token + } + } + 
if (theCookie != null) { + log.debug("Cookie value: " + theCookie.getValue()); + byte[] decodedCookieBytes = Base64.decodeBase64(theCookie.getValue()); + String decodedCookie = new String(decodedCookieBytes, "UTF-8"); + log.debug("Decoded Cookie: " + decodedCookie); + + if (decodedCookie.equals("doNotReturnAnswers")) // Untampered Cookie + { + log.debug("Getting Challenge Parameters"); + Object nameObj = request.getParameter("subName"); + Object passObj = request.getParameter("subPassword"); + String subName = new String(); + String subPass = new String(); + String userAddress = new String(); + if (nameObj != null) { + subName = (String) nameObj; + } + if (passObj != null) { + subPass = (String) passObj; + } + log.debug("subName = " + subName); + log.debug("subPass = " + subPass); + + log.debug("Getting ApplicationRoot"); + String ApplicationRoot = getServletContext().getRealPath(""); + + Connection conn = + Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalSix"); + log.debug("Checking credentials"); + PreparedStatement callstmt; + + log.debug("Committing changes made to database"); + callstmt = conn.prepareStatement("COMMIT"); + callstmt.execute(); + log.debug("Changes committed."); + + // Filtering password for !, so that it is impossible for users to sign in + subPass = subPass.replaceAll("!", ""); + + callstmt = + conn.prepareStatement( + "SELECT userName, userAddress FROM users WHERE userName = ? AND userPassword =" + + " SHA(?)"); + callstmt.setString(1, subName); + callstmt.setString(2, subPass); + log.debug("Executing authUser"); + ResultSet resultSet = callstmt.executeQuery(); + if (resultSet.next()) { + // This should never happen. But just in case; + log.debug("Successful Login"); + // Get key and add it to the output + String userKey = + Hash.generateUserSolution( + Getter.getModuleResultFromHash(ApplicationRoot, levelHash), + (String) ses.getAttribute("userName")); + htmlOutput = + "

" + + bundle.getString("response.welcome") + + " " + + Encode.forHtml(resultSet.getString(1)) + + "

" + + "

" + + bundle.getString("response.resultKey") + + " " + + userKey + + "" + + "

"; + } else { + log.debug("Incorrect credentials, checking if user name correct"); + callstmt = conn.prepareStatement("SELECT userAddress FROM users WHERE userName = ?"); + callstmt.setString(1, subName); + log.debug("Executing getAddress"); + resultSet = callstmt.executeQuery(); + if (resultSet.next()) { + log.debug("User Found"); + userAddress = + "" + + bundle.getString("response.badPass") + + " " + + Encode.forHtml(resultSet.getString(1)) + + "
"; + } else { + userAddress = "" + bundle.getString("response.badUser") + "
"; + } + htmlOutput = makeTable(userAddress, bundle); + } + Database.closeConnection(conn); + log.debug("Outputting HTML"); + } else { + log.debug("Tampered cookie detected"); + htmlOutput = new String(bundle.getString("response.configError")); + } + } else { + log.debug("Tampered cookie detected"); + htmlOutput = new String(bundle.getString("response.configError")); + } + out.write(htmlOutput); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } + + private static String makeTable(String userAddress, ResourceBundle bundle) { + return "" + + userAddress + + "" + + "" + + "" + + "
" + + bundle.getString("form.userName") + + "
" + + bundle.getString("form.password") + + "
" + + "
"; + } } diff --git a/src/main/java/servlets/module/challenge/SessionManagement6SecretQuestion.java b/src/main/java/servlets/module/challenge/SessionManagement6SecretQuestion.java index b77db839f..6da58bf34 100644 --- a/src/main/java/servlets/module/challenge/SessionManagement6SecretQuestion.java +++ b/src/main/java/servlets/module/challenge/SessionManagement6SecretQuestion.java @@ -1,5 +1,7 @@ package servlets.module.challenge; +import dbProcs.Database; +import dbProcs.Getter; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -8,259 +10,260 @@ import java.sql.SQLException; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.LogManager; import org.apache.commons.codec.binary.Base64; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; -import dbProcs.Getter; /** - * Session Management Challenge Six - Security Question - * Does not return result key - *
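Review bot: `request.getCookies()` returns `null` when the request carries no cookies, so `userCookies.length` in the `for` loop throws a NullPointerException that the outer `catch (Exception e)` turns into a fatal log and a generic error page instead of the `theCookie == null` branch the code clearly intends for that case. Guard the loop with `if (userCookies != null) { ... }` (the loop index `i` can then also be declared inside the `for`). `log.debug("subPass = " + subPass);` writes the submitted password to the log in clear text; drop it, or log only whether a value was present — credentials do not belong in debug output even in a training module. `new String(decodedCookieBytes, "UTF-8")` can become `new String(decodedCookieBytes, StandardCharsets.UTF_8)`, which removes the checked-exception path for an encoding that cannot be missing. `Database.closeConnection(conn)` is again only reached on the success path; the same missing-`finally` point raised for SessionManagement5SetToken applies here.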

+ * Session Management Challenge Six - Security Question Does not return result key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SessionManagement6SecretQuestion extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SessionManagement6SecretQuestion.class); - private static String levelName = "Session Management Challenge Six (Secret Question)"; - private static String levelHash = "b5e1020e3742cf2c0880d4098146c4dde25ebd8ceab51807bad88ff47c316ece"; - /** - * A user submits a username and answer, these values are checked against the DB to see if they are valid - * @param subEmail Sub schema user email to search DB with - * @param subAnswer Sub schema user secret answer to check against the DB - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class SessionManagement6SecretQuestion extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SessionManagement6SecretQuestion.class); + private static String levelName = "Session Management Challenge Six (Secret Question)"; + private static String levelHash = + "b5e1020e3742cf2c0880d4098146c4dde25ebd8ceab51807bad88ff47c316ece"; + + /** + * A user submits a username and answer, these values are checked against the DB to see if they + * are valid + * + * @param subEmail Sub schema user email to search DB with + * @param subAnswer Sub schema user secret answer to check against the DB + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress 
To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sessionManagement.sessionManagement6", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.sessionManagement.sessionManagement6", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - String htmlOutput = new String(); - log.debug(levelName + " Servlet accessed"); - try - { - log.debug("Getting Challenge Parameters"); - Object emailObj = request.getParameter("subEmail"); - String subEmail = Validate.validateParameter(emailObj, 60); - log.debug("subEmail = " + subEmail); - Object ansObj = request.getParameter("subAnswer"); - String subAns = Validate.validateParameter(ansObj, 128); - log.debug("subAnswer = " + subAns); + String htmlOutput = new 
String(); + log.debug(levelName + " Servlet accessed"); + try { + log.debug("Getting Challenge Parameters"); + Object emailObj = request.getParameter("subEmail"); + String subEmail = Validate.validateParameter(emailObj, 60); + log.debug("subEmail = " + subEmail); + Object ansObj = request.getParameter("subAnswer"); + String subAns = Validate.validateParameter(ansObj, 128); + log.debug("subAnswer = " + subAns); - String ApplicationRoot = getServletContext().getRealPath(""); - try - { - if(Validate.isValidEmailAddress(subEmail) && subAns.length() > 5) - { - Connection conn = Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalSix"); - log.debug("Checking Secret Answer"); - PreparedStatement callstmt = conn.prepareStatement("SELECT userName FROM users WHERE userAddress = ? AND secretAnswer = ?"); - callstmt.setString(1, subEmail); - callstmt.setString(2, subAns); - log.debug("Running secret Answer Check"); - ResultSet rs = callstmt.executeQuery(); - if(rs.next()) - { - log.debug("Correct Answer Submitted"); - // Get key and add it to the output - String userKey = Hash.generateUserSolution(Getter.getModuleResultFromHash(ApplicationRoot, levelHash), (String)ses.getAttribute("userName")); - htmlOutput = "

" + bundle.getString("response.welcome") + " " + Encode.forHtml(rs.getString(1)) + "

" + - "

" + - bundle.getString("response.welcome")+ " " + userKey + "" + - "

"; - } - else - { - log.debug("Bad Answer Submitted"); - htmlOutput = new String("

" + bundle.getString("question.badAnswer") + "

" + bundle.getString("question.whoAreYou")); - } - Database.closeConnection(conn); - } - else - { - log.debug("Invalid data submitted"); - htmlOutput = new String("" + bundle.getString("question.invalidData") + ": "); - if(subAns.length() < 5) - htmlOutput += bundle.getString("question.invalidAns"); - else - htmlOutput += bundle.getString("question.invalidEmail"); - } - } - catch(SQLException e) - { - log.error(levelName + " SQL Error: " + e.toString()); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + String ApplicationRoot = getServletContext().getRealPath(""); + try { + if (Validate.isValidEmailAddress(subEmail) && subAns.length() > 5) { + Connection conn = + Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalSix"); + log.debug("Checking Secret Answer"); + PreparedStatement callstmt = + conn.prepareStatement( + "SELECT userName FROM users WHERE userAddress = ? AND secretAnswer = ?"); + callstmt.setString(1, subEmail); + callstmt.setString(2, subAns); + log.debug("Running secret Answer Check"); + ResultSet rs = callstmt.executeQuery(); + if (rs.next()) { + log.debug("Correct Answer Submitted"); + // Get key and add it to the output + String userKey = + Hash.generateUserSolution( + Getter.getModuleResultFromHash(ApplicationRoot, levelHash), + (String) ses.getAttribute("userName")); + htmlOutput = + "

" + + bundle.getString("response.welcome") + + " " + + Encode.forHtml(rs.getString(1)) + + "

" + + "

" + + bundle.getString("response.welcome") + + " " + + userKey + + "" + + "

"; + } else { + log.debug("Bad Answer Submitted"); + htmlOutput = + new String( + "

" + + bundle.getString("question.badAnswer") + + "

" + + bundle.getString("question.whoAreYou")); + } + Database.closeConnection(conn); + } else { + log.debug("Invalid data submitted"); + htmlOutput = new String("" + bundle.getString("question.invalidData") + ": "); + if (subAns.length() < 5) { + htmlOutput += bundle.getString("question.invalidAns"); + } else { + htmlOutput += bundle.getString("question.invalidEmail"); + } + } + } catch (SQLException e) { + log.error(levelName + " SQL Error: " + e.toString()); + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } - /** - * A user submits an email address to get that user's Secret QUestion. This is vulnerable to SQL injection - * @param subEmail Sub schema user email to search DB with - */ - public void doGet (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - String levelName = "Session Management Challenge Six (Get Question)"; - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); + /** + * A user submits an email address to get that user's Secret QUestion. 
This is vulnerable to SQL + * injection + * + * @param subEmail Sub schema user email to search DB with + */ + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + String levelName = "Session Management Challenge Six (Get Question)"; + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sessionManagement.sessionManagement6", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.sessionManagement.sessionManagement6", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - String htmlOutput = new String(); - log.debug(levelName + " Servlet accessed"); - try - { - log.debug("Getting Cookies"); - Cookie 
userCookies[] = request.getCookies(); - int i = 0; - Cookie theCookie = null; - for(i = 0; i < userCookies.length; i++) - { - if(userCookies[i].getName().compareTo("ac") == 0) - { - theCookie = userCookies[i]; - break; //End Loop, because we found the token - } - } - if(theCookie != null) - { - byte[] decodedCookieBytes = Base64.decodeBase64(theCookie.getValue()); - String decodedCookie = new String(decodedCookieBytes, "UTF-8"); - log.debug("Decoded Cookie: " + decodedCookie); + String htmlOutput = new String(); + log.debug(levelName + " Servlet accessed"); + try { + log.debug("Getting Cookies"); + Cookie userCookies[] = request.getCookies(); + int i = 0; + Cookie theCookie = null; + for (i = 0; i < userCookies.length; i++) { + if (userCookies[i].getName().compareTo("ac") == 0) { + theCookie = userCookies[i]; + break; // End Loop, because we found the token + } + } + if (theCookie != null) { + byte[] decodedCookieBytes = Base64.decodeBase64(theCookie.getValue()); + String decodedCookie = new String(decodedCookieBytes, "UTF-8"); + log.debug("Decoded Cookie: " + decodedCookie); - if(decodedCookie.equals("doNotReturnAnswers")) //Untampered Cookie - { - log.debug("Getting Parameter"); - Object emailObj = request.getParameter("subEmail"); - String subEmail = Validate.validateParameter(emailObj, 75); - log.debug("subEmail = " + subEmail); + if (decodedCookie.equals("doNotReturnAnswers")) // Untampered Cookie + { + log.debug("Getting Parameter"); + Object emailObj = request.getParameter("subEmail"); + String subEmail = Validate.validateParameter(emailObj, 75); + log.debug("subEmail = " + subEmail); - String ApplicationRoot = getServletContext().getRealPath(""); - try - { - if(subEmail.length() < 10) - { - log.debug("Invalid data submitted"); - htmlOutput = new String("" + bundle.getString("question.invalidData") + ": " + bundle.getString("question.invalidEmail")); - } - else - { - Connection conn = Database.getChallengeConnection(ApplicationRoot, 
"BrokenAuthAndSessMangChalSix"); - log.debug("Getting Secret Question"); - PreparedStatement callstmt = conn.prepareStatement("SELECT secretQuestion FROM users WHERE userAddress = \"" + subEmail +"\""); - ResultSet rs = callstmt.executeQuery(); - if(rs.next()) - { - log.debug("'Valid' User Detected"); - log.debug("Encoding for output: " + rs.getString(1)); - //rs.getString(1) contains the question for the user to answer. This question is asked in English as it must be answered in English to successfully pass the level - htmlOutput = new String(Encode.forHtml(rs.getString(1))); - } - else - { - log.debug("No question found for user"); - htmlOutput = bundle.getString("question.noQuestion"); - } - Database.closeConnection(conn); - } - } - catch(SQLException e) - { - log.debug(levelName + " SQL Error: " + e.toString()); - log.debug("Outputting error to user"); - htmlOutput = new String(e.toString()); - } - } - else - { - log.debug("Tampered cookie detected"); - htmlOutput = new String(bundle.getString("response.configError")); - } - } - else - { - log.debug("Tampered cookie detected"); - htmlOutput = new String(bundle.getString("response.configError")); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + String ApplicationRoot = getServletContext().getRealPath(""); + try { + if (subEmail.length() < 10) { + log.debug("Invalid data submitted"); + htmlOutput = + new String( + "" + + bundle.getString("question.invalidData") + + ": " + + bundle.getString("question.invalidEmail")); + } else { + Connection conn = + Database.getChallengeConnection( + ApplicationRoot, "BrokenAuthAndSessMangChalSix"); + log.debug("Getting Secret Question"); + PreparedStatement callstmt = + conn.prepareStatement( + "SELECT secretQuestion FROM users WHERE userAddress = \"" + + 
subEmail
+ + "\"");
+ ResultSet rs = callstmt.executeQuery();
+ if (rs.next()) {
+ log.debug("'Valid' User Detected");
+ log.debug("Encoding for output: " + rs.getString(1));
+ // rs.getString(1) contains the question for the user to answer. This question is
+ // asked in English as it must be answered in English to successfully pass the
+ // level
+ htmlOutput = new String(Encode.forHtml(rs.getString(1)));
+ } else {
+ log.debug("No question found for user");
+ htmlOutput = bundle.getString("question.noQuestion");
+ }
+ Database.closeConnection(conn);
+ }
+ } catch (SQLException e) {
+ log.debug(levelName + " SQL Error: " + e.toString());
+ log.debug("Outputting error to user");
+ htmlOutput = new String(e.toString());
+ }
+ } else {
+ log.debug("Tampered cookie detected");
+ htmlOutput = new String(bundle.getString("response.configError"));
+ }
+ } else {
+ log.debug("Tampered cookie detected");
+ htmlOutput = new String(bundle.getString("response.configError"));
+ }
+ log.debug("Outputting HTML");
+ out.write(htmlOutput);
+ } catch (Exception e) {
+ out.write(errors.getString("error.funky"));
+ log.fatal(levelName + " - " + e.toString());
+ }
+ } else {
+ log.error(levelName + " servlet accessed with no session");
+ }
+ }
 }
diff --git a/src/main/java/servlets/module/challenge/SessionManagement7.java b/src/main/java/servlets/module/challenge/SessionManagement7.java
index 9b5cf5e67..ddbe52067 100644
--- a/src/main/java/servlets/module/challenge/SessionManagement7.java
+++ b/src/main/java/servlets/module/challenge/SessionManagement7.java
@@ -1,5 +1,7 @@ package servlets.module.challenge;
+import dbProcs.Database;
+import dbProcs.Getter;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.sql.Connection;
@@ -7,194 +9,204 @@ import java.sql.ResultSet;
 import java.util.Locale;
 import java.util.ResourceBundle;
-
 import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
-
-import org.apache.logging.log4j.Logger;
-import org.apache.logging.log4j.LogManager;
 import org.apache.commons.codec.binary.Base64;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.owasp.encoder.Encode;
-
-
 import utils.Hash;
 import utils.ShepherdLogManager;
 import utils.Validate;
-import dbProcs.Database;
-import dbProcs.Getter;
 /**
- * Session Management Challenge 7
- *

+ * Session Management Challenge 7
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security
+ * Shepherd project. If not, see .
 *
+ * @author Mark Denihan
 */
-public class SessionManagement7 extends HttpServlet
-{
- private static final long serialVersionUID = 1L;
- private static final Logger log = LogManager.getLogger(SessionManagement7.class);
- private static String levelName = "Session Management Challenge 7";
- public static String levelHash = "269d55bc0e0ff635dcaeec8533085e5eae5d25e8646dcd4b05009353c9cf9c80";
- /**
- * Users must use this functionality to sign in as an administrator to retrieve the result key.
- * @param userName Sub schema user name
- * @param password Sub schema user password
- */
- public void doPost (HttpServletRequest request, HttpServletResponse response)
- throws ServletException, IOException
- {
- //Setting IpAddress To Log and taking header for original IP if forwarded from proxy
- ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));
- HttpSession ses = request.getSession(true);
+public class SessionManagement7 extends HttpServlet {
+
+ private static final long serialVersionUID = 1L;
+ private static final Logger log = LogManager.getLogger(SessionManagement7.class);
+ private static String levelName = "Session Management Challenge 7";
+ public static String levelHash =
+ "269d55bc0e0ff635dcaeec8533085e5eae5d25e8646dcd4b05009353c9cf9c80";
+
+ /**
+ * Users must use this functionality to sign in as an administrator to retrieve the result key.
+ * + * @param userName Sub schema user name + * @param password Sub schema user password + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sessionManagement.sessionManagement7", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.sessionManagement.sessionManagement7", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - String htmlOutput = new String(); - log.debug(levelName + " Servlet Accessed"); - try - { - log.debug("Getting Cookies"); - Cookie userCookies[] = request.getCookies(); - int i = 0; - Cookie theCookie = null; - for(i = 0; i < 
userCookies.length; i++) - { - if(userCookies[i].getName().compareTo("ac") == 0) - { - theCookie = userCookies[i]; - break; //End Loop, because we found the token - } - } - if(theCookie != null) - { - log.debug("Cookie value: " + theCookie.getValue()); - byte[] decodedCookieBytes = Base64.decodeBase64(theCookie.getValue()); - String decodedCookie = new String(decodedCookieBytes, "UTF-8"); - log.debug("Decoded Cookie: " + decodedCookie); - if(decodedCookie.equals("doNotReturnAnswers")) //Untampered Cookie - { - log.debug("Getting Challenge Parameters"); - Object nameObj = request.getParameter("subName"); - Object passObj = request.getParameter("subPassword"); - String subName = new String(); - String subPass = new String(); - String userAddress = new String(); - if(nameObj != null) - subName = (String) nameObj; - if(passObj != null) - subPass = (String) passObj; - log.debug("subName = " + subName); - log.debug("subPass = " + subPass); + String htmlOutput = new String(); + log.debug(levelName + " Servlet Accessed"); + try { + log.debug("Getting Cookies"); + Cookie userCookies[] = request.getCookies(); + int i = 0; + Cookie theCookie = null; + for (i = 0; i < userCookies.length; i++) { + if (userCookies[i].getName().compareTo("ac") == 0) { + theCookie = userCookies[i]; + break; // End Loop, because we found the token + } + } + if (theCookie != null) { + log.debug("Cookie value: " + theCookie.getValue()); + byte[] decodedCookieBytes = Base64.decodeBase64(theCookie.getValue()); + String decodedCookie = new String(decodedCookieBytes, "UTF-8"); + log.debug("Decoded Cookie: " + decodedCookie); + if (decodedCookie.equals("doNotReturnAnswers")) // Untampered Cookie + { + log.debug("Getting Challenge Parameters"); + Object nameObj = request.getParameter("subName"); + Object passObj = request.getParameter("subPassword"); + String subName = new String(); + String subPass = new String(); + String userAddress = new String(); + if (nameObj != null) { + subName = (String) nameObj; 
+ } + if (passObj != null) { + subPass = (String) passObj; + } + log.debug("subName = " + subName); + log.debug("subPass = " + subPass); - String ApplicationRoot = getServletContext().getRealPath(""); - Connection conn = Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalFlowers"); - log.debug("Checking credentials"); - PreparedStatement callstmt; + String ApplicationRoot = getServletContext().getRealPath(""); + Connection conn = + Database.getChallengeConnection( + ApplicationRoot, "BrokenAuthAndSessMangChalFlowers"); + log.debug("Checking credentials"); + PreparedStatement callstmt; - log.debug("Committing changes made to database"); - callstmt = conn.prepareStatement("COMMIT"); - callstmt.execute(); - log.debug("Changes committed."); + log.debug("Committing changes made to database"); + callstmt = conn.prepareStatement("COMMIT"); + callstmt.execute(); + log.debug("Changes committed."); - //Filtering password for !, so that it is impossible for users to sign in - subPass = subPass.replaceAll("!", ""); + // Filtering password for !, so that it is impossible for users to sign in + subPass = subPass.replaceAll("!", ""); - callstmt = conn.prepareStatement("SELECT userName, userAddress FROM users WHERE userName = ? AND userPassword = SHA(?)"); - callstmt.setString(1, subName); - callstmt.setString(2, subPass); - log.debug("Executing authUser"); - ResultSet resultSet = callstmt.executeQuery(); - if(resultSet.next()) - { - //This should never happen. But just in case; - log.debug("Successful Login"); - // Get key and add it to the output - String userKey = Hash.generateUserSolution(Getter.getModuleResultFromHash(ApplicationRoot, levelHash), (String)ses.getAttribute("userName")); - htmlOutput = "

" + bundle.getString("response.welcome") + " " + Encode.forHtml(resultSet.getString(1)) + "

" + - "

" + - "" + bundle.getString("response.resultKey") + " " + userKey + "" + - "

"; - } - else - { - log.debug("Incorrect credentials, checking if user name correct"); - callstmt = conn.prepareStatement("SELECT userAddress FROM users WHERE userName = ?"); - callstmt.setString(1, subName); - log.debug("Executing getAddress"); - resultSet = callstmt.executeQuery(); - if(resultSet.next()) - { - log.debug("User Found"); - userAddress = bundle.getString("response.badPass") + " " + Encode.forHtml(resultSet.getString(1)) + "
"; - } - else - { - userAddress = bundle.getString("response.badUser") + "
"; - } - htmlOutput = makeTable(userAddress, bundle); - } - Database.closeConnection(conn); - log.debug("Outputting HTML"); - } - else - { - log.debug("Tampered cookie detected"); - htmlOutput = new String(bundle.getString("response.configError")); - } - } - else - { - log.debug("Tampered cookie detected"); - htmlOutput = new String(bundle.getString("response.configError")); - } - out.write(htmlOutput); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + callstmt = + conn.prepareStatement( + "SELECT userName, userAddress FROM users WHERE userName = ? AND userPassword =" + + " SHA(?)"); + callstmt.setString(1, subName); + callstmt.setString(2, subPass); + log.debug("Executing authUser"); + ResultSet resultSet = callstmt.executeQuery(); + if (resultSet.next()) { + // This should never happen. But just in case; + log.debug("Successful Login"); + // Get key and add it to the output + String userKey = + Hash.generateUserSolution( + Getter.getModuleResultFromHash(ApplicationRoot, levelHash), + (String) ses.getAttribute("userName")); + htmlOutput = + "

" + + bundle.getString("response.welcome") + + " " + + Encode.forHtml(resultSet.getString(1)) + + "

" + + "

" + + "" + + bundle.getString("response.resultKey") + + " " + + userKey + + "" + + "

"; + } else { + log.debug("Incorrect credentials, checking if user name correct"); + callstmt = conn.prepareStatement("SELECT userAddress FROM users WHERE userName = ?"); + callstmt.setString(1, subName); + log.debug("Executing getAddress"); + resultSet = callstmt.executeQuery(); + if (resultSet.next()) { + log.debug("User Found"); + userAddress = + bundle.getString("response.badPass") + + " " + + Encode.forHtml(resultSet.getString(1)) + + "
"; + } else { + userAddress = bundle.getString("response.badUser") + "
"; + } + htmlOutput = makeTable(userAddress, bundle); + } + Database.closeConnection(conn); + log.debug("Outputting HTML"); + } else { + log.debug("Tampered cookie detected"); + htmlOutput = new String(bundle.getString("response.configError")); + } + } else { + log.debug("Tampered cookie detected"); + htmlOutput = new String(bundle.getString("response.configError")); + } + out.write(htmlOutput); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } - private static String makeTable (String userAddress, ResourceBundle bundle) - { - return "" + userAddress + "" + - "" + - "" + - "
" + bundle.getString("form.userName") + "
" + bundle.getString("form.password") + "
" + - "
"; - } + private static String makeTable(String userAddress, ResourceBundle bundle) { + return "" + + userAddress + + "" + + "" + + "" + + "
" + + bundle.getString("form.userName") + + "
" + + bundle.getString("form.password") + + "
" + + "
";
+ }
 }
diff --git a/src/main/java/servlets/module/challenge/SessionManagement7SecretQuestion.java b/src/main/java/servlets/module/challenge/SessionManagement7SecretQuestion.java
index 83264ebf9..15d6721d5 100644
--- a/src/main/java/servlets/module/challenge/SessionManagement7SecretQuestion.java
+++ b/src/main/java/servlets/module/challenge/SessionManagement7SecretQuestion.java
@@ -1,5 +1,7 @@ package servlets.module.challenge;
+import dbProcs.Database;
+import dbProcs.Getter;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.sql.Connection;
@@ -8,244 +10,252 @@ import java.sql.SQLException;
 import java.util.Locale;
 import java.util.ResourceBundle;
-
 import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
-
-import org.apache.logging.log4j.Logger;
-import org.apache.logging.log4j.LogManager;
 import org.apache.commons.codec.binary.Base64;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.owasp.encoder.Encode;
-
-
 import utils.Hash;
 import utils.ShepherdLogManager;
 import utils.Validate;
-import dbProcs.Database;
-import dbProcs.Getter;
 /**
- * Session Management Challenge 7 - Security Question
- * Does not return result key
- *
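Review bot: `log.debug("subPass = " + subPass);` in SessionManagement7.doPost writes the submitted password to the application log in clear text, and the reformat carries it over unchanged; replace it with a line that records only that a value arrived, e.g. `log.debug("subPass received, length = " + subPass.length());`. `Database.closeConnection(conn)` is reached only when every JDBC call succeeds — an exception from `prepareStatement`/`executeQuery` jumps to the outer `catch (Exception e)` with the connection still open, so the close belongs in a `finally` block (with `callstmt`/`resultSet` in try-with-resources). `request.getCookies()` returns null when the request carries no cookies, so `userCookies.length` throws a NullPointerException into that same broad catch and the user receives `error.funky` instead of the configError message; a null check before the loop would route that case to the intended branch. The doPost Javadoc still lists `@param userName` and `@param password`, which are form fields rather than the method's `request`/`response` parameters, so javadoc will report them as unknown; describe the form fields in the summary sentence instead.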

+ * Session Management Challenge 7 - Security Question Does not return result key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SessionManagement7SecretQuestion extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SessionManagement7SecretQuestion.class); - private static String levelName = "Session Management Challenge 7 (Secret Question)"; - private static String levelHash = "269d55bc0e0ff635dcaeec8533085e5eae5d25e8646dcd4b05009353c9cf9c80"; - //To catch most requests before calling the DB, the in comming Answers must be one of the following flowers - private static String possibleAnswers[] = {new String("Jade Vine"), new String("Corpse Flower"), - new String("Gibraltar Campion"), new String("Franklin Tree"), new String("Middlemist Red"), - new String("Chocolate Cosmos"), new String("Ghost Orchid")}; - /** - * A user submits a username and answer, these values are checked against the DB to see if they are valid - * @param subEmail Sub schema user email to search DB with - * @param subAnswer Sub schema user secret answer to check against the DB - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class SessionManagement7SecretQuestion extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SessionManagement7SecretQuestion.class); + private static String levelName = "Session Management Challenge 7 (Secret Question)"; + private static String levelHash = + "269d55bc0e0ff635dcaeec8533085e5eae5d25e8646dcd4b05009353c9cf9c80"; + // To catch most requests before calling 
the DB, the in comming Answers must be one of the + // following flowers + private static String possibleAnswers[] = { + new String("Jade Vine"), + new String("Corpse Flower"), + new String("Gibraltar Campion"), + new String("Franklin Tree"), + new String("Middlemist Red"), + new String("Chocolate Cosmos"), + new String("Ghost Orchid") + }; + + /** + * A user submits a username and answer, these values are checked against the DB to see if they + * are valid + * + * @param subEmail Sub schema user email to search DB with + * @param subAnswer Sub schema user secret answer to check against the DB + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sessionManagement.sessionManagement7", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.sessionManagement.sessionManagement7", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); + if (Validate.validateSession(ses)) { + 
ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - String htmlOutput = new String(); - log.debug(levelName + " Servlet accessed"); - try - { - log.debug("Getting Challenge Parameters"); + String htmlOutput = new String(); + log.debug(levelName + " Servlet accessed"); + try { + log.debug("Getting Challenge Parameters"); - Object ansObj = request.getParameter("subAnswer"); - String subAns = Validate.validateParameter(ansObj, 35); - log.debug("subAnswer = " + subAns); - Object emailObj = request.getParameter("subEmail"); - String subEmail = Validate.validateParameter(emailObj, 60); - log.debug("subEmail = " + subEmail); - if(validAnswer(subAns)) - { - log.debug("Submitted answer is a possible valid answer"); - String ApplicationRoot = getServletContext().getRealPath(""); - try - { - if(Validate.isValidEmailAddress(subEmail) && subAns.length() > 5) - { - Connection conn = Database.getChallengeConnection(ApplicationRoot, "BrokenAuthAndSessMangChalFlowers"); - log.debug("Checking Secret Answer"); - PreparedStatement callstmt = conn.prepareStatement("SELECT userName FROM users WHERE userAddress = ? AND secretAnswer = ?"); - callstmt.setString(1, subEmail); - callstmt.setString(2, subAns); - log.debug("Running secret Answer Check"); - ResultSet rs = callstmt.executeQuery(); - if(rs.next()) - { - log.debug("Correct Answer Submitted"); - // Get key and add it to the output - String userKey = Hash.generateUserSolution(Getter.getModuleResultFromHash(ApplicationRoot, levelHash), (String)ses.getAttribute("userName")); - htmlOutput = "

" + bundle.getString("response.welcome") + " " + Encode.forHtml(rs.getString(1)) + "

" + - "

" + - bundle.getString("response.resultKey") + " " + userKey + "" + - "

"; - } - else - { - log.debug("Bad Answer Submitted"); - htmlOutput = new String("

" + bundle.getString("question.badAnswer") + "

" + bundle.getString("question.whoAreYou") + "

"); - } - Database.closeConnection(conn); - } - else - { - log.debug("Invalid data submitted"); - htmlOutput = new String("" + bundle.getString("question.invalidData") + ": "); - if(subAns.length() < 5) - htmlOutput += bundle.getString("question.invalidAns"); - else - htmlOutput += bundle.getString("question.invalidEmail"); - } - } - catch(SQLException e) - { - log.error(levelName + " SQL Error: " + e.toString()); - } - } - else - { - log.debug("Invalid answer submitted for any user, skipping rest of function"); - htmlOutput = new String("

" + bundle.getString("question.badAnswer") + "

" + bundle.getString("question.whoAreYou") + "

"); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + Object ansObj = request.getParameter("subAnswer"); + String subAns = Validate.validateParameter(ansObj, 35); + log.debug("subAnswer = " + subAns); + Object emailObj = request.getParameter("subEmail"); + String subEmail = Validate.validateParameter(emailObj, 60); + log.debug("subEmail = " + subEmail); + if (validAnswer(subAns)) { + log.debug("Submitted answer is a possible valid answer"); + String ApplicationRoot = getServletContext().getRealPath(""); + try { + if (Validate.isValidEmailAddress(subEmail) && subAns.length() > 5) { + Connection conn = + Database.getChallengeConnection( + ApplicationRoot, "BrokenAuthAndSessMangChalFlowers"); + log.debug("Checking Secret Answer"); + PreparedStatement callstmt = + conn.prepareStatement( + "SELECT userName FROM users WHERE userAddress = ? AND secretAnswer = ?"); + callstmt.setString(1, subEmail); + callstmt.setString(2, subAns); + log.debug("Running secret Answer Check"); + ResultSet rs = callstmt.executeQuery(); + if (rs.next()) { + log.debug("Correct Answer Submitted"); + // Get key and add it to the output + String userKey = + Hash.generateUserSolution( + Getter.getModuleResultFromHash(ApplicationRoot, levelHash), + (String) ses.getAttribute("userName")); + htmlOutput = + "

" + + bundle.getString("response.welcome") + + " " + + Encode.forHtml(rs.getString(1)) + + "

" + + "

" + + bundle.getString("response.resultKey") + + " " + + userKey + + "" + + "

"; + } else { + log.debug("Bad Answer Submitted"); + htmlOutput = + new String( + "

" + + bundle.getString("question.badAnswer") + + "

" + + bundle.getString("question.whoAreYou") + + "

"); + } + Database.closeConnection(conn); + } else { + log.debug("Invalid data submitted"); + htmlOutput = new String("" + bundle.getString("question.invalidData") + ": "); + if (subAns.length() < 5) { + htmlOutput += bundle.getString("question.invalidAns"); + } else { + htmlOutput += bundle.getString("question.invalidEmail"); + } + } + } catch (SQLException e) { + log.error(levelName + " SQL Error: " + e.toString()); + } + } else { + log.debug("Invalid answer submitted for any user, skipping rest of function"); + htmlOutput = + new String( + "

" + + bundle.getString("question.badAnswer") + + "

" + + bundle.getString("question.whoAreYou") + + "

"); + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } - /** - * A user submits an email address to get that user's Secret QUestion. This is vulnerable to SQL injection - * @param subEmail Sub schema user email to search DB with - */ - public void doGet (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - String levelName = "Session Management Challenge 7 (Get Question)"; - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); + /** + * A user submits an email address to get that user's Secret QUestion. This is vulnerable to SQL + * injection + * + * @param subEmail Sub schema user email to search DB with + */ + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + String levelName = "Session Management Challenge 7 (Get Question)"; + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sessionManagement.sessionManagement7", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle 
= + ResourceBundle.getBundle( + "i18n.servlets.challenges.sessionManagement.sessionManagement7", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); - log.debug(levelName + " Servlet accessed"); - try - { - log.debug("Getting Cookies"); - Cookie userCookies[] = request.getCookies(); - int i = 0; - Cookie theCookie = null; - for(i = 0; i < userCookies.length; i++) - { - if(userCookies[i].getName().compareTo("ac") == 0) - { - theCookie = userCookies[i]; - break; //End Loop, because we found the token - } - } - if(theCookie != null) - { - log.debug("Cookie value: " + theCookie.getValue()); - log.debug("Cookie value: " + theCookie.getValue()); - byte[] decodedCookieBytes = Base64.decodeBase64(theCookie.getValue()); - String decodedCookie = new String(decodedCookieBytes, "UTF-8"); - log.debug("Decoded Cookie: " + decodedCookie); - if(decodedCookie.equals("doNotReturnAnswers")) //Untampered Cookie - { - //Question not translated as DB will only mark English answers as correct - htmlOutput = new String("What is your favourite flower?"); - } - else - { - log.debug("Tampered cookie detected"); - htmlOutput = bundle.getString("response.configError"); - } - } - else - { - log.debug("Tampered cookie detected"); - htmlOutput = bundle.getString("response.configError"); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + 
request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); + log.debug(levelName + " Servlet accessed"); + try { + log.debug("Getting Cookies"); + Cookie userCookies[] = request.getCookies(); + int i = 0; + Cookie theCookie = null; + for (i = 0; i < userCookies.length; i++) { + if (userCookies[i].getName().compareTo("ac") == 0) { + theCookie = userCookies[i]; + break; // End Loop, because we found the token + } + } + if (theCookie != null) { + log.debug("Cookie value: " + theCookie.getValue()); + log.debug("Cookie value: " + theCookie.getValue()); + byte[] decodedCookieBytes = Base64.decodeBase64(theCookie.getValue()); + String decodedCookie = new String(decodedCookieBytes, "UTF-8"); + log.debug("Decoded Cookie: " + decodedCookie); + if (decodedCookie.equals("doNotReturnAnswers")) // Untampered Cookie + { + // Question not translated as DB will only mark English answers as correct + htmlOutput = new String("What is your favourite flower?"); + } else { + log.debug("Tampered cookie detected"); + htmlOutput = bundle.getString("response.configError"); + } + } else { + log.debug("Tampered cookie detected"); + htmlOutput = bundle.getString("response.configError"); + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + } + } - private static boolean validAnswer(String submittedAns) - { - for(int i = 0; i < possibleAnswers.length; i++) - { - if(possibleAnswers[i].equalsIgnoreCase(submittedAns)) - return true; - } - return false; - } + private static boolean validAnswer(String submittedAns) { + for (int i = 0; i < possibleAnswers.length; i++) { + if 
(possibleAnswers[i].equalsIgnoreCase(submittedAns)) { + return true; + } + } + return false; + } } diff --git a/src/main/java/servlets/module/challenge/SessionManagement8.java b/src/main/java/servlets/module/challenge/SessionManagement8.java index fdabf412e..697a9a9f1 100644 --- a/src/main/java/servlets/module/challenge/SessionManagement8.java +++ b/src/main/java/servlets/module/challenge/SessionManagement8.java @@ -1,164 +1,169 @@ package servlets.module.challenge; +import dbProcs.Getter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - -import dbProcs.Getter; +import org.apache.logging.log4j.Logger; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; /** - * Session Management Challenge Eight - *

+ * Session Management Challenge Eight
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SessionManagement8 extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SessionManagement8.class); - private static String levelName = "Session Management Challenge Eight"; - private static String levelHash = "714d8601c303bbef8b5cabab60b1060ac41f0d96f53b6ea54705bb1ea4316334"; - /** - * Users must take advance of the broken session management in this application by modifying the tracking cookie "challengeRole" which is encoded in ATOM-128. They must modify this cookie to be equal to superuser to access the result key. - * @param returnUserRole Red herring - * @param returnPassword Red herring - * @param adminDetected Red herring - * @param challengeRole Cookie encoded ATOM-128 that manages who is signed in to the sub schema - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - String redherringOne = new String("returnUserRole"); - String redherringTwo = new String("returnPassword"); - String redherringThr = new String("adminDetected"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); +public class SessionManagement8 extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SessionManagement8.class); + private static String levelName = "Session Management Challenge Eight"; + private static String levelHash = + "714d8601c303bbef8b5cabab60b1060ac41f0d96f53b6ea54705bb1ea4316334"; + + /** + * Users must take advance of the broken session management in this application by modifying the + * tracking cookie "challengeRole" which is encoded in ATOM-128. They must modify this cookie to + * be equal to superuser to access the result key. 
+ * + * @param returnUserRole Red herring + * @param returnPassword Red herring + * @param adminDetected Red herring + * @param challengeRole Cookie encoded ATOM-128 that manages who is signed in to the sub schema + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + String redherringOne = new String("returnUserRole"); + String redherringTwo = new String("returnPassword"); + String redherringThr = new String("adminDetected"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sessionManagement.sessionManagement8", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle( + "i18n.servlets.challenges.sessionManagement.sessionManagement8", locale); - try - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie userCookies[] = request.getCookies(); - int i = 0; - Cookie theCookie = null; - for(i = 0; i < userCookies.length; i++) - { - if(userCookies[i].getName().compareTo("challengeRole") == 0) - { - theCookie = userCookies[i]; - break; //End Loop, because we found the token - } - 
} - String htmlOutput = new String(); - if(theCookie != null) - { - log.debug("Cookie value: " + theCookie.getValue()); + try { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie userCookies[] = request.getCookies(); + int i = 0; + Cookie theCookie = null; + for (i = 0; i < userCookies.length; i++) { + if (userCookies[i].getName().compareTo("challengeRole") == 0) { + theCookie = userCookies[i]; + break; // End Loop, because we found the token + } + } + String htmlOutput = new String(); + if (theCookie != null) { + log.debug("Cookie value: " + theCookie.getValue()); - if(theCookie.getValue().equals("nmHqLjQknlHs")) - { - log.debug("Super User Cookie detected"); - // Get key and add it to the output - String userKey = Hash.generateUserSolution(Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash), (String)ses.getAttribute("userName")); - htmlOutput = "

" + bundle.getString("response.superUserClub") + "

" + - "

" + - bundle.getString("response.welcomeSuperUser") + " " + - "" + userKey + "" + - "

"; - } - else if (!theCookie.getValue().equals("LmH6nmbC")) - { - log.debug("Tampered role cookie detected: " + theCookie.getValue()); - htmlOutput += ""; - } - else - { - log.debug("No change to role cookie submitted"); - } - } - else - { - log.debug("No Role Cookie Submitted"); - } - if(htmlOutput.isEmpty()) - { - log.debug("Challenge Not Complete"); - boolean hackDetected = false; - hackDetected = !(request.getParameter(redherringOne) != null && request.getParameter(redherringTwo) != null && request.getParameter(redherringThr) != null); - if(!hackDetected) - { - String paramOne = request.getParameter(redherringOne).toString(); - String paramTwo = request.getParameter(redherringTwo).toString(); - String paramThr = request.getParameter(redherringThr).toString(); - log.debug("Param value of " + redherringOne + ":" + paramOne); - log.debug("Param value of " + redherringTwo + ":" + paramTwo); - log.debug("Param value of " + redherringThr + ":" + paramThr); - hackDetected = !(paramOne.equalsIgnoreCase("false") && paramTwo.equalsIgnoreCase("false") && paramThr.equalsIgnoreCase("false")); - } - if(!hackDetected) - { - htmlOutput = "

" + bundle.getString("response.notPrivileged") + "

" + - "

" + - bundle.getString("response.notPrivileged.message") + - "

"; - } - else - { - htmlOutput = "

" + bundle.getString("response.hackDetected") + "

" + - "

" + - bundle.getString("response.hackDetected.message") + - "

"; - } - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } + if (theCookie.getValue().equals("nmHqLjQknlHs")) { + log.debug("Super User Cookie detected"); + // Get key and add it to the output + String userKey = + Hash.generateUserSolution( + Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash), + (String) ses.getAttribute("userName")); + htmlOutput = + "

" + + bundle.getString("response.superUserClub") + + "

" + + "

" + + bundle.getString("response.welcomeSuperUser") + + " " + + "" + + userKey + + "" + + "

"; + } else if (!theCookie.getValue().equals("LmH6nmbC")) { + log.debug("Tampered role cookie detected: " + theCookie.getValue()); + htmlOutput += ""; + } else { + log.debug("No change to role cookie submitted"); + } + } else { + log.debug("No Role Cookie Submitted"); + } + if (htmlOutput.isEmpty()) { + log.debug("Challenge Not Complete"); + boolean hackDetected = false; + hackDetected = + !(request.getParameter(redherringOne) != null + && request.getParameter(redherringTwo) != null + && request.getParameter(redherringThr) != null); + if (!hackDetected) { + String paramOne = request.getParameter(redherringOne).toString(); + String paramTwo = request.getParameter(redherringTwo).toString(); + String paramThr = request.getParameter(redherringThr).toString(); + log.debug("Param value of " + redherringOne + ":" + paramOne); + log.debug("Param value of " + redherringTwo + ":" + paramTwo); + log.debug("Param value of " + redherringThr + ":" + paramThr); + hackDetected = + !(paramOne.equalsIgnoreCase("false") + && paramTwo.equalsIgnoreCase("false") + && paramThr.equalsIgnoreCase("false")); + } + if (!hackDetected) { + htmlOutput = + "

" + + bundle.getString("response.notPrivileged") + + "

" + + "

" + + bundle.getString("response.notPrivileged.message") + + "

"; + } else { + htmlOutput = + "

" + + bundle.getString("response.hackDetected") + + "

" + + "

" + + bundle.getString("response.hackDetected.message") + + "

"; + } + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/SqlInjection1.java b/src/main/java/servlets/module/challenge/SqlInjection1.java index 25766fe64..3601a8e8a 100644 --- a/src/main/java/servlets/module/challenge/SqlInjection1.java +++ b/src/main/java/servlets/module/challenge/SqlInjection1.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -8,126 +9,132 @@ import java.sql.Statement; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * SQL Injection Challenge 1 - Does not use User specific keys - *
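Review bot: `for (i = 0; i < userCookies.length; i++)` in doPost dereferences the array from `request.getCookies()` without a null check, and `HttpServletRequest.getCookies()` is specified to return null rather than an empty array when the request carries no cookies, so a cookie-less POST throws a NullPointerException that the outer `catch (Exception e)` turns into `error.funky` plus a fatal log entry instead of reaching the intended "No Role Cookie Submitted" branch. Guard the lookup: `if (userCookies != null) { for (i = 0; i < userCookies.length; i++) { ... } }`, leaving `theCookie` null otherwise. Separately, `log.debug("Tampered role cookie detected: " + theCookie.getValue())` writes an attacker-controlled cookie value verbatim into the log — this is precisely the value the challenge invites players to tamper with — so consider length-limiting or encoding it before logging. doPost is entirely within this hunk; the reformat itself is otherwise behaviour-preserving.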

+ * SQL Injection Challenge 1 - Does not use User specific keys
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SqlInjection1 extends HttpServlet -{ - //SQL Challenge 1 - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SqlInjection1.class); - private static String levelName = "SQL Injection Challenge 1"; - public static String levelHash = "e1e109444bf5d7ae3d67b816538613e64f7d0f51c432a164efc8418513711b0a"; - // private static String levelResult = ""; //Stored in vulnerable DB. Not user Specific - /** - * This function is used to make a call to a database and process its results. The call made to the database is secured using an insufficient privilege. - * Players must overcome this filter to complete the module - * @param aUserId Used to filter database results - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class SqlInjection1 extends HttpServlet { + + // SQL Challenge 1 + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SqlInjection1.class); + private static String levelName = "SQL Injection Challenge 1"; + public static String levelHash = + "e1e109444bf5d7ae3d67b816538613e64f7d0f51c432a164efc8418513711b0a"; + // private static String levelResult = ""; //Stored in vulnerable DB. Not user Specific + + /** + * This function is used to make a call to a database and process its results. The call made to + * the database is secured using an insufficient privilege. 
Players must overcome this filter to + * complete the module + * + * @param aUserId Used to filter database results + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqli1", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqli1", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - String htmlOutput = new String(); + String htmlOutput = new String(); - try - { - String aUserId = request.getParameter("aUserId"); - log.debug("User Submitted - " + aUserId); - String ApplicationRoot = getServletContext().getRealPath(""); - 
log.debug("Servlet root = " + ApplicationRoot ); + try { + String aUserId = request.getParameter("aUserId"); + log.debug("User Submitted - " + aUserId); + String ApplicationRoot = getServletContext().getRealPath(""); + log.debug("Servlet root = " + ApplicationRoot); - log.debug("Getting Connection to Database"); - Connection conn = Database.getChallengeConnection(ApplicationRoot, "SqlChallengeOne"); - Statement stmt = conn.createStatement(); - log.debug("Gathering result set"); - ResultSet resultSet = stmt.executeQuery("SELECT * FROM customers WHERE customerId = \"" + aUserId + "\""); + log.debug("Getting Connection to Database"); + Connection conn = Database.getChallengeConnection(ApplicationRoot, "SqlChallengeOne"); + Statement stmt = conn.createStatement(); + log.debug("Gathering result set"); + ResultSet resultSet = + stmt.executeQuery("SELECT * FROM customers WHERE customerId = \"" + aUserId + "\""); - int i = 0; - htmlOutput = "

" + bundle.getString("response.searchResults")+ "

"; - htmlOutput += ""; + int i = 0; + htmlOutput = "

" + bundle.getString("response.searchResults") + "

"; + htmlOutput += + "
"+ bundle.getString("response.table.name") +""+ bundle.getString("response.table.address") +""+ bundle.getString("response.table.comment") +"
"; - log.debug("Opening Result Set from query"); - while(resultSet.next()) - { - log.debug("Adding Customer " + resultSet.getString(2)); - htmlOutput += ""; - i++; - } - htmlOutput += "
" + + bundle.getString("response.table.name") + + "" + + bundle.getString("response.table.address") + + "" + + bundle.getString("response.table.comment") + + "
" - + Encode.forHtml(resultSet.getString(2)) + "" - + Encode.forHtml(resultSet.getString(3)) + "" - + Encode.forHtml(resultSet.getString(4)) + "
"; - if(i == 0) - { - htmlOutput = "

"+bundle.getString("response.noResults")+"

"; - } - } - catch (SQLException e) - { - log.debug("SQL Error caught - " + e.toString()); - htmlOutput += "

"+errors.getString("error.detected")+"

" + - "

" + Encode.forHtml(e.toString()) + "

"; - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + log.debug("Opening Result Set from query"); + while (resultSet.next()) { + log.debug("Adding Customer " + resultSet.getString(2)); + htmlOutput += + "" + + Encode.forHtml(resultSet.getString(2)) + + "" + + Encode.forHtml(resultSet.getString(3)) + + "" + + Encode.forHtml(resultSet.getString(4)) + + ""; + i++; + } + htmlOutput += ""; + if (i == 0) { + htmlOutput = "

" + bundle.getString("response.noResults") + "

"; + } + } catch (SQLException e) { + log.debug("SQL Error caught - " + e.toString()); + htmlOutput += + "

" + + errors.getString("error.detected") + + "

" + + "

" + + Encode.forHtml(e.toString()) + + "

"; + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/SqlInjection3.java b/src/main/java/servlets/module/challenge/SqlInjection3.java index 283833b09..5898ee89d 100644 --- a/src/main/java/servlets/module/challenge/SqlInjection3.java +++ b/src/main/java/servlets/module/challenge/SqlInjection3.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -8,128 +9,123 @@ import java.sql.Statement; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.ShepherdLogManager; import utils.SqlFilter; import utils.Validate; -import dbProcs.Database; /** - * SQL Injection Challenge Three - Does not use user specific key - *
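Review bot: The `Connection conn`, `Statement stmt` and `ResultSet resultSet` opened in doPost are never closed on any path — unlike SessionManagement7 in this same patch, which calls `Database.closeConnection(conn)` after its query, there is no close call and no `finally` — so every request, and in particular every SQLException-raising injection attempt this level invites, leaks a connection to the challenge database until something else reclaims it. The string-built query is the intended vulnerability of this module, so I would not parameterise it, but the leak is independent of that. Put the three JDBC objects in a try-with-resources inside the existing `try`, which also covers the SQLException path; if `Database.closeConnection` does bookkeeping beyond `close()`, call it from a `finally` on `conn` instead. The method is entirely within this hunk.
```java
try {
  // … unchanged: aUserId / ApplicationRoot lookup and debug logging …
  log.debug("Getting Connection to Database");
  // try-with-resources closes the connection, statement and result set on every path,
  // including the SQLException path that error-based injection attempts take.
  try (Connection conn = Database.getChallengeConnection(ApplicationRoot, "SqlChallengeOne");
      Statement stmt = conn.createStatement();
      ResultSet resultSet =
          stmt.executeQuery(
              "SELECT * FROM customers WHERE customerId = \"" + aUserId + "\"")) {
    // … unchanged: result-table rendering and the noResults check …
  }
} catch (SQLException e) {
  // … unchanged: error.detected output …
```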

+ * SQL Injection Challenge Three - Does not use user specific key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SqlInjection3 extends HttpServlet -{ - //Sql Challenge 3 - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SqlInjection3.class); - private static String levelName = "SQL Injection Challenge Three"; - public static String levelHash = "b7327828a90da59df54b27499c0dc2e875344035e38608fcfb7c1ab8924923f6"; - // private static String levelResult = ""; // Stored in Vulnerable DB. Not User Specific - /** - * Users have to use SQL injection to get a specific users credit card number. The query they are injecting into by default only outputs usernames. - * The input they enter is also been filtered. - * @param theUserName User name used in database look up. - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - //Attempting to recover user name of session that made request - HttpSession ses = request.getSession(true); +public class SqlInjection3 extends HttpServlet { + + // Sql Challenge 3 + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SqlInjection3.class); + private static String levelName = "SQL Injection Challenge Three"; + public static String levelHash = + "b7327828a90da59df54b27499c0dc2e875344035e38608fcfb7c1ab8924923f6"; + // private static String levelResult = ""; // Stored in Vulnerable DB. Not User Specific + + /** + * Users have to use SQL injection to get a specific users credit card number. The query they are + * injecting into by default only outputs usernames. The input they enter is also been filtered. 
+ * + * @param theUserName User name used in database look up. + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + // Attempting to recover user name of session that made request + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqli3", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqli3", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); - try - { - String theUserName = request.getParameter("theUserName"); - log.debug("User Submitted - " + theUserName); - theUserName = SqlFilter.levelThree(theUserName); - 
log.debug("Filtered to " + theUserName); - String ApplicationRoot = getServletContext().getRealPath(""); - log.debug("Servlet root = " + ApplicationRoot ); + try { + String theUserName = request.getParameter("theUserName"); + log.debug("User Submitted - " + theUserName); + theUserName = SqlFilter.levelThree(theUserName); + log.debug("Filtered to " + theUserName); + String ApplicationRoot = getServletContext().getRealPath(""); + log.debug("Servlet root = " + ApplicationRoot); - log.debug("Getting Connection to Database"); - Connection conn = Database.getChallengeConnection(ApplicationRoot, "SqlChallengeThree"); - Statement stmt = conn.createStatement(); - log.debug("Gathering result set"); - ResultSet resultSet = stmt.executeQuery("SELECT customerName FROM customers WHERE customerName = '" + theUserName + "'"); + log.debug("Getting Connection to Database"); + Connection conn = Database.getChallengeConnection(ApplicationRoot, "SqlChallengeThree"); + Statement stmt = conn.createStatement(); + log.debug("Gathering result set"); + ResultSet resultSet = + stmt.executeQuery( + "SELECT customerName FROM customers WHERE customerName = '" + theUserName + "'"); - int i = 0; - htmlOutput = "

" + bundle.getString("response.searchResults")+ "

";; - htmlOutput += ""; + int i = 0; + htmlOutput = "

" + bundle.getString("response.searchResults") + "

"; + ; + htmlOutput += "
"+ bundle.getString("response.table.name")+ "
"; - log.debug("Opening Result Set from query"); - while(resultSet.next()) - { - log.debug("Adding Customer " + resultSet.getString(1)); - htmlOutput += ""; - i++; - } - htmlOutput += "
" + bundle.getString("response.table.name") + "
" - + Encode.forHtml(resultSet.getString(1)) + "
"; - if(i == 0) - { - htmlOutput = "

"+bundle.getString("response.table.noResults")+"

"; - } - } - catch (SQLException e) - { - log.debug("SQL Error caught - " + e.toString()); - htmlOutput += "

"+errors.getString("error.detected")+"

" + - "

" + Encode.forHtml(e.toString()) + "

"; - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + log.debug("Opening Result Set from query"); + while (resultSet.next()) { + log.debug("Adding Customer " + resultSet.getString(1)); + htmlOutput += "" + Encode.forHtml(resultSet.getString(1)) + ""; + i++; + } + htmlOutput += ""; + if (i == 0) { + htmlOutput = "

" + bundle.getString("response.table.noResults") + "

"; + } + } catch (SQLException e) { + log.debug("SQL Error caught - " + e.toString()); + htmlOutput += + "

" + + errors.getString("error.detected") + + "

" + + "

" + + Encode.forHtml(e.toString()) + + "

"; + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/SqlInjection4.java b/src/main/java/servlets/module/challenge/SqlInjection4.java index 8495226b5..b41060519 100644 --- a/src/main/java/servlets/module/challenge/SqlInjection4.java +++ b/src/main/java/servlets/module/challenge/SqlInjection4.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -8,136 +9,148 @@ import java.sql.Statement; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.ShepherdLogManager; import utils.SqlFilter; import utils.Validate; -import dbProcs.Database; /** - * SQL Injection Challenge Four - Does not use user specific key - *

+ * SQL Injection Challenge Four - Does not use user specific key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SqlInjection4 extends HttpServlet -{ - //Sql Challenge 4 - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SqlInjection4.class); - private static String levelName = "SqlInjection4"; - private static String levelResult = "d316e80045d50bdf8ed49d48f130b4acf4a878c82faef34daff8eb1b98763b6f"; - public static String levelHash = "1feccf2205b4c5ddf743630b46aece3784d61adc56498f7603ccd7cb8ae92629"; - /** - * Users have to defeat SQL injection that blocks single quotes. - * The input they enter is also been filtered. - * @param theUserName User name used in database look up. - * @param thePassword User password used in database look up - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class SqlInjection4 extends HttpServlet { + + // Sql Challenge 4 + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SqlInjection4.class); + private static String levelName = "SqlInjection4"; + private static String levelResult = + "d316e80045d50bdf8ed49d48f130b4acf4a878c82faef34daff8eb1b98763b6f"; + public static String levelHash = + "1feccf2205b4c5ddf743630b46aece3784d61adc56498f7603ccd7cb8ae92629"; + + /** + * Users have to defeat SQL injection that blocks single quotes. The input they enter is also been + * filtered. + * + * @param theUserName User name used in database look up. 
+ * @param thePassword User password used in database look up + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqli4", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqli4", locale); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); - try - { - String theUserName = request.getParameter("theUserName"); - log.debug("User Submitted - " + theUserName); - theUserName = SqlFilter.levelFour(theUserName); - log.debug("Filtered to " + theUserName); - String thePassword = 
request.getParameter("thePassword"); - log.debug("thePassword Submitted - " + thePassword); - thePassword = SqlFilter.levelFour(thePassword); - log.debug("Filtered to " + thePassword); - String ApplicationRoot = getServletContext().getRealPath(""); - log.debug("Servlet root = " + ApplicationRoot ); + try { + String theUserName = request.getParameter("theUserName"); + log.debug("User Submitted - " + theUserName); + theUserName = SqlFilter.levelFour(theUserName); + log.debug("Filtered to " + theUserName); + String thePassword = request.getParameter("thePassword"); + log.debug("thePassword Submitted - " + thePassword); + thePassword = SqlFilter.levelFour(thePassword); + log.debug("Filtered to " + thePassword); + String ApplicationRoot = getServletContext().getRealPath(""); + log.debug("Servlet root = " + ApplicationRoot); - log.debug("Getting Connection to Database"); - Connection conn = Database.getChallengeConnection(ApplicationRoot, "SqlChallengeFour"); - Statement stmt = conn.createStatement(); - log.debug("Gathering result set"); - ResultSet resultSet = stmt.executeQuery("SELECT userName FROM users WHERE userName = '" + theUserName + "' AND userPassword = '" + thePassword + "'"); + log.debug("Getting Connection to Database"); + Connection conn = Database.getChallengeConnection(ApplicationRoot, "SqlChallengeFour"); + Statement stmt = conn.createStatement(); + log.debug("Gathering result set"); + ResultSet resultSet = + stmt.executeQuery( + "SELECT userName FROM users WHERE userName = '" + + theUserName + + "' AND userPassword = '" + + thePassword + + "'"); - int i = 0; - htmlOutput = "

" + bundle.getString("response.loginResults")+ "

"; + int i = 0; + htmlOutput = "

" + bundle.getString("response.loginResults") + "

"; - log.debug("Opening Result Set from query"); - if(resultSet.next()) - { - log.debug("Signed in as " + resultSet.getString(1)); - htmlOutput += "

" + bundle.getString("response.signedInAs")+ "" + Encode.forHtml(resultSet.getString(1)) + "

"; - if(resultSet.getString(1).equalsIgnoreCase("admin")) - { - htmlOutput += "

" + bundle.getString("response.adminResultKey")+ "" - + "" + Encode.forHtml(levelResult) + ""; - } - else - { - htmlOutput += "

" + bundle.getString("response.adminsFun")+ "

"; - } - i++; - } - if(i == 0) - { - htmlOutput = "

" + bundle.getString("response.loginResults")+ "

" + bundle.getString("response.superSecure")+ "

"; - } - } - catch (SQLException e) - { - log.debug("SQL Error caught - " + e.toString()); - htmlOutput += "

"+errors.getString("error.detected")+"

" + - "

" + Encode.forHtml(e.toString()) + "

"; - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + log.debug("Opening Result Set from query"); + if (resultSet.next()) { + log.debug("Signed in as " + resultSet.getString(1)); + htmlOutput += + "

" + + bundle.getString("response.signedInAs") + + "" + + Encode.forHtml(resultSet.getString(1)) + + "

"; + if (resultSet.getString(1).equalsIgnoreCase("admin")) { + htmlOutput += + "

" + + bundle.getString("response.adminResultKey") + + "" + + "" + + Encode.forHtml(levelResult) + + ""; + } else { + htmlOutput += "

" + bundle.getString("response.adminsFun") + "

"; + } + i++; + } + if (i == 0) { + htmlOutput = + "

" + + bundle.getString("response.loginResults") + + "

" + + bundle.getString("response.superSecure") + + "

"; + } + } catch (SQLException e) { + log.debug("SQL Error caught - " + e.toString()); + htmlOutput += + "

" + + errors.getString("error.detected") + + "

" + + "

" + + Encode.forHtml(e.toString()) + + "

"; + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/SqlInjection5.java b/src/main/java/servlets/module/challenge/SqlInjection5.java index 41f8d11d9..daa459864 100644 --- a/src/main/java/servlets/module/challenge/SqlInjection5.java +++ b/src/main/java/servlets/module/challenge/SqlInjection5.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -7,176 +8,175 @@ import java.sql.ResultSet; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; + /** - * Level : SQL Injection 5 - *
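Review bot: In the new doPost the `Connection conn` and `Statement stmt` opened before `stmt.executeQuery(...)` are never closed on any path, so every request leaks a JDBC connection; wrapping them in try-with-resources, `try (Connection conn = Database.getChallengeConnection(ApplicationRoot, "SqlChallengeFour"); Statement stmt = conn.createStatement()) {`, would release them whether the query succeeds or throws. The same gap applies to SqlInjection5's doPost below, which only reaches `conn.close()` on the success path, and to SqlInjection5CouponCheck. Separately, the Javadoc's `@param theUserName` and `@param thePassword` tags name request parameters rather than the method's `request` and `response` arguments, so javadoc tooling will flag them; describing those inputs in the summary sentence instead would keep the tags accurate. The debug line `log.debug("thePassword Submitted - " + thePassword)` also writes a submitted credential to the log, which is worth avoiding even in a challenge module.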

+ * Level : SQL Injection 5
+ *
* - * This file is part of the Security Shepherd Project. + *

This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SqlInjection5 extends HttpServlet -{ - private static final String levelName = "SQLi C5 Shop"; - public static String levelHash = "8edf0a8ed891e6fef1b650935a6c46b03379a0eebab36afcd1d9076f65d4ce62"; - private static String levelSolution = "343f2e424d5d7a2eff7f9ee5a5a72fd97d5a19ef7bff3ef2953e033ea32dd7ee"; - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SqlInjection5.class); +public class SqlInjection5 extends HttpServlet { - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); + private static final String levelName = "SQLi C5 Shop"; + public static String levelHash = + "8edf0a8ed891e6fef1b650935a6c46b03379a0eebab36afcd1d9076f65d4ce62"; + private static String levelSolution = + "343f2e424d5d7a2eff7f9ee5a5a72fd97d5a19ef7bff3ef2953e033ea32dd7ee"; + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SqlInjection5.class); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqli5", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); - 
String applicationRoot = getServletContext().getRealPath(""); + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - try - { - int pineappleAmount = validateAmount(Integer.parseInt(request.getParameter("pineappleAmount"))); - log.debug("pineappleAmount - " + pineappleAmount); - int orangeAmount = validateAmount(Integer.parseInt(request.getParameter("orangeAmount"))); - log.debug("orangeAmount - " + orangeAmount); - int appleAmount = validateAmount(Integer.parseInt(request.getParameter("appleAmount"))); - log.debug("appleAmount - " + appleAmount); - int bananaAmount = validateAmount(Integer.parseInt(request.getParameter("bananaAmount"))); - log.debug("bananaAmount - " + bananaAmount); - String couponCode = request.getParameter("couponCode"); - log.debug("couponCode - " + couponCode); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqli5", locale); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); + String applicationRoot = getServletContext().getRealPath(""); - //Working out costs - int pineappleCost = pineappleAmount * 30; - int orangeCost = orangeAmount * 3000; - int appleCost = appleAmount * 45; - int bananaCost = bananaAmount * 15; - int perCentOffPineapple = 0; // Will search for coupons in DB and update 
this int - int perCentOffOrange = 0; // Will search for coupons in DB and update this int - int perCentOffApple = 0; // Will search for coupons in DB and update this int - int perCentOffBanana = 0; // Will search for coupons in DB and update this int + try { + int pineappleAmount = + validateAmount(Integer.parseInt(request.getParameter("pineappleAmount"))); + log.debug("pineappleAmount - " + pineappleAmount); + int orangeAmount = validateAmount(Integer.parseInt(request.getParameter("orangeAmount"))); + log.debug("orangeAmount - " + orangeAmount); + int appleAmount = validateAmount(Integer.parseInt(request.getParameter("appleAmount"))); + log.debug("appleAmount - " + appleAmount); + int bananaAmount = validateAmount(Integer.parseInt(request.getParameter("bananaAmount"))); + log.debug("bananaAmount - " + bananaAmount); + String couponCode = request.getParameter("couponCode"); + log.debug("couponCode - " + couponCode); - htmlOutput = new String(); - Connection conn = Database.getChallengeConnection(applicationRoot, "SqlInjectionChallenge5Shop"); - log.debug("Looking for Coupons"); - PreparedStatement prepstmt = conn.prepareStatement("SELECT itemId, perCentOff FROM coupons WHERE couponCode = ?" 
- + "UNION SELECT itemId, perCentOff FROM vipCoupons WHERE couponCode = ?"); - prepstmt.setString(1, couponCode); - prepstmt.setString(2, couponCode); - ResultSet coupons = prepstmt.executeQuery(); - try - { - if(coupons.next()) - { - if(coupons.getInt(1) == 1) // Pineapple - { - log.debug("Found coupon for %" + coupons.getInt(2) + " off Pineapple"); - perCentOffPineapple = coupons.getInt(2); - } - else if (coupons.getInt(1) == 2) // Orange - { - log.debug("Found coupon for %" + coupons.getInt(2) + " off Orange"); - perCentOffOrange = coupons.getInt(2); - } - else if (coupons.getInt(1) == 3) // Apple - { - log.debug("Found coupon for %" + coupons.getInt(2) + " off Apple"); - perCentOffApple = coupons.getInt(2); - } - else if (coupons.getInt(1) == 4) // Banana - { - log.debug("Found coupon for %" + coupons.getInt(2) + " off Banana"); - perCentOffBanana = coupons.getInt(2); - } + // Working out costs + int pineappleCost = pineappleAmount * 30; + int orangeCost = orangeAmount * 3000; + int appleCost = appleAmount * 45; + int bananaCost = bananaAmount * 15; + int perCentOffPineapple = 0; // Will search for coupons in DB and update this int + int perCentOffOrange = 0; // Will search for coupons in DB and update this int + int perCentOffApple = 0; // Will search for coupons in DB and update this int + int perCentOffBanana = 0; // Will search for coupons in DB and update this int - } - } - catch(Exception e) - { - log.debug("Could Not Find Coupon: " + e.toString()); - } - conn.close(); + htmlOutput = new String(); + Connection conn = + Database.getChallengeConnection(applicationRoot, "SqlInjectionChallenge5Shop"); + log.debug("Looking for Coupons"); + PreparedStatement prepstmt = + conn.prepareStatement( + "SELECT itemId, perCentOff FROM coupons WHERE couponCode = ?" 
+ + "UNION SELECT itemId, perCentOff FROM vipCoupons WHERE couponCode = ?"); + prepstmt.setString(1, couponCode); + prepstmt.setString(2, couponCode); + ResultSet coupons = prepstmt.executeQuery(); + try { + if (coupons.next()) { + if (coupons.getInt(1) == 1) // Pineapple + { + log.debug("Found coupon for %" + coupons.getInt(2) + " off Pineapple"); + perCentOffPineapple = coupons.getInt(2); + } else if (coupons.getInt(1) == 2) // Orange + { + log.debug("Found coupon for %" + coupons.getInt(2) + " off Orange"); + perCentOffOrange = coupons.getInt(2); + } else if (coupons.getInt(1) == 3) // Apple + { + log.debug("Found coupon for %" + coupons.getInt(2) + " off Apple"); + perCentOffApple = coupons.getInt(2); + } else if (coupons.getInt(1) == 4) // Banana + { + log.debug("Found coupon for %" + coupons.getInt(2) + " off Banana"); + perCentOffBanana = coupons.getInt(2); + } + } + } catch (Exception e) { + log.debug("Could Not Find Coupon: " + e.toString()); + } + conn.close(); - //Work Out Final Cost - pineappleCost = pineappleCost - (pineappleCost * (perCentOffPineapple/100)); - appleCost = appleCost - (appleCost * (perCentOffApple/100)); - bananaCost = bananaCost - (bananaCost * (perCentOffBanana/100)); - orangeCost = orangeCost - (orangeCost * (perCentOffOrange/100)); - int finalCost = pineappleCost + appleCost + bananaCost + orangeCost; + // Work Out Final Cost + pineappleCost = pineappleCost - (pineappleCost * (perCentOffPineapple / 100)); + appleCost = appleCost - (appleCost * (perCentOffApple / 100)); + bananaCost = bananaCost - (bananaCost * (perCentOffBanana / 100)); + orangeCost = orangeCost - (orangeCost * (perCentOffOrange / 100)); + int finalCost = pineappleCost + appleCost + bananaCost + orangeCost; - //Output Order - htmlOutput = "

" + bundle.getString("response.orderComplete")+ "

" - + "" + bundle.getString("response.orderComplete.p1")+ "

" - + "" + bundle.getString("response.orderComplete.p2")+ "$" + finalCost + ""; - if (orangeAmount > 0 && orangeCost == 0) - { - htmlOutput += "

" + bundle.getString("response.orangesFreeSolution")+ "" + Encode.forHtml(levelSolution) + ""; - } - } - catch(Exception e) - { - log.debug("Didn't complete order: " + e.toString()); - htmlOutput += "

" + bundle.getString("response.orderFailed")+ "

"; - } - try - { - Thread.sleep(1000); - } - catch(Exception e) - { - log.error("Failed to Pause: " + e.toString()); - } - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + // Output Order + htmlOutput = + "

" + + bundle.getString("response.orderComplete") + + "

" + + "" + + bundle.getString("response.orderComplete.p1") + + "

" + + "" + + bundle.getString("response.orderComplete.p2") + + "$" + + finalCost + + ""; + if (orangeAmount > 0 && orangeCost == 0) { + htmlOutput += + "

" + + bundle.getString("response.orangesFreeSolution") + + "" + + Encode.forHtml(levelSolution) + + ""; + } + } catch (Exception e) { + log.debug("Didn't complete order: " + e.toString()); + htmlOutput += "

" + bundle.getString("response.orderFailed") + "

"; + } + try { + Thread.sleep(1000); + } catch (Exception e) { + log.error("Failed to Pause: " + e.toString()); + } + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } - private static int validateAmount (int amount) throws IllegalArgumentException - { - if(amount > 9000) - throw new IllegalArgumentException(); - if (amount < 0) - amount = 0; - return amount; - } + private static int validateAmount(int amount) throws IllegalArgumentException { + if (amount > 9000) { + throw new IllegalArgumentException(); + } + if (amount < 0) { + amount = 0; + } + return amount; + } } diff --git a/src/main/java/servlets/module/challenge/SqlInjection5CouponCheck.java b/src/main/java/servlets/module/challenge/SqlInjection5CouponCheck.java index dee480867..c276ebbaa 100644 --- a/src/main/java/servlets/module/challenge/SqlInjection5CouponCheck.java +++ b/src/main/java/servlets/module/challenge/SqlInjection5CouponCheck.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -7,123 +8,117 @@ import java.sql.ResultSet; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * Level : SQL Injection Challenge 5 - *
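Review bot: The discount arithmetic in the "Work Out Final Cost" block divides before multiplying, `pineappleCost - (pineappleCost * (perCentOffPineapple / 100))`, so with int operands any coupon below 100% evaluates to a zero reduction and only a 100% coupon changes the price; unless every coupon in the challenge database is 100%, the intended form is `pineappleCost - pineappleCost * perCentOffPineapple / 100`, and likewise for the apple, banana and orange lines. The `catch (Exception e)` around `Thread.sleep(1000)` also swallows InterruptedException without restoring the flag; catching `InterruptedException` and calling `Thread.currentThread().interrupt()` keeps the container's interrupt signalling intact. `validateAmount` rejects amounts above 9000 with a bare `IllegalArgumentException()`; passing the offending value in the message would make the "Didn't complete order" debug line diagnosable.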

+ * Level : SQL Injection Challenge 5
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * * @author Mark Denihan - * */ -public class SqlInjection5CouponCheck extends HttpServlet -{ - private static final String levelName = "SQLi C5 CouponCheck"; - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SqlInjection5CouponCheck.class); - /** - * //TODO - JavaDoc - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class SqlInjection5CouponCheck extends HttpServlet { + private static final String levelName = "SQLi C5 CouponCheck"; + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SqlInjection5CouponCheck.class); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqli5", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); + /** //TODO - JavaDoc */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = 
request.getSession(true); - String htmlOutput = new String(); - String applicationRoot = getServletContext().getRealPath(""); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqli5", locale); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - try - { - String couponCode = request.getParameter("couponCode"); - log.debug("couponCode - " + couponCode); - if (couponCode == null || couponCode.isEmpty()) - couponCode = new String(); + String htmlOutput = new String(); + String applicationRoot = getServletContext().getRealPath(""); - htmlOutput = new String(""); - Connection conn = Database.getChallengeConnection(applicationRoot, "SqlInjectionChallenge5ShopCoupon"); - log.debug("Looking for Coupons Insecurely"); - PreparedStatement prepstmt = conn.prepareStatement("SELECT itemId, perCentOff, itemName FROM coupons JOIN items USING (itemId) WHERE couponCode = '" + couponCode + "';"); - ResultSet coupons = prepstmt.executeQuery(); - try - { - if(coupons.next()) - { - htmlOutput = new String("Valid Coupon for "); - log.debug("Found coupon for %" + coupons.getInt(2)); - log.debug("For Item Name " + coupons.getString(3)); - htmlOutput += "" + bundle.getString("response.percent")+ "" + coupons.getInt(2) + " " + bundle.getString("response.off")+ " " + Encode.forHtml(coupons.getString(3)) + " " + bundle.getString("response.items")+ ""; - } - else - { - htmlOutput = "" + bundle.getString("response.noCoupon")+ ""; - } - } - catch(Exception e) - { - log.debug("Could Not Find Coupon: " + e.toString()); + try { + String couponCode = 
request.getParameter("couponCode"); + log.debug("couponCode - " + couponCode); + if (couponCode == null || couponCode.isEmpty()) { + couponCode = new String(); + } - } - conn.close(); - } - catch(Exception e) - { - log.debug("Did complete Check: " + e.toString()); - htmlOutput = "" + bundle.getString("errors.occured")+ "" + Encode.forHtml(e.toString()); - } - try - { - Thread.sleep(1000); - } - catch(Exception e) - { - log.error("Failed to Pause: " + e.toString()); - } - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + htmlOutput = new String(""); + Connection conn = + Database.getChallengeConnection(applicationRoot, "SqlInjectionChallenge5ShopCoupon"); + log.debug("Looking for Coupons Insecurely"); + PreparedStatement prepstmt = + conn.prepareStatement( + "SELECT itemId, perCentOff, itemName FROM coupons JOIN items USING (itemId) WHERE" + + " couponCode = '" + + couponCode + + "';"); + ResultSet coupons = prepstmt.executeQuery(); + try { + if (coupons.next()) { + htmlOutput = new String("Valid Coupon for "); + log.debug("Found coupon for %" + coupons.getInt(2)); + log.debug("For Item Name " + coupons.getString(3)); + htmlOutput += + "" + + bundle.getString("response.percent") + + "" + + coupons.getInt(2) + + " " + + bundle.getString("response.off") + + " " + + Encode.forHtml(coupons.getString(3)) + + " " + + bundle.getString("response.items") + + ""; + } else { + htmlOutput = "" + bundle.getString("response.noCoupon") + ""; + } + } catch (Exception e) { + log.debug("Could Not Find Coupon: " + e.toString()); + } + conn.close(); + } catch (Exception e) { + log.debug("Did complete Check: " + e.toString()); + htmlOutput = "" + bundle.getString("errors.occured") + "" + Encode.forHtml(e.toString()); + } + try { + Thread.sleep(1000); + } catch (Exception e) { + log.error("Failed to Pause: " + e.toString()); + } + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } 
+ } } diff --git a/src/main/java/servlets/module/challenge/SqlInjection5VipCheck.java b/src/main/java/servlets/module/challenge/SqlInjection5VipCheck.java index 0c2db5b92..7d3ee75f9 100644 --- a/src/main/java/servlets/module/challenge/SqlInjection5VipCheck.java +++ b/src/main/java/servlets/module/challenge/SqlInjection5VipCheck.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -7,120 +8,118 @@ import java.sql.ResultSet; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * Level : SQL Injection 5 - *

+ * Level : SQL Injection 5
+ *
* - * This file is part of the Security Shepherd Project. + *

This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SqlInjection5VipCheck extends HttpServlet -{ - private static final String levelName = "SQLi C5 VIPCouponCheck"; - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SqlInjection5VipCheck.class); +public class SqlInjection5VipCheck extends HttpServlet { + + private static final String levelName = "SQLi C5 VIPCouponCheck"; + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SqlInjection5VipCheck.class); - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqli5", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); + // Translation Stuff + Locale locale = new 
Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqli5", locale); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - String htmlOutput = new String(); - String applicationRoot = getServletContext().getRealPath(""); + String htmlOutput = new String(); + String applicationRoot = getServletContext().getRealPath(""); - try - { - String couponCode = request.getParameter("couponCode"); - log.debug("couponCode - " + couponCode); - if (couponCode == null || couponCode.isEmpty()) - couponCode = new String(); + try { + String couponCode = request.getParameter("couponCode"); + log.debug("couponCode - " + couponCode); + if (couponCode == null || couponCode.isEmpty()) { + couponCode = new String(); + } - htmlOutput = new String(""); - Connection conn = Database.getChallengeConnection(applicationRoot, "SqlInjectionChallenge5ShopVipCoupon"); - log.debug("Looking for VipCoupons Insecurely"); - PreparedStatement prepstmt = conn.prepareStatement("SELECT itemId, perCentOff, itemName FROM vipCoupons JOIN items USING (itemId) WHERE couponCode = '" + couponCode + "';"); - ResultSet coupons = prepstmt.executeQuery(); - try - { - if(coupons.next()) - { - htmlOutput = new String("Valid Coupon for "); - log.debug("Found coupon for %" + coupons.getInt(2)); - log.debug("For Item Name " + coupons.getString(3)); - htmlOutput += "" + bundle.getString("response.percent")+ "" + coupons.getInt(2) + " " + bundle.getString("response.off")+ " " + Encode.forHtml(coupons.getString(3)) + " " + bundle.getString("response.items")+ ""; - } - else - { - htmlOutput = "" + bundle.getString("response.noCoupon")+ ""; - } - } - 
catch(Exception e) - { - log.debug("Could Not Find VIP Coupon: " + e.toString()); - htmlOutput += "

" + bundle.getString("response.checkFailed")+ "

"; - } - conn.close(); - } - catch(Exception e) - { - log.debug("Did complete VIP Check: " + e.toString()); - htmlOutput += "

" + bundle.getString("response.checkFailed")+ "

"; - } - try - { - Thread.sleep(1000); - } - catch(Exception e) - { - log.error("Failed to Pause: " + e.toString()); - } - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + htmlOutput = new String(""); + Connection conn = + Database.getChallengeConnection(applicationRoot, "SqlInjectionChallenge5ShopVipCoupon"); + log.debug("Looking for VipCoupons Insecurely"); + PreparedStatement prepstmt = + conn.prepareStatement( + "SELECT itemId, perCentOff, itemName FROM vipCoupons JOIN items USING (itemId)" + + " WHERE couponCode = '" + + couponCode + + "';"); + ResultSet coupons = prepstmt.executeQuery(); + try { + if (coupons.next()) { + htmlOutput = new String("Valid Coupon for "); + log.debug("Found coupon for %" + coupons.getInt(2)); + log.debug("For Item Name " + coupons.getString(3)); + htmlOutput += + "" + + bundle.getString("response.percent") + + "" + + coupons.getInt(2) + + " " + + bundle.getString("response.off") + + " " + + Encode.forHtml(coupons.getString(3)) + + " " + + bundle.getString("response.items") + + ""; + } else { + htmlOutput = "" + bundle.getString("response.noCoupon") + ""; + } + } catch (Exception e) { + log.debug("Could Not Find VIP Coupon: " + e.toString()); + htmlOutput += "

" + bundle.getString("response.checkFailed") + "

"; + } + conn.close(); + } catch (Exception e) { + log.debug("Did complete VIP Check: " + e.toString()); + htmlOutput += "

" + bundle.getString("response.checkFailed") + "

"; + } + try { + Thread.sleep(1000); + } catch (Exception e) { + log.error("Failed to Pause: " + e.toString()); + } + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/SqlInjection6.java b/src/main/java/servlets/module/challenge/SqlInjection6.java index 607b43ce8..2ffd9318d 100644 --- a/src/main/java/servlets/module/challenge/SqlInjection6.java +++ b/src/main/java/servlets/module/challenge/SqlInjection6.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -7,133 +8,136 @@ import java.sql.ResultSet; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; + /** - * Level : SQL Injection 6 - *

+ * Level : SQL Injection 6
+ *
* - * This file is part of the Security Shepherd Project. + *

This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SqlInjection6 extends HttpServlet -{ - private static final String levelName = "SQLi C6"; - // private static String levelSolution = "17f999a8b3fbfde54124d6e94b256a264652e5087b14622e1644c884f8a33f82"; - public static String levelHash = "d0e12e91dafdba4825b261ad5221aae15d28c36c7981222eb59f7fc8d8f212a2"; - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SqlInjection6.class); - /** - * This controller makes an insecure call to a MySQL interpreter. - * User Input is first filtered for UTF-8 attacks and afterwards is decoded from \xHEX format to UTF-8 before sent to the interpreter - * - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class SqlInjection6 extends HttpServlet { + + private static final String levelName = "SQLi C6"; + // private static String levelSolution = + // "17f999a8b3fbfde54124d6e94b256a264652e5087b14622e1644c884f8a33f82"; + public static String levelHash = + "d0e12e91dafdba4825b261ad5221aae15d28c36c7981222eb59f7fc8d8f212a2"; + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SqlInjection6.class); + + /** + * This controller makes an insecure call to a MySQL interpreter. 
User Input is first filtered for + * UTF-8 attacks and afterwards is decoded from \xHEX format to UTF-8 before sent to the + * interpreter + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqli6", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); - String applicationRoot = getServletContext().getRealPath(""); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqli6", locale); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); + String applicationRoot = getServletContext().getRealPath(""); - try - { - String userPin = (String) request.getParameter("pinNumber"); - log.debug("userPin - " + userPin); - userPin = userPin.replaceAll("\\\\", "\\\\\\\\").replaceAll("'", ""); // Escape single quotes 
- log.debug("userPin scrubbed - " + userPin); - userPin = java.net.URLDecoder.decode(userPin.replaceAll("\\\\\\\\x", "%"), "UTF-8"); //Decode \x encoding - log.debug("searchTerm decoded to - " + userPin); - Connection conn = Database.getChallengeConnection(applicationRoot, "SqlChallengeSix"); - log.debug("Looking for users"); - PreparedStatement prepstmt = - conn.prepareStatement("SELECT userName FROM users WHERE userPin = '" + userPin + "'"); - ResultSet users = prepstmt.executeQuery(); - try - { - if(users.next()) - { - htmlOutput = "

" + bundle.getString("response.welcomeBack")+ "" + Encode.forHtml(users.getString(1)) + "

" - + "

" + bundle.getString("response.authNumber")+ "" + Encode.forHtml(Hash.randomString()) + "

"; - } - else - { - htmlOutput = "

" + bundle.getString("response.incorrectCreds")+ "

" + bundle.getString("response.carefulNow")+ "

"; - } - } - catch(Exception e) - { - htmlOutput = "

" + bundle.getString("response.incorrectCreds")+ "

" + bundle.getString("response.carefulNow")+ "

"; - log.debug("Could Not Find User: " + e.toString()); - try - { - Thread.sleep(1000); - } - catch(Exception e1) - { - log.error("Failed to Pause: " + e1.toString()); - } - } - conn.close(); - } - catch(Exception e) - { - log.debug("Could not Search for User: " + e.toString()); - htmlOutput += "

" + bundle.getString("response.badRequest")+ "

"; - try - { - Thread.sleep(1000); - } - catch(Exception e2) - { - log.error("Failed to Pause: " + e2.toString()); - } - } - log.debug("*** SQLi C6 End ***"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + try { + String userPin = (String) request.getParameter("pinNumber"); + log.debug("userPin - " + userPin); + userPin = + userPin.replaceAll("\\\\", "\\\\\\\\").replaceAll("'", ""); // Escape single quotes + log.debug("userPin scrubbed - " + userPin); + userPin = + java.net.URLDecoder.decode( + userPin.replaceAll("\\\\\\\\x", "%"), "UTF-8"); // Decode \x encoding + log.debug("searchTerm decoded to - " + userPin); + Connection conn = Database.getChallengeConnection(applicationRoot, "SqlChallengeSix"); + log.debug("Looking for users"); + PreparedStatement prepstmt = + conn.prepareStatement("SELECT userName FROM users WHERE userPin = '" + userPin + "'"); + ResultSet users = prepstmt.executeQuery(); + try { + if (users.next()) { + htmlOutput = + "

" + + bundle.getString("response.welcomeBack") + + "" + + Encode.forHtml(users.getString(1)) + + "

" + + "

" + + bundle.getString("response.authNumber") + + "" + + Encode.forHtml(Hash.randomString()) + + "

"; + } else { + htmlOutput = + "

" + + bundle.getString("response.incorrectCreds") + + "

" + + bundle.getString("response.carefulNow") + + "

"; + } + } catch (Exception e) { + htmlOutput = + "

" + + bundle.getString("response.incorrectCreds") + + "

" + + bundle.getString("response.carefulNow") + + "

"; + log.debug("Could Not Find User: " + e.toString()); + try { + Thread.sleep(1000); + } catch (Exception e1) { + log.error("Failed to Pause: " + e1.toString()); + } + } + conn.close(); + } catch (Exception e) { + log.debug("Could not Search for User: " + e.toString()); + htmlOutput += "

" + bundle.getString("response.badRequest") + "

"; + try { + Thread.sleep(1000); + } catch (Exception e2) { + log.error("Failed to Pause: " + e2.toString()); + } + } + log.debug("*** SQLi C6 End ***"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/SqlInjection7.java b/src/main/java/servlets/module/challenge/SqlInjection7.java index 4d5ed65a7..05257539e 100644 --- a/src/main/java/servlets/module/challenge/SqlInjection7.java +++ b/src/main/java/servlets/module/challenge/SqlInjection7.java @@ -1,5 +1,7 @@ package servlets.module.challenge; +import dbProcs.Database; +import dbProcs.Getter; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -7,138 +9,139 @@ import java.sql.ResultSet; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; -import dbProcs.Getter; + /** - * Level : SQL Injection 7 - *

+ * Level : SQL Injection 7
+ *
* - * This file is part of the Security Shepherd Project. + *

This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SqlInjection7 extends HttpServlet -{ - private static final String levelName = "SQLi C7"; - private static String levelHash = "8c2dd7e9818e5c6a9f8562feefa002dc0e455f0e92c8a46ab0cf519b1547eced"; - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SqlInjection7.class); +public class SqlInjection7 extends HttpServlet { + + private static final String levelName = "SQLi C7"; + private static String levelHash = + "8c2dd7e9818e5c6a9f8562feefa002dc0e455f0e92c8a46ab0cf519b1547eced"; + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SqlInjection7.class); - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqli7", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + 
ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); - String applicationRoot = getServletContext().getRealPath(""); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqli7", locale); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); + String applicationRoot = getServletContext().getRealPath(""); - try - { - String subEmail = Validate.validateParameter(request.getParameter("subEmail"), 60); - log.debug("subEmail - " + subEmail.replaceAll("\n", " \\\\n ")); //Escape \n's - String subPassword = Validate.validateParameter(request.getParameter("subPassword"), 40); - log.debug("subPassword - " + subPassword); - boolean validEmail = Validate.isValidEmailAddress(subEmail.replaceAll("\n", "")); //Ignore \n 's - if(!subPassword.isEmpty() && !subPassword.isEmpty() && validEmail) - { - Connection conn = Database.getChallengeConnection(applicationRoot, "SqlChallengeSeven"); - try - { - log.debug("Signing in with subitted details"); - PreparedStatement prepstmt = conn.prepareStatement("SELECT userName FROM users WHERE userEmail = '" + subEmail + "' AND userPassword = ?;"); - prepstmt.setString(1, subPassword); - ResultSet users = prepstmt.executeQuery(); - if(users.next()) - { - htmlOutput = "

" + bundle.getString("response.welcome")+ " " + Encode.forHtml(users.getString(1)) + "

" - + "

" + bundle.getString("response.resultKey")+ "" + Hash.generateUserSolution(Getter.getModuleResultFromHash(applicationRoot, levelHash), (String)ses.getAttribute("userName")) + "

"; - } - else - { - htmlOutput = "

" + bundle.getString("response.incorrectCreds")+ "

" + bundle.getString("response.carefulNow")+ "

"; - } - } - catch(Exception e) - { - htmlOutput = "

" + bundle.getString("response.incorrectCreds")+ "

" + bundle.getString("response.carefulNow")+ "

"; - log.debug("Could Not Find User: " + e.toString()); - try - { - Thread.sleep(1000); - } - catch(Exception e1) - { - log.error("Failed to Pause: " + e1.toString()); - } - } - conn.close(); - } - else - { - htmlOutput = new String("Invalid data submitted"); - if(!validEmail) - htmlOutput += "" + bundle.getString("response.badEmail")+ ""; - } - } - catch(Exception e) - { - log.debug("Could not perform user login: " + e.toString()); - htmlOutput += "

" + bundle.getString("response.badRequest")+ "

"; - try - { - Thread.sleep(1000); - } - catch(Exception e2) - { - log.error("Failed to Pause: " + e2.toString()); - } - } - log.debug("*** " + levelName + " End ***"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + try { + String subEmail = Validate.validateParameter(request.getParameter("subEmail"), 60); + log.debug("subEmail - " + subEmail.replaceAll("\n", " \\\\n ")); // Escape \n's + String subPassword = Validate.validateParameter(request.getParameter("subPassword"), 40); + log.debug("subPassword - " + subPassword); + boolean validEmail = + Validate.isValidEmailAddress(subEmail.replaceAll("\n", "")); // Ignore \n 's + if (!subPassword.isEmpty() && !subPassword.isEmpty() && validEmail) { + Connection conn = Database.getChallengeConnection(applicationRoot, "SqlChallengeSeven"); + try { + log.debug("Signing in with subitted details"); + PreparedStatement prepstmt = + conn.prepareStatement( + "SELECT userName FROM users WHERE userEmail = '" + + subEmail + + "' AND userPassword = ?;"); + prepstmt.setString(1, subPassword); + ResultSet users = prepstmt.executeQuery(); + if (users.next()) { + htmlOutput = + "

" + + bundle.getString("response.welcome") + + " " + + Encode.forHtml(users.getString(1)) + + "

" + + "

" + + bundle.getString("response.resultKey") + + "" + + Hash.generateUserSolution( + Getter.getModuleResultFromHash(applicationRoot, levelHash), + (String) ses.getAttribute("userName")) + + "

"; + } else { + htmlOutput = + "

" + + bundle.getString("response.incorrectCreds") + + "

" + + bundle.getString("response.carefulNow") + + "

"; + } + } catch (Exception e) { + htmlOutput = + "

" + + bundle.getString("response.incorrectCreds") + + "

" + + bundle.getString("response.carefulNow") + + "

"; + log.debug("Could Not Find User: " + e.toString()); + try { + Thread.sleep(1000); + } catch (Exception e1) { + log.error("Failed to Pause: " + e1.toString()); + } + } + conn.close(); + } else { + htmlOutput = new String("Invalid data submitted"); + if (!validEmail) { + htmlOutput += "" + bundle.getString("response.badEmail") + ""; + } + } + } catch (Exception e) { + log.debug("Could not perform user login: " + e.toString()); + htmlOutput += "

" + bundle.getString("response.badRequest") + "

"; + try { + Thread.sleep(1000); + } catch (Exception e2) { + log.error("Failed to Pause: " + e2.toString()); + } + } + log.debug("*** " + levelName + " End ***"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/SqlInjectionEmail.java b/src/main/java/servlets/module/challenge/SqlInjectionEmail.java index afb17f30e..e84e321a9 100644 --- a/src/main/java/servlets/module/challenge/SqlInjectionEmail.java +++ b/src/main/java/servlets/module/challenge/SqlInjectionEmail.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -8,133 +9,143 @@ import java.sql.Statement; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * SQL Injection Challenge Two - Does not use user specific keys - *

+ * SQL Injection Challenge Two - Does not use user specific keys
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SqlInjectionEmail extends HttpServlet -{ - //SQL Challenge One - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SqlInjectionEmail.class); - private static String levelName = "SQL Injection Challenge Two"; - public static String levelHash = "ffd39cb26727f34cbf9fce3e82b9d703404e99cdef54d2aa745f497abe070b"; - // private static String levelResult = ""; // Stored in Vulnerable DB. Not user Specific - /** - * This function is used to make a call to a database and process its results. The call made to the database is secured using an insufficient privilege. - * Players must overcome this filter to complete the module - * @param userIdentity Used to filter database results - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class SqlInjectionEmail extends HttpServlet { + + // SQL Challenge One + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SqlInjectionEmail.class); + private static String levelName = "SQL Injection Challenge Two"; + public static String levelHash = "ffd39cb26727f34cbf9fce3e82b9d703404e99cdef54d2aa745f497abe070b"; + // private static String levelResult = ""; // Stored in Vulnerable DB. Not user Specific + + /** + * This function is used to make a call to a database and process its results. The call made to + * the database is secured using an insufficient privilege. 
Players must overcome this filter to + * complete the module + * + * @param userIdentity Used to filter database results + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqliEmail", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqliEmail", locale); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); - try - { - String userIdentity = request.getParameter("userIdentity"); - log.debug("User Submitted - " + userIdentity); - if(Validate.isValidEmailAddress(userIdentity)) - { 
- log.debug("Filtered to " + userIdentity); - String ApplicationRoot = getServletContext().getRealPath(""); - log.debug("Servlet root = " + ApplicationRoot ); + try { + String userIdentity = request.getParameter("userIdentity"); + log.debug("User Submitted - " + userIdentity); + if (Validate.isValidEmailAddress(userIdentity)) { + log.debug("Filtered to " + userIdentity); + String ApplicationRoot = getServletContext().getRealPath(""); + log.debug("Servlet root = " + ApplicationRoot); - log.debug("Getting Connection to Database"); - Connection conn = Database.getChallengeConnection(ApplicationRoot, "SqlChallengeEmail"); - Statement stmt = conn.createStatement(); - log.debug("Gathering result set"); - ResultSet resultSet = stmt.executeQuery("SELECT * FROM customers WHERE customerAddress = '" + userIdentity + "'"); + log.debug("Getting Connection to Database"); + Connection conn = Database.getChallengeConnection(ApplicationRoot, "SqlChallengeEmail"); + Statement stmt = conn.createStatement(); + log.debug("Gathering result set"); + ResultSet resultSet = + stmt.executeQuery( + "SELECT * FROM customers WHERE customerAddress = '" + userIdentity + "'"); - int i = 0; - htmlOutput = "

" + bundle.getString("response.searchResults")+ "

"; - htmlOutput += ""; + int i = 0; + htmlOutput = "

" + bundle.getString("response.searchResults") + "

"; + htmlOutput += + "
"+ bundle.getString("response.table.name") +""+ bundle.getString("response.table.address") +""+ bundle.getString("response.table.comment") +"
"; - log.debug("Opening Result Set from query"); - while(resultSet.next()) - { - log.debug("Adding Customer " + resultSet.getString(2)); - htmlOutput += ""; - i++; - } - conn.close(); - htmlOutput += "
" + + bundle.getString("response.table.name") + + "" + + bundle.getString("response.table.address") + + "" + + bundle.getString("response.table.comment") + + "
" - + Encode.forHtml(resultSet.getString(2)) + "" - + Encode.forHtml(resultSet.getString(3)) + "" - + Encode.forHtml(resultSet.getString(4)) + "
"; - if(i == 0) - { - htmlOutput = "

"+bundle.getString("response.noResults")+"

"; - } - } - else - { - htmlOutput = new String("

"+bundle.getString("response.searchError")+"

"+bundle.getString("response.invalidEmail")+""); - } - } - catch (SQLException e) - { - log.debug("SQL Error caught - " + e.toString()); - htmlOutput += "

"+errors.getString("error.detected")+"

" + - "

" + Encode.forHtml(e.toString()) + "

"; - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + log.debug("Opening Result Set from query"); + while (resultSet.next()) { + log.debug("Adding Customer " + resultSet.getString(2)); + htmlOutput += + "" + + Encode.forHtml(resultSet.getString(2)) + + "" + + Encode.forHtml(resultSet.getString(3)) + + "" + + Encode.forHtml(resultSet.getString(4)) + + ""; + i++; + } + conn.close(); + htmlOutput += ""; + if (i == 0) { + htmlOutput = "

" + bundle.getString("response.noResults") + "

"; + } + } else { + htmlOutput = + new String( + "

" + + bundle.getString("response.searchError") + + "

" + + bundle.getString("response.invalidEmail") + + ""); + } + } catch (SQLException e) { + log.debug("SQL Error caught - " + e.toString()); + htmlOutput += + "

" + + errors.getString("error.detected") + + "

" + + "

" + + Encode.forHtml(e.toString()) + + "

"; + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/SqlInjectionEscaping.java b/src/main/java/servlets/module/challenge/SqlInjectionEscaping.java index 5da544737..2255130e6 100644 --- a/src/main/java/servlets/module/challenge/SqlInjectionEscaping.java +++ b/src/main/java/servlets/module/challenge/SqlInjectionEscaping.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -8,123 +9,129 @@ import java.sql.Statement; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * SQL Injection Escape Challenge - Does not use User specific keys - *

+ * SQL Injection Escape Challenge - Does not use User specific keys
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SqlInjectionEscaping extends HttpServlet -{ - //SQL Escaping Challenge - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SqlInjectionEscaping.class); - private static String levelName = "SQL Injection Escaping Challenge"; - public static String levelHash = "8c3c35c30cdbbb73b7be3a4f8587aa9d88044dc43e248984a252c6e861f673d4"; - //private static String levelResult = ""; //Stored in vulnerable DB. Not user Specific - /** - * This SQL Injection Module Class uses a poor escaping method to sanitise user data being sent to a MySQL interpreter - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class SqlInjectionEscaping extends HttpServlet { + + // SQL Escaping Challenge + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SqlInjectionEscaping.class); + private static String levelName = "SQL Injection Escaping Challenge"; + public static String levelHash = + "8c3c35c30cdbbb73b7be3a4f8587aa9d88044dc43e248984a252c6e861f673d4"; + // private static String levelResult = ""; //Stored in vulnerable DB. 
Not user Specific + + /** + * This SQL Injection Module Class uses a poor escaping method to sanitise user data being sent to + * a MySQL interpreter + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqliEscaping", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqliEscaping", locale); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); - try - { - String aUserId = request.getParameter("aUserId"); - log.debug("User Submitted - " + aUserId); - aUserId = 
aUserId.replaceAll("'", "\\\\'"); //Replace ' with \' - log.debug("Escaped to - " + aUserId); - String ApplicationRoot = getServletContext().getRealPath(""); + try { + String aUserId = request.getParameter("aUserId"); + log.debug("User Submitted - " + aUserId); + aUserId = aUserId.replaceAll("'", "\\\\'"); // Replace ' with \' + log.debug("Escaped to - " + aUserId); + String ApplicationRoot = getServletContext().getRealPath(""); - log.debug("Getting Connection to Database"); - Connection conn = Database.getChallengeConnection(ApplicationRoot, "SqlChallengeEscape"); - Statement stmt = conn.createStatement(); - log.debug("Gathering result set"); - ResultSet resultSet = stmt.executeQuery("SELECT * FROM customers WHERE customerId = '" + aUserId + "'"); + log.debug("Getting Connection to Database"); + Connection conn = Database.getChallengeConnection(ApplicationRoot, "SqlChallengeEscape"); + Statement stmt = conn.createStatement(); + log.debug("Gathering result set"); + ResultSet resultSet = + stmt.executeQuery("SELECT * FROM customers WHERE customerId = '" + aUserId + "'"); - int i = 0; - htmlOutput = "

" + bundle.getString("response.searchResults")+ "

"; - htmlOutput += ""; + int i = 0; + htmlOutput = "

" + bundle.getString("response.searchResults") + "

"; + htmlOutput += + "
"+ bundle.getString("response.table.name") +""+ bundle.getString("response.table.address") +""+ bundle.getString("response.table.comment") +"
"; - log.debug("Opening Result Set from query"); - while(resultSet.next()) - { - log.debug("Adding Customer " + resultSet.getString(2)); - htmlOutput += ""; - i++; - } - htmlOutput += "
" + + bundle.getString("response.table.name") + + "" + + bundle.getString("response.table.address") + + "" + + bundle.getString("response.table.comment") + + "
" - + Encode.forHtml(resultSet.getString(2)) + "" - + Encode.forHtml(resultSet.getString(3)) + "" - + Encode.forHtml(resultSet.getString(4)) + "
"; - if(i == 0) - { - htmlOutput = "

"+bundle.getString("response.noResults")+"

"; - } - } - catch (SQLException e) - { - log.debug("SQL Error caught - " + e.toString()); - htmlOutput += "

"+errors.getString("error.detected")+"

" + - "

" + Encode.forHtml(e.toString()) + "

"; - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + log.debug("Opening Result Set from query"); + while (resultSet.next()) { + log.debug("Adding Customer " + resultSet.getString(2)); + htmlOutput += + "" + + Encode.forHtml(resultSet.getString(2)) + + "" + + Encode.forHtml(resultSet.getString(3)) + + "" + + Encode.forHtml(resultSet.getString(4)) + + ""; + i++; + } + htmlOutput += ""; + if (i == 0) { + htmlOutput = "

" + bundle.getString("response.noResults") + "

"; + } + } catch (SQLException e) { + log.debug("SQL Error caught - " + e.toString()); + htmlOutput += + "

" + + errors.getString("error.detected") + + "

" + + "

" + + Encode.forHtml(e.toString()) + + "

"; + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/SqlInjectionStoredProcedure.java b/src/main/java/servlets/module/challenge/SqlInjectionStoredProcedure.java index e4d624e68..94b40aba7 100644 --- a/src/main/java/servlets/module/challenge/SqlInjectionStoredProcedure.java +++ b/src/main/java/servlets/module/challenge/SqlInjectionStoredProcedure.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -8,120 +9,124 @@ import java.sql.Statement; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * SQL Injection Stored Procedure Challenge - Does not use user specific keys - *

+ * SQL Injection Stored Procedure Challenge - Does not use user specific keys
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SqlInjectionStoredProcedure extends HttpServlet -{ - //SQL Challenge One - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SqlInjectionStoredProcedure.class); - private static String levelName = "SQL Injection Stored Procedure Challenge"; - public static String levelHash = "7edcbc1418f11347167dabb69fcb54137960405da2f7a90a0684f86c4d45a2e7"; - // private static String levelResult = ""; // Stored in Vulnerable DB. Not user Specific +public class SqlInjectionStoredProcedure extends HttpServlet { + + // SQL Challenge One + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SqlInjectionStoredProcedure.class); + private static String levelName = "SQL Injection Stored Procedure Challenge"; + public static String levelHash = + "7edcbc1418f11347167dabb69fcb54137960405da2f7a90a0684f86c4d45a2e7"; + // private static String levelResult = ""; // Stored in Vulnerable DB. 
Not user Specific - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqliStoreProcedure", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.sqli.sqliStoreProcedure", locale); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = 
response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); - try - { - String userIdentity = request.getParameter("userIdentity"); - log.debug("User Submitted - " + userIdentity); - String ApplicationRoot = getServletContext().getRealPath(""); + try { + String userIdentity = request.getParameter("userIdentity"); + log.debug("User Submitted - " + userIdentity); + String ApplicationRoot = getServletContext().getRealPath(""); - log.debug("Getting Connection to Database"); - Connection conn = Database.getChallengeConnection(ApplicationRoot, "SqlChallengeStoredProc"); - //CallableStatement callstmt = conn.prepareCall("CALL findUser('" + userIdentity + "');"); - Statement stmt = conn.createStatement(); - ResultSet resultSet = stmt.executeQuery("CALL findUser('" + userIdentity + "');"); + log.debug("Getting Connection to Database"); + Connection conn = + Database.getChallengeConnection(ApplicationRoot, "SqlChallengeStoredProc"); + // CallableStatement callstmt = conn.prepareCall("CALL findUser('" + userIdentity + "');"); + Statement stmt = conn.createStatement(); + ResultSet resultSet = stmt.executeQuery("CALL findUser('" + userIdentity + "');"); - int i = 0; - htmlOutput = "

" + bundle.getString("response.searchResults")+ "

"; - htmlOutput += ""; + int i = 0; + htmlOutput = "

" + bundle.getString("response.searchResults") + "

"; + htmlOutput += + "
"+ bundle.getString("response.table.name") +""+ bundle.getString("response.table.address") +""+ bundle.getString("response.table.comment") +"
"; - log.debug("Opening Result Set from query"); - while(resultSet.next()) - { - log.debug("Adding Customer " + resultSet.getString(2)); - htmlOutput += ""; - i++; - } - conn.close(); - htmlOutput += "
" + + bundle.getString("response.table.name") + + "" + + bundle.getString("response.table.address") + + "" + + bundle.getString("response.table.comment") + + "
" - + Encode.forHtml(resultSet.getString(2)) + "" - + Encode.forHtml(resultSet.getString(3)) + "" - + Encode.forHtml(resultSet.getString(4)) + "
"; - if(i == 0) - { - htmlOutput = "

"+bundle.getString("response.noResults")+"

"; - } - } - catch (SQLException e) - { - log.debug("SQL Error caught - " + e.toString()); - htmlOutput += "

"+errors.getString("error.detected")+"

" + - "

" + Encode.forHtml(e.toString()) + "

"; - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + log.debug("Opening Result Set from query"); + while (resultSet.next()) { + log.debug("Adding Customer " + resultSet.getString(2)); + htmlOutput += + "" + + Encode.forHtml(resultSet.getString(2)) + + "" + + Encode.forHtml(resultSet.getString(3)) + + "" + + Encode.forHtml(resultSet.getString(4)) + + ""; + i++; + } + conn.close(); + htmlOutput += ""; + if (i == 0) { + htmlOutput = "

" + bundle.getString("response.noResults") + "

"; + } + } catch (SQLException e) { + log.debug("SQL Error caught - " + e.toString()); + htmlOutput += + "

" + + errors.getString("error.detected") + + "

" + + "

" + + Encode.forHtml(e.toString()) + + "

"; + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/UrlAccess1.java b/src/main/java/servlets/module/challenge/UrlAccess1.java index b29c43440..1663a2b78 100644 --- a/src/main/java/servlets/module/challenge/UrlAccess1.java +++ b/src/main/java/servlets/module/challenge/UrlAccess1.java @@ -4,102 +4,108 @@ import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.ShepherdLogManager; import utils.Validate; /** - * Failure to Restrict URL Access Challenge 1 - *

- * This class is a red herring, displaying guest type functionality for the challenge. - * The information required to find the admin version of this function is - * contained in the javascript of the JSP page associated with the level - *

+ * Failure to Restrict URL Access Challenge 1
+ *
+ * This class is a red herring, displaying guest type functionality for the challenge. The + * information required to find the admin version of this function is contained in the javascript of + * the JSP page associated with the level
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class UrlAccess1 extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(UrlAccess1.class); - private static String levelName = "URL Access 1 (User)"; - /** - * This class is the User Level Function Call that works correctly from the level's view without manipulation - * This is not the correct function to target to retrieve the Result Key - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class UrlAccess1 extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(UrlAccess1.class); + private static String levelName = "URL Access 1 (User)"; + + /** + * This class is the User Level Function Call that works correctly from the level's view without + * manipulation This is not the correct function to target to retrieve the Result Key + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = 
ResourceBundle.getBundle("i18n.servlets.challenges.urlAccess.urlAccess1", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.urlAccess.urlAccess1", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); - try - { - String userData = request.getParameter("userData"); - boolean tamperedRequest = !userData.equalsIgnoreCase("4816283"); - if(!tamperedRequest) - log.debug("No request tampering detected"); - else - log.debug("User Submitted - " + userData); + try { + String userData = request.getParameter("userData"); + boolean tamperedRequest = !userData.equalsIgnoreCase("4816283"); + if (!tamperedRequest) { + log.debug("No request tampering detected"); + } else { + log.debug("User Submitted - " + userData); + } - if(!tamperedRequest) - htmlOutput = "

" + bundle.getString("response.status") + "

" - + "

" + bundle.getString("response.status.message") + "

"; - else - htmlOutput = "

" + bundle.getString("response.statusFail") + "

" - + "

" + bundle.getString("response.statusFail.message") + "

" - + ""; - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + if (!tamperedRequest) { + htmlOutput = + "

" + + bundle.getString("response.status") + + "

" + + "

" + + bundle.getString("response.status.message") + + "

"; + } else { + htmlOutput = + "

" + + bundle.getString("response.statusFail") + + "

" + + "

" + + bundle.getString("response.statusFail.message") + + "

" + + ""; + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/UrlAccess1Admin.java b/src/main/java/servlets/module/challenge/UrlAccess1Admin.java index 4b1edf484..7ef36b0d5 100644 --- a/src/main/java/servlets/module/challenge/UrlAccess1Admin.java +++ b/src/main/java/servlets/module/challenge/UrlAccess1Admin.java @@ -4,111 +4,119 @@ import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; /** - * Failure to Restrict URL Access Challenge 1 (Admin) - *

- * This class is the target functionality for the challenge. - * The information required to find this admin function is - * contained in the JavaScript of the JSP page associated with the level. This level returns - * a user specific key. - *

+ * Failure to Restrict URL Access Challenge 1 (Admin)
+ *
+ * This class is the target functionality for the challenge. The information required to find this + * admin function is contained in the JavaScript of the JSP page associated with the level. This + * level returns a user specific key.
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class UrlAccess1Admin extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(UrlAccess1Admin.class); - private static String levelResult = "c776572b6a9d5b5c6e4aa672a4771213"; - private static String levelName = "URL Access 1 (Admin)"; //Used for Logging - /** - * This class is the Admin Level Function Call that does not work correctly from the level's view without manipulation. - * The player must construct the request to this servlet by using the JavaScript Ajax Method as a blueprint - * This is not the correct function to target to retrieve the Result Key - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class UrlAccess1Admin extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(UrlAccess1Admin.class); + private static String levelResult = "c776572b6a9d5b5c6e4aa672a4771213"; + private static String levelName = "URL Access 1 (Admin)"; // Used for Logging + + /** + * This class is the Admin Level Function Call that does not work correctly from the level's view + * without manipulation. 
The player must construct the request to this servlet by using the + * JavaScript Ajax Method as a blueprint This is not the correct function to target to retrieve + * the Result Key + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.urlAccess.urlAccess1", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.urlAccess.urlAccess1", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); - try - { - String userData = request.getParameter("userData"); - boolean tamperedRequest = 
!userData.equalsIgnoreCase("4816283"); - if(!tamperedRequest) - log.debug("No request tampering detected"); - else - log.debug("User Submitted - " + userData); + try { + String userData = request.getParameter("userData"); + boolean tamperedRequest = !userData.equalsIgnoreCase("4816283"); + if (!tamperedRequest) { + log.debug("No request tampering detected"); + } else { + log.debug("User Submitted - " + userData); + } - if(!tamperedRequest) - { - String userKey = Hash.generateUserSolution(levelResult, (String)ses.getAttribute("userName")); - htmlOutput = "

" + bundle.getString("response.status") + "

" - + "

" + bundle.getString("result.keyMessage.1") + "
" - + "" + userKey + "
" - + bundle.getString("result.keyMessage.2") + "

"; - } - else - htmlOutput = "

" + bundle.getString("response.statusFail") + "

" - + "

" + bundle.getString("response.statusFail.message") + "

" - + ""; - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + if (!tamperedRequest) { + String userKey = + Hash.generateUserSolution(levelResult, (String) ses.getAttribute("userName")); + htmlOutput = + "

" + + bundle.getString("response.status") + + "

" + + "

" + + bundle.getString("result.keyMessage.1") + + "
" + + "" + + userKey + + "
" + + bundle.getString("result.keyMessage.2") + + "

"; + } else { + htmlOutput = + "

" + + bundle.getString("response.statusFail") + + "

" + + "

" + + bundle.getString("response.statusFail.message") + + "

" + + ""; + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/UrlAccess2.java b/src/main/java/servlets/module/challenge/UrlAccess2.java index 6dcb35310..0a3e33a0d 100644 --- a/src/main/java/servlets/module/challenge/UrlAccess2.java +++ b/src/main/java/servlets/module/challenge/UrlAccess2.java @@ -4,99 +4,104 @@ import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; /** - * Failure to Restrict URL Access Challenge 2 - *

- * This class is a red herring, displaying guest type functionality for the challenge. - * The information required to find the admin version of this function is - * contained in the javascript of the JSP page associated with the level - *

+ * Failure to Restrict URL Access Challenge 2
+ *
+ * This class is a red herring, displaying guest type functionality for the challenge. The + * information required to find the admin version of this function is contained in the javascript of + * the JSP page associated with the level
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class UrlAccess2 extends HttpServlet -{ - //URL Access 2 - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(UrlAccess2.class); - private static String levelName = "URL Access 2 (Guest)"; - /** - * This class is the User Level Function Call that works correctly from the level's view without manipulation - * This is not the correct function to target to retrieve the Result Key - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); +public class UrlAccess2 extends HttpServlet { + + // URL Access 2 + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(UrlAccess2.class); + private static String levelName = "URL Access 2 (Guest)"; + + /** + * This class is the User Level Function Call that works correctly from the level's view without + * manipulation This is not the correct function to target to retrieve the Result Key + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = 
ResourceBundle.getBundle("i18n.servlets.challenges.urlAccess.urlAccess2", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.urlAccess.urlAccess2", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); - try - { - String userData = request.getParameter("guestData"); - boolean tamperedRequest = !userData.equalsIgnoreCase("sOdjh318UD8ismcoa98smcj21dmdoaoIS9"); - if(!tamperedRequest) - log.debug("No request tampering detected"); - else - log.debug("User Submitted - " + userData); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); + try { + String userData = request.getParameter("guestData"); + boolean tamperedRequest = !userData.equalsIgnoreCase("sOdjh318UD8ismcoa98smcj21dmdoaoIS9"); + if (!tamperedRequest) { + log.debug("No request tampering detected"); + } else { + log.debug("User Submitted - " + userData); + } - if(!tamperedRequest) - htmlOutput = "

" + bundle.getString("request.normal") + "

" - + "

" + bundle.getString("message.boring") + "

"; - else - htmlOutput = "

" + bundle.getString("request.notNormal") + "

" - + "

" + bundle.getString("message.different") + "

"; - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + if (!tamperedRequest) { + htmlOutput = + "

" + + bundle.getString("request.normal") + + "

" + + "

" + + bundle.getString("message.boring") + + "

"; + } else { + htmlOutput = + "

" + + bundle.getString("request.notNormal") + + "

" + + "

" + + bundle.getString("message.different") + + "

"; + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/UrlAccess2Admin.java b/src/main/java/servlets/module/challenge/UrlAccess2Admin.java index 1a0c7312f..0614491a5 100644 --- a/src/main/java/servlets/module/challenge/UrlAccess2Admin.java +++ b/src/main/java/servlets/module/challenge/UrlAccess2Admin.java @@ -4,108 +4,114 @@ import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; /** - * Failure to Restrict URL Access Challenge 2 (Admin) - *

- * This class is the target functionality for the challenge. - * The information required to find this admin function is - * contained in the javascript of the JSP page associated with the level. This level returns - * a user specific key. - *

+ * Failure to Restrict URL Access Challenge 2 (Admin)
+ *
+ * This class is the target functionality for the challenge. The information required to find this + * admin function is contained in the javascript of the JSP page associated with the level. This + * level returns a user specific key.
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class UrlAccess2Admin extends HttpServlet -{ - //Sql Challenge 4 - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(UrlAccess2Admin.class); - private static String levelResult = "40b675e3d404c52b36abe31d05842b283975ec62e8"; - private static String levelName = "URL Access 2 (Admin)"; +public class UrlAccess2Admin extends HttpServlet { + + // Sql Challenge 4 + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(UrlAccess2Admin.class); + private static String levelResult = "40b675e3d404c52b36abe31d05842b283975ec62e8"; + private static String levelName = "URL Access 2 (Admin)"; - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.urlAccess.urlAccess2", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = 
ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.urlAccess.urlAccess2", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); - try - { - String userData = request.getParameter("adminData"); - boolean tamperedRequest = !userData.equalsIgnoreCase("youAreAnAdminOfAwesomenessWoopWoop"); - if(!tamperedRequest) - log.debug("No request tampering detected"); - else - log.debug("User Submitted - " + userData); + try { + String userData = request.getParameter("adminData"); + boolean tamperedRequest = !userData.equalsIgnoreCase("youAreAnAdminOfAwesomenessWoopWoop"); + if (!tamperedRequest) { + log.debug("No request tampering detected"); + } else { + log.debug("User Submitted - " + userData); + } - if(!tamperedRequest) - { - String userKey = Hash.generateUserSolution(levelResult, (String)ses.getAttribute("userName")); - htmlOutput = "

" + bundle.getString("admin.clicked") + "

" - + "

" + bundle.getString("admin.keyMessage.1") + "
" - + "" + userKey + "
" - + bundle.getString("admin.keyMessage.2") + "

"; - } - else - htmlOutput = "

" + bundle.getString("response.failue") + "

" - + "

" + bundle.getString("response.failue.message") + "

" - + ""; - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + if (!tamperedRequest) { + String userKey = + Hash.generateUserSolution(levelResult, (String) ses.getAttribute("userName")); + htmlOutput = + "

" + + bundle.getString("admin.clicked") + + "

" + + "

" + + bundle.getString("admin.keyMessage.1") + + "
" + + "" + + userKey + + "
" + + bundle.getString("admin.keyMessage.2") + + "

"; + } else { + htmlOutput = + "

" + + bundle.getString("response.failue") + + "

" + + "

" + + bundle.getString("response.failue.message") + + "

" + + ""; + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/UrlAccess3.java b/src/main/java/servlets/module/challenge/UrlAccess3.java index bbff16ece..9a896b9f9 100644 --- a/src/main/java/servlets/module/challenge/UrlAccess3.java +++ b/src/main/java/servlets/module/challenge/UrlAccess3.java @@ -1,179 +1,177 @@ package servlets.module.challenge; +import dbProcs.Getter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - import org.apache.commons.codec.binary.Base64; -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - -import dbProcs.Getter; +import org.apache.logging.log4j.Logger; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; /** - * Failure to Restrict URL Access 3 - *

+ * Failure to Restrict URL Access 3
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class UrlAccess3 extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(UrlAccess3.class); - private static String levelName = "Failure to Restrict URL Access 3"; - private static String levelHash = "e40333fc2c40b8e0169e433366350f55c77b82878329570efa894838980de5b4"; - /** - * Users must take advance of the broken session management in this application by - * modifying the tracking cookie "currentPerson" which is encoded in Base64. - * They must modify this cookie to be equal a super admin to access the result key. - * @param userId Red herring that is pre set to d3d9446802a44259755d38e6d163e820 - * @param secure Red herring that is pre set to true - * @param adminDetected Red herring - * @param currentPerson Cookie encoded base64 that manages who is signed in to the sub schema - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - String redherringOne = new String("userId"); - String redherringTwo = new String("secure"); +public class UrlAccess3 extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(UrlAccess3.class); + private static String levelName = "Failure to Restrict URL Access 3"; + private static String levelHash = + "e40333fc2c40b8e0169e433366350f55c77b82878329570efa894838980de5b4"; + + /** + * Users must take advance of the broken session management in this application by modifying the + * tracking cookie "currentPerson" which is encoded in Base64. They must modify this cookie to be + * equal a super admin to access the result key. 
+ * + * @param userId Red herring that is pre set to d3d9446802a44259755d38e6d163e820 + * @param secure Red herring that is pre set to true + * @param adminDetected Red herring + * @param currentPerson Cookie encoded base64 that manages who is signed in to the sub schema + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + String redherringOne = new String("userId"); + String redherringTwo = new String("secure"); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.urlAccess.urlAccess3", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.urlAccess.urlAccess3", locale); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie userCookies[] = request.getCookies(); - int i = 0; - Cookie theCookie = null; - for(i = 0; i < userCookies.length; i++) - { - if(userCookies[i].getName().compareTo("currentPerson") == 0) - { - theCookie = userCookies[i]; - break; //End Loop, because we found the token - } - } - String htmlOutput = null; - if(theCookie != 
null) - { - log.debug("Cookie value: " + theCookie.getValue()); - byte[] decodedCookieBytes = Base64.decodeBase64(theCookie.getValue()); - String decodedCookie = new String(decodedCookieBytes, "UTF-8"); - log.debug("Decoded Cookie: " + decodedCookie); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie userCookies[] = request.getCookies(); + int i = 0; + Cookie theCookie = null; + for (i = 0; i < userCookies.length; i++) { + if (userCookies[i].getName().compareTo("currentPerson") == 0) { + theCookie = userCookies[i]; + break; // End Loop, because we found the token + } + } + String htmlOutput = null; + if (theCookie != null) { + log.debug("Cookie value: " + theCookie.getValue()); + byte[] decodedCookieBytes = Base64.decodeBase64(theCookie.getValue()); + String decodedCookie = new String(decodedCookieBytes, "UTF-8"); + log.debug("Decoded Cookie: " + decodedCookie); - if(decodedCookie.equals("MrJohnReillyTheSecond")) - { - log.debug("Super Admin Cookie detected"); - // Get key and add it to the output - String userKey = Hash.generateUserSolution(Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash), (String)ses.getAttribute("userName")); - htmlOutput = "

" + bundle.getString("admin.superAdminClub") + "

" + - "

" + - bundle.getString("admin.superAdminClub.keyMessage") + " " + - "" + userKey + "" + - "

"; - } - else if (!decodedCookie.equals("aGuest")) - { - log.debug("Tampered role cookie detected: " + decodedCookie); - htmlOutput = ""; - } - else - { - log.debug("No change to role cookie submitted"); - } - } - else - { - log.debug("No Role Cookie Submitted"); - } - if(htmlOutput == null) - { - log.debug("Challenge Not Complete"); - boolean hackDetected = false; - boolean badUserId = false; - hackDetected = !(request.getParameter(redherringOne) != null && request.getParameter(redherringTwo) != null); - if(!hackDetected) - { - String paramOne = request.getParameter(redherringOne).toString(); - String paramTwo = request.getParameter(redherringTwo).toString(); - log.debug("Param value of " + redherringOne + ":" + paramOne); - log.debug("Param value of " + redherringTwo + ":" + paramTwo); - badUserId = paramOne.equalsIgnoreCase("d3d9446802a44259755d38e6d163e820"); - hackDetected = !badUserId && !paramTwo.equalsIgnoreCase("true"); - } - if(!hackDetected) - { - htmlOutput = "

" + bundle.getString("response.notSuperAdmin") + "

" + - "

" + - bundle.getString("response.notSuperAdmin.message") + - "

"; - } - else - { - if(badUserId) - { - htmlOutput = "

" + bundle.getString("response.whoAreYou") + "

" + - "

" + - bundle.getString("response.whoAreYou.message") + - "

"; - } - else - { - htmlOutput = "

" + bundle.getString("response.hackDetected") + "

" + - "

" + - bundle.getString("response.hackDetected.message") + - "

"; - } - } - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } + if (decodedCookie.equals("MrJohnReillyTheSecond")) { + log.debug("Super Admin Cookie detected"); + // Get key and add it to the output + String userKey = + Hash.generateUserSolution( + Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash), + (String) ses.getAttribute("userName")); + htmlOutput = + "

" + + bundle.getString("admin.superAdminClub") + + "

" + + "

" + + bundle.getString("admin.superAdminClub.keyMessage") + + " " + + "" + + userKey + + "" + + "

"; + } else if (!decodedCookie.equals("aGuest")) { + log.debug("Tampered role cookie detected: " + decodedCookie); + htmlOutput = ""; + } else { + log.debug("No change to role cookie submitted"); + } + } else { + log.debug("No Role Cookie Submitted"); + } + if (htmlOutput == null) { + log.debug("Challenge Not Complete"); + boolean hackDetected = false; + boolean badUserId = false; + hackDetected = + !(request.getParameter(redherringOne) != null + && request.getParameter(redherringTwo) != null); + if (!hackDetected) { + String paramOne = request.getParameter(redherringOne).toString(); + String paramTwo = request.getParameter(redherringTwo).toString(); + log.debug("Param value of " + redherringOne + ":" + paramOne); + log.debug("Param value of " + redherringTwo + ":" + paramTwo); + badUserId = paramOne.equalsIgnoreCase("d3d9446802a44259755d38e6d163e820"); + hackDetected = !badUserId && !paramTwo.equalsIgnoreCase("true"); + } + if (!hackDetected) { + htmlOutput = + "

" + + bundle.getString("response.notSuperAdmin") + + "

" + + "

" + + bundle.getString("response.notSuperAdmin.message") + + "

"; + } else { + if (badUserId) { + htmlOutput = + "

" + + bundle.getString("response.whoAreYou") + + "

" + + "

" + + bundle.getString("response.whoAreYou.message") + + "

"; + } else { + htmlOutput = + "

" + + bundle.getString("response.hackDetected") + + "

" + + "

" + + bundle.getString("response.hackDetected.message") + + "

"; + } + } + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/UrlAccess3UserList.java b/src/main/java/servlets/module/challenge/UrlAccess3UserList.java index c4828df15..4db149c50 100644 --- a/src/main/java/servlets/module/challenge/UrlAccess3UserList.java +++ b/src/main/java/servlets/module/challenge/UrlAccess3UserList.java @@ -1,5 +1,6 @@ package servlets.module.challenge; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -7,123 +8,110 @@ import java.sql.ResultSet; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - import org.apache.commons.codec.binary.Base64; -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - -import dbProcs.Database; import utils.ShepherdLogManager; import utils.Validate; /** - * Failure to Restrict URL Access Challenge 3 (UserList) - *

- * This class is the target functionality for the challenge. - * The information required to find this admin function is - * contained in the javascript of the JSP page associated with the level. This level returns - * a user specific key. - *

+ * Failure to Restrict URL Access Challenge 3 (UserList)
+ *
+ * This class is the target functionality for the challenge. The information required to find this + * admin function is contained in the javascript of the JSP page associated with the level. This + * level returns a user specific key.
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class UrlAccess3UserList extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(UrlAccess3UserList.class); - private static String levelName = "URL Access 3 (UserList)"; +public class UrlAccess3UserList extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(UrlAccess3UserList.class); + private static String levelName = "URL Access 3 (UserList)"; - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - HttpSession ses = request.getSession(true); + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + HttpSession ses = request.getSession(true); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + 
ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - String htmlOutput = new String(); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + String htmlOutput = new String(); - try - { - Cookie userCookies[] = request.getCookies(); - int i = 0; - Cookie theCookie = null; - for(i = 0; i < userCookies.length; i++) - { - if(userCookies[i].getName().compareTo("currentPerson") == 0) - { - theCookie = userCookies[i]; - break; //End Loop, because we found the token - } - } - String currentUser = new String("aGuest"); - if(theCookie != null) - { - log.debug("Cookie value: " + theCookie.getValue()); - byte[] decodedCookieBytes = Base64.decodeBase64(theCookie.getValue()); - String decodedCookie = new String(decodedCookieBytes, "UTF-8"); - log.debug("Decoded Cookie: " + decodedCookie); - currentUser = decodedCookie; - } - String ApplicationRoot = getServletContext().getRealPath(""); - Connection conn = Database.getChallengeConnection(ApplicationRoot, "UrlAccessThree"); - PreparedStatement callstmt; - callstmt = conn.prepareStatement("SELECT userName FROM users WHERE userRole = \"admin\" OR userName = \"" + currentUser + "\";"); - log.debug("Getting User List"); - htmlOutput = new String(); - ResultSet rs = callstmt.executeQuery(); - while(rs.next()) - { - htmlOutput += Encode.forHtml(rs.getString(1)) + "
"; - if(rs.getString(1).equalsIgnoreCase("MrJohnReillyTheSecond")) - { - log.debug("Super Admin contained in response"); - } - } - } - catch(Exception e) - { - htmlOutput = new String(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + try { + Cookie userCookies[] = request.getCookies(); + int i = 0; + Cookie theCookie = null; + for (i = 0; i < userCookies.length; i++) { + if (userCookies[i].getName().compareTo("currentPerson") == 0) { + theCookie = userCookies[i]; + break; // End Loop, because we found the token + } + } + String currentUser = new String("aGuest"); + if (theCookie != null) { + log.debug("Cookie value: " + theCookie.getValue()); + byte[] decodedCookieBytes = Base64.decodeBase64(theCookie.getValue()); + String decodedCookie = new String(decodedCookieBytes, "UTF-8"); + log.debug("Decoded Cookie: " + decodedCookie); + currentUser = decodedCookie; + } + String ApplicationRoot = getServletContext().getRealPath(""); + Connection conn = Database.getChallengeConnection(ApplicationRoot, "UrlAccessThree"); + PreparedStatement callstmt; + callstmt = + conn.prepareStatement( + "SELECT userName FROM users WHERE userRole = \"admin\" OR userName = \"" + + currentUser + + "\";"); + log.debug("Getting User List"); + htmlOutput = new String(); + ResultSet rs = callstmt.executeQuery(); + while (rs.next()) { + htmlOutput += Encode.forHtml(rs.getString(1)) + "
"; + if (rs.getString(1).equalsIgnoreCase("MrJohnReillyTheSecond")) { + log.debug("Super Admin contained in response"); + } + } + } catch (Exception e) { + htmlOutput = new String(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + } + } } diff --git a/src/main/java/servlets/module/challenge/XssChallengeFive.java b/src/main/java/servlets/module/challenge/XssChallengeFive.java index 57b1d5101..5305be2bc 100644 --- a/src/main/java/servlets/module/challenge/XssChallengeFive.java +++ b/src/main/java/servlets/module/challenge/XssChallengeFive.java @@ -1,114 +1,121 @@ package servlets.module.challenge; +import dbProcs.Getter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - -import dbProcs.Getter; +import org.apache.logging.log4j.Logger; import utils.FindXSS; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; import utils.XssFilter; + /** - * Cross Site Scripting Challenge Five control class. - *

+ * Cross Site Scripting Challenge Five control class.
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class XssChallengeFive extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(XssChallengeFive.class); - private static final String levelHash = "f37d45f597832cdc6e91358dca3f53039d4489c94df2ee280d6203b389dd5671"; - private static String levelName = "XSS Challenge 5"; - /** - * Cross Site Request Forgery safe Reflected XSS vulnerability. cannot be remotely exploited, and there fore only is executable against the person initiating the function. - * @param searchTerm To be spat back out at the user after been encoded for wrong HTML Context - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug("Cross-Site Scripting Challenge Five Servlet"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); +public class XssChallengeFive extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(XssChallengeFive.class); + private static final String levelHash = + "f37d45f597832cdc6e91358dca3f53039d4489c94df2ee280d6203b389dd5671"; + private static String levelName = "XSS Challenge 5"; + + /** + * Cross Site Request Forgery safe Reflected XSS vulnerability. cannot be remotely exploited, and + * there fore only is executable against the person initiating the function. 
+ * + * @param searchTerm To be spat back out at the user after been encoded for wrong HTML Context + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug("Cross-Site Scripting Challenge Five Servlet"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.xss.xss5", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.xss.xss5", locale); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - String htmlOutput = new String(); - String userPost = new String(); - String searchTerm = request.getParameter("searchTerm"); - log.debug("User Submitted - " + searchTerm); - searchTerm = XssFilter.badUrlValidate(searchTerm); - userPost = "Your HTTP Link!"; - log.debug("After WhiteListing - " + searchTerm); + try { + HttpSession ses = request.getSession(true); + if 
(Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + String htmlOutput = new String(); + String userPost = new String(); + String searchTerm = request.getParameter("searchTerm"); + log.debug("User Submitted - " + searchTerm); + searchTerm = XssFilter.badUrlValidate(searchTerm); + userPost = "Your HTTP Link!"; + log.debug("After WhiteListing - " + searchTerm); - boolean xssDetected = FindXSS.search(userPost); - if(xssDetected) - { - htmlOutput = "

" + bundle.getString("result.wellDone") + "

" + - "

" + bundle.getString("result.youDidIt") + "
" + - bundle.getString("result.resultKey") + " " + - Hash.generateUserSolution( - Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash), - (String)ses.getAttribute("userName") - ) - + ""; - } - log.debug("Adding searchTerm to Html: " + searchTerm); - htmlOutput += "

" + bundle.getString("response.yourPost") + "

" + - "

" + bundle.getString("response.linkPosted") + "

" + - userPost + - "

"; - out.write(htmlOutput); - } - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal("Cross Site Scripting Challenge 5 - " + e.toString()); - } - } + boolean xssDetected = FindXSS.search(userPost); + if (xssDetected) { + htmlOutput = + "

" + + bundle.getString("result.wellDone") + + "

" + + "

" + + bundle.getString("result.youDidIt") + + "
" + + bundle.getString("result.resultKey") + + " " + + Hash.generateUserSolution( + Getter.getModuleResultFromHash( + getServletContext().getRealPath(""), levelHash), + (String) ses.getAttribute("userName")) + + ""; + } + log.debug("Adding searchTerm to Html: " + searchTerm); + htmlOutput += + "

" + + bundle.getString("response.yourPost") + + "

" + + "

" + + bundle.getString("response.linkPosted") + + "

" + + userPost + + "

"; + out.write(htmlOutput); + } + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal("Cross Site Scripting Challenge 5 - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/XssChallengeFour.java b/src/main/java/servlets/module/challenge/XssChallengeFour.java index f0a83d321..f8ca05acd 100644 --- a/src/main/java/servlets/module/challenge/XssChallengeFour.java +++ b/src/main/java/servlets/module/challenge/XssChallengeFour.java @@ -1,126 +1,134 @@ package servlets.module.challenge; +import dbProcs.Getter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - -import dbProcs.Getter; +import org.apache.logging.log4j.Logger; import utils.FindXSS; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; import utils.XssFilter; + /** - * Cross Site Scripting Challenge Four control class. - *

+ * Cross Site Scripting Challenge Four control class.
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class XssChallengeFour extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(XssChallengeFour.class); - private static final String levelHash = "06f81ca93f26236112f8e31f32939bd496ffe8c9f7b564bce32bd5e3a8c2f751"; - private static String levelName = "XSS Challenge 4"; - /** - * Cross Site Request Forgery safe Reflected XSS vulnerability. cannot be remotely exploited, and there fore only is executable against the person initiating the function. - * @param searchTerm To be spat back out at the user after been encoded for wrong HTML Context - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug("Cross-Site Scripting Challenge Four Servlet"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); +public class XssChallengeFour extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(XssChallengeFour.class); + private static final String levelHash = + "06f81ca93f26236112f8e31f32939bd496ffe8c9f7b564bce32bd5e3a8c2f751"; + private static String levelName = "XSS Challenge 4"; + + /** + * Cross Site Request Forgery safe Reflected XSS vulnerability. cannot be remotely exploited, and + * there fore only is executable against the person initiating the function. 
+ * + * @param searchTerm To be spat back out at the user after been encoded for wrong HTML Context + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug("Cross-Site Scripting Challenge Four Servlet"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.xss.xss4", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.xss.xss4", locale); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - String htmlOutput = new String(); - String userPost = new String(); - String searchTerm = request.getParameter("searchTerm"); - log.debug("User Submitted - " + searchTerm); - if(!searchTerm.startsWith("http")) - { - searchTerm = "https://www.owasp.org/index.php/OWASP_Security_Shepherd"; - userPost = "" + searchTerm + ""; - } - else - { + try { + HttpSession ses = 
request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + String htmlOutput = new String(); + String userPost = new String(); + String searchTerm = request.getParameter("searchTerm"); + log.debug("User Submitted - " + searchTerm); + if (!searchTerm.startsWith("http")) { + searchTerm = "https://www.owasp.org/index.php/OWASP_Security_Shepherd"; + userPost = + "" + + searchTerm + + ""; + } else { - searchTerm = XssFilter.encodeForHtml(searchTerm); - userPost = "" + searchTerm + ""; - log.debug("After Encoding - " + searchTerm); - if(FindXSS.search(userPost)) - { - htmlOutput = "

" + bundle.getString("result.wellDone") + "

" + - "

" + bundle.getString("result.youDidIt") + "
" + - bundle.getString("result.resultKey") + " " + - Hash.generateUserSolution( - Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash), - (String)ses.getAttribute("userName") - ) - + ""; - } - } - log.debug("Adding searchTerm to Html: " + searchTerm); - htmlOutput += "

" + bundle.getString("response.yourPost") + "

" + - "

" + bundle.getString("response.linkPosted") + "

" + - userPost + - "

"; - out.write(htmlOutput); - } - } - else - { - log.error(levelName + " servlet was accessed without a valid session"); - out.write(errors.getString("error.noSession")); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal("Cross Site Scripting Challenge 4 - " + e.toString()); - } - } + searchTerm = XssFilter.encodeForHtml(searchTerm); + userPost = + "" + searchTerm + ""; + log.debug("After Encoding - " + searchTerm); + if (FindXSS.search(userPost)) { + htmlOutput = + "

" + + bundle.getString("result.wellDone") + + "

" + + "

" + + bundle.getString("result.youDidIt") + + "
" + + bundle.getString("result.resultKey") + + " " + + Hash.generateUserSolution( + Getter.getModuleResultFromHash( + getServletContext().getRealPath(""), levelHash), + (String) ses.getAttribute("userName")) + + ""; + } + } + log.debug("Adding searchTerm to Html: " + searchTerm); + htmlOutput += + "

" + + bundle.getString("response.yourPost") + + "

" + + "

" + + bundle.getString("response.linkPosted") + + "

" + + userPost + + "

"; + out.write(htmlOutput); + } + } else { + log.error(levelName + " servlet was accessed without a valid session"); + out.write(errors.getString("error.noSession")); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal("Cross Site Scripting Challenge 4 - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/XssChallengeOne.java b/src/main/java/servlets/module/challenge/XssChallengeOne.java index cea1d365f..0045385f4 100644 --- a/src/main/java/servlets/module/challenge/XssChallengeOne.java +++ b/src/main/java/servlets/module/challenge/XssChallengeOne.java @@ -1,21 +1,18 @@ package servlets.module.challenge; +import dbProcs.Getter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - -import dbProcs.Getter; +import org.apache.logging.log4j.Logger; import utils.FindXSS; import utils.Hash; import utils.ShepherdLogManager; @@ -23,91 +20,99 @@ import utils.XssFilter; /** - * Cross Site Scripting Challenge One - *

+ * Cross Site Scripting Challenge One
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class XssChallengeOne extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(XssChallengeOne.class); - private static String levelName = "Cross Site Scripting Challenge One"; - private static String levelHash = "d72ca2694422af2e6b3c5d90e4c11e7b4575a7bc12ee6d0a384ac2469449e8fa"; - /** - * Cross Site Request Forgery safe Reflected XSS vulnerability. cannot be remotly deployed, and therfore only is executable against the person initating the funciton. - * @param searchTerm To be spat back out at the user after been filtered - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet Accessed"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); +public class XssChallengeOne extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(XssChallengeOne.class); + private static String levelName = "Cross Site Scripting Challenge One"; + private static String levelHash = + "d72ca2694422af2e6b3c5d90e4c11e7b4575a7bc12ee6d0a384ac2469449e8fa"; + + /** + * Cross Site Request Forgery safe Reflected XSS vulnerability. cannot be remotly deployed, and + * therfore only is executable against the person initating the funciton. 
+ * + * @param searchTerm To be spat back out at the user after been filtered + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet Accessed"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.xss.xss1", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.xss.xss1", locale); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - String searchTerm = request.getParameter("searchTerm"); - log.debug("User Submitted - " + searchTerm); - searchTerm = XssFilter.levelOne(searchTerm); - log.debug("After Filtering - " + searchTerm); - String htmlOutput = new String(); - if(FindXSS.search(searchTerm)) - { - htmlOutput = "

" + bundle.getString("result.wellDone") + "

" + - "

" + bundle.getString("result.youDidIt") + "
" + - bundle.getString("result.resultKey") + " " + - Hash.generateUserSolution( - Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash - ), (String)ses.getAttribute("userName") - ) - + - ""; - } - log.debug("Adding searchTerm to Html: " + searchTerm); - htmlOutput += "

" + bundle.getString("response.searchResults") + "

" + - "

" + bundle.getString("response.noResults") + " " + - searchTerm + - "

"; - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + String searchTerm = request.getParameter("searchTerm"); + log.debug("User Submitted - " + searchTerm); + searchTerm = XssFilter.levelOne(searchTerm); + log.debug("After Filtering - " + searchTerm); + String htmlOutput = new String(); + if (FindXSS.search(searchTerm)) { + htmlOutput = + "

" + + bundle.getString("result.wellDone") + + "

" + + "

" + + bundle.getString("result.youDidIt") + + "
" + + bundle.getString("result.resultKey") + + " " + + Hash.generateUserSolution( + Getter.getModuleResultFromHash( + getServletContext().getRealPath(""), levelHash), + (String) ses.getAttribute("userName")) + + ""; + } + log.debug("Adding searchTerm to Html: " + searchTerm); + htmlOutput += + "

" + + bundle.getString("response.searchResults") + + "

" + + "

" + + bundle.getString("response.noResults") + + " " + + searchTerm + + "

"; + log.debug("Outputting HTML"); + out.write(htmlOutput); + } + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/XssChallengeSix.java b/src/main/java/servlets/module/challenge/XssChallengeSix.java index cbe7632df..6aa964c7d 100644 --- a/src/main/java/servlets/module/challenge/XssChallengeSix.java +++ b/src/main/java/servlets/module/challenge/XssChallengeSix.java @@ -1,114 +1,121 @@ package servlets.module.challenge; +import dbProcs.Getter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - -import dbProcs.Getter; +import org.apache.logging.log4j.Logger; import utils.FindXSS; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; import utils.XssFilter; + /** - * Cross Site Scripting Challenge Six control class. - *
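Review bot: The doPost Javadoc still carries `@param searchTerm`, but the method's parameters are `request` and `response`, so doclint reports an unknown parameter name; the same stale tag is kept in the reformatted XssChallengeTwo, XssChallengeThree and XssChallengeSix further down this diff. Replace it with `@param request the request whose {@code searchTerm} parameter is filtered and reflected back`, `@param response the response the HTML fragment is written to`, and add `@throws ServletException` / `@throws IOException` for the declared exceptions. The summary sentence "cannot be remotly deployed, and therfore only is executable against the person initating the funciton" should also be corrected to "cannot be remotely exploited, and therefore is only executable against the person initiating the function". Separately, the new body still falls through silently when `Validate.validateSession(ses)` is false (three closing braces straight into the `catch`), whereas XssChallengeTwo's doPost in this same diff logs the event and writes `errors.getString("error.noSession")` in an `else` branch; the two handlers should agree on what an unauthenticated request gets back.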

+ * Cross Site Scripting Challenge Six control class.
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class XssChallengeSix extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(XssChallengeSix.class); - private static final String levelHash = "d330dea1acf21886b685184ee222ea8e0a60589c3940afd6ebf433469e997caf"; - private static final String levelName = "Cross-Site Scripting Challenge Six"; - /** - * Cross Site Request Forgery safe Reflected XSS vulnerability. cannot be remotely exploited, and there fore only is executable against the person initiating the function. - * @param searchTerm To be spat back out at the user after been encoded for wrong HTML Context - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); +public class XssChallengeSix extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(XssChallengeSix.class); + private static final String levelHash = + "d330dea1acf21886b685184ee222ea8e0a60589c3940afd6ebf433469e997caf"; + private static final String levelName = "Cross-Site Scripting Challenge Six"; + + /** + * Cross Site Request Forgery safe Reflected XSS vulnerability. cannot be remotely exploited, and + * there fore only is executable against the person initiating the function. 
+ * + * @param searchTerm To be spat back out at the user after been encoded for wrong HTML Context + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.xss.xss6", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.xss.xss6", locale); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - String htmlOutput = new String(); - String userPost = new String(); - String searchTerm = request.getParameter("searchTerm"); - log.debug("User Submitted - " + searchTerm); - searchTerm = XssFilter.anotherBadUrlValidate(searchTerm); - userPost = "Your HTTP Link!"; - log.debug("After Sanitising - " + searchTerm); + try { + HttpSession ses = request.getSession(true); + if 
(Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + String htmlOutput = new String(); + String userPost = new String(); + String searchTerm = request.getParameter("searchTerm"); + log.debug("User Submitted - " + searchTerm); + searchTerm = XssFilter.anotherBadUrlValidate(searchTerm); + userPost = "Your HTTP Link!"; + log.debug("After Sanitising - " + searchTerm); - boolean xssDetected = FindXSS.search(userPost); - if(xssDetected) - { - htmlOutput = "

" + bundle.getString("result.wellDone") + "

" + - "

" + bundle.getString("result.youDidIt") + "
" + - bundle.getString("result.resultKey") + " " + - Hash.generateUserSolution( - Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash), - (String)ses.getAttribute("userName") - ) - + ""; - } - log.debug("Adding searchTerm to Html: " + searchTerm); - htmlOutput += "

" + bundle.getString("response.yourPost") + "

" + - "

" + bundle.getString("response.linkPosted") + "

" + - userPost + - "

"; - out.write(htmlOutput); - } - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } + boolean xssDetected = FindXSS.search(userPost); + if (xssDetected) { + htmlOutput = + "

" + + bundle.getString("result.wellDone") + + "

" + + "

" + + bundle.getString("result.youDidIt") + + "
" + + bundle.getString("result.resultKey") + + " " + + Hash.generateUserSolution( + Getter.getModuleResultFromHash( + getServletContext().getRealPath(""), levelHash), + (String) ses.getAttribute("userName")) + + ""; + } + log.debug("Adding searchTerm to Html: " + searchTerm); + htmlOutput += + "

" + + bundle.getString("response.yourPost") + + "

" + + "

" + + bundle.getString("response.linkPosted") + + "

" + + userPost + + "

"; + out.write(htmlOutput); + } + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/XssChallengeThree.java b/src/main/java/servlets/module/challenge/XssChallengeThree.java index ef99924fe..b88469c24 100644 --- a/src/main/java/servlets/module/challenge/XssChallengeThree.java +++ b/src/main/java/servlets/module/challenge/XssChallengeThree.java @@ -1,113 +1,118 @@ package servlets.module.challenge; +import dbProcs.Getter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - -import dbProcs.Getter; +import org.apache.logging.log4j.Logger; import utils.FindXSS; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; import utils.XssFilter; + /** - * Cross Site Scripting Challenge Three control class. - *
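Review bot: `String htmlOutput = new String();` and `String userPost = new String();` at the top of the token-validated branch allocate empty strings that are overwritten before they are ever read — `userPost` is reassigned two statements later and `htmlOutput` is either assigned inside `if (xssDetected)` or appended to with `+=`; declare `userPost` at its assignment and write `String htmlOutput = "";`, since `new String()` never buys anything over the literal. The same `new String()` initialisation is kept in XssChallengeOne, XssChallengeThree and XssChallengeTwo in this diff. The Javadoc sentence "cannot be remotely exploited, and there fore only is executable against the person initiating the function" should read "cannot be remotely exploited, and therefore is only executable against the person initiating the function".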

+ * Cross Site Scripting Challenge Three control class.
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class XssChallengeThree extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(XssChallengeThree.class); - private static String levelName = "Cross Site Scripting Challenge Three"; - private static String levelHash = "ad2628bcc79bf10dd54ee62de148ab44b7bd028009a908ce3f1b4d019886d0e"; - /** - * Cross Site Request Forgery safe Reflected XSS vulnerability. cannot be remotly deployed, and therfore only is executable against the person initating the funciton. - * @param searchTerm To be spat back out at the user after been filtered - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet Accessed"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); +public class XssChallengeThree extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(XssChallengeThree.class); + private static String levelName = "Cross Site Scripting Challenge Three"; + private static String levelHash = + "ad2628bcc79bf10dd54ee62de148ab44b7bd028009a908ce3f1b4d019886d0e"; - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.xss.xss3", locale); + /** + * Cross Site Request Forgery safe Reflected XSS vulnerability. 
cannot be remotly deployed, and + * therfore only is executable against the person initating the funciton. + * + * @param searchTerm To be spat back out at the user after been filtered + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet Accessed"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.xss.xss3", locale); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - String searchTerm = request.getParameter("searchTerm"); - log.debug("User Submitted - " + searchTerm); - searchTerm = XssFilter.levelThree(searchTerm); - log.debug("After Filtering - " + searchTerm); - String htmlOutput = new String(); - if(FindXSS.search(searchTerm)) - { - htmlOutput = "

" + bundle.getString("result.wellDone") + "

" + - "

" + bundle.getString("result.youDidIt") + "
" + - bundle.getString("result.resultKey") + " " + - Hash.generateUserSolution( - Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash - ), (String)ses.getAttribute("userName") - ) - + - ""; - } - log.debug("Adding searchTerm to Html: " + searchTerm); - htmlOutput += "

" + bundle.getString("response.searchResults") + "

" + - "

" + bundle.getString("response.noResults") + " " + - searchTerm + - "

"; - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + String searchTerm = request.getParameter("searchTerm"); + log.debug("User Submitted - " + searchTerm); + searchTerm = XssFilter.levelThree(searchTerm); + log.debug("After Filtering - " + searchTerm); + String htmlOutput = new String(); + if (FindXSS.search(searchTerm)) { + htmlOutput = + "

" + + bundle.getString("result.wellDone") + + "

" + + "

" + + bundle.getString("result.youDidIt") + + "
" + + bundle.getString("result.resultKey") + + " " + + Hash.generateUserSolution( + Getter.getModuleResultFromHash( + getServletContext().getRealPath(""), levelHash), + (String) ses.getAttribute("userName")) + + ""; + } + log.debug("Adding searchTerm to Html: " + searchTerm); + htmlOutput += + "

" + + bundle.getString("response.searchResults") + + "

" + + "

" + + bundle.getString("response.noResults") + + " " + + searchTerm + + "

"; + log.debug("Outputting HTML"); + out.write(htmlOutput); + } + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/XssChallengeTwo.java b/src/main/java/servlets/module/challenge/XssChallengeTwo.java index b86afed64..a21f70a01 100644 --- a/src/main/java/servlets/module/challenge/XssChallengeTwo.java +++ b/src/main/java/servlets/module/challenge/XssChallengeTwo.java @@ -1,21 +1,18 @@ package servlets.module.challenge; +import dbProcs.Getter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - -import dbProcs.Getter; +import org.apache.logging.log4j.Logger; import utils.FindXSS; import utils.Hash; import utils.ShepherdLogManager; @@ -23,97 +20,104 @@ import utils.XssFilter; /** - * Cross Site Scripting Challenge Two - *
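Review bot: The `catch (Exception e)` block logs a per-request failure at `fatal` and only through `e.toString()`, so the stack trace is discarded and an ordinary handler error is reported at the level normally reserved for the service going down; `log.error(levelName + " - " + e.getMessage(), e);` keeps the throwable attached and uses the conventional level. The same `log.fatal(... + e.toString())` shape is kept in XssChallengeOne, XssChallengeSix and XssChallengeTwo in this diff. Also worth a look: `log.debug("User Submitted - " + searchTerm)` writes the raw request parameter into the log before any filtering, and the filtered value is logged the same way two lines later; if that log is consumed by anything line-oriented, control characters in the parameter could forge entries, so stripping line breaks before logging would be a cheap safeguard.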

+ * Cross Site Scripting Challenge Two
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class XssChallengeTwo extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(XssChallengeTwo.class); - private static String levelName = "Cross Site Scripting Challenge Two"; - private static String levelHash = "t227357536888e807ff0f0eff751d6034bafe48954575c3a6563cb47a85b1e888"; - /** - * Cross Site Request Forgery safe Reflected XSS vulnerability. As there is no CSRF risk, this XSS flaw cannot be remotely exploited, and therefore is only is executable against the person initiating the function. - * @param searchTerm To be spat back out at the user after been filtered - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelHash + " Servlet Accessed"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); +public class XssChallengeTwo extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(XssChallengeTwo.class); + private static String levelName = "Cross Site Scripting Challenge Two"; + private static String levelHash = + "t227357536888e807ff0f0eff751d6034bafe48954575c3a6563cb47a85b1e888"; + + /** + * Cross Site Request Forgery safe Reflected XSS vulnerability. As there is no CSRF risk, this XSS + * flaw cannot be remotely exploited, and therefore is only is executable against the person + * initiating the function. 
+ * + * @param searchTerm To be spat back out at the user after been filtered + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelHash + " Servlet Accessed"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.xss.xss2", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.xss.xss2", locale); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - String searchTerm = request.getParameter("searchTerm"); - log.debug("User Submitted - " + searchTerm); - searchTerm = XssFilter.levelTwo(searchTerm); - log.debug("After Filtering - " + searchTerm); - String htmlOutput = new String(); - if(FindXSS.search(searchTerm)) - { - htmlOutput = "

" + bundle.getString("result.wellDone") + "

" + - "

" + bundle.getString("result.youDidIt") + "
" + - bundle.getString("result.resultKey") + " " + - Hash.generateUserSolution( - Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash - ), (String)ses.getAttribute("userName") - ) - + - ""; - log.debug(levelName + " completed"); - } - log.debug("Adding searchTerm to Html: " + searchTerm); - htmlOutput += "

" + bundle.getString("response.searchResults") + "

" + - "

" + bundle.getString("response.noResults") + " " + - searchTerm + - "

"; - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - } - else - { - log.error(levelName + " servlet was accessed without a valid session"); - out.write(errors.getString("error.noSession")); - } - } - catch(Exception e) - { - out.write(errors.getString("errors.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + String searchTerm = request.getParameter("searchTerm"); + log.debug("User Submitted - " + searchTerm); + searchTerm = XssFilter.levelTwo(searchTerm); + log.debug("After Filtering - " + searchTerm); + String htmlOutput = new String(); + if (FindXSS.search(searchTerm)) { + htmlOutput = + "

" + + bundle.getString("result.wellDone") + + "

" + + "

" + + bundle.getString("result.youDidIt") + + "
" + + bundle.getString("result.resultKey") + + " " + + Hash.generateUserSolution( + Getter.getModuleResultFromHash( + getServletContext().getRealPath(""), levelHash), + (String) ses.getAttribute("userName")) + + ""; + log.debug(levelName + " completed"); + } + log.debug("Adding searchTerm to Html: " + searchTerm); + htmlOutput += + "

" + + bundle.getString("response.searchResults") + + "

" + + "

" + + bundle.getString("response.noResults") + + " " + + searchTerm + + "

"; + log.debug("Outputting HTML"); + out.write(htmlOutput); + } + } else { + log.error(levelName + " servlet was accessed without a valid session"); + out.write(errors.getString("error.noSession")); + } + } catch (Exception e) { + out.write(errors.getString("errors.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/challenge/XxeChallenge1.java b/src/main/java/servlets/module/challenge/XxeChallenge1.java index 707890aca..34bbc3764 100644 --- a/src/main/java/servlets/module/challenge/XxeChallenge1.java +++ b/src/main/java/servlets/module/challenge/XxeChallenge1.java @@ -2,22 +2,6 @@ import dbProcs.FileInputProperties; import dbProcs.Getter; -import org.apache.commons.io.FileUtils; -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.LogManager; -import org.json.simple.JSONObject; -import org.json.simple.parser.JSONParser; -import org.json.simple.parser.ParseException; -import org.owasp.encoder.Encode; -import utils.ShepherdLogManager; -import utils.Validate; - -import javax.servlet.ServletException; -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; import java.io.File; import java.io.FileNotFoundException; import java.io.IOException; 
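Review bot: The catch block in the new doPost still calls `errors.getString("errors.funky")`, while every other catch block in this diff (XssChallengeOne, XssChallengeThree, XssChallengeSix and the XssChallengeFour tail at the top) uses `"error.funky"`; if the `i18n.servlets.errors` bundle only defines the latter key, `getString` throws `MissingResourceException` inside the handler's own error path, the `log.fatal` line never runs and the client gets a container error instead of the localised message — `out.write(errors.getString("error.funky"));`. The first debug line also still reads `log.debug(levelHash + " Servlet Accessed");`, printing the level hash where the sibling servlets print the level name; `log.debug(levelName + " Servlet Accessed");` matches them. Neither is introduced by the reformat, but both are one-line fixes worth taking in the same pass.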
@@ -27,156 +11,172 @@ import java.nio.charset.StandardCharsets; import java.util.Locale; import java.util.ResourceBundle; +import javax.servlet.ServletException; +import javax.servlet.http.Cookie; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; +import org.apache.commons.io.FileUtils; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.json.simple.JSONObject; +import org.json.simple.parser.JSONParser; +import org.json.simple.parser.ParseException; +import org.owasp.encoder.Encode; +import utils.ShepherdLogManager; +import utils.Validate; /** - * XXE Challenge 1 - *

+ * XXE Challenge 1
+ *
* This file is part of the Security Shepherd Project. - *

- * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
- *

- * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
- *

- * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . + * + *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
+ * + *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
+ * + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * * @author ismisepaul */ -public class XxeChallenge1 - extends HttpServlet { - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(XxeChallenge1.class); - private static final String LEVEL_NAME = "XXE Challenge 1"; - private static final String LEVEL_HASH = "ac8f3f6224b1ea3fb8a0f017aadd0d84013ea2c80e232c980e54dd753700123e"; - - public void doPost(HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException { - - String ApplicationRoot = getServletContext().getRealPath(""); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, LEVEL_HASH); - - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(LEVEL_NAME + " Servlet Accessed"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.challenges.injection.xxe1", locale); - - try { - HttpSession ses = request.getSession(true); - if (Validate.validateSession(ses)) - { - if (Getter.isModuleOpen(getServletContext().getRealPath(""), moduleId)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), - ses.getAttribute("userName").toString()); - log.debug(LEVEL_NAME + " accessed by: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenHeader = request.getHeader("csrfToken").toString(); - - if (Validate.validateTokens(tokenCookie, tokenHeader)) { - InputStream json = 
request.getInputStream(); - String emailAddr = readJson(json, errors); - emailAddr = Encode.forHtml(emailAddr); - log.debug("Email Addr: " + emailAddr); - - String htmlOutput = new String(); - - if (emailAddr == null) { - htmlOutput += "

" + bundle.getString("response.blank.email") + "

"; - out.write(htmlOutput + emailAddr); - } else if (Validate.isValidEmailAddress(emailAddr)) { - log.debug("User Submitted - " + emailAddr); - - htmlOutput += "

" + bundle.getString("response.success.reset") + ": " + emailAddr - + " has been reset

"; - out.write(htmlOutput); - } else { - htmlOutput += "

" + bundle.getString("response.invalid.email") + ": " - + emailAddr + "

"; - out.write(htmlOutput); - } - } - } - else - { - log.error(LEVEL_NAME + " accessed but level is closed"); - out.write(errors.getString("error.notOpen")); - } +public class XxeChallenge1 extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(XxeChallenge1.class); + private static final String LEVEL_NAME = "XXE Challenge 1"; + private static final String LEVEL_HASH = + "ac8f3f6224b1ea3fb8a0f017aadd0d84013ea2c80e232c980e54dd753700123e"; + + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + + String ApplicationRoot = getServletContext().getRealPath(""); + String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, LEVEL_HASH); + + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(LEVEL_NAME + " Servlet Accessed"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.injection.xxe1", locale); + + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + if (Getter.isModuleOpen(getServletContext().getRealPath(""), moduleId)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(LEVEL_NAME + " accessed by: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenHeader = request.getHeader("csrfToken").toString(); + + if (Validate.validateTokens(tokenCookie, tokenHeader)) { + InputStream json = 
request.getInputStream(); + String emailAddr = readJson(json, errors); + emailAddr = Encode.forHtml(emailAddr); + log.debug("Email Addr: " + emailAddr); + + String htmlOutput = new String(); + + if (emailAddr == null) { + htmlOutput += "

" + bundle.getString("response.blank.email") + "

"; + out.write(htmlOutput + emailAddr); + } else if (Validate.isValidEmailAddress(emailAddr)) { + log.debug("User Submitted - " + emailAddr); + + htmlOutput += + "

" + + bundle.getString("response.success.reset") + + ": " + + emailAddr + + " has been reset

"; + out.write(htmlOutput); } else { - log.error(LEVEL_NAME + " accessed with no session"); - out.write(errors.getString("error.noSession")); + htmlOutput += + "

" + bundle.getString("response.invalid.email") + ": " + emailAddr + "

"; + out.write(htmlOutput); } - } catch (Exception e) { - out.write(errors.getString("error.funky")); - log.fatal(LEVEL_NAME + " - " + e.toString()); + } + } else { + log.error(LEVEL_NAME + " accessed but level is closed"); + out.write(errors.getString("error.notOpen")); } - log.debug("End of " + LEVEL_NAME + " Servlet"); + } else { + log.error(LEVEL_NAME + " accessed with no session"); + out.write(errors.getString("error.noSession")); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(LEVEL_NAME + " - " + e.toString()); } - - public static String readJson(InputStream jsonEmail, ResourceBundle errors) { - String result; - - JSONParser jsonParser = new JSONParser(); - JSONObject jsonObject; - try - { - jsonObject = (JSONObject)jsonParser.parse( - new InputStreamReader(jsonEmail, StandardCharsets.UTF_8)); - result = jsonObject.get("email").toString(); - return result; - } catch (IOException e) { - e.printStackTrace(); - } catch (ParseException e) { - e.printStackTrace(); - return errors.getString("error.funky"); - } - - return null; + log.debug("End of " + LEVEL_NAME + " Servlet"); + } + + public static String readJson(InputStream jsonEmail, ResourceBundle errors) { + String result; + + JSONParser jsonParser = new JSONParser(); + JSONObject jsonObject; + try { + jsonObject = + (JSONObject) jsonParser.parse(new InputStreamReader(jsonEmail, StandardCharsets.UTF_8)); + result = jsonObject.get("email").toString(); + return result; + } catch (IOException e) { + e.printStackTrace(); + } catch (ParseException e) { + e.printStackTrace(); + return errors.getString("error.funky"); } - /** - * Creates the file with the solution key needed to pass the level - */ - public static boolean createXxeChallenge1SolutionFile(){ - - File lessonFile; - String filename; - String solution; - - try { - filename = FileInputProperties.readPropFileClassLoader("fileSystemKeys.properties", "xxe.challenge.1.file"); - solution = 
FileInputProperties.readPropFileClassLoader("fileSystemKeys.properties", "xxe.challenge.1.solution"); - - lessonFile = new File(filename); - - if(lessonFile.exists()) { - log.info("XXE Challenge 1 Solution File " + filename + " already exists"); - FileUtils.deleteQuietly(lessonFile); - log.info("XXE Challenge 1 Solution File " + filename + " deleted"); - } - FileUtils.write(lessonFile, solution, "UTF-8"); - log.info("XXE Challenge 1 Solution File " + filename + " created"); - return true; - } - catch (FileNotFoundException e) { - log.error(e); - throw new RuntimeException(e); - - } catch (IOException e) { - log.error(e); - throw new RuntimeException(e); - } - + return null; + } + + /** Creates the file with the solution key needed to pass the level */ + public static boolean createXxeChallenge1SolutionFile() { + + File lessonFile; + String filename; + String solution; + + try { + filename = + FileInputProperties.readPropFileClassLoader( + "fileSystemKeys.properties", "xxe.challenge.1.file"); + solution = + FileInputProperties.readPropFileClassLoader( + "fileSystemKeys.properties", "xxe.challenge.1.solution"); + + lessonFile = new File(filename); + + if (lessonFile.exists()) { + log.info("XXE Challenge 1 Solution File " + filename + " already exists"); + FileUtils.deleteQuietly(lessonFile); + log.info("XXE Challenge 1 Solution File " + filename + " deleted"); + } + FileUtils.write(lessonFile, solution, "UTF-8"); + log.info("XXE Challenge 1 Solution File " + filename + " created"); + return true; + } catch (FileNotFoundException e) { + log.error(e); + throw new RuntimeException(e); + + } catch (IOException e) { + log.error(e); + throw new RuntimeException(e); } + } } diff --git a/src/main/java/servlets/module/lesson/CsrfLesson.java b/src/main/java/servlets/module/lesson/CsrfLesson.java index 9c32b4205..e375a10b1 100644 --- a/src/main/java/servlets/module/lesson/CsrfLesson.java +++ b/src/main/java/servlets/module/lesson/CsrfLesson.java 
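Review bot: `readJson` (near the end of the hunk) reports failures inconsistently: an `IOException` goes to `e.printStackTrace()` (stdout, not the log4j log) and yields `null`, a `ParseException` returns the localized `error.funky` text, which `doPost` then HTML-encodes and hands to `Validate.isValidEmailAddress` as if it were the submitted address, and a body without an `email` key (or a JSON array body) throws a `NullPointerException`/`ClassCastException` that only the outer `catch (Exception e)` sees. `doPost` also calls `Encode.forHtml(emailAddr)` before its `emailAddr == null` test; if the encoder does not pass `null` through (the OWASP encoder renders it as the literal text `"null"`, as far as I recall), the blank-email branch is unreachable, so move the null check ahead of the encoding call. `request.getHeader("csrfToken").toString()` near the top has the same shape: a request without the header NPEs into the catch-all instead of being rejected as a token mismatch, and `String tokenHeader = request.getHeader("csrfToken");` would let `Validate.validateTokens` see the missing value (assuming it handles null). I would make `readJson` return `null` for every failure and log through `log`, keeping the signature (the `errors` parameter becomes unused) so callers are unaffected, and lower `doPost`'s `log.fatal` for a user-triggered exception to `error`.
```java
public static String readJson(InputStream jsonEmail, ResourceBundle errors) {
  JSONParser jsonParser = new JSONParser();
  try {
    JSONObject jsonObject =
        (JSONObject) jsonParser.parse(new InputStreamReader(jsonEmail, StandardCharsets.UTF_8));
    Object email = jsonObject.get("email");
    // A missing key is reported like an unreadable body: null, so doPost takes its
    // blank-email branch instead of failing with an NPE inside the catch-all.
    return email == null ? null : email.toString();
  } catch (IOException | ParseException | ClassCastException e) {
    // Never hand the error text back to the caller as if it were the submitted address.
    log.error(LEVEL_NAME + " could not read an email address from the request body", e);
    return null;
  }
}
```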
@@ -1,122 +1,131 @@ package servlets.module.lesson; +import dbProcs.Getter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - -import dbProcs.Getter; import utils.FindXSS; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; /** - * CSRF Lesson - * Currently does not use user specific result key because of current CSRF blanket rule - *

+ * CSRF Lesson Currently does not use user specific result key because of current CSRF blanket rule + *
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfLesson extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(CsrfLesson.class); - private static String levelName = "CSRF Lesson"; - private static String levelHash = "ed4182af119d97728b2afca6da7cdbe270a9e9dd714065f0f775cd40dc296bc7"; - /** - * User submission is parsed for a valid HTML IMG tag. The SRC attribute of this tag is then used to construct a URL object. This URL object is then checked to ensure a valid attack - * @param falseId User's session stored tempId - * @param messageForAdmin CSRF Submission - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet Accessed"); +public class CsrfLesson extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(CsrfLesson.class); + private static String levelName = "CSRF Lesson"; + private static String levelHash = + "ed4182af119d97728b2afca6da7cdbe270a9e9dd714065f0f775cd40dc296bc7"; + + /** + * User submission is parsed for a valid HTML IMG tag. The SRC attribute of this tag is then used + * to construct a URL object. 
This URL object is then checked to ensure a valid attack + * + * @param falseId User's session stored tempId + * @param messageForAdmin CSRF Submission + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet Accessed"); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.csrfLesson", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.csrfLesson", locale); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug("Current User: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - String falseId = (String) ses.getAttribute("falseId"); - log.debug("falseId = " + falseId); - String messageForAdmin = request.getParameter("messageForAdmin").toLowerCase(); - log.debug("User Submitted - " + messageForAdmin); + try { + HttpSession ses = request.getSession(true); + if 
(Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug("Current User: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + String falseId = (String) ses.getAttribute("falseId"); + log.debug("falseId = " + falseId); + String messageForAdmin = request.getParameter("messageForAdmin").toLowerCase(); + log.debug("User Submitted - " + messageForAdmin); - String htmlOutput = new String(); - boolean validLessonAttack = FindXSS.findCsrfAttackUrl(messageForAdmin, "/root/grantComplete/csrflesson", "userId", falseId); + String htmlOutput = new String(); + boolean validLessonAttack = + FindXSS.findCsrfAttackUrl( + messageForAdmin, "/root/grantComplete/csrflesson", "userId", falseId); - if(validLessonAttack) - { - htmlOutput = "

" + bundle.getString("result.wellDone") + "

" + - bundle.getString("result.youDidIt") + "
" + - bundle.getString("result.theKeyIs") + " " + - Hash.generateUserSolution( - Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash - ), (String)ses.getAttribute("userName") - ) - + - ""; - } - log.debug("Adding searchTerm to Html: " + messageForAdmin); - htmlOutput += "

" + bundle.getString("challenge.messageSent") + "

" + - "

" + - "
" + bundle.getString("challenge.sentTo") + ": administrator@SecurityShepherd.com
" + bundle.getString("challenge.message") + ": " + - "" + - "

"; - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - log.debug("End of " + levelName + " Servlet"); - } + if (validLessonAttack) { + htmlOutput = + "

" + + bundle.getString("result.wellDone") + + "

" + + bundle.getString("result.youDidIt") + + "
" + + bundle.getString("result.theKeyIs") + + " " + + Hash.generateUserSolution( + Getter.getModuleResultFromHash( + getServletContext().getRealPath(""), levelHash), + (String) ses.getAttribute("userName")) + + ""; + } + log.debug("Adding searchTerm to Html: " + messageForAdmin); + htmlOutput += + "

" + + bundle.getString("challenge.messageSent") + + "

" + + "

" + + "
" + + bundle.getString("challenge.sentTo") + + ": administrator@SecurityShepherd.com
" + + bundle.getString("challenge.message") + + ": " + + "" + + "

"; + log.debug("Outputting HTML"); + out.write(htmlOutput); + } + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + log.debug("End of " + levelName + " Servlet"); + } } diff --git a/src/main/java/servlets/module/lesson/CsrfLessonTarget.java b/src/main/java/servlets/module/lesson/CsrfLessonTarget.java index 4cebc0fb9..3e154e514 100644 --- a/src/main/java/servlets/module/lesson/CsrfLessonTarget.java +++ b/src/main/java/servlets/module/lesson/CsrfLessonTarget.java @@ -4,75 +4,67 @@ import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.ShepherdLogManager; import utils.Validate; /** - * CSRF Lesson module Target - Does not return result key - *

+ * CSRF Lesson module Target - Does not return result key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class CsrfLessonTarget extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(CsrfLesson.class); - public void doGet (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug("Cross-Site Request Forgery Lesson Target Servlet"); +public class CsrfLessonTarget extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(CsrfLesson.class); + + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug("Cross-Site Request Forgery Lesson Target Servlet"); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.csrfLesson", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.csrfLesson", locale); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateAdminSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug("Current User: " 
+ ses.getAttribute("userName").toString()); - log.debug("CSRF Lesson Target Hit By Admin"); - out.write("

" + bundle.getString("target.success") + "

"); - } - else - { - log.debug("CSRF Lesson Target Hit"); - out.write("

" + bundle.getString("target.notAdmin") + "

"); - } - } - catch(Exception e) - { - log.error("CsrfLessonTarget Error: " + e.toString()); - } - } + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + HttpSession ses = request.getSession(true); + if (Validate.validateAdminSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug("Current User: " + ses.getAttribute("userName").toString()); + log.debug("CSRF Lesson Target Hit By Admin"); + out.write("

" + bundle.getString("target.success") + "

"); + } else { + log.debug("CSRF Lesson Target Hit"); + out.write("

" + bundle.getString("target.notAdmin") + "

"); + } + } catch (Exception e) { + log.error("CsrfLessonTarget Error: " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/lesson/DirectObjectLesson.java b/src/main/java/servlets/module/lesson/DirectObjectLesson.java index 231b50e60..ff7737fd0 100644 --- a/src/main/java/servlets/module/lesson/DirectObjectLesson.java +++ b/src/main/java/servlets/module/lesson/DirectObjectLesson.java @@ -4,126 +4,152 @@ import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; /** - * Insecure Direct Object Lesson - *

+ * Insecure Direct Object Lesson
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * * @author Mark Denihan */ -public class DirectObjectLesson extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(DirectObjectLesson.class); - private static String levelName = "Insecure Direct Object Lesson"; - public static String levelhash = "fdb94122d0f032821019c7edf09dc62ea21e25ca619ed9107bcc50e4a8dbc100"; - private static String levelResult = "59e571b1e59441e76e0c85e5b49"; - /** - * System users are insecurely directed by their user name in a post request parameter. Users can abuse this to retrieve an administrator's information. - * @param username User name of profile to retrieve - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); +public class DirectObjectLesson extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(DirectObjectLesson.class); + private static String levelName = "Insecure Direct Object Lesson"; + public static String levelhash = + "fdb94122d0f032821019c7edf09dc62ea21e25ca619ed9107bcc50e4a8dbc100"; + private static String levelResult = "59e571b1e59441e76e0c85e5b49"; + + /** + * System users are insecurely directed by their user name in a post request parameter. Users can + * abuse this to retrieve an administrator's information. 
+ * + * @param username User name of profile to retrieve + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.directObject", locale); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.directObject", locale); + // Attempting to recover username of session that made request + HttpSession ses = request.getSession(true); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + try { + String userName = request.getParameter("username"); + log.debug("User Submitted - " + userName); + String ApplicationRoot = getServletContext().getRealPath(""); + log.debug("Servlet root = " + ApplicationRoot); + String htmlOutput = new String(); + if (userName.equalsIgnoreCase("guest")) { + log.debug("Guest Profile Found"); + htmlOutput = htmlGuest(bundle); + } else if (userName.equalsIgnoreCase("admin")) { + // Get key and add it to the output + String userKey = + Hash.generateUserSolution(levelResult, (String) ses.getAttribute("userName")); + log.debug("Admin Profile Found"); + 
htmlOutput = htmlAdmin(bundle, userKey); + } else { + log.debug("No Profile Found"); - //Attempting to recover username of session that made request - HttpSession ses = request.getSession(true); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - try - { - String userName = request.getParameter("username"); - log.debug("User Submitted - " + userName); - String ApplicationRoot = getServletContext().getRealPath(""); - log.debug("Servlet root = " + ApplicationRoot ); - String htmlOutput = new String(); - if(userName.equalsIgnoreCase("guest")) - { - log.debug("Guest Profile Found"); - htmlOutput = htmlGuest(bundle); - } - else if(userName.equalsIgnoreCase("admin")) - { - // Get key and add it to the output - String userKey = Hash.generateUserSolution(levelResult, (String)ses.getAttribute("userName")); - log.debug("Admin Profile Found"); - htmlOutput = htmlAdmin(bundle, userKey); - } - else - { - log.debug("No Profile Found"); + htmlOutput = + "

" + + bundle.getString("response.user") + + ": " + + bundle.getString("response.notFound") + + "

" + + bundle.getString("response.user") + + " '" + + Encode.forHtml(userName) + + "' " + + bundle.getString("response.couldNotFind") + + ".

"; + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal("Insecure Direct Object Lesson Lesson - " + e.toString()); + } + } else { + out.write(errors.getString("error.noSession")); + log.error(levelName + " servlet accessed with no session"); + } + } - htmlOutput = "

" + bundle.getString("response.user") + ": " + bundle.getString("response.notFound") + "

" + bundle.getString("response.user") + " '" + Encode.forHtml(userName) + "' " + bundle.getString("response.couldNotFind") + ".

"; - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal("Insecure Direct Object Lesson Lesson - " + e.toString()); - } - } - else - { - out.write(errors.getString("error.noSession")); - log.error(levelName + " servlet accessed with no session"); - } - } - private static String htmlGuest (ResourceBundle bundle) - { - return "

" + bundle.getString("response.user") + ": Guest

" + - "" + - "" + - "
" + bundle.getString("response.age") + ":22
" + bundle.getString("response.address") + ":54 Kevin Street, Dublin
" + bundle.getString("response.email") + ":guestAccount@securityShepherd.com
" + bundle.getString("response.message") + ":" + bundle.getString("response.noMessage") + "
"; - } + private static String htmlGuest(ResourceBundle bundle) { + return "

" + + bundle.getString("response.user") + + ": Guest

" + + "" + + "" + + "
" + + bundle.getString("response.age") + + ":22
" + + bundle.getString("response.address") + + ":54 Kevin Street, Dublin
" + + bundle.getString("response.email") + + ":guestAccount@securityShepherd.com
" + + bundle.getString("response.message") + + ":" + + bundle.getString("response.noMessage") + + "
"; + } - private static String htmlAdmin (ResourceBundle bundle, String key) - { - return "

" + bundle.getString("response.user") + ": Admin

" + - "" + - "" + - "" + - "
" + bundle.getString("response.age") + ":43
" + bundle.getString("response.address") + ":12 Bolton Street, Dublin
" + bundle.getString("response.email") + ":administratorAccount@securityShepherd.com
" + bundle.getString("response.message") + ":" + bundle.getString("result.resultKey") + ": " + key + "
"; - } + private static String htmlAdmin(ResourceBundle bundle, String key) { + return "

" + + bundle.getString("response.user") + + ": Admin

" + + "" + + "" + + "" + + "
" + + bundle.getString("response.age") + + ":43
" + + bundle.getString("response.address") + + ":12 Bolton Street, Dublin
" + + bundle.getString("response.email") + + ":administratorAccount@securityShepherd.com
" + + bundle.getString("response.message") + + ":" + + bundle.getString("result.resultKey") + + ": " + + key + + "
";
+ }
 }
diff --git a/src/main/java/servlets/module/lesson/PoorValidationLesson.java b/src/main/java/servlets/module/lesson/PoorValidationLesson.java
index 11833398c..e9eff1316 100644
--- a/src/main/java/servlets/module/lesson/PoorValidationLesson.java
+++ b/src/main/java/servlets/module/lesson/PoorValidationLesson.java
@@ -4,100 +4,112 @@
 import java.io.PrintWriter;
 import java.util.Locale;
 import java.util.ResourceBundle;
-
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
-
-import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.LogManager;
-
+import org.apache.logging.log4j.Logger;
 import utils.Hash;
 import utils.ShepherdLogManager;
 import utils.Validate;
 /**
- * Poor Validation Lesson
- *

+ * Poor Validation Lesson
+ *
* This file is part of the Security Shepherd Project.
 *
- * The Security Shepherd project is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software Foundation, either
+ * version 3 of the License, or (at your option) any later version.
*
- * The Security Shepherd project is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with the Security Shepherd project. If not, see .
+ *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * * @author Mark Denihan */ -public class PoorValidationLesson extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(PoorValidationLesson.class); - private static String levelName = "Poor Validation Lesson"; - public static String levelhash = "4d8d50a458ca5f1f7e2506dd5557ae1f7da21282795d0ed86c55fefe41eb874f"; - private static String levelResult = "6680b08b175c9f3d521764b41349fcbd3c0ad0a76655a10d42372ebccdfdb4bb"; - /** - * Data is only validated on the client side. No Server Side Validation is Performed - * @param userdata data submitted by user - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); +public class PoorValidationLesson extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(PoorValidationLesson.class); + private static String levelName = "Poor Validation Lesson"; + public static String levelhash = + "4d8d50a458ca5f1f7e2506dd5557ae1f7da21282795d0ed86c55fefe41eb874f"; + private static String levelResult = + "6680b08b175c9f3d521764b41349fcbd3c0ad0a76655a10d42372ebccdfdb4bb"; + + /** + * Data is only validated on the client side. 
No Server Side Validation is Performed + * + * @param userdata data submitted by user + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.poorValidation", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.lessons.poorValidation", locale); - //Attempting to recover username of session that made request - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - try - { - String userData = request.getParameter("userdata"); - log.debug("User Submitted - " + userData); - String htmlOutput = new String(); - int userNumber = Integer.parseInt(userData); - if(userNumber < 0) - { - // Get key and add it to the output - String userKey = Hash.generateUserSolution(levelResult, (String)ses.getAttribute("userName")); - log.debug("Negative Number Submitted"); - htmlOutput = "

" + bundle.getString("result.validationBypassed") + "

" + bundle.getString("result.youDidIt") + ". " + bundle.getString("result.resultKey") + ": " + userKey + "

"; - } - else - { - log.debug("Valid Number Submitted"); - htmlOutput = "

" + bundle.getString("response.validNumber") + "

" + bundle.getString("response.theNumber") + " " + userNumber + " " + bundle.getString("response.valid") + "."; - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - } - } + // Attempting to recover username of session that made request + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + try { + String userData = request.getParameter("userdata"); + log.debug("User Submitted - " + userData); + String htmlOutput = new String(); + int userNumber = Integer.parseInt(userData); + if (userNumber < 0) { + // Get key and add it to the output + String userKey = + Hash.generateUserSolution(levelResult, (String) ses.getAttribute("userName")); + log.debug("Negative Number Submitted"); + htmlOutput = + "

" + + bundle.getString("result.validationBypassed") + + "

" + + bundle.getString("result.youDidIt") + + ". " + + bundle.getString("result.resultKey") + + ": " + + userKey + + "

"; + } else { + log.debug("Valid Number Submitted"); + htmlOutput = + "

" + + bundle.getString("response.validNumber") + + "

"
+ + bundle.getString("response.theNumber")
+ + " "
+ + userNumber
+ + " "
+ + bundle.getString("response.valid")
+ + ".";
+ }
+ log.debug("Outputting HTML");
+ out.write(htmlOutput);
+ } catch (Exception e) {
+ out.write(errors.getString("error.funky"));
+ log.fatal(levelName + " - " + e.toString());
+ }
+ } else {
+ log.error(levelName + " servlet accessed with no session");
+ }
+ }
 }
diff --git a/src/main/java/servlets/module/lesson/Redirect.java b/src/main/java/servlets/module/lesson/Redirect.java
index 28b0887ac..7035741e9 100644
--- a/src/main/java/servlets/module/lesson/Redirect.java
+++ b/src/main/java/servlets/module/lesson/Redirect.java
@@ -4,87 +4,74 @@
 import java.io.PrintWriter;
 import java.util.Locale;
 import java.util.ResourceBundle;
-
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
-
-import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.LogManager;
-
-
-
+import org.apache.logging.log4j.Logger;
 import utils.ShepherdLogManager;
 import utils.Validate;
 /**
- * Hardened Vulnerable Redirect example. Does not return result key
- *
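Review bot: The no-session branch at the end of doPost only logs and writes nothing to the response, so a request without a valid session gets back the servlet info and an otherwise empty page — the sibling SecurityMisconfigLesson hunk in this commit writes `errors.getString("error.noSession")` in the same position. `out` is declared inside the `if (Validate.validateSession(ses))` block, so the fix is to hoist `PrintWriter out = response.getWriter(); out.print(getServletInfo());` above the `if` and add `out.write(errors.getString("error.noSession"));` beside the `log.error` call. The doPost Javadoc's `@param userdata` names a request parameter rather than a method parameter, which Javadoc tooling reports as an error; `@param request` / `@param response` with the userdata note moved into the description would satisfy it without losing the information. `log.debug("User Submitted - " + userData)` also copies raw request input straight into the log line; that is probably intended for this lesson, but a short comment saying the value is untrusted would help whoever reads those logs.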

+ * Hardened Vulnerable Redirect example. Does not return result key
+ *
* This file is part of the Security Shepherd Project.
 *
- * The Security Shepherd project is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software Foundation, either
+ * version 3 of the License, or (at your option) any later version.
*
- * The Security Shepherd project is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with the Security Shepherd project. If not, see .
- * @author Mark Denihan
+ *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class Redirect extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(Redirect.class); +public class Redirect extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(Redirect.class); - public void doGet (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug("Redirect Lesson Target Lesson Target Servlet"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug("Redirect Lesson Target Lesson Target Servlet"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.unvalidatedRedirect", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.lessons.unvalidatedRedirect", locale); - try - { - HttpSession ses = 
request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug("Current User: " + ses.getAttribute("userName").toString()); - try - { - out.write(bundle.getString("target.example") + "..."); - //No actual redirecting - } - catch(Exception e) - { - log.error("Invalid URL submitted to Redirect Function: " + e.toString()); - out.write(bundle.getString("target.example") + "..."); - } - } - else - { - log.debug("RedirectLessonTarget Lesson Target Hit"); - out.write("

" + errors.getString("error.noSession") + "

"); - } - } - catch(Exception e) - { - log.error("RedirectLessonTarget Error: " + e.toString()); - } - } + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug("Current User: " + ses.getAttribute("userName").toString()); + try { + out.write(bundle.getString("target.example") + "..."); + // No actual redirecting + } catch (Exception e) { + log.error("Invalid URL submitted to Redirect Function: " + e.toString()); + out.write(bundle.getString("target.example") + "..."); + } + } else { + log.debug("RedirectLessonTarget Lesson Target Hit"); + out.write("

" + errors.getString("error.noSession") + "

");
+ }
+ } catch (Exception e) {
+ log.error("RedirectLessonTarget Error: " + e.toString());
+ }
+ }
 }
diff --git a/src/main/java/servlets/module/lesson/RedirectLessonTarget.java b/src/main/java/servlets/module/lesson/RedirectLessonTarget.java
index 02e44d9fa..a78694677 100644
--- a/src/main/java/servlets/module/lesson/RedirectLessonTarget.java
+++ b/src/main/java/servlets/module/lesson/RedirectLessonTarget.java
@@ -4,78 +4,70 @@
 import java.io.PrintWriter;
 import java.util.Locale;
 import java.util.ResourceBundle;
-
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
-
-import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.LogManager;
-
+import org.apache.logging.log4j.Logger;
 import utils.ShepherdLogManager;
 import utils.Validate;
 /**
- * Unvalidated and redirect lesson targer. Does not return result key
- *
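Review bot: The inner `catch (Exception e)` in doGet logs "Invalid URL submitted to Redirect Function", but the `try` it guards only writes `bundle.getString("target.example")` and, as the `// No actual redirecting` comment says, never parses a URL, so the message misleads anyone triaging that log line; only a missing-resource failure can reach it. Either drop the inner try/catch or make the message describe what failed: `log.error("Redirect lesson could not write its response: " + e.toString());`. The debug line `log.debug("Redirect Lesson Target Lesson Target Servlet")` and the outer catch's "RedirectLessonTarget Error" prefix also appear verbatim in RedirectLessonTarget.java in this commit, so log output from the two servlets is indistinguishable; naming this class (`Redirect`) in both messages would fix that.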

+ * Unvalidated and redirect lesson targer. Does not return result key
+ *
* This file is part of the Security Shepherd Project.
 *
- * The Security Shepherd project is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software Foundation, either
+ * version 3 of the License, or (at your option) any later version.
*
- * The Security Shepherd project is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with the Security Shepherd project. If not, see .
- * @author Mark Denihan
+ *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class RedirectLessonTarget extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(RedirectLessonTarget.class); +public class RedirectLessonTarget extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(RedirectLessonTarget.class); - public void doGet (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug("Redirect Lesson Target Lesson Target Servlet"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug("Redirect Lesson Target Lesson Target Servlet"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.unvalidatedRedirect", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + 
ResourceBundle.getBundle("i18n.servlets.lessons.unvalidatedRedirect", locale); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateAdminSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug("Current User: " + ses.getAttribute("userName").toString()); - log.debug("RedirectLessonTarget Lesson Target Hit By Admin"); - out.write("

" + bundle.getString("target.completed") + "

"); - } - else - { - log.debug("RedirectLessonTarget Lesson Target Hit"); - out.write("

" + bundle.getString("target.completed") + "

"); - } - } - catch(Exception e) - { - log.error("RedirectLessonTarget Error: " + e.toString()); - out.write(errors.getString("error.shouldNotBeHere")); - } - } + try { + HttpSession ses = request.getSession(true); + if (Validate.validateAdminSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug("Current User: " + ses.getAttribute("userName").toString()); + log.debug("RedirectLessonTarget Lesson Target Hit By Admin"); + out.write("

" + bundle.getString("target.completed") + "

"); + } else { + log.debug("RedirectLessonTarget Lesson Target Hit"); + out.write("

" + bundle.getString("target.completed") + "

");
+ }
+ } catch (Exception e) {
+ log.error("RedirectLessonTarget Error: " + e.toString());
+ out.write(errors.getString("error.shouldNotBeHere"));
+ }
+ }
 }
diff --git a/src/main/java/servlets/module/lesson/SecurityMisconfigLesson.java b/src/main/java/servlets/module/lesson/SecurityMisconfigLesson.java
index eec2e72a2..154aaa7b7 100644
--- a/src/main/java/servlets/module/lesson/SecurityMisconfigLesson.java
+++ b/src/main/java/servlets/module/lesson/SecurityMisconfigLesson.java
@@ -4,109 +4,111 @@
 import java.io.PrintWriter;
 import java.util.Locale;
 import java.util.ResourceBundle;
-
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
-
-import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.owasp.encoder.Encode;
-
-
 import utils.Hash;
 import utils.ShepherdLogManager;
 import utils.Validate;
 /**
- * Security Misconfiguration Lesson
- *
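Review bot: Both branches of `if (Validate.validateAdminSession(ses))` in doGet write the identical `bundle.getString("target.completed")` markup; only the debug message differs, so the admin check has no effect on what the client receives. If that is deliberate (the class Javadoc says this target never returns a result key), a comment above the `if` such as `// Same page for admin and non-admin sessions: only the log line differs, no key is returned` would stop the next reader from treating it as a missing branch; otherwise the non-admin branch should write a different page. The class Javadoc summary on the new side still reads "lesson targer", which should be "lesson target".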

+ * Security Misconfiguration Lesson
+ *
* This file is part of the Security Shepherd Project.
 *
- * The Security Shepherd project is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software Foundation, either
+ * version 3 of the License, or (at your option) any later version.
*
- * The Security Shepherd project is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with the Security Shepherd project. If not, see .
+ *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * * @author Mark Denihan */ -public class SecurityMisconfigLesson extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SecurityMisconfigLesson.class); - private static String levelName = "Security Misconfig Lesson"; - public static String levelhash = "fe04648f43cdf2d523ecf1675f1ade2cde04a7a2e9a7f1a80dbb6dc9f717c833"; - private static String levelResult = "55b34717d014a5a355f6eced4386878fab0b2793e1d1dbfd23e6262cd510ea96"; +public class SecurityMisconfigLesson extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SecurityMisconfigLesson.class); + private static String levelName = "Security Misconfig Lesson"; + public static String levelhash = + "fe04648f43cdf2d523ecf1675f1ade2cde04a7a2e9a7f1a80dbb6dc9f717c833"; + private static String levelResult = + "55b34717d014a5a355f6eced4386878fab0b2793e1d1dbfd23e6262cd510ea96"; - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - //Attempting to recover username of session that made request - HttpSession ses = request.getSession(true); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + // Attempting to recover username of session that made request + HttpSession ses = 
request.getSession(true); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.securityMisconfig", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.lessons.securityMisconfig", locale); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - try - { - String userName = request.getParameter("userName"); - log.debug("User Name - " + userName); - String userPass = request.getParameter("userPass"); - log.debug("User Pass - " + userName); - boolean loggedIn = userName.contentEquals("admin") && userPass.contentEquals("password"); - String htmlOutput = new String(); - if(!loggedIn) - { - if(userName.contentEquals("admin")) - htmlOutput = bundle.getString("response.incorrectPassword"); - else - { + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + try { + String userName = request.getParameter("userName"); + log.debug("User Name - " + userName); + String userPass = request.getParameter("userPass"); + log.debug("User Pass - " + userName); + boolean loggedIn = userName.contentEquals("admin") && userPass.contentEquals("password"); + String htmlOutput = new 
String(); + if (!loggedIn) { + if (userName.contentEquals("admin")) { + htmlOutput = bundle.getString("response.incorrectPassword"); + } else { - htmlOutput = bundle.getString("response.noUserFound") + " \"" + Encode.forHtml(userName) + "\""; - } - htmlOutput = "

" + bundle.getString("response.authError") + "

" + htmlOutput + "

"; - } - else - { - // Default username and password were used - log.debug("User has signed in as admin"); - htmlOutput = "

" + bundle.getString("response.authSuccess") + "

" - + bundle.getString("result.youDidIt") + "

" - + bundle.getString("result.key") + ": " + Hash.generateUserSolution(levelResult, ses.getAttribute("userName").toString()) + ""; - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } - else - { - log.error(levelName + " servlet accessed with no session"); - out.write(errors.getString("error.noSession")); - } - } + htmlOutput = + bundle.getString("response.noUserFound") + " \"" + Encode.forHtml(userName) + "\""; + } + htmlOutput = + "

" + + bundle.getString("response.authError") + + "

" + + htmlOutput + + "

"; + } else { + // Default username and password were used + log.debug("User has signed in as admin"); + htmlOutput = + "

" + + bundle.getString("response.authSuccess") + + "

" + + bundle.getString("result.youDidIt") + + "

" + + bundle.getString("result.key") + + ": " + + Hash.generateUserSolution(levelResult, ses.getAttribute("userName").toString()) + + ""; + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } else { + log.error(levelName + " servlet accessed with no session"); + out.write(errors.getString("error.noSession")); + } + } } diff --git a/src/main/java/servlets/module/lesson/SessionManagementLesson.java b/src/main/java/servlets/module/lesson/SessionManagementLesson.java index 659791ea1..104da57e6 100644 --- a/src/main/java/servlets/module/lesson/SessionManagementLesson.java +++ b/src/main/java/servlets/module/lesson/SessionManagementLesson.java @@ -4,123 +4,124 @@ import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - +import org.apache.logging.log4j.Logger; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; /** - * Session Management Lesson - *

+ * Session Management Lesson
+ *
* This file is part of the Security Shepherd Project.
 *
- * The Security Shepherd project is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software Foundation, either
+ * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SessionManagementLesson extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SessionManagementLesson.class); - private static String levelName = "Session Management Lesson"; - public static String levelHash = "b8c19efd1a7cc64301f239f9b9a7a32410a0808138bbefc98986030f9ea83806"; - private static String levelResult = "6594dec9ff7c4e60d9f8945ca0d4"; - /** - * Controller is tracking the user completion through the "lessonComplete" cookie. If this cookie is changed the user can complete the level - * @param lessonComplete Tracking cookie - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); +public class SessionManagementLesson extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SessionManagementLesson.class); + private static String levelName = "Session Management Lesson"; + public static String levelHash = + "b8c19efd1a7cc64301f239f9b9a7a32410a0808138bbefc98986030f9ea83806"; + private static String levelResult = "6594dec9ff7c4e60d9f8945ca0d4"; + + /** + * Controller is tracking the user completion through the "lessonComplete" cookie. 
If this cookie + * is changed the user can complete the level + * + * @param lessonComplete Tracking cookie + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.sessionManagement", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.lessons.sessionManagement", locale); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - Cookie userCookies[] = request.getCookies(); - int i = 0; - Cookie theCookie = null; - for(i = 0; i < userCookies.length; i++) - { - if(userCookies[i].getName().compareTo("lessonComplete") == 0) - { - theCookie = userCookies[i]; - break; //End Loop, because we found the token - } - } - String htmlOutput = null; - if(theCookie != null) - { - log.debug("Cookie value: " + theCookie.getValue()); + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + 
ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + Cookie userCookies[] = request.getCookies(); + int i = 0; + Cookie theCookie = null; + for (i = 0; i < userCookies.length; i++) { + if (userCookies[i].getName().compareTo("lessonComplete") == 0) { + theCookie = userCookies[i]; + break; // End Loop, because we found the token + } + } + String htmlOutput = null; + if (theCookie != null) { + log.debug("Cookie value: " + theCookie.getValue()); - if(theCookie.getValue().equals("lessonComplete")) - { - log.debug("Lesson Complete"); + if (theCookie.getValue().equals("lessonComplete")) { + log.debug("Lesson Complete"); - // Get key and add it to the output - String userKey = Hash.generateUserSolution(levelResult, (String)ses.getAttribute("userName")); + // Get key and add it to the output + String userKey = + Hash.generateUserSolution(levelResult, (String) ses.getAttribute("userName")); - htmlOutput = "

" + bundle.getString("result.lessonComplete") + "

" + - "

" + - bundle.getString("result.youDidIt") + " " + - ""+ userKey + "" + - "

"; - } - } - if(htmlOutput == null) - { - log.debug("Lesson Not Complete"); - htmlOutput = "

" + bundle.getString("response.lessonNotComplete") + "

" + - "

" + - bundle.getString("response.youDidntDoIt") + - "

"; - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " servlet accessed with no session"); - out.write(errors.getString("error.noSession")); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } + htmlOutput = + "

" + + bundle.getString("result.lessonComplete") + + "

" + + "

" + + bundle.getString("result.youDidIt") + + " " + + "" + + userKey + + "" + + "

"; + } + } + if (htmlOutput == null) { + log.debug("Lesson Not Complete"); + htmlOutput = + "

" + + bundle.getString("response.lessonNotComplete") + + "

" + + "

" + + bundle.getString("response.youDidntDoIt") + + "

"; + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " servlet accessed with no session"); + out.write(errors.getString("error.noSession")); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } } diff --git a/src/main/java/servlets/module/lesson/SqlInjectionLesson.java b/src/main/java/servlets/module/lesson/SqlInjectionLesson.java index 84876202d..72f0d84fe 100644 --- a/src/main/java/servlets/module/lesson/SqlInjectionLesson.java +++ b/src/main/java/servlets/module/lesson/SqlInjectionLesson.java @@ -1,5 +1,6 @@ package servlets.module.lesson; +import dbProcs.Database; import java.io.IOException; import java.io.PrintWriter; import java.sql.Connection; @@ -8,153 +9,146 @@ import java.sql.Statement; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Database; /** - * SQL Injection Lesson - Does not use User Specific Key - *

+ * SQL Injection Lesson - Does not use User Specific Key
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SqlInjectionLesson -extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(SqlInjectionLesson.class); - private static String levelName = "SQL Injection Lesson"; - public static String levelHash = "e881086d4d8eb2604d8093d93ae60986af8119c4f643894775433dbfb6faa594"; - // private static String levelResult = ""; // Stored in Vulnerable DB. Not User Specific - /** - * Uses user input in an insecure fashion when executing queries in database. Vulnerable to SQL injection. - * @param aUserName User submitted filter for database results - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); +public class SqlInjectionLesson extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(SqlInjectionLesson.class); + private static String levelName = "SQL Injection Lesson"; + public static String levelHash = + "e881086d4d8eb2604d8093d93ae60986af8119c4f643894775433dbfb6faa594"; + // private static String levelResult = ""; // Stored in Vulnerable DB. Not User Specific + + /** + * Uses user input in an insecure fashion when executing queries in database. Vulnerable to SQL + * injection. 
+ * + * @param aUserName User submitted filter for database results + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.sqlInjection", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.sqlInjection", locale); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); - String aUserName = request.getParameter("aUserName"); - log.debug("User Submitted - " + aUserName); - String ApplicationRoot = getServletContext().getRealPath(""); - log.debug("Servlet root = " + ApplicationRoot ); - String[][] output = getSqlInjectionResult(ApplicationRoot, aUserName); - log.debug("output returned. [0][0] is " + output[0][0]); - String htmlOutput = "

" + bundle.getString("response.searchResults") + "

"; - if (output[0][0] == null) - { - htmlOutput += "

" + bundle.getString("response.noResults") + "

"; - } - else if(output[0][0].equalsIgnoreCase("error")) - { - log.debug("Setting Error Message"); - htmlOutput += "

" + errors.getString("error.detected") + "

" + - "

" + output[0][1] + "

"; - } - else - { - log.debug("Adding table"); - int i = 0; - log.debug("outputLength = " + output.length); - htmlOutput += ""; - do - { - log.debug("Adding User " + output[i][1]); - htmlOutput += ""; - i++; + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " servlet accessed by: " + ses.getAttribute("userName").toString()); + String aUserName = request.getParameter("aUserName"); + log.debug("User Submitted - " + aUserName); + String ApplicationRoot = getServletContext().getRealPath(""); + log.debug("Servlet root = " + ApplicationRoot); + String[][] output = getSqlInjectionResult(ApplicationRoot, aUserName); + log.debug("output returned. [0][0] is " + output[0][0]); + String htmlOutput = + "

" + bundle.getString("response.searchResults") + "

"; + if (output[0][0] == null) { + htmlOutput += "

" + bundle.getString("response.noResults") + "

"; + } else if (output[0][0].equalsIgnoreCase("error")) { + log.debug("Setting Error Message"); + htmlOutput += + "

" + errors.getString("error.detected") + "

" + "

" + output[0][1] + "

"; + } else { + log.debug("Adding table"); + int i = 0; + log.debug("outputLength = " + output.length); + htmlOutput += + "
" + bundle.getString("response.userId") + "" + bundle.getString("response.userName") + "" + bundle.getString("response.comment") + "
" + output[i][0] + "" + output[i][1] + "" - + output[i][2] + "
"; + do { + log.debug("Adding User " + output[i][1]); + htmlOutput += + ""; + i++; - } - while(i < output.length && output[i][0] != null); - htmlOutput += "
" + + bundle.getString("response.userId") + + "" + + bundle.getString("response.userName") + + "" + + bundle.getString("response.comment") + + "
" + + output[i][0] + + "" + + output[i][1] + + "" + + output[i][2] + + "
"; - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - else - { - log.error(levelName + " accessed with no session"); - out.write(errors.getString("error.noSession")); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - } + } while (i < output.length && output[i][0] != null); + htmlOutput += ""; + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } else { + log.error(levelName + " accessed with no session"); + out.write(errors.getString("error.noSession")); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + } - public static String[][] getSqlInjectionResult (String ApplicationRoot, String username) - { + public static String[][] getSqlInjectionResult(String ApplicationRoot, String username) { - String[][] result = new String[10][3]; - try - { - Connection conn = Database.getSqlInjLessonConnection(ApplicationRoot); - Statement stmt; - stmt = conn.createStatement(); - ResultSet resultSet = stmt.executeQuery("SELECT * FROM tb_users WHERE username = '" + username + "'"); - log.debug("Opening Result Set from query"); - for(int i = 0; resultSet.next(); i++) - { - log.debug("Row " + i + ": User ID = " + resultSet.getString(1)); - result[i][0] = Encode.forHtml(resultSet.getString(1)); - result[i][1] = Encode.forHtml(resultSet.getString(2)); - result[i][2] = Encode.forHtml(resultSet.getString(3)); - } - log.debug("That's All"); - } - catch (SQLException e) - { - log.debug("SQL Error caught - " + e.toString()); - result[0][0] = "error"; - result[0][1] = Encode.forHtml(e.toString()); - } - catch (Exception e) - { - log.fatal("Error: " + e.toString()); - } - return result; - } + String[][] result = new String[10][3]; + try { + Connection conn = Database.getSqlInjLessonConnection(ApplicationRoot); + Statement stmt; + stmt = conn.createStatement(); + ResultSet resultSet = + 
stmt.executeQuery("SELECT * FROM tb_users WHERE username = '" + username + "'"); + log.debug("Opening Result Set from query"); + for (int i = 0; resultSet.next(); i++) { + log.debug("Row " + i + ": User ID = " + resultSet.getString(1)); + result[i][0] = Encode.forHtml(resultSet.getString(1)); + result[i][1] = Encode.forHtml(resultSet.getString(2)); + result[i][2] = Encode.forHtml(resultSet.getString(3)); + } + log.debug("That's All"); + } catch (SQLException e) { + log.debug("SQL Error caught - " + e.toString()); + result[0][0] = "error"; + result[0][1] = Encode.forHtml(e.toString()); + } catch (Exception e) { + log.fatal("Error: " + e.toString()); + } + return result; + } } diff --git a/src/main/java/servlets/module/lesson/UnvalidatedForwardsLesson.java b/src/main/java/servlets/module/lesson/UnvalidatedForwardsLesson.java index 6ab7eedb0..27f0d0f46 100644 --- a/src/main/java/servlets/module/lesson/UnvalidatedForwardsLesson.java +++ b/src/main/java/servlets/module/lesson/UnvalidatedForwardsLesson.java @@ -1,165 +1,177 @@ package servlets.module.lesson; +import dbProcs.Getter; import java.io.IOException; import java.io.PrintWriter; import java.net.MalformedURLException; import java.net.URL; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - - import utils.FindXSS; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; -import dbProcs.Getter; + /** - * Unvalidated Redirects and Forwards Lesson - *
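Review bot: `getSqlInjectionResult` never closes the `Connection`, `Statement` or `ResultSet` it opens, so every lesson request leaks a connection obtained from `Database.getSqlInjLessonConnection`; the concatenated `username` query is this lesson's deliberate vulnerability (the Javadoc says so) and stays as is, but the resources should be managed with try-with-resources. The trailing `catch (Exception e)` also returns the partially filled array after logging at fatal, so with more than ten matching rows (`result` is `new String[10][3]`) the `ArrayIndexOutOfBoundsException` silently truncates the output rather than surfacing as an error row. Bounding the loop by the array, `for (int i = 0; i < result.length && resultSet.next(); i++) {`, removes that path.
```java
public static String[][] getSqlInjectionResult(String ApplicationRoot, String username) {
  String[][] result = new String[10][3];
  // Query is intentionally built by concatenation: this lesson demonstrates SQL injection.
  try (Connection conn = Database.getSqlInjLessonConnection(ApplicationRoot);
      Statement stmt = conn.createStatement();
      ResultSet resultSet =
          stmt.executeQuery("SELECT * FROM tb_users WHERE username = '" + username + "'")) {
    log.debug("Opening Result Set from query");
    for (int i = 0; i < result.length && resultSet.next(); i++) {
      // … unchanged: copy of the three columns into result via Encode.forHtml …
    }
    log.debug("That's All");
  } catch (SQLException e) {
    // … unchanged: error row in result[0] …
  } catch (Exception e) {
    log.fatal("Error: " + e.toString());
  }
  return result;
}
```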

+ * Unvalidated Redirects and Forwards Lesson
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class UnvalidatedForwardsLesson extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(UnvalidatedForwardsLesson.class); - private static String levelName = "Unvalidated Redirects and Forwards Lesson"; - private static String levelHash = "f15f2766c971e16e68aa26043e6016a0a7f6879283c873d9476a8e7e94ea736f"; +public class UnvalidatedForwardsLesson extends HttpServlet { - /** - * User submission is parsed for a valid URL. This is then used to construct a URL object. This URL object is then checked to ensure a valid attack - * @param tempId User's session stored temporary id - * @param messageForAdmin Users lesson submission - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName +" Servlet Accessed"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(UnvalidatedForwardsLesson.class); + private static String levelName = "Unvalidated Redirects and Forwards Lesson"; + private static String levelHash = + "f15f2766c971e16e68aa26043e6016a0a7f6879283c873d9476a8e7e94ea736f"; + /** + * User submission is parsed for a valid URL. This is then used to construct a URL object. 
This + * URL object is then checked to ensure a valid attack + * + * @param tempId User's session stored temporary id + * @param messageForAdmin Users lesson submission + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet Accessed"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.unvalidatedRedirect", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.lessons.unvalidatedRedirect", locale); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug("Current User: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - String tempId = (String) ses.getAttribute("tempId"); - log.debug("tempId = " + tempId); - String userName = (String) ses.getAttribute("userName"); - String messageForAdmin = request.getParameter("messageForAdmin").toLowerCase(); - log.debug("User Submitted - " + messageForAdmin); - String htmlOutput = new String(); - 
boolean validUrl = true; - boolean validSolution = false; - boolean validAttack = false; - try - { - URL csrfUrl = new URL(messageForAdmin); - log.debug("Url Host: " + csrfUrl.getHost()); - log.debug("Url Port: " + csrfUrl.getPort()); - log.debug("Url Path: " + csrfUrl.getPath()); - log.debug("Url Query: " + csrfUrl.getQuery()); - validSolution = csrfUrl.getPath().toLowerCase().equalsIgnoreCase("/user/redirect"); - if(!validSolution) - log.debug("Invalid Solution: Bad Path or Above"); - validSolution = csrfUrl.getQuery().toLowerCase().startsWith(("to=").toLowerCase()) && validSolution; - if(!validSolution) - log.debug("Invalid Solution: Bad Query or Above"); - if(validSolution) - { - log.debug("Redirect URL Correct: Now checking the Redirected URL for valid CSRF Attack"); - int csrfStart = 0; - int csrfEnd = 0; - csrfStart = csrfUrl.getQuery().indexOf("to=") + 3; - csrfEnd = csrfUrl.getQuery().indexOf("&"); - if(csrfEnd == -1) - { - csrfEnd = csrfUrl.getQuery().length(); - } - String csrfAttack = csrfUrl.getQuery().substring(csrfStart, csrfEnd); - log.debug("csrfAttack Found to be: " + csrfAttack); - validAttack = FindXSS.findCsrfAttackUrl(csrfAttack, "/root/grantComplete/unvalidatedredirectlesson", "userId", tempId); - } - } - catch(MalformedURLException e) - { - log.error("Invalid URL: " + e.toString()); - validUrl = false; - validSolution = false; - validAttack = false; - messageForAdmin = ""; - htmlOutput="Invalid URL"; - } + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug("Current User: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + String tempId = (String) 
ses.getAttribute("tempId"); + log.debug("tempId = " + tempId); + String userName = (String) ses.getAttribute("userName"); + String messageForAdmin = request.getParameter("messageForAdmin").toLowerCase(); + log.debug("User Submitted - " + messageForAdmin); + String htmlOutput = new String(); + boolean validUrl = true; + boolean validSolution = false; + boolean validAttack = false; + try { + URL csrfUrl = new URL(messageForAdmin); + log.debug("Url Host: " + csrfUrl.getHost()); + log.debug("Url Port: " + csrfUrl.getPort()); + log.debug("Url Path: " + csrfUrl.getPath()); + log.debug("Url Query: " + csrfUrl.getQuery()); + validSolution = csrfUrl.getPath().toLowerCase().equalsIgnoreCase("/user/redirect"); + if (!validSolution) { + log.debug("Invalid Solution: Bad Path or Above"); + } + validSolution = + csrfUrl.getQuery().toLowerCase().startsWith(("to=").toLowerCase()) && validSolution; + if (!validSolution) { + log.debug("Invalid Solution: Bad Query or Above"); + } + if (validSolution) { + log.debug( + "Redirect URL Correct: Now checking the Redirected URL for valid CSRF Attack"); + int csrfStart = 0; + int csrfEnd = 0; + csrfStart = csrfUrl.getQuery().indexOf("to=") + 3; + csrfEnd = csrfUrl.getQuery().indexOf("&"); + if (csrfEnd == -1) { + csrfEnd = csrfUrl.getQuery().length(); + } + String csrfAttack = csrfUrl.getQuery().substring(csrfStart, csrfEnd); + log.debug("csrfAttack Found to be: " + csrfAttack); + validAttack = + FindXSS.findCsrfAttackUrl( + csrfAttack, + "/root/grantComplete/unvalidatedredirectlesson", + "userId", + tempId); + } + } catch (MalformedURLException e) { + log.error("Invalid URL: " + e.toString()); + validUrl = false; + validSolution = false; + validAttack = false; + messageForAdmin = ""; + htmlOutput = "Invalid URL"; + } - if(validSolution && validAttack) - { - htmlOutput = "

" + bundle.getString("result.wellDone") + "

" + - "

" + bundle.getString("result.youDidIt") + "
" + - bundle.getString("result.resultKey") + " " + - Hash.generateUserSolution( - Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash), - (String)ses.getAttribute("userName")) - +""; - } - if(validUrl) - { - log.debug("Adding message to Html: " + messageForAdmin); - htmlOutput += "

" + bundle.getString("response.messageSent") + "

" + - "

" + - "
" + bundle.getString("response.sentTo") + ": administrator@SecurityShepherd.com
" + bundle.getString("response.message") + ": " + Encode.forHtml("" + bundle.getString("response.linkFrom") + " " + userName) + - "

"; - } - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - log.debug("End of " + levelName + " Servlet"); - } + if (validSolution && validAttack) { + htmlOutput = + "

" + + bundle.getString("result.wellDone") + + "

" + + "

" + + bundle.getString("result.youDidIt") + + "
" + + bundle.getString("result.resultKey") + + " " + + Hash.generateUserSolution( + Getter.getModuleResultFromHash( + getServletContext().getRealPath(""), levelHash), + (String) ses.getAttribute("userName")) + + ""; + } + if (validUrl) { + log.debug("Adding message to Html: " + messageForAdmin); + htmlOutput += + "

" + + bundle.getString("response.messageSent") + + "

" + + "

" + + "
" + + bundle.getString("response.sentTo") + + ": administrator@SecurityShepherd.com
" + + bundle.getString("response.message") + + ": " + + Encode.forHtml("" + bundle.getString("response.linkFrom") + " " + userName) + + "

"; + } + log.debug("Outputting HTML"); + out.write(htmlOutput); + } + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + log.debug("End of " + levelName + " Servlet"); + } } diff --git a/src/main/java/servlets/module/lesson/XssLesson.java b/src/main/java/servlets/module/lesson/XssLesson.java index fce5a2a18..3ade358f8 100644 --- a/src/main/java/servlets/module/lesson/XssLesson.java +++ b/src/main/java/servlets/module/lesson/XssLesson.java @@ -1,113 +1,119 @@ package servlets.module.lesson; +import dbProcs.Getter; import java.io.IOException; import java.io.PrintWriter; import java.util.Locale; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - -import dbProcs.Getter; +import org.apache.logging.log4j.Logger; import utils.FindXSS; import utils.Hash; import utils.ShepherdLogManager; import utils.Validate; /** - * Cross Site Scripting Lesson - *
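Review bot: `csrfUrl.getQuery()` returns null for a URL without a query string, so the line `validSolution = csrfUrl.getQuery().toLowerCase().startsWith(("to=").toLowerCase()) && validSolution;` throws a NullPointerException that the inner `catch (MalformedURLException e)` does not catch; it escapes to the outer `catch (Exception e)`, which writes `error.funky` and logs at fatal for what is merely a wrong submission. The same applies to `request.getParameter("messageForAdmin").toLowerCase()` when the parameter is absent. Read the query once and null-check it: `String query = csrfUrl.getQuery(); validSolution = validSolution && query != null && query.toLowerCase().startsWith("to=");` (the `.toLowerCase()` on the literal `"to="` is a no-op). The `@param tempId` and `@param messageForAdmin` tags name a session attribute and a request parameter rather than method parameters, which javadoc will flag; they belong in the description text.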

+ * Cross Site Scripting Lesson
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class XssLesson -extends HttpServlet -{ - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(XssLesson.class); - private static String levelName = "XSS Lesson"; - private static String levelHash = "zf8ed52591579339e590e0726c7b24009f3ac54cdff1b81a65db1688d86efb3a"; - /** - * Cross Site Request Forgery safe Reflected XSS vulnerability. cannot be remotely deployed, and therefore only is executable against the person initiating the function. - * @param searchTerm To be spat back out at the user - */ - public void doPost (HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException - { - //Setting IpAddress To Log and taking header for original IP if forwarded from proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(levelName + " Servlet Accessed"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); +public class XssLesson extends HttpServlet { + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(XssLesson.class); + private static String levelName = "XSS Lesson"; + private static String levelHash = + "zf8ed52591579339e590e0726c7b24009f3ac54cdff1b81a65db1688d86efb3a"; + + /** + * Cross Site Request Forgery safe Reflected XSS vulnerability. cannot be remotely deployed, and + * therefore only is executable against the person initiating the function. 
+ * + * @param searchTerm To be spat back out at the user + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // Setting IpAddress To Log and taking header for original IP if forwarded from proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(levelName + " Servlet Accessed"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); - //Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.xss", locale); + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.xss", locale); - try - { - HttpSession ses = request.getSession(true); - if(Validate.validateSession(ses)) - { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); - log.debug(levelName + " accessed by: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenParmeter = request.getParameter("csrfToken"); - if(Validate.validateTokens(tokenCookie, tokenParmeter)) - { - String searchTerm = request.getParameter("searchTerm"); - log.debug("User Submitted - " + searchTerm); - String htmlOutput = new String(); - if(FindXSS.search(searchTerm)) - { - log.debug("XSS Lesson Completed!"); - htmlOutput = "

" + bundle.getString("result.wellDone") + "

" + - "

" + bundle.getString("result.youDidIt") + "
" + - "" + bundle.getString("result.resultKey") + - Hash.generateUserSolution(Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash), (String)ses.getAttribute("userName")); - } - log.debug("Adding searchTerm to Html: " + searchTerm); - htmlOutput += "

" + bundle.getString("response.searchResults") + "

" + - "

" + bundle.getString("response.noResults") + " '" + - searchTerm + - "'

"; - log.debug("Outputting HTML"); - out.write(htmlOutput); - } - } - else - { - log.error(levelName + " accessed with no session"); - out.write(errors.getString("error.noSession")); - } - } - catch(Exception e) - { - out.write(errors.getString("error.funky")); - log.fatal(levelName + " - " + e.toString()); - } - log.debug("End of " + levelName + " Servlet"); - } + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(levelName + " accessed by: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); + Object tokenParmeter = request.getParameter("csrfToken"); + if (Validate.validateTokens(tokenCookie, tokenParmeter)) { + String searchTerm = request.getParameter("searchTerm"); + log.debug("User Submitted - " + searchTerm); + String htmlOutput = new String(); + if (FindXSS.search(searchTerm)) { + log.debug("XSS Lesson Completed!"); + htmlOutput = + "

" + + bundle.getString("result.wellDone") + + "

" + + "

" + + bundle.getString("result.youDidIt") + + "
" + + "" + + bundle.getString("result.resultKey") + + Hash.generateUserSolution( + Getter.getModuleResultFromHash( + getServletContext().getRealPath(""), levelHash), + (String) ses.getAttribute("userName")); + } + log.debug("Adding searchTerm to Html: " + searchTerm); + htmlOutput += + "

" + + bundle.getString("response.searchResults") + + "

" + + "

" + + bundle.getString("response.noResults") + + " '" + + searchTerm + + "'

"; + log.debug("Outputting HTML"); + out.write(htmlOutput); + } + } else { + log.error(levelName + " accessed with no session"); + out.write(errors.getString("error.noSession")); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(levelName + " - " + e.toString()); + } + log.debug("End of " + levelName + " Servlet"); + } } diff --git a/src/main/java/servlets/module/lesson/XxeLesson.java b/src/main/java/servlets/module/lesson/XxeLesson.java index b401300c0..0b47e2f5a 100644 --- a/src/main/java/servlets/module/lesson/XxeLesson.java +++ b/src/main/java/servlets/module/lesson/XxeLesson.java @@ -1,5 +1,6 @@ package servlets.module.lesson; +import dbProcs.Getter; import java.io.File; import java.io.FileInputStream; import java.io.IOException; @@ -8,7 +9,6 @@ import java.util.Locale; import java.util.Properties; import java.util.ResourceBundle; - import javax.servlet.ServletException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; @@ -16,178 +16,181 @@ import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import javax.xml.parsers.DocumentBuilder; - import org.apache.commons.io.FileUtils; -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.xml.sax.InputSource; import org.xml.sax.SAXException; - -import dbProcs.Getter; import utils.ShepherdLogManager; import utils.Validate; import utils.XmlDocumentBuilder; /** - * XXE Lesson - *

+ * XXE Lesson
+ *
* This file is part of the Security Shepherd Project. - *

- * The Security Shepherd project is free software: you can redistribute it - * and/or modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, either version 3 of the License, - * or (at your option) any later version.
- *

- * The Security Shepherd project is distributed in the hope that it will be - * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General - * Public License for more details.
- *

- * You should have received a copy of the GNU General Public License along with - * the Security Shepherd project. If not, see . + * + *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
+ * + *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
+ * + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * * @author ismisepaul */ public class XxeLesson extends HttpServlet { - private static final long serialVersionUID = 1L; - private static final Logger log = LogManager.getLogger(XxeLesson.class); - private static final String LEVEL_NAME = "XXE Lesson"; - private static final String LEVEL_HASH = "57dda1bf9a2ca1c34e04f815491ef40836d9b710179cd19754ec5b3c31f27d1a"; - - public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - - String ApplicationRoot = getServletContext().getRealPath(""); - String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, LEVEL_HASH); - - // Setting IpAddress To Log and taking header for original IP if forwarded from - // proxy - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); - log.debug(LEVEL_NAME + " Servlet Accessed"); - PrintWriter out = response.getWriter(); - out.print(getServletInfo()); - - // Translation Stuff - Locale locale = new Locale(Validate.validateLanguage(request.getSession())); - ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); - ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.xxe", locale); - - try { - HttpSession ses = request.getSession(true); - if (Validate.validateSession(ses)) { - if (Getter.isModuleOpen(getServletContext().getRealPath(""), moduleId)) { - ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), - ses.getAttribute("userName").toString()); - log.debug(LEVEL_NAME + " accessed by: " + ses.getAttribute("userName").toString()); - Cookie tokenCookie = Validate.getToken(request.getCookies()); - Object tokenHeader = request.getHeader("csrfToken").toString(); - - if (Validate.validateTokens(tokenCookie, tokenHeader)) { - InputStream xml = request.getInputStream(); - String emailAddr = 
readXml(xml); - log.debug("Email Addr: " + emailAddr); - - String htmlOutput = new String(); - - if (emailAddr == null) { - htmlOutput += "

" + bundle.getString("response.blank.email") + "

"; - out.write(htmlOutput + emailAddr); - } else if (Validate.isValidEmailAddress(emailAddr)) { - log.debug("User Submitted - " + emailAddr); - - htmlOutput += "

" + bundle.getString("response.success.reset") + ": " + emailAddr - + " has been reset

"; - out.write(htmlOutput); - } else { - htmlOutput += "

" + bundle.getString("response.invalid.email") + ": " + emailAddr - + "

"; - out.write(htmlOutput); - } - } - } else { - log.error(LEVEL_NAME + " accessed but level is closed"); - out.write(errors.getString("error.notOpen")); - } - } else { - log.error(LEVEL_NAME + " accessed with no session"); - out.write(errors.getString("error.noSession")); - } - } catch (Exception e) { - out.write(errors.getString("error.funky")); - log.fatal(LEVEL_NAME + " - " + e.toString()); - } - log.debug("End of " + LEVEL_NAME + " Servlet"); - } - - public static String readXml(InputStream xmlEmail) { - - Document doc; - String result = null; - - DocumentBuilder dBuilder = XmlDocumentBuilder.xmlDocBuilder(false, true, true, true, true, true); - InputSource is = new InputSource(xmlEmail); - - try { - doc = dBuilder.parse(is); - Element root = doc.getDocumentElement(); - result = root.getTextContent(); - return Encode.forHtml(result.toString()); - } catch (SAXException e) { - log.error(e.toString()); - } catch (IOException e) { - log.error(e.toString()); - } - - return result; - } - - /** - * Creates the file with the solution key needed to pass the level - */ - public static boolean createXxeLessonSolutionFile() { - - File lessonFile; - - Properties prop = new Properties(); - - try (InputStream xxe_input = new FileInputStream( - System.getProperty("user.dir") + "/src/main/resources/fileSystemKeys.properties")) { - - prop.load(xxe_input); - - } catch (IOException e) { - log.error("Could not load properties file: " + e.toString()); - throw new RuntimeException(e); - } - - String errorBase = "Missing property :"; - - String filename = prop.getProperty("xxe.lesson.file"); - if (filename == null) { - throw new RuntimeException(errorBase + "xxe.lesson.file"); - } - String solution = prop.getProperty("xxe.lesson.solution"); - if (solution == null) { - throw new RuntimeException(errorBase + "xxe.lesson.solution"); - } - - lessonFile = new File(filename); - - if (lessonFile.exists()) { - log.info("XXE Lesson Solution File " + filename + " already exists"); - 
FileUtils.deleteQuietly(lessonFile); - log.info("XXE Lesson Solution File " + filename + " deleted"); - } - try { - FileUtils.write(lessonFile, solution, "UTF-8"); - } catch (IOException e) { - log.error("Could not load properties file: " + e.toString()); - throw new RuntimeException(e); - } - log.info("XXE Lesson Solution File " + filename + " created"); - return true; - - } + + private static final long serialVersionUID = 1L; + private static final Logger log = LogManager.getLogger(XxeLesson.class); + private static final String LEVEL_NAME = "XXE Lesson"; + private static final String LEVEL_HASH = + "57dda1bf9a2ca1c34e04f815491ef40836d9b710179cd19754ec5b3c31f27d1a"; + + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + + String ApplicationRoot = getServletContext().getRealPath(""); + String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, LEVEL_HASH); + + // Setting IpAddress To Log and taking header for original IP if forwarded from + // proxy + ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")); + log.debug(LEVEL_NAME + " Servlet Accessed"); + PrintWriter out = response.getWriter(); + out.print(getServletInfo()); + + // Translation Stuff + Locale locale = new Locale(Validate.validateLanguage(request.getSession())); + ResourceBundle errors = ResourceBundle.getBundle("i18n.servlets.errors", locale); + ResourceBundle bundle = ResourceBundle.getBundle("i18n.servlets.lessons.xxe", locale); + + try { + HttpSession ses = request.getSession(true); + if (Validate.validateSession(ses)) { + if (Getter.isModuleOpen(getServletContext().getRealPath(""), moduleId)) { + ShepherdLogManager.setRequestIp( + request.getRemoteAddr(), + request.getHeader("X-Forwarded-For"), + ses.getAttribute("userName").toString()); + log.debug(LEVEL_NAME + " accessed by: " + ses.getAttribute("userName").toString()); + Cookie tokenCookie = Validate.getToken(request.getCookies()); 
+ Object tokenHeader = request.getHeader("csrfToken").toString(); + + if (Validate.validateTokens(tokenCookie, tokenHeader)) { + InputStream xml = request.getInputStream(); + String emailAddr = readXml(xml); + log.debug("Email Addr: " + emailAddr); + + String htmlOutput = new String(); + + if (emailAddr == null) { + htmlOutput += "

" + bundle.getString("response.blank.email") + "

"; + out.write(htmlOutput + emailAddr); + } else if (Validate.isValidEmailAddress(emailAddr)) { + log.debug("User Submitted - " + emailAddr); + + htmlOutput += + "

" + + bundle.getString("response.success.reset") + + ": " + + emailAddr + + " has been reset

"; + out.write(htmlOutput); + } else { + htmlOutput += + "

" + bundle.getString("response.invalid.email") + ": " + emailAddr + "

"; + out.write(htmlOutput); + } + } + } else { + log.error(LEVEL_NAME + " accessed but level is closed"); + out.write(errors.getString("error.notOpen")); + } + } else { + log.error(LEVEL_NAME + " accessed with no session"); + out.write(errors.getString("error.noSession")); + } + } catch (Exception e) { + out.write(errors.getString("error.funky")); + log.fatal(LEVEL_NAME + " - " + e.toString()); + } + log.debug("End of " + LEVEL_NAME + " Servlet"); + } + + public static String readXml(InputStream xmlEmail) { + + Document doc; + String result = null; + + DocumentBuilder dBuilder = + XmlDocumentBuilder.xmlDocBuilder(false, true, true, true, true, true); + InputSource is = new InputSource(xmlEmail); + + try { + doc = dBuilder.parse(is); + Element root = doc.getDocumentElement(); + result = root.getTextContent(); + return Encode.forHtml(result.toString()); + } catch (SAXException e) { + log.error(e.toString()); + } catch (IOException e) { + log.error(e.toString()); + } + + return result; + } + + /** Creates the file with the solution key needed to pass the level */ + public static boolean createXxeLessonSolutionFile() { + + File lessonFile; + + Properties prop = new Properties(); + + try (InputStream xxe_input = + new FileInputStream( + System.getProperty("user.dir") + "/src/main/resources/fileSystemKeys.properties")) { + + prop.load(xxe_input); + + } catch (IOException e) { + log.error("Could not load properties file: " + e.toString()); + throw new RuntimeException(e); + } + + String errorBase = "Missing property :"; + + String filename = prop.getProperty("xxe.lesson.file"); + if (filename == null) { + throw new RuntimeException(errorBase + "xxe.lesson.file"); + } + String solution = prop.getProperty("xxe.lesson.solution"); + if (solution == null) { + throw new RuntimeException(errorBase + "xxe.lesson.solution"); + } + + lessonFile = new File(filename); + + if (lessonFile.exists()) { + log.info("XXE Lesson Solution File " + filename + " already exists"); + 
FileUtils.deleteQuietly(lessonFile); + log.info("XXE Lesson Solution File " + filename + " deleted"); + } + try { + FileUtils.write(lessonFile, solution, "UTF-8"); + } catch (IOException e) { + log.error("Could not load properties file: " + e.toString()); + throw new RuntimeException(e); + } + log.info("XXE Lesson Solution File " + filename + " created"); + return true; + } } diff --git a/src/main/java/utils/Analytics.java b/src/main/java/utils/Analytics.java index 55c28f421..a0f1d0043 100644 --- a/src/main/java/utils/Analytics.java +++ b/src/main/java/utils/Analytics.java @@ -5,37 +5,44 @@ /** * Manages What Google Analytics is used by the Shepherd instance. If Any - * @author Mark Denihan * + * @author Mark Denihan */ -public class Analytics -{ +public class Analytics { + + public static boolean googleAnalyticsOn = false; + public static String googleAnalyticsScript = + ""; + public static String mobileVmLinkBlurb = + new String( + "To complete this challenge you'll need to use the Security Shepherd Android Virtual" + + " Machine that contains the app. "); - public static boolean googleAnalyticsOn = false; - public static String googleAnalyticsScript = ""; - public static String mobileVmLinkBlurb = new String("" - + "To complete this challenge you'll need to use the Security Shepherd Android Virtual Machine that contains the app. "); - public static String sponsorshipMessage(Locale locale) - { - //Get Language Bundle - ResourceBundle bundle = ResourceBundle.getBundle("i18n.text", locale); - return new String("
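Review bot: In the `emailAddr == null` branch of doPost, `out.write(htmlOutput + emailAddr);` concatenates the null reference, so the response ends with the literal text "null"; it should be `out.write(htmlOutput);`. A few lines earlier, `request.getHeader("csrfToken").toString()` throws NullPointerException when the header is absent, and the outer `catch (Exception e)` turns that into a fatal log plus the generic error.funky message instead of an ordinary token-validation failure — `String tokenHeader = request.getHeader("csrfToken");` would let Validate.validateTokens see the missing value, assuming it accepts null (its implementation is not visible here). In createXxeLessonSolutionFile the catch around `FileUtils.write` repeats the message from the properties-loading block; it should read `log.error("Could not write XXE lesson solution file: " + e.toString());`. The permissive settings passed to `XmlDocumentBuilder.xmlDocBuilder(false, true, true, true, true, true)` in readXml appear to be the lesson's intentional XXE configuration, so a one-line comment stating that intent next to the call would stop a future reader from "fixing" it here or copying it into production code.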

" + bundle.getString("sponsorship.title") + "

" + - "

" + - bundle.getString("sponsorship.message.1") + - "

" + - "\"BCC" + - "\"EdgeScan\"" + - "
" + - "" + - "
" + - "

"); - } + public static String sponsorshipMessage(Locale locale) { + // Get Language Bundle + ResourceBundle bundle = ResourceBundle.getBundle("i18n.text", locale); + return new String( + "

" + + bundle.getString("sponsorship.title") + + "

" + + "

" + + bundle.getString("sponsorship.message.1") + + "



"); + } } diff --git a/src/main/java/utils/CheatSheetStatus.java b/src/main/java/utils/CheatSheetStatus.java index 35ca4f91d..d78fb7ae2 100644 --- a/src/main/java/utils/CheatSheetStatus.java +++ b/src/main/java/utils/CheatSheetStatus.java @@ -1,144 +1,138 @@ package utils; -import java.sql.SQLException; - -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.LogManager; - import dbProcs.Getter; import dbProcs.Setter; +import java.sql.SQLException; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; /** - * Class that holds the status of the avilablility of the Cheat Sheet - * functionality
- *
+ * Class that holds the status of the avilablility of the Cheat Sheet functionality
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it - * and/or modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, either version 3 of the License, - * or (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be - * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General - * Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License along with - * the Security Shepherd project. If not, see . + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * * @author Mark Denihan - * */ public class CheatSheetStatus { - private static final Logger log = LogManager.getLogger(CheatSheetStatus.class); - - private static boolean adminEnabled = false; - private static boolean playerEnabled = false; - - private static boolean isLoaded = false; - - public static void disableForAll() { - - if (!isLoaded) { - loadCheatStatus(); - } - - adminEnabled = false; - playerEnabled = false; - saveCheatStatus(); - } - - public static void enableForAdminsOnly() { - if (!isLoaded) { - loadCheatStatus(); - } - playerEnabled = false; - adminEnabled = true; - saveCheatStatus(); - } - - public static void enableForAll() { - if (!isLoaded) { - loadCheatStatus(); - } - adminEnabled = true; - playerEnabled = true; - saveCheatStatus(); - } - - public static boolean getStatusForAll() { - if (!isLoaded) { - loadCheatStatus(); - } - return adminEnabled && playerEnabled; - } - - public static boolean isEnabledForAdminsOnly() { - if (!isLoaded) { - loadCheatStatus(); - } - return !playerEnabled && adminEnabled; - } - - public static boolean isEnabledForPlayers() { - if (!isLoaded) { - loadCheatStatus(); - } - return playerEnabled; - } - - public static boolean isEnabledAtAll() { - if (!isLoaded) { - loadCheatStatus(); - } - return adminEnabled || playerEnabled; - } - - /** - * Returns boolean to tell view's whether Cheat Sheets are available for a - * specific user role or not - * - * @param userRole - * @return - */ - public static boolean showCheat(String userRole) { - boolean show = false; - if (isEnabledAtAll()) { - if (isEnabledForPlayers()) - show = true; - else { - if (isEnabledForAdminsOnly() && userRole.compareTo("admin") == 0) - show = true; - } - } - return show; - } - - private static void saveCheatStatus() { - try { - - Setter.setAdminCheatStatus("", adminEnabled); - Setter.setPlayerCheatStatus("", 
playerEnabled); - - } catch (SQLException e) { - log.fatal("Could not save cheat sheet status in database: " + e.toString()); - throw new RuntimeException(e); - } - } - - private static void loadCheatStatus() { - try { - - adminEnabled = Getter.getAdminCheatStatus(""); - playerEnabled = Getter.getPlayerCheatStatus(""); - - } catch (SQLException e) { - log.fatal("Could not save cheat sheet status in database: " + e.toString()); - throw new RuntimeException(e); - } - isLoaded = true; - } - + private static final Logger log = LogManager.getLogger(CheatSheetStatus.class); + + private static boolean adminEnabled = false; + private static boolean playerEnabled = false; + + private static boolean isLoaded = false; + + public static void disableForAll() { + + if (!isLoaded) { + loadCheatStatus(); + } + + adminEnabled = false; + playerEnabled = false; + saveCheatStatus(); + } + + public static void enableForAdminsOnly() { + if (!isLoaded) { + loadCheatStatus(); + } + playerEnabled = false; + adminEnabled = true; + saveCheatStatus(); + } + + public static void enableForAll() { + if (!isLoaded) { + loadCheatStatus(); + } + adminEnabled = true; + playerEnabled = true; + saveCheatStatus(); + } + + public static boolean getStatusForAll() { + if (!isLoaded) { + loadCheatStatus(); + } + return adminEnabled && playerEnabled; + } + + public static boolean isEnabledForAdminsOnly() { + if (!isLoaded) { + loadCheatStatus(); + } + return !playerEnabled && adminEnabled; + } + + public static boolean isEnabledForPlayers() { + if (!isLoaded) { + loadCheatStatus(); + } + return playerEnabled; + } + + public static boolean isEnabledAtAll() { + if (!isLoaded) { + loadCheatStatus(); + } + return adminEnabled || playerEnabled; + } + + /** + * Returns boolean to tell view's whether Cheat Sheets are available for a specific user role or + * not + * + * @param userRole + * @return + */ + public static boolean showCheat(String userRole) { + boolean show = false; + if (isEnabledAtAll()) { + if 
(isEnabledForPlayers()) { + show = true; + } else { + if (isEnabledForAdminsOnly() && userRole.compareTo("admin") == 0) { + show = true; + } + } + } + return show; + } + + private static void saveCheatStatus() { + try { + + Setter.setAdminCheatStatus("", adminEnabled); + Setter.setPlayerCheatStatus("", playerEnabled); + + } catch (SQLException e) { + log.fatal("Could not save cheat sheet status in database: " + e.toString()); + throw new RuntimeException(e); + } + } + + private static void loadCheatStatus() { + try { + + adminEnabled = Getter.getAdminCheatStatus(""); + playerEnabled = Getter.getPlayerCheatStatus(""); + + } catch (SQLException e) { + log.fatal("Could not save cheat sheet status in database: " + e.toString()); + throw new RuntimeException(e); + } + isLoaded = true; + } } diff --git a/src/main/java/utils/CountdownHandler.java b/src/main/java/utils/CountdownHandler.java index 765e285d1..b8b1ef446 100644 --- a/src/main/java/utils/CountdownHandler.java +++ b/src/main/java/utils/CountdownHandler.java @@ -1,322 +1,314 @@ package utils; +import dbProcs.Getter; +import dbProcs.Setter; import java.sql.SQLException; import java.time.LocalDateTime; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; - -import dbProcs.Getter; -import dbProcs.Setter; +import org.apache.logging.log4j.Logger; /** - * - *
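Review bot: The catch block in loadCheatStatus logs "Could not save cheat sheet status in database" although the failing calls are Getter.getAdminCheatStatus and Getter.getPlayerCheatStatus, so a failed load is reported as a failed save; use `log.fatal("Could not load cheat sheet status from database: " + e.toString());`. In showCheat, `userRole.compareTo("admin") == 0` throws NullPointerException for a null role, whereas `"admin".equals(userRole)` makes the same comparison and yields false, which is the safe default for an access decision. The static flags adminEnabled, playerEnabled and isLoaded are shared mutable state read and written without synchronization; whether concurrent requests reach this class is not visible in the hunk, so that is a point to confirm rather than a defect to fix now.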
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it - * and/or modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, either version 3 of the License, - * or (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be - * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General - * Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License along with - * the Security Shepherd project. If not, see . + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * * @author Mark Denihan - * */ public class CountdownHandler { - private static final Logger log = LogManager.getLogger(CountdownHandler.class); - - private static LocalDateTime startTime; - private static boolean hasStartTime = false; - private static LocalDateTime lockTime; - private static boolean hasLockTime = false; - private static LocalDateTime endTime; - private static boolean hasEndTime = false; - - private static boolean isLoaded = false; - - private static boolean validate() throws InvalidCountdownStateException { - - if (!isLoaded) { - loadCountdowns(); - } - - if (hasStartTime && hasLockTime) { - if (startTime.isAfter(lockTime)) { - throw new InvalidCountdownStateException("Start time must be before or equal to lock time"); - } - } - - if (hasStartTime && hasEndTime) { - if (startTime.isAfter(endTime)) { - throw new InvalidCountdownStateException("Start time must be before or equal to end time"); - } - } - - if (hasLockTime && hasEndTime) { - if (lockTime.isAfter(endTime)) { - throw new InvalidCountdownStateException("Lock time must be before or equal to end time"); - } - } - return true; + private static final Logger log = LogManager.getLogger(CountdownHandler.class); - } + private static LocalDateTime startTime; + private static boolean hasStartTime = false; + private static LocalDateTime lockTime; + private static boolean hasLockTime = false; + private static LocalDateTime endTime; + private static boolean hasEndTime = false; - public static boolean willStart() throws InvalidCountdownStateException { + private static boolean isLoaded = false; - // Returns true if there is a start time but the CTF hasn't started yet + private static boolean validate() throws InvalidCountdownStateException { - validate(); + if (!isLoaded) { + loadCountdowns(); + } - return hasStartTime() && !isRunning(); - } + if (hasStartTime && hasLockTime) 
{ + if (startTime.isAfter(lockTime)) { + throw new InvalidCountdownStateException("Start time must be before or equal to lock time"); + } + } - public static boolean willLock() throws InvalidCountdownStateException { + if (hasStartTime && hasEndTime) { + if (startTime.isAfter(endTime)) { + throw new InvalidCountdownStateException("Start time must be before or equal to end time"); + } + } - // Returns true if CTF has started and there is a lock time that hasn't happened yet + if (hasLockTime && hasEndTime) { + if (lockTime.isAfter(endTime)) { + throw new InvalidCountdownStateException("Lock time must be before or equal to end time"); + } + } - validate(); + return true; + } - return isStarted() && hasLockTime() && isOpen(); - } + public static boolean willStart() throws InvalidCountdownStateException { - public static boolean willEnd() throws InvalidCountdownStateException { + // Returns true if there is a start time but the CTF hasn't started yet - // Return true if CTF it is locked or started, has an end timer that hasn't happened yet + validate(); - validate(); + return hasStartTime() && !isRunning(); + } - return !willLock () && isRunning() && hasEndTime() && !hasEnded(); - } + public static boolean willLock() throws InvalidCountdownStateException { - public static boolean isOpen() throws InvalidCountdownStateException { + // Returns true if CTF has started and there is a lock time that hasn't happened yet - // CTF is open if it has started, isn't locked and hasn't ended + validate(); - validate(); + return isStarted() && hasLockTime() && isOpen(); + } - return isStarted() && !isLocked() && !hasEnded(); - } + public static boolean willEnd() throws InvalidCountdownStateException { - public static boolean isRunning() throws InvalidCountdownStateException { + // Return true if CTF it is locked or started, has an end timer that hasn't happened yet - // CTF is running if it has started, hasn't ended, but ignores lock state + validate(); - validate(); + return 
!willLock() && isRunning() && hasEndTime() && !hasEnded(); + } - return isStarted() && !hasEnded(); - } + public static boolean isOpen() throws InvalidCountdownStateException { - public static boolean isStarted() { - if (!isLoaded) { - loadCountdowns(); - } + // CTF is open if it has started, isn't locked and hasn't ended - if (hasStartTime) { + validate(); - // Start timer enabled, only return true if timer has passed - return startTime.isBefore(LocalDateTime.now()); - } else { + return isStarted() && !isLocked() && !hasEnded(); + } - // Start timer disabled, always say it's started - return true; - } - } + public static boolean isRunning() throws InvalidCountdownStateException { - public static boolean isLocked() { - if (!isLoaded) { - loadCountdowns(); - } - return hasLockTime && lockTime.isBefore(LocalDateTime.now()); - } + // CTF is running if it has started, hasn't ended, but ignores lock state - public static boolean hasEnded() { - if (!isLoaded) { - loadCountdowns(); - } - return hasEndTime && endTime.isBefore(LocalDateTime.now()); - } + validate(); - public static LocalDateTime getStartTime() { - if (!isLoaded) { - loadCountdowns(); - } - return startTime; - } + return isStarted() && !hasEnded(); + } - public static boolean hasStartTime() { - if (!isLoaded) { - loadCountdowns(); - } - return hasStartTime; - } + public static boolean isStarted() { + if (!isLoaded) { + loadCountdowns(); + } - public static LocalDateTime getLockTime() { - if (!isLoaded) { - loadCountdowns(); - } - return lockTime; - } + if (hasStartTime) { - public static boolean hasLockTime() { - if (!isLoaded) { - loadCountdowns(); - } - return hasLockTime; - } + // Start timer enabled, only return true if timer has passed + return startTime.isBefore(LocalDateTime.now()); + } else { - public static LocalDateTime getEndTime() { - if (!isLoaded) { - loadCountdowns(); - } - return endTime; - } + // Start timer disabled, always say it's started + return true; + } + } - public static boolean 
hasEndTime() { - if (!isLoaded) { - loadCountdowns(); - } - return hasEndTime; - } + public static boolean isLocked() { + if (!isLoaded) { + loadCountdowns(); + } + return hasLockTime && lockTime.isBefore(LocalDateTime.now()); + } - public static void setStartTime(LocalDateTime theStartTime) { - if (!isLoaded) { - loadCountdowns(); - } + public static boolean hasEnded() { + if (!isLoaded) { + loadCountdowns(); + } + return hasEndTime && endTime.isBefore(LocalDateTime.now()); + } - hasStartTime = true; - startTime = theStartTime; + public static LocalDateTime getStartTime() { + if (!isLoaded) { + loadCountdowns(); + } + return startTime; + } - saveCountdowns(); - } + public static boolean hasStartTime() { + if (!isLoaded) { + loadCountdowns(); + } + return hasStartTime; + } - public static void enableStartTime() { - if (!isLoaded) { - loadCountdowns(); - } + public static LocalDateTime getLockTime() { + if (!isLoaded) { + loadCountdowns(); + } + return lockTime; + } - hasStartTime = true; + public static boolean hasLockTime() { + if (!isLoaded) { + loadCountdowns(); + } + return hasLockTime; + } - saveCountdowns(); - } + public static LocalDateTime getEndTime() { + if (!isLoaded) { + loadCountdowns(); + } + return endTime; + } - public static void disableStartTime() { - if (!isLoaded) { - loadCountdowns(); - } - - hasStartTime = false; - - saveCountdowns(); - } - - public static void setLockTime(LocalDateTime theLockTime) { - if (!isLoaded) { - loadCountdowns(); - } - - hasLockTime = true; - lockTime = theLockTime; - - saveCountdowns(); - } - - public static void enableLockTime() { - if (!isLoaded) { - loadCountdowns(); - } - - hasLockTime = true; - - saveCountdowns(); - } - - public static void disableLockTime() { - if (!isLoaded) { - loadCountdowns(); - } + public static boolean hasEndTime() { + if (!isLoaded) { + loadCountdowns(); + } + return hasEndTime; + } - hasLockTime = false; + public static void setStartTime(LocalDateTime theStartTime) { + if (!isLoaded) { 
+ loadCountdowns(); + } - saveCountdowns(); - } + hasStartTime = true; + startTime = theStartTime; - public static void setEndTime(LocalDateTime theEndTime) { - if (!isLoaded) { - loadCountdowns(); - } + saveCountdowns(); + } - hasEndTime = true; - endTime = theEndTime; + public static void enableStartTime() { + if (!isLoaded) { + loadCountdowns(); + } - saveCountdowns(); - } + hasStartTime = true; - public static void enableEndTime() { - if (!isLoaded) { - loadCountdowns(); - } + saveCountdowns(); + } + + public static void disableStartTime() { + if (!isLoaded) { + loadCountdowns(); + } + + hasStartTime = false; + + saveCountdowns(); + } + + public static void setLockTime(LocalDateTime theLockTime) { + if (!isLoaded) { + loadCountdowns(); + } + + hasLockTime = true; + lockTime = theLockTime; + + saveCountdowns(); + } + + public static void enableLockTime() { + if (!isLoaded) { + loadCountdowns(); + } + + hasLockTime = true; + + saveCountdowns(); + } + + public static void disableLockTime() { + if (!isLoaded) { + loadCountdowns(); + } + + hasLockTime = false; + + saveCountdowns(); + } + + public static void setEndTime(LocalDateTime theEndTime) { + if (!isLoaded) { + loadCountdowns(); + } + + hasEndTime = true; + endTime = theEndTime; - hasEndTime = true; + saveCountdowns(); + } - saveCountdowns(); - } + public static void enableEndTime() { + if (!isLoaded) { + loadCountdowns(); + } - public static void disableEndTime() { - if (!isLoaded) { - loadCountdowns(); - } + hasEndTime = true; - hasEndTime = false; + saveCountdowns(); + } - saveCountdowns(); - } + public static void disableEndTime() { + if (!isLoaded) { + loadCountdowns(); + } - private static void saveCountdowns() { - try { + hasEndTime = false; - if (isLoaded) { + saveCountdowns(); + } - Setter.setLockTime("", startTime); - Setter.setLockTimeStatus("", hasStartTime); - Setter.setLockTime("", lockTime); - Setter.setLockTimeStatus("", hasLockTime); - Setter.setEndTime("", endTime); - 
Setter.setEndTimeStatus("", hasEndTime); + private static void saveCountdowns() { + try { - } + if (isLoaded) { - } catch (SQLException e) { - log.fatal("Could not save countdown settings in database: " + e.toString()); - throw new RuntimeException(e); - } - } + Setter.setLockTime("", startTime); + Setter.setLockTimeStatus("", hasStartTime); + Setter.setLockTime("", lockTime); + Setter.setLockTimeStatus("", hasLockTime); + Setter.setEndTime("", endTime); + Setter.setEndTimeStatus("", hasEndTime); + } - private static void loadCountdowns() { + } catch (SQLException e) { + log.fatal("Could not save countdown settings in database: " + e.toString()); + throw new RuntimeException(e); + } + } - try { + private static void loadCountdowns() { - startTime = Getter.getStartTime(""); - hasStartTime = Getter.getStartTimeStatus(""); - lockTime = Getter.getLockTime(""); - hasLockTime = Getter.getLockTimeStatus(""); - endTime = Getter.getEndTime(""); - hasEndTime = Getter.getEndTimeStatus(""); + try { - } catch (SQLException e) { - log.fatal("Could not load module plan setting from database: " + e.toString()); - throw new RuntimeException(e); - } + startTime = Getter.getStartTime(""); + hasStartTime = Getter.getStartTimeStatus(""); + lockTime = Getter.getLockTime(""); + hasLockTime = Getter.getLockTimeStatus(""); + endTime = Getter.getEndTime(""); + hasEndTime = Getter.getEndTimeStatus(""); - isLoaded = true; - } + } catch (SQLException e) { + log.fatal("Could not load module plan setting from database: " + e.toString()); + throw new RuntimeException(e); + } + isLoaded = true; + } } diff --git a/src/main/java/utils/FeedbackStatus.java b/src/main/java/utils/FeedbackStatus.java index b081e8c65..224226ec4 100644 --- a/src/main/java/utils/FeedbackStatus.java +++ b/src/main/java/utils/FeedbackStatus.java 
@@ -1,73 +1,70 @@ package utils; -import java.sql.SQLException; - -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.LogManager; - import dbProcs.Getter; import dbProcs.Setter; +import java.sql.SQLException; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; /** * This class holds the status of weather feedback is enabled or not * * @author Mark - * */ public class FeedbackStatus { - private static final Logger log = LogManager.getLogger(FeedbackStatus.class); - private static boolean enabled = false; + private static final Logger log = LogManager.getLogger(FeedbackStatus.class); - private static boolean isLoaded = false; + private static boolean enabled = false; - public static boolean isEnabled() { - loadFeedbackStatus(); - return enabled; - } + private static boolean isLoaded = false; - public static boolean isDisabled() { - loadFeedbackStatus(); - return !enabled; - } + public static boolean isEnabled() { + loadFeedbackStatus(); + return enabled; + } - public static void setEnabled() { - if (!isLoaded) { - loadFeedbackStatus(); - } - enabled = true; - saveFeedbackStatus(); + public static boolean isDisabled() { + loadFeedbackStatus(); + return !enabled; + } - } + public static void setEnabled() { + if (!isLoaded) { + loadFeedbackStatus(); + } + enabled = true; + saveFeedbackStatus(); + } - public static void setDisabled() { - if (!isLoaded) { - loadFeedbackStatus(); - } - enabled = false; - saveFeedbackStatus(); - } + public static void setDisabled() { + if (!isLoaded) { + loadFeedbackStatus(); + } + enabled = false; + saveFeedbackStatus(); + } - private static void saveFeedbackStatus() { - try { + private static void saveFeedbackStatus() { + try { - Setter.setFeedbackStatus("", enabled); + Setter.setFeedbackStatus("", enabled); - } catch (SQLException e) { - log.fatal("Could not save feedback setting in database: " + e.toString()); - throw new RuntimeException(e); - } - } + } catch (SQLException e) { + 
log.fatal("Could not save feedback setting in database: " + e.toString()); + throw new RuntimeException(e); + } + } - private static void loadFeedbackStatus() { - try { + private static void loadFeedbackStatus() { + try { - enabled = Getter.getFeedbackStatus(""); + enabled = Getter.getFeedbackStatus(""); - } catch (SQLException e) { - log.fatal("Could not load feedback setting from database: " + e.toString()); - throw new RuntimeException(e); - } - isLoaded = true; - } + } catch (SQLException e) { + log.fatal("Could not load feedback setting from database: " + e.toString()); + throw new RuntimeException(e); + } + isLoaded = true; + } } diff --git a/src/main/java/utils/FindXSS.java b/src/main/java/utils/FindXSS.java index cd24413a1..a5676f51e 100644 --- a/src/main/java/utils/FindXSS.java +++ b/src/main/java/utils/FindXSS.java @@ -5,378 +5,452 @@ import java.io.InputStream; import java.net.MalformedURLException; import java.net.URL; - +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.jsoup.Jsoup; import org.jsoup.nodes.Document; import org.jsoup.nodes.Element; import org.jsoup.parser.Parser; import org.jsoup.select.Elements; - -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.LogManager; import org.w3c.tidy.Tidy; /** - * Class is responsible for finding valid XSS and CSRF attacks in user submissions - *
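Review bot: `isEnabled()` and `isDisabled()` call `loadFeedbackStatus()` unconditionally, so every read is a database round trip and the `isLoaded` flag only ever short-circuits the two setters; either the getters should take the same guard, `if (!isLoaded) { loadFeedbackStatus(); }`, or, if a fresh read on each call is deliberate, that should be stated in a comment so the flag is not mistaken for a working cache. The static `enabled`/`isLoaded` fields are plain booleans with no synchronization, which is only safe if this class is never touched from concurrent request threads — worth confirming, or marking them `volatile`. The unchanged class Javadoc also reads "weather" where "whether" is meant.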

+ * Class is responsible for finding valid XSS and CSRF attacks in user submissions
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class FindXSS -{ - private static final Logger log = LogManager.getLogger(FindXSS.class); - /** - * Method used to detect valid java script in a user submission. Specifically the presence of a script that will execute an alert command. - * Script tag, URI java script and java script triggers vectors are all including in this detection method. - * @param xssString User XSS submission (After filter if any) - * @return Boolean returned reflecting the presence of valid XSS attacks or not. - */ +public class FindXSS { + + private static final Logger log = LogManager.getLogger(FindXSS.class); + /** + * Method used to detect valid java script in a user submission. Specifically the presence of a + * script that will execute an alert command. Script tag, URI java script and java script triggers + * vectors are all including in this detection method. + * + * @param xssString User XSS submission (After filter if any) + * @return Boolean returned reflecting the presence of valid XSS attacks or not. 
+ */ + public static String[] javascriptTriggers = { + "onabort", + "onbeforecopy", + "onbeforecut", + "onbeforepaste", + "oncopy", + "oncut", + "oninput", + "onkeydown", + "onkeypress", + "onkeyup", + "onpaste", + "onbeforeunload", + "onhaschange", + "onload", + "onoffline", + "ononline", + "onreadystatechange", + "onreadystatechange", + "onstop", + "onunload", + "onreset", + "onsubmit", + "onclick", + "oncontextmenu", + "ondblclick", + "onlosecapture", + "onmouseenter", + "onmousedown", + "onmouseleave", + "onmousemove", + "onmouseout", + "onmouseover", + "onmouseup", + "onmousewheel", + "onscroll", + "onmove", + "onmoveend", + "onmovestart", + "ondrag", + "ondragenter", + "ondragleave", + "ondragover", + "ondragstart", + "ondrop", + "onresize", + "onresizeend", + "onresizestart", + "onactivate", + "onbeforeactivate", + "onbeforedeactivate", + "onbeforeeditfocus", + "onblur", + "ondeactivate", + "onfocus", + "onfocusin", + "onfocusout", + "oncontrolselect", + "onselect", + "onselectionchange", + "onselectstart", + "onafterprint", + "onbeforeprint", + "onhelp", + "onerror", + "onerrorupdate", + "onafterupdate", + "onbeforeupdate", + "oncellchange", + "ondataavailable", + "ondatasetchanged", + "ondatasetcomplete", + "onrowenter", + "onrowexit", + "onrowsdelete", + "onrowsinserted", + "onbounce", + "onfinish", + "onstart", + "onchange", + "onwheel", + "onfilterchange", + "onpropertychange", + "onsearch", + "onmessage", + "formaction", + "textinput", + "onhashchange", + "onpagehide", + "onpageshow", + "onpopstate", + "onstorage", + "oninvalid", + "ondragend", + "oncanplay", + "oncanplaythrough", + "oncuechange", + "ondurationchange", + "onemptied", + "onended", + "onloadeddata", + "onloadedmetadata", + "onloadstart", + "onpause", + "onplay", + "onplaying", + "onprogress", + "onratechange", + "onseeked", + "onseeking", + "onstalled", + "onsuspend", + "ontimeupdate", + "onvolumechange", + "onwaiting", + "onshow", + "ontoggle" + }; - public static String[] 
javascriptTriggers = { - "onabort", "onbeforecopy", "onbeforecut", "onbeforepaste", "oncopy", "oncut", - "oninput", "onkeydown", "onkeypress", "onkeyup", "onpaste", "onbeforeunload", - "onhaschange", "onload", "onoffline", "ononline", "onreadystatechange", - "onreadystatechange", "onstop", "onunload", "onreset", "onsubmit", "onclick", - "oncontextmenu", "ondblclick", "onlosecapture", "onmouseenter", "onmousedown", - "onmouseleave", "onmousemove", "onmouseout", "onmouseover", "onmouseup", "onmousewheel", - "onscroll", "onmove", "onmoveend", "onmovestart", "ondrag", "ondragenter", "ondragleave", - "ondragover", "ondragstart", "ondrop", "onresize", "onresizeend", "onresizestart", - "onactivate", "onbeforeactivate", "onbeforedeactivate", "onbeforeeditfocus", "onblur", - "ondeactivate", "onfocus", "onfocusin", "onfocusout", "oncontrolselect", "onselect", - "onselectionchange", "onselectstart", "onafterprint", "onbeforeprint", "onhelp", - "onerror", "onerrorupdate", "onafterupdate", "onbeforeupdate", "oncellchange", - "ondataavailable", "ondatasetchanged", "ondatasetcomplete", "onrowenter", "onrowexit", - "onrowsdelete", "onrowsinserted", "onbounce", "onfinish", "onstart", "onchange", "onwheel", - "onfilterchange", "onpropertychange", "onsearch", "onmessage", "formaction", "textinput", - "onhashchange", "onpagehide", "onpageshow", "onpopstate", "onstorage", "oninvalid", "ondragend", - "oncanplay", "oncanplaythrough", "oncuechange", "ondurationchange", "onemptied", "onended", - "onloadeddata", "onloadedmetadata", "onloadstart", "onpause", "onplay", "onplaying", "onprogress", - "onratechange", "onseeked", "onseeking", "onstalled", "onsuspend", "ontimeupdate", "onvolumechange", - "onwaiting", "onshow", "ontoggle"}; - public static String[] uriAttributes = { - "href", "src", "action" - }; - public static String[] colons = { - ":", ":", ":", ":", ":" - }; + public static String[] uriAttributes = {"href", "src", "action"}; + public static String[] colons = {":", ":", ":", ":", 
":"}; - /** - * Method used to validate GET request CSRF attacks embeded in IMG tags. - * @param messageForAdmin - * @param falseId - * @return - */ - public static boolean findCsrf (String messageForAdmin, String falseId) - { - //Find a HTML tag - while(messageForAdmin.contains("< ")) - messageForAdmin = messageForAdmin.replaceAll("< ", "<"); - while(messageForAdmin.contains(" >")) - messageForAdmin = messageForAdmin.replaceAll(" >", ">"); - log.debug("Cleaned to: " + messageForAdmin); - log.debug("Checking for "); - if(messageForAdmin.contains(""); - int tempStart = messageForAdmin.indexOf("", tempStart + 5); - if(tempEnd == -1) - { - log.debug("Invalid Tag"); - } - else - { - log.debug("Searching for SRC attribute"); - String tempMessage = messageForAdmin.substring(tempStart, tempEnd); - log.debug("Working on: " + tempMessage); - if(tempMessage.contains(" src")) - { - log.debug("Finding src after '='"); - int srcStart = tempMessage.indexOf(" src") + 4; - tempMessage = tempMessage.substring(srcStart); - log.debug("After SRC: " + tempMessage); - int srcEqual = tempMessage.indexOf("=") + 1; - log.debug("srcEqual = " + srcEqual); - int counter = 0; - while(tempMessage.substring(srcEqual + counter).startsWith(" ")) - { - //Find end of white space after equals sign, and then evaluate if the url is valid - counter++; - log.debug("counter = " + counter); - } + /** + * Method used to validate GET request CSRF attacks embeded in IMG tags. 
+ * + * @param messageForAdmin + * @param falseId + * @return + */ + public static boolean findCsrf(String messageForAdmin, String falseId) { + // Find a HTML tag + while (messageForAdmin.contains("< ")) { + messageForAdmin = messageForAdmin.replaceAll("< ", "<"); + } + while (messageForAdmin.contains(" >")) { + messageForAdmin = messageForAdmin.replaceAll(" >", ">"); + } + log.debug("Cleaned to: " + messageForAdmin); + log.debug("Checking for "); + if (messageForAdmin.contains(""); + int tempStart = messageForAdmin.indexOf("", tempStart + 5); + if (tempEnd == -1) { + log.debug("Invalid Tag"); + } else { + log.debug("Searching for SRC attribute"); + String tempMessage = messageForAdmin.substring(tempStart, tempEnd); + log.debug("Working on: " + tempMessage); + if (tempMessage.contains(" src")) { + log.debug("Finding src after '='"); + int srcStart = tempMessage.indexOf(" src") + 4; + tempMessage = tempMessage.substring(srcStart); + log.debug("After SRC: " + tempMessage); + int srcEqual = tempMessage.indexOf("=") + 1; + log.debug("srcEqual = " + srcEqual); + int counter = 0; + while (tempMessage.substring(srcEqual + counter).startsWith(" ")) { + // Find end of white space after equals sign, and then evaluate if the url is valid + counter++; + log.debug("counter = " + counter); + } - tempMessage = tempMessage.substring(srcEqual + counter); - log.debug("Working on: " + tempMessage); - String quoteType = null; - if(tempMessage.startsWith("\"")) - { - quoteType = "\""; - } - else if(tempMessage.startsWith("'")) - { - quoteType = "'"; - } - else - { - log.debug("No Quotes found around url"); - int endOfUrl = tempMessage.indexOf(" "); - if(endOfUrl == -1) - endOfUrl = tempMessage.length(); - else - endOfUrl--; - log.debug(tempMessage); - tempMessage = tempMessage.substring(0, endOfUrl); - log.debug(tempMessage); - } - if(quoteType != null) - { - log.debug("Quotes Found: " + quoteType); - tempMessage = tempMessage.substring(1, tempMessage.substring(2).indexOf(quoteType) + 
2); - } - log.debug("URL found to be: " + tempMessage); - boolean validUrl = false; - log.debug("Validating URL for Solution"); - try - { - URL csrfUrl = new URL(tempMessage); - log.debug("URL Host: " + csrfUrl.getHost()); - log.debug("URL Port: " + csrfUrl.getPort()); - log.debug("URL Path: " + csrfUrl.getPath()); - log.debug("URL Query: " + csrfUrl.getQuery()); - validUrl = csrfUrl.getPath().toLowerCase().equalsIgnoreCase("/root/grantComplete/csrflesson"); - if(!validUrl) - log.debug("1"); - validUrl = csrfUrl.getQuery().toLowerCase().equalsIgnoreCase(("userId=" + falseId).toLowerCase()) && validUrl; - if(!validUrl) - log.debug("2"); - } - catch(MalformedURLException e) - { - log.error("Invalid URL: " + e.toString()); - } - if(!validUrl) - { - log.debug("Invalid Url: " + tempMessage); - } - else - { - log.debug("Valid URL"); - return true; - } - } - } - } - return false; - } + tempMessage = tempMessage.substring(srcEqual + counter); + log.debug("Working on: " + tempMessage); + String quoteType = null; + if (tempMessage.startsWith("\"")) { + quoteType = "\""; + } else if (tempMessage.startsWith("'")) { + quoteType = "'"; + } else { + log.debug("No Quotes found around url"); + int endOfUrl = tempMessage.indexOf(" "); + if (endOfUrl == -1) { + endOfUrl = tempMessage.length(); + } else { + endOfUrl--; + } + log.debug(tempMessage); + tempMessage = tempMessage.substring(0, endOfUrl); + log.debug(tempMessage); + } + if (quoteType != null) { + log.debug("Quotes Found: " + quoteType); + tempMessage = tempMessage.substring(1, tempMessage.substring(2).indexOf(quoteType) + 2); + } + log.debug("URL found to be: " + tempMessage); + boolean validUrl = false; + log.debug("Validating URL for Solution"); + try { + URL csrfUrl = new URL(tempMessage); + log.debug("URL Host: " + csrfUrl.getHost()); + log.debug("URL Port: " + csrfUrl.getPort()); + log.debug("URL Path: " + csrfUrl.getPath()); + log.debug("URL Query: " + csrfUrl.getQuery()); + validUrl = + 
csrfUrl.getPath().toLowerCase().equalsIgnoreCase("/root/grantComplete/csrflesson"); + if (!validUrl) { + log.debug("1"); + } + validUrl = + csrfUrl + .getQuery() + .toLowerCase() + .equalsIgnoreCase(("userId=" + falseId).toLowerCase()) + && validUrl; + if (!validUrl) { + log.debug("2"); + } + } catch (MalformedURLException e) { + log.error("Invalid URL: " + e.toString()); + } + if (!validUrl) { + log.debug("Invalid Url: " + tempMessage); + } else { + log.debug("Valid URL"); + return true; + } + } + } + } + return false; + } - /** - * Searches for URL that contains CSRF attack string without user ID expected. Returns true if it is valid based on parameters submitted - * @param theUrl The Entire URL containing the attack - * @param csrfAttackPath The path the CSRF vulnerable function should be in - * @return boolean value depicting if the attack is valid or not - */ - public static boolean findCsrfAttackUrl (String theUrl, String csrfAttackPath) - { - boolean validAttack = false; - try - { - URL theAttack = new URL(theUrl); - log.debug("theAttack Host: " + theAttack.getHost()); - log.debug("theAttack Port: " + theAttack.getPort()); - log.debug("theAttack Path: " + theAttack.getPath()); - log.debug("theAttack Query: " + theAttack.getQuery()); - validAttack = theAttack.getPath().toLowerCase().equalsIgnoreCase(csrfAttackPath); - if(!validAttack) - log.debug("Invalid Solution: Bad Path or Above"); - } - catch(MalformedURLException e) - { - log.debug("Invalid URL Submitted: " + e.toString()); - validAttack = false; - } - catch(Exception e) - { - log.error("FindCSRF Failed: " + e.toString()); - validAttack = false; - } - return validAttack; - } + /** + * Searches for URL that contains CSRF attack string without user ID expected. 
Returns true if it + * is valid based on parameters submitted + * + * @param theUrl The Entire URL containing the attack + * @param csrfAttackPath The path the CSRF vulnerable function should be in + * @return boolean value depicting if the attack is valid or not + */ + public static boolean findCsrfAttackUrl(String theUrl, String csrfAttackPath) { + boolean validAttack = false; + try { + URL theAttack = new URL(theUrl); + log.debug("theAttack Host: " + theAttack.getHost()); + log.debug("theAttack Port: " + theAttack.getPort()); + log.debug("theAttack Path: " + theAttack.getPath()); + log.debug("theAttack Query: " + theAttack.getQuery()); + validAttack = theAttack.getPath().toLowerCase().equalsIgnoreCase(csrfAttackPath); + if (!validAttack) { + log.debug("Invalid Solution: Bad Path or Above"); + } + } catch (MalformedURLException e) { + log.debug("Invalid URL Submitted: " + e.toString()); + validAttack = false; + } catch (Exception e) { + log.error("FindCSRF Failed: " + e.toString()); + validAttack = false; + } + return validAttack; + } - /** - * Searches for URL that contains CSRF attack string. 
Returns true if it is valid based on parameters submitted - * @param theUrl The Entire URL containing the attack - * @param csrfAttackPath The path the CSRF vulnerable function should be in - * @param userIdParameterName The user ID parameter name expected - * @param userIdParameterValue The user ID parameter value expected - * @return boolean value depicting if the attack is valid or not - */ - public static boolean findCsrfAttackUrl (String theUrl, String csrfAttackPath, String userIdParameterName, String userIdParameterValue ) - { - boolean validAttack = false; - try - { - URL theAttack = new URL(theUrl); - log.debug("csrfAttackPath: " + csrfAttackPath); - log.debug("theAttack Host: " + theAttack.getHost()); - log.debug("theAttack Port: " + theAttack.getPort()); - log.debug("theAttack Path: " + theAttack.getPath()); - log.debug("theAttack Query: " + theAttack.getQuery()); - boolean validPath = theAttack.getPath().toLowerCase().endsWith(csrfAttackPath.toLowerCase()); - if(!validPath) - log.debug("Invalid Solution: Bad Path submitted. Expected:" + csrfAttackPath.toLowerCase()); - else - { - boolean validQuery = theAttack.getQuery().toLowerCase().equalsIgnoreCase((userIdParameterName + "=" + userIdParameterValue).toLowerCase()); - if(!validQuery) - log.debug("Invalid Solution: Bad Query. Expected: " + (userIdParameterName + "=" + userIdParameterValue).toLowerCase()); - else - { - validAttack = true; - } - } - } - catch(MalformedURLException e) - { - log.debug("Invalid URL Submitted: " + e.toString()); - validAttack = false; - } - catch(Exception e) - { - log.error("FindCSRF Failed: " + e.toString()); - validAttack = false; - } - return validAttack; - } + /** + * Searches for URL that contains CSRF attack string. 
Returns true if it is valid based on + * parameters submitted + * + * @param theUrl The Entire URL containing the attack + * @param csrfAttackPath The path the CSRF vulnerable function should be in + * @param userIdParameterName The user ID parameter name expected + * @param userIdParameterValue The user ID parameter value expected + * @return boolean value depicting if the attack is valid or not + */ + public static boolean findCsrfAttackUrl( + String theUrl, + String csrfAttackPath, + String userIdParameterName, + String userIdParameterValue) { + boolean validAttack = false; + try { + URL theAttack = new URL(theUrl); + log.debug("csrfAttackPath: " + csrfAttackPath); + log.debug("theAttack Host: " + theAttack.getHost()); + log.debug("theAttack Port: " + theAttack.getPort()); + log.debug("theAttack Path: " + theAttack.getPath()); + log.debug("theAttack Query: " + theAttack.getQuery()); + boolean validPath = theAttack.getPath().toLowerCase().endsWith(csrfAttackPath.toLowerCase()); + if (!validPath) { + log.debug("Invalid Solution: Bad Path submitted. Expected:" + csrfAttackPath.toLowerCase()); + } else { + boolean validQuery = + theAttack + .getQuery() + .toLowerCase() + .equalsIgnoreCase((userIdParameterName + "=" + userIdParameterValue).toLowerCase()); + if (!validQuery) { + log.debug( + "Invalid Solution: Bad Query. 
Expected: " + + (userIdParameterName + "=" + userIdParameterValue).toLowerCase()); + } else { + validAttack = true; + } + } + } catch (MalformedURLException e) { + log.debug("Invalid URL Submitted: " + e.toString()); + validAttack = false; + } catch (Exception e) { + log.error("FindCSRF Failed: " + e.toString()); + validAttack = false; + } + return validAttack; + } - /** - * Forms XSS Input for XHTML before Searching with Shepherd XSS Detector - * @param xssString Untrusted User Input - * @return Boolean value depicting if XSS was detected - */ - public static boolean search (String xssString) - { - boolean xssDetected = false; - log.debug("String to Search: " + xssString); + /** + * Forms XSS Input for XHTML before Searching with Shepherd XSS Detector + * + * @param xssString Untrusted User Input + * @return Boolean value depicting if XSS was detected + */ + public static boolean search(String xssString) { + boolean xssDetected = false; + log.debug("String to Search: " + xssString); - //Need to tidy submitted string, similar to how a browser would when it interprets it - Tidy tidy = new Tidy(); - tidy.setXHTML(true); - tidy.setQuiet(true); - tidy.setShowWarnings(false); - InputStream inputStream = new ByteArrayInputStream(xssString.getBytes()); - ByteArrayOutputStream outputStream = new ByteArrayOutputStream(); - tidy.parseDOM(inputStream, outputStream); - String tidyHtml = outputStream.toString().toLowerCase(); - try - { - outputStream.close(); - inputStream.close(); - } - catch(Exception e) - { - log.error("Could not Cloud Tidy Input/Output Streams: " + e.toString()); - } - // log.debug("String Tidied To: " + tidyHtml); + // Need to tidy submitted string, similar to how a browser would when it interprets it + Tidy tidy = new Tidy(); + tidy.setXHTML(true); + tidy.setQuiet(true); + tidy.setShowWarnings(false); + InputStream inputStream = new ByteArrayInputStream(xssString.getBytes()); + ByteArrayOutputStream outputStream = new ByteArrayOutputStream(); + 
tidy.parseDOM(inputStream, outputStream); + String tidyHtml = outputStream.toString().toLowerCase(); + try { + outputStream.close(); + inputStream.close(); + } catch (Exception e) { + log.error("Could not Cloud Tidy Input/Output Streams: " + e.toString()); + } + // log.debug("String Tidied To: " + tidyHtml); - //Now to Parse it and narrow down to the Body of the output - Document parsedHtml = Jsoup.parseBodyFragment(tidyHtml); - Element htmlBody = parsedHtml.body(); + // Now to Parse it and narrow down to the Body of the output + Document parsedHtml = Jsoup.parseBodyFragment(tidyHtml); + Element htmlBody = parsedHtml.body(); - //Now We're in Search Territory. Three main Stages - //Stage One: Detect " + "

" - + "" + "" - + "" - + "

 

" + "
"; - } - return toReturn; - } - - /** - * Generates HMAC with servers random encryption key on user name concatenated - * with level's base result key - * - * @param baseKey The stored result key for the module - * @param userSalt Something specific to the user (User name) - * @return User Specific Solution Key - */ - public static String generateUserSolutionKeyOnly(String baseKey, String userSalt) { - log.debug("Generating User Solution..."); - String toReturn = null; - try { - Mac sha512_HMAC = null; - final String HMAC_SHA512 = "HmacSHA512"; - sha512_HMAC = Mac.getInstance(HMAC_SHA512); - byte[] key = getCurrentKey(); - SecretKeySpec keySpec = new SecretKeySpec(key, HMAC_SHA512); - sha512_HMAC.init(keySpec); - byte[] mac_data = sha512_HMAC.doFinal((baseKey + userSalt).getBytes("UTF-16")); - StringBuilder sb = new StringBuilder(); - for (byte b : mac_data) { - sb.append(String.format("%02X", b)); - } - String userSpecificSolution = sb.toString(); - log.debug("Returning: " + userSpecificSolution); - toReturn = userSpecificSolution; - } catch (Exception e) { - log.error("Encrypt Failure: " + e.toString()); - } - return toReturn; - } - - public static byte[] getCurrentKey() { - return serverEncryptionKey; - } - - public static byte[] randomKeyBytes() { - byte byteArray[] = new byte[16]; - - SecureRandom psn1; - try { - psn1 = SecureRandom.getInstance("SHA1PRNG"); - } catch (NoSuchAlgorithmException e) { - log.error("Could not find SHA1PRNG: " + e.toString()); - throw new RuntimeException(e); - } - psn1.setSeed(psn1.nextLong()); - psn1.nextBytes(byteArray); - - return byteArray; - } - - /** - * Creates a psedorandom string - * - * @return Random String - */ - public static String randomString() { - String result = new String(); - - byte byteArray[] = new byte[16]; - - SecureRandom psn1=null; - - try { - psn1 = SecureRandom.getInstance("SHA1PRNG"); - } catch (NoSuchAlgorithmException e) { - log.error("Could not find SHA1PRNG: " + e.toString()); - throw new 
RuntimeException(e); - } - - psn1.setSeed(psn1.nextLong()); - psn1.nextBytes(byteArray); - BigInteger bigInt = new BigInteger(byteArray); - result = bigInt.toString(); - log.debug("Generated String = " + result); - return result; - } + private static final Logger log = LogManager.getLogger(Hash.class); + private static byte[] serverEncryptionKey = randomKeyBytes(); + + /** + * Generates HMAC with servers random encryption key on user name concatenated with level's base + * result key in a user friendly HTML form + * + * @param baseKey The stored result key for the module + * @param userSalt Something specific to the user (User name) + * @return User Specific Solution in a user friendly HTML form + */ + public static String generateUserSolution(String baseKey, String userSalt) { + log.debug("Generating User Solution..."); + String toReturn = "Key Should be here! Please refresh the home page and try again!"; + String userSpecificSolution = generateUserSolutionKeyOnly(baseKey, userSalt); + if (userSpecificSolution != null) { + toReturn = + "
" + + userSpecificSolution + + "

 

"; + } + return toReturn; + } + + /** + * Generates HMAC with servers random encryption key on user name concatenated with level's base + * result key + * + * @param baseKey The stored result key for the module + * @param userSalt Something specific to the user (User name) + * @return User Specific Solution Key + */ + public static String generateUserSolutionKeyOnly(String baseKey, String userSalt) { + log.debug("Generating User Solution..."); + String toReturn = null; + try { + Mac sha512_HMAC = null; + final String HMAC_SHA512 = "HmacSHA512"; + sha512_HMAC = Mac.getInstance(HMAC_SHA512); + byte[] key = getCurrentKey(); + SecretKeySpec keySpec = new SecretKeySpec(key, HMAC_SHA512); + sha512_HMAC.init(keySpec); + byte[] mac_data = sha512_HMAC.doFinal((baseKey + userSalt).getBytes("UTF-16")); + StringBuilder sb = new StringBuilder(); + for (byte b : mac_data) { + sb.append(String.format("%02X", b)); + } + String userSpecificSolution = sb.toString(); + log.debug("Returning: " + userSpecificSolution); + toReturn = userSpecificSolution; + } catch (Exception e) { + log.error("Encrypt Failure: " + e.toString()); + } + return toReturn; + } + + public static byte[] getCurrentKey() { + return serverEncryptionKey; + } + + public static byte[] randomKeyBytes() { + byte byteArray[] = new byte[16]; + + SecureRandom psn1; + try { + psn1 = SecureRandom.getInstance("SHA1PRNG"); + } catch (NoSuchAlgorithmException e) { + log.error("Could not find SHA1PRNG: " + e.toString()); + throw new RuntimeException(e); + } + psn1.setSeed(psn1.nextLong()); + psn1.nextBytes(byteArray); + + return byteArray; + } + + /** + * Creates a psedorandom string + * + * @return Random String + */ + public static String randomString() { + String result = new String(); + + byte byteArray[] = new byte[16]; + + SecureRandom psn1 = null; + + try { + psn1 = SecureRandom.getInstance("SHA1PRNG"); + } catch (NoSuchAlgorithmException e) { + log.error("Could not find SHA1PRNG: " + e.toString()); + throw new 
RuntimeException(e); + } + + psn1.setSeed(psn1.nextLong()); + psn1.nextBytes(byteArray); + BigInteger bigInt = new BigInteger(byteArray); + result = bigInt.toString(); + log.debug("Generated String = " + result); + + return result; + } } diff --git a/src/main/java/utils/InstallationException.java b/src/main/java/utils/InstallationException.java index ccd57f09e..53bd67b5c 100644 --- a/src/main/java/utils/InstallationException.java +++ b/src/main/java/utils/InstallationException.java @@ -1,14 +1,11 @@ package utils; public class InstallationException extends Exception { - /** - * - */ - private static final long serialVersionUID = -18715993090016593L; - public InstallationException(Exception e) { - super(e); - } + /** */ + private static final long serialVersionUID = -18715993090016593L; - + public InstallationException(Exception e) { + super(e); + } } diff --git a/src/main/java/utils/InvalidCountdownStateException.java b/src/main/java/utils/InvalidCountdownStateException.java index cefcccffb..382882fc3 100644 --- a/src/main/java/utils/InvalidCountdownStateException.java +++ b/src/main/java/utils/InvalidCountdownStateException.java @@ -1,38 +1,31 @@ package utils; /** - * Locates the database Properties File for Database manipulation methods. This - * file contains the application sign on credentials for the database.
- *
+ * Locates the database Properties File for Database manipulation methods. This file contains the + * application sign on credentials for the database.
+ *
* This file is part of the Security Shepherd Project. - * - * The Security Shepherd project is free software: you can redistribute it - * and/or modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, either version 3 of the License, - * or (at your option) any later version.
- * - * The Security Shepherd project is distributed in the hope that it will be - * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General - * Public License for more details.
- * - * You should have received a copy of the GNU General Public License along with - * the Security Shepherd project. If not, see . - * + * + *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
+ * + *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
+ * + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . + * * @author Mark */ - public class InvalidCountdownStateException extends Exception { - /** - * - */ - private static final long serialVersionUID = 3421841348651773178L; - /** - * - */ + /** */ + private static final long serialVersionUID = 3421841348651773178L; - public InvalidCountdownStateException(String errorMessage) { - super(errorMessage); - } + /** */ + public InvalidCountdownStateException(String errorMessage) { + super(errorMessage); + } } diff --git a/src/main/java/utils/LoginMethod.java b/src/main/java/utils/LoginMethod.java index 88555528a..833df8dfb 100644 --- a/src/main/java/utils/LoginMethod.java +++ b/src/main/java/utils/LoginMethod.java @@ -3,84 +3,77 @@ import java.io.IOException; import java.io.InputStream; import java.util.Properties; -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; /** - * Loads the SSO login configuration, if any.
+ * Loads the SSO login configuration, if any.
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it - * and/or modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, either version 3 of the License, - * or (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be - * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General - * Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License along with - * the Security Shepherd project. If not, see . + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * * @author Mark Denihan - * */ public class LoginMethod { - private static boolean isSaml = false; - private static boolean isSet = false; - - private static final Logger log = LogManager.getLogger(LoginMethod.class); - - public static boolean isSaml() { - - if (isSet) { - // Data is cached, so let's fetch it from cache - - return isSaml; + private static boolean isSaml = false; + private static boolean isSet = false; - } else { + private static final Logger log = LogManager.getLogger(LoginMethod.class); - ClassLoader classLoader = LoginMethod.class.getClassLoader(); + public static boolean isSaml() { - String unpackFileName = "sso.properties"; + if (isSet) { + // Data is cached, so let's fetch it from cache - try (InputStream inputStream = classLoader.getResourceAsStream(unpackFileName)) { - if (inputStream != null) { - Properties prop = new Properties(); - prop.load(inputStream); - if (prop != null) { + return isSaml; - // Get id and name from SAML data + } else { - String isSSOEnabled = prop.getProperty("sso.enabled"); + ClassLoader classLoader = LoginMethod.class.getClassLoader(); - isSaml = Boolean.parseBoolean(isSSOEnabled); + String unpackFileName = "sso.properties"; - isSet = true; + try (InputStream inputStream = classLoader.getResourceAsStream(unpackFileName)) { + if (inputStream != null) { + Properties prop = new Properties(); + prop.load(inputStream); + if (prop != null) { - } - } else { - // SSO properties found, we default to sso = false - isSaml = false; - isSet = true; - } - } catch (IOException e) { - String errorMsg = "SAML unpack properties file '" + unpackFileName + "' cannot be loaded"; + // Get id and name from SAML data - log.error(errorMsg); - throw new RuntimeException(errorMsg); + String isSSOEnabled = prop.getProperty("sso.enabled"); - } + isSaml = Boolean.parseBoolean(isSSOEnabled); - return isSaml; + isSet = 
true; + } + } else { + // SSO properties found, we default to sso = false + isSaml = false; + isSet = true; + } + } catch (IOException e) { + String errorMsg = "SAML unpack properties file '" + unpackFileName + "' cannot be loaded"; - } - } + log.error(errorMsg); + throw new RuntimeException(errorMsg); + } - public static Boolean isLogin() { - return (!isSaml()); - } + return isSaml; + } + } + public static Boolean isLogin() { + return (!isSaml()); + } } diff --git a/src/main/java/utils/ModuleBlock.java b/src/main/java/utils/ModuleBlock.java index ac7a6fe42..aed30c257 100644 --- a/src/main/java/utils/ModuleBlock.java +++ b/src/main/java/utils/ModuleBlock.java @@ -2,51 +2,44 @@ import org.owasp.encoder.Encode; - /** - * This class is just an instance memory structure for module blockers. Including the id of the module block, the message to give users and the current block status. - *
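Review bot: The comment `// SSO properties found, we default to sso = false` in isSaml's else branch sits on the path taken when getResourceAsStream returned null, i.e. the file was not found, so it says the opposite of what the branch handles; it should read `// sso.properties not found, default to sso = false`. In the catch block `throw new RuntimeException(errorMsg);` drops the IOException, so the reason the SSO configuration could not be read is lost from the stack trace; `throw new RuntimeException(errorMsg, e);` keeps the cause. The `if (prop != null)` test directly after `new Properties()` is always true and can be removed.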

+ * This class is just an instance memory structure for module blockers. Including the id of the + * module block, the message to give users and the current block status.
+ *
* This file is part of the Security Shepherd Project. - * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
- * - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
- * - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan * + *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
+ * + *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
+ * + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . + * + * @author Mark Denihan */ -public class ModuleBlock -{ - public static String blockerId = ""; - private static String blockerMessage = ""; - public static boolean blockerEnabled = false; - - /** - * Quick reset method - */ - public static void reset () - { - blockerId = new String(); - blockerMessage = new String(); - blockerEnabled = false; - } - - public static String getBlockerMessage () - { - - return Encode.forHtml(blockerMessage); - } - - public static void setMessage(String theMessage) - { - blockerMessage = theMessage; - } +public class ModuleBlock { + + public static String blockerId = ""; + private static String blockerMessage = ""; + public static boolean blockerEnabled = false; + + /** Quick reset method */ + public static void reset() { + blockerId = new String(); + blockerMessage = new String(); + blockerEnabled = false; + } + + public static String getBlockerMessage() { + + return Encode.forHtml(blockerMessage); + } + + public static void setMessage(String theMessage) { + blockerMessage = theMessage; + } } diff --git a/src/main/java/utils/ModulePlan.java b/src/main/java/utils/ModulePlan.java index a0ca9e08b..056f79ef6 100644 --- a/src/main/java/utils/ModulePlan.java +++ b/src/main/java/utils/ModulePlan.java @@ -1,165 +1,159 @@ package utils; -import java.sql.SQLException; - -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.LogManager; - import dbProcs.Getter; import dbProcs.Setter; +import java.sql.SQLException; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; /** - * This class Determines how the users are presented with the modules. By - * default this method sets the floor plan to CTF mode
- *
+ * This class Determines how the users are presented with the modules. By default this method sets + * the floor plan to CTF mode
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it - * and/or modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, either version 3 of the License, - * or (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be - * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General - * Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License along with - * the Security Shepherd project. If not, see . + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * * @author Mark Denihan - * */ public class ModulePlan { - private static final Logger log = LogManager.getLogger(ModulePlan.class); - - private static boolean openFloor = false; - private static boolean incrementalFloor = true; - private static boolean tournamentFloor = false; - - private static boolean isLoaded = false; - - public static boolean isIncrementalFloor() { - if (!isLoaded) { - loadModuleLayout(); - } - return incrementalFloor; - } - - public static boolean isOpenFloor() { - if (!isLoaded) { - loadModuleLayout(); - } - return openFloor; - } - - public static boolean isTournamentFloor() { - if (!isLoaded) { - loadModuleLayout(); - } - ; - return tournamentFloor; - } - - public static void setIncrementalFloor() { - if (!isLoaded) { - loadModuleLayout(); - } - openFloor = false; - incrementalFloor = true; - tournamentFloor = false; - saveModuleLayout(); - } - - public static void setOpenFloor() { - if (!isLoaded) { - loadModuleLayout(); - } - openFloor = true; - incrementalFloor = false; - tournamentFloor = false; - saveModuleLayout(); - - } - - public static void setTournamentFloor() { - if (!isLoaded) { - loadModuleLayout(); - } - openFloor = false; - incrementalFloor = false; - tournamentFloor = true; - saveModuleLayout(); - - } - - public static String currentMode() { - String result = new String(); - if (!isLoaded) { - loadModuleLayout(); - } - if (openFloor) - result = "Open Floor"; - else if (incrementalFloor) - result = "CTF"; - else - result = "Tournament"; - return result; - } - - private static void saveModuleLayout() { - try { - if (openFloor) { - Setter.setModuleLayout("", "open"); - } else if (incrementalFloor) { - Setter.setModuleLayout("", "ctf"); - } else if (tournamentFloor) { - Setter.setModuleLayout("", "tournament"); - } else { - String message = "No module layouts enabled!"; - log.fatal(message); - throw new 
RuntimeException(message); - } - - } catch (SQLException e) { - log.fatal("Could not save module plan setting in database: " + e.toString()); - throw new RuntimeException(e); - } - } - - private static void loadModuleLayout() { - String theModuleLayout = ""; - - try { - - theModuleLayout = Getter.getModuleLayout(""); - - } catch (SQLException e) { - log.fatal("Could not load module plan setting from database: " + e.toString()); - throw new RuntimeException(e); - } - - if (theModuleLayout.equals("open")) { - openFloor = true; - incrementalFloor = false; - tournamentFloor = true; - } else if (theModuleLayout.equals("ctf")) { - openFloor = false; - incrementalFloor = true; - tournamentFloor = false; - - } else if (theModuleLayout.equals("tournament")) { - openFloor = false; - incrementalFloor = false; - tournamentFloor = true; - - } else { - String message = "Invalid module layout loaded from database: " + theModuleLayout; - log.fatal(message); - throw new RuntimeException(message); - } - - isLoaded = true; - } + private static final Logger log = LogManager.getLogger(ModulePlan.class); + + private static boolean openFloor = false; + private static boolean incrementalFloor = true; + private static boolean tournamentFloor = false; + + private static boolean isLoaded = false; + + public static boolean isIncrementalFloor() { + if (!isLoaded) { + loadModuleLayout(); + } + return incrementalFloor; + } + + public static boolean isOpenFloor() { + if (!isLoaded) { + loadModuleLayout(); + } + return openFloor; + } + + public static boolean isTournamentFloor() { + if (!isLoaded) { + loadModuleLayout(); + } + ; + return tournamentFloor; + } + + public static void setIncrementalFloor() { + if (!isLoaded) { + loadModuleLayout(); + } + openFloor = false; + incrementalFloor = true; + tournamentFloor = false; + saveModuleLayout(); + } + + public static void setOpenFloor() { + if (!isLoaded) { + loadModuleLayout(); + } + openFloor = true; + incrementalFloor = false; + tournamentFloor = 
false; + saveModuleLayout(); + } + + public static void setTournamentFloor() { + if (!isLoaded) { + loadModuleLayout(); + } + openFloor = false; + incrementalFloor = false; + tournamentFloor = true; + saveModuleLayout(); + } + + public static String currentMode() { + String result = new String(); + if (!isLoaded) { + loadModuleLayout(); + } + if (openFloor) { + result = "Open Floor"; + } else if (incrementalFloor) { + result = "CTF"; + } else { + result = "Tournament"; + } + return result; + } + + private static void saveModuleLayout() { + try { + if (openFloor) { + Setter.setModuleLayout("", "open"); + } else if (incrementalFloor) { + Setter.setModuleLayout("", "ctf"); + } else if (tournamentFloor) { + Setter.setModuleLayout("", "tournament"); + } else { + String message = "No module layouts enabled!"; + log.fatal(message); + throw new RuntimeException(message); + } + + } catch (SQLException e) { + log.fatal("Could not save module plan setting in database: " + e.toString()); + throw new RuntimeException(e); + } + } + + private static void loadModuleLayout() { + String theModuleLayout = ""; + + try { + + theModuleLayout = Getter.getModuleLayout(""); + + } catch (SQLException e) { + log.fatal("Could not load module plan setting from database: " + e.toString()); + throw new RuntimeException(e); + } + + if (theModuleLayout.equals("open")) { + openFloor = true; + incrementalFloor = false; + tournamentFloor = true; + } else if (theModuleLayout.equals("ctf")) { + openFloor = false; + incrementalFloor = true; + tournamentFloor = false; + + } else if (theModuleLayout.equals("tournament")) { + openFloor = false; + incrementalFloor = false; + tournamentFloor = true; + + } else { + String message = "Invalid module layout loaded from database: " + theModuleLayout; + log.fatal(message); + throw new RuntimeException(message); + } + + isLoaded = true; + } } 
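Review bot: In loadModuleLayout the `open` branch sets `tournamentFloor = true`, so after the layout is read from the database `isOpenFloor()` and `isTournamentFloor()` both return true, and `currentMode()` reports "Open Floor" only because it tests openFloor first; the reformat keeps the line unchanged. It should be `tournamentFloor = false;` so the three flags agree with what setOpenFloor() writes. The stray `;` after the if block in isTournamentFloor also survived the formatter and should be dropped.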
diff --git a/src/main/java/utils/OpenRegistration.java b/src/main/java/utils/OpenRegistration.java index da96c44b2..60343a293 100644 --- a/src/main/java/utils/OpenRegistration.java +++ b/src/main/java/utils/OpenRegistration.java @@ -1,102 +1,95 @@ package utils; -import java.sql.SQLException; - -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.LogManager; - import dbProcs.Getter; import dbProcs.Setter; +import java.sql.SQLException; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; /** - * This class Determines how the registration functionality is available
- *
+ * This class Determines how the registration functionality is available
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it - * and/or modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, either version 3 of the License, - * or (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be - * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General - * Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License along with - * the Security Shepherd project. If not, see . + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * * @author Mark Denihan - * */ public class OpenRegistration { - private static final Logger log = LogManager.getLogger(OpenRegistration.class); - - private static boolean enabled = false; - - private static boolean isLoaded = false; - - public static boolean isEnabled() { - if (!isLoaded) { - loadRegistrationStatus(); - } - return enabled; - } - - public static boolean isDisabled() { - if (!isLoaded) { - loadRegistrationStatus(); - } - return !enabled; - } - - public static void enable() { - if (!isLoaded) { - loadRegistrationStatus(); - } - enabled = true; - saveRegistrationStatus(); - - } - - public static void disable() { - if (!isLoaded) { - loadRegistrationStatus(); - } - enabled = false; - saveRegistrationStatus(); - - } - - public static void toggle() { - if (!isLoaded) { - loadRegistrationStatus(); - } - enabled = !enabled; - saveRegistrationStatus(); - - } - - private static void saveRegistrationStatus() { - try { - - Setter.setRegistrationStatus("", enabled); - - } catch (SQLException e) { - log.fatal("Could not save registration status in database: " + e.toString()); - throw new RuntimeException(e); - } - } - - private static void loadRegistrationStatus() { - try { - - enabled = Getter.getRegistrationStatus(""); - - } catch (SQLException e) { - log.fatal("Could not load registration status from database: " + e.toString()); - throw new RuntimeException(e); - } - isLoaded = true; - } + + private static final Logger log = LogManager.getLogger(OpenRegistration.class); + + private static boolean enabled = false; + + private static boolean isLoaded = false; + + public static boolean isEnabled() { + if (!isLoaded) { + loadRegistrationStatus(); + } + return enabled; + } + + public static boolean isDisabled() { + if (!isLoaded) { + loadRegistrationStatus(); + } + return !enabled; + } + + public static void enable() { + if (!isLoaded) { + 
loadRegistrationStatus(); + } + enabled = true; + saveRegistrationStatus(); + } + + public static void disable() { + if (!isLoaded) { + loadRegistrationStatus(); + } + enabled = false; + saveRegistrationStatus(); + } + + public static void toggle() { + if (!isLoaded) { + loadRegistrationStatus(); + } + enabled = !enabled; + saveRegistrationStatus(); + } + + private static void saveRegistrationStatus() { + try { + + Setter.setRegistrationStatus("", enabled); + + } catch (SQLException e) { + log.fatal("Could not save registration status in database: " + e.toString()); + throw new RuntimeException(e); + } + } + + private static void loadRegistrationStatus() { + try { + + enabled = Getter.getRegistrationStatus(""); + + } catch (SQLException e) { + log.fatal("Could not load registration status from database: " + e.toString()); + throw new RuntimeException(e); + } + isLoaded = true; + } } diff --git a/src/main/java/utils/ScoreboardStatus.java b/src/main/java/utils/ScoreboardStatus.java index 95c98db20..5d965af9e 100644 --- a/src/main/java/utils/ScoreboardStatus.java +++ b/src/main/java/utils/ScoreboardStatus.java 
@@ -1,300 +1,280 @@ package utils; -import java.sql.SQLException; - -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.LogManager; - import dbProcs.Getter; import dbProcs.Setter; +import java.sql.SQLException; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; /** * Scoreboard management class * * @author Mark Denihan - * */ public class ScoreboardStatus { - private static final Logger log = LogManager.getLogger(ScoreboardStatus.class); - - private static boolean scoreboardEnabled = true; - private static String scoreboardClass = new String(); - private static boolean adminOnlyScoreboard = false; - private static boolean classSpecificScoreboard = false; - private static boolean publicScoreboard = false; - - private static boolean isLoaded = false; - - /** - * Returns if user is authorised to see scoreboard currenly. - * - * @param userRole Must be player or admin - * @return - */ - public static boolean canSeeScoreboard(String userRole) { - if (!isLoaded) { - loadScoreboardStatus(); - } - boolean authorised = true; - if (adminOnlyScoreboard) { - if (userRole == null) { - return false; - } - authorised = userRole.equalsIgnoreCase("admin"); - } else if (publicScoreboard) { - // Scoreboard is public, always allow scoreboard to be shown, even to - // unauthorized users - return true; - } - return authorised && scoreboardEnabled; - } - - /** - * Used to tell if the current scoreboard config is set to Class Specific - * - * @return Boolean Value - */ - public static boolean getClassSpecificScoreboard() { - if (!isLoaded) { - loadScoreboardStatus(); - } - - return classSpecificScoreboard; - } - - public static String getScoreboardClass() { - if (!isLoaded) { - loadScoreboardStatus(); - } - - return scoreboardClass; - } - - /** - * Is the scoreboard configured to be displayed? 
- * - * @return - */ - public static boolean isScoreboardEnabled() { - if (!isLoaded) { - loadScoreboardStatus(); - } - - return scoreboardEnabled; - } - - /** - * Method to know if user is running a class specific scoreboard or not - * - * @return True if class specific scoreboard is enabled. Otherwise False - */ - public static boolean isClassSpecificScoreboard() { - if (!isLoaded) { - loadScoreboardStatus(); - } - - return classSpecificScoreboard; - } - - /** - * Method to know if scoreboard is public - * - * @return True if scoreboard is public. Otherwise False - */ - public static boolean isPublicScoreboard() { - if (!isLoaded) { - loadScoreboardStatus(); - } - - - return publicScoreboard; - } - - /** - * Disables scoreboard functions - */ - public static void disableScoreboard() { - if (!isLoaded) { - loadScoreboardStatus(); - } - - scoreboardEnabled = false; - adminOnlyScoreboard = false; - scoreboardClass = new String(); - classSpecificScoreboard = false; - publicScoreboard = false; - saveScoreboardStatus(); - } - - /** - * Sets the scoreboard to be admin only - */ - public static void setScoreboardAdminOnly() { - if (!isLoaded) { - loadScoreboardStatus(); - } - - scoreboardEnabled = true; - adminOnlyScoreboard = true; - publicScoreboard = false; - saveScoreboardStatus(); - - } - - /** - * Enables public Scoreboard based on scores from specific class - * - * @param theClass Class to base the Scoreboard on - */ - public static void setScoreboardClass(String theClass) { - if (!isLoaded) { - loadScoreboardStatus(); - } - - scoreboardClass = theClass; - scoreboardEnabled = true; - adminOnlyScoreboard = false; - classSpecificScoreboard = false; - publicScoreboard = false; - saveScoreboardStatus(); - - } - - /** - * Sets the scoreboard to show users the score from their class only - */ - public static void setScoreboardClassSpecific() { - if (!isLoaded) { - loadScoreboardStatus(); - } - - scoreboardEnabled = true; - scoreboardClass = new String(); - 
adminOnlyScoreboard = false; - classSpecificScoreboard = true; - publicScoreboard = false; - saveScoreboardStatus(); - - } - - /** - * Sets scoreboard to list all players regardless of class - */ - public static void setScoreboardOpen() { - if (!isLoaded) { - loadScoreboardStatus(); - } - - scoreboardEnabled = true; - scoreboardClass = new String(); - adminOnlyScoreboard = false; - classSpecificScoreboard = false; - publicScoreboard = false; - saveScoreboardStatus(); - - } - - /** - * Sets scoreboard to be public, even to unregistered users - */ - public static void setScoreboardPublic() { - if (!isLoaded) { - loadScoreboardStatus(); - } - - scoreboardEnabled = true; - scoreboardClass = new String(); - adminOnlyScoreboard = false; - classSpecificScoreboard = false; - publicScoreboard = true; - saveScoreboardStatus(); - - } - - private static void saveScoreboardStatus() { - - String statusToSave = ""; - - if (scoreboardEnabled) { - if (adminOnlyScoreboard) { - statusToSave = "adminOnly"; - } else { - if (classSpecificScoreboard) { - statusToSave = "classSpecific"; - } else { - if (publicScoreboard) { - statusToSave = "public"; - } else { - statusToSave = "open"; - } - } - } - } else { - statusToSave = "closed"; - } - - try { - - Setter.setScoreboardStatus("", statusToSave); - Setter.setScoreboardClass("", scoreboardClass); - - } catch (SQLException e) { - String message = "Could not save scoreboard status to database: " + e.toString(); - log.fatal(message); - throw new RuntimeException(message); - } - } - - private static void loadScoreboardStatus() { - - String loadedStatus = ""; - - try { - - loadedStatus = Getter.getScoreboardStatus(""); - scoreboardClass = Getter.getScoreboardClass(""); - - } catch (SQLException e) { - - String message = "Could not load scoreboard status setting from database " + e.toString(); - log.fatal(message); - throw new RuntimeException(message); - } - - if (loadedStatus.equals("closed")) { - scoreboardEnabled = false; - 
adminOnlyScoreboard = false; - classSpecificScoreboard = false; - scoreboardClass = ""; - publicScoreboard = false; - } else if (loadedStatus.equals("open")) { - scoreboardEnabled = true; - adminOnlyScoreboard = false; - classSpecificScoreboard = false; - publicScoreboard = false; - } else if (loadedStatus.equals("adminOnly")) { - scoreboardEnabled = true; - adminOnlyScoreboard = true; - classSpecificScoreboard = false; - publicScoreboard = false; - } else if (loadedStatus.equals("classSpecific")) { - scoreboardEnabled = true; - adminOnlyScoreboard = false; - classSpecificScoreboard = true; - publicScoreboard = false; - } else if (loadedStatus.equals("public")) { - scoreboardEnabled = true; - adminOnlyScoreboard = false; - classSpecificScoreboard = false; - publicScoreboard = true; - } else { - String message = "Invalid scoreboard status loaded from database: " + loadedStatus; - log.fatal(message); - throw new RuntimeException(message); - } - - isLoaded = true; - } - + private static final Logger log = LogManager.getLogger(ScoreboardStatus.class); + + private static boolean scoreboardEnabled = true; + private static String scoreboardClass = new String(); + private static boolean adminOnlyScoreboard = false; + private static boolean classSpecificScoreboard = false; + private static boolean publicScoreboard = false; + + private static boolean isLoaded = false; + + /** + * Returns if user is authorised to see scoreboard currenly. 
+ * + * @param userRole Must be player or admin + * @return + */ + public static boolean canSeeScoreboard(String userRole) { + if (!isLoaded) { + loadScoreboardStatus(); + } + boolean authorised = true; + if (adminOnlyScoreboard) { + if (userRole == null) { + return false; + } + authorised = userRole.equalsIgnoreCase("admin"); + } else if (publicScoreboard) { + // Scoreboard is public, always allow scoreboard to be shown, even to + // unauthorized users + return true; + } + return authorised && scoreboardEnabled; + } + + /** + * Used to tell if the current scoreboard config is set to Class Specific + * + * @return Boolean Value + */ + public static boolean getClassSpecificScoreboard() { + if (!isLoaded) { + loadScoreboardStatus(); + } + + return classSpecificScoreboard; + } + + public static String getScoreboardClass() { + if (!isLoaded) { + loadScoreboardStatus(); + } + + return scoreboardClass; + } + + /** + * Is the scoreboard configured to be displayed? + * + * @return + */ + public static boolean isScoreboardEnabled() { + if (!isLoaded) { + loadScoreboardStatus(); + } + + return scoreboardEnabled; + } + + /** + * Method to know if user is running a class specific scoreboard or not + * + * @return True if class specific scoreboard is enabled. Otherwise False + */ + public static boolean isClassSpecificScoreboard() { + if (!isLoaded) { + loadScoreboardStatus(); + } + + return classSpecificScoreboard; + } + + /** + * Method to know if scoreboard is public + * + * @return True if scoreboard is public. 
Otherwise False + */ + public static boolean isPublicScoreboard() { + if (!isLoaded) { + loadScoreboardStatus(); + } + + return publicScoreboard; + } + + /** Disables scoreboard functions */ + public static void disableScoreboard() { + if (!isLoaded) { + loadScoreboardStatus(); + } + + scoreboardEnabled = false; + adminOnlyScoreboard = false; + scoreboardClass = new String(); + classSpecificScoreboard = false; + publicScoreboard = false; + saveScoreboardStatus(); + } + + /** Sets the scoreboard to be admin only */ + public static void setScoreboardAdminOnly() { + if (!isLoaded) { + loadScoreboardStatus(); + } + + scoreboardEnabled = true; + adminOnlyScoreboard = true; + publicScoreboard = false; + saveScoreboardStatus(); + } + + /** + * Enables public Scoreboard based on scores from specific class + * + * @param theClass Class to base the Scoreboard on + */ + public static void setScoreboardClass(String theClass) { + if (!isLoaded) { + loadScoreboardStatus(); + } + + scoreboardClass = theClass; + scoreboardEnabled = true; + adminOnlyScoreboard = false; + classSpecificScoreboard = false; + publicScoreboard = false; + saveScoreboardStatus(); + } + + /** Sets the scoreboard to show users the score from their class only */ + public static void setScoreboardClassSpecific() { + if (!isLoaded) { + loadScoreboardStatus(); + } + + scoreboardEnabled = true; + scoreboardClass = new String(); + adminOnlyScoreboard = false; + classSpecificScoreboard = true; + publicScoreboard = false; + saveScoreboardStatus(); + } + + /** Sets scoreboard to list all players regardless of class */ + public static void setScoreboardOpen() { + if (!isLoaded) { + loadScoreboardStatus(); + } + + scoreboardEnabled = true; + scoreboardClass = new String(); + adminOnlyScoreboard = false; + classSpecificScoreboard = false; + publicScoreboard = false; + saveScoreboardStatus(); + } + + /** Sets scoreboard to be public, even to unregistered users */ + public static void setScoreboardPublic() { + if 
(!isLoaded) { + loadScoreboardStatus(); + } + + scoreboardEnabled = true; + scoreboardClass = new String(); + adminOnlyScoreboard = false; + classSpecificScoreboard = false; + publicScoreboard = true; + saveScoreboardStatus(); + } + + private static void saveScoreboardStatus() { + + String statusToSave = ""; + + if (scoreboardEnabled) { + if (adminOnlyScoreboard) { + statusToSave = "adminOnly"; + } else { + if (classSpecificScoreboard) { + statusToSave = "classSpecific"; + } else { + if (publicScoreboard) { + statusToSave = "public"; + } else { + statusToSave = "open"; + } + } + } + } else { + statusToSave = "closed"; + } + + try { + + Setter.setScoreboardStatus("", statusToSave); + Setter.setScoreboardClass("", scoreboardClass); + + } catch (SQLException e) { + String message = "Could not save scoreboard status to database: " + e.toString(); + log.fatal(message); + throw new RuntimeException(message); + } + } + + private static void loadScoreboardStatus() { + + String loadedStatus = ""; + + try { + + loadedStatus = Getter.getScoreboardStatus(""); + scoreboardClass = Getter.getScoreboardClass(""); + + } catch (SQLException e) { + + String message = "Could not load scoreboard status setting from database " + e.toString(); + log.fatal(message); + throw new RuntimeException(message); + } + + if (loadedStatus.equals("closed")) { + scoreboardEnabled = false; + adminOnlyScoreboard = false; + classSpecificScoreboard = false; + scoreboardClass = ""; + publicScoreboard = false; + } else if (loadedStatus.equals("open")) { + scoreboardEnabled = true; + adminOnlyScoreboard = false; + classSpecificScoreboard = false; + publicScoreboard = false; + } else if (loadedStatus.equals("adminOnly")) { + scoreboardEnabled = true; + adminOnlyScoreboard = true; + classSpecificScoreboard = false; + publicScoreboard = false; + } else if (loadedStatus.equals("classSpecific")) { + scoreboardEnabled = true; + adminOnlyScoreboard = false; + classSpecificScoreboard = true; + publicScoreboard = 
false; + } else if (loadedStatus.equals("public")) { + scoreboardEnabled = true; + adminOnlyScoreboard = false; + classSpecificScoreboard = false; + publicScoreboard = true; + } else { + String message = "Invalid scoreboard status loaded from database: " + loadedStatus; + log.fatal(message); + throw new RuntimeException(message); + } + + isLoaded = true; + } } diff --git a/src/main/java/utils/ShepherdLogManager.java b/src/main/java/utils/ShepherdLogManager.java index 614d9b30f..092c5149a 100644 --- a/src/main/java/utils/ShepherdLogManager.java +++ b/src/main/java/utils/ShepherdLogManager.java 
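Review bot: `setScoreboardAdminOnly()` on the new side resets `publicScoreboard` but leaves `classSpecificScoreboard` and `scoreboardClass` untouched, so after switching from a class-specific board to admin-only, `isClassSpecificScoreboard()` and `getScoreboardClass()` keep reporting the old mode until the next reload, while `saveScoreboardStatus()` persists "adminOnly" because that branch is tested first; every other mode setter clears all the flags. Adding `classSpecificScoreboard = false;` and `scoreboardClass = new String();` beside the existing `publicScoreboard = false;` makes the in-memory state match what is stored. Separately, all of this is unsynchronized static state behind a lazy `isLoaded` check, so concurrent first requests can each hit the database and a request in the middle of `canSeeScoreboard` can observe a mode change half-applied; if that matters, wrapping the load, save and setters in `synchronized` on the class is the smallest fix. Note also that the Javadoc on `setScoreboardClass` says it enables a public scoreboard while the body sets `publicScoreboard = false`.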
@@ -1,67 +1,74 @@ package utils; -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.ThreadContext; -public class ShepherdLogManager -{ - private static final Logger log = LogManager.getLogger(ShepherdLogManager.class); +public class ShepherdLogManager { + + private static final Logger log = LogManager.getLogger(ShepherdLogManager.class); - public static void setRequestIp (String theIp) - { - ThreadContext.put("RemoteAddress", theIp); - } + public static void setRequestIp(String theIp) { + ThreadContext.put("RemoteAddress", theIp); + } - public static void logEvent(String theIp, String theMessage) - { - setRequestIp(theIp); - log.debug(theMessage); - } + public static void logEvent(String theIp, String theMessage) { + setRequestIp(theIp); + log.debug(theMessage); + } - public static void setRequestIp (String theIp, String theForwardedIp) - { - if (theForwardedIp != null && !theForwardedIp.isEmpty()) //If string is not null and not empty set normal message - ThreadContext.put("RemoteAddress", theIp + " from " + theForwardedIp); - else //No Forward Header detected so Log that - ThreadContext.put("RemoteAddress", theIp + " from ?.?.?.?"); - } + public static void setRequestIp(String theIp, String theForwardedIp) { + if (theForwardedIp != null + && !theForwardedIp.isEmpty()) // If string is not null and not empty set normal message + { + ThreadContext.put("RemoteAddress", theIp + " from " + theForwardedIp); + } else // No Forward Header detected so Log that + { + ThreadContext.put("RemoteAddress", theIp + " from ?.?.?.?"); + } + } - public static void logEvent(String theIp, String theForwardedIp, String theMessage) - { - setRequestIp(theIp, theForwardedIp); - log.debug(theMessage); - } + public static void logEvent(String theIp, String theForwardedIp, String theMessage) { + setRequestIp(theIp, theForwardedIp); + log.debug(theMessage); + } - /** - * Logs Event with 
username at beginning of log - * @param theIp - * @param theForwardedIp - * @param theMessage - * @param theUser - */ - public static void logEvent(String theIp, String theForwardedIp, String theMessage, Object theUser) - { - String userName = new String(); - if(theUser != null) - userName = theUser.toString(); - if (userName.isEmpty()) - userName = new String("UnknownUser"); - setRequestIp(theIp, theForwardedIp, userName); - log.debug(theMessage); - } + /** + * Logs Event with username at beginning of log + * + * @param theIp + * @param theForwardedIp + * @param theMessage + * @param theUser + */ + public static void logEvent( + String theIp, String theForwardedIp, String theMessage, Object theUser) { + String userName = new String(); + if (theUser != null) { + userName = theUser.toString(); + } + if (userName.isEmpty()) { + userName = new String("UnknownUser"); + } + setRequestIp(theIp, theForwardedIp, userName); + log.debug(theMessage); + } - /** - * Sets IP of request and preceeds it with the username of the logged in user - * @param theIp - * @param theForwardedIp - */ - public static void setRequestIp (String theIp, String theForwardedIp, String userName) - { + /** + * Sets IP of request and preceeds it with the username of the logged in user + * + * @param theIp + * @param theForwardedIp + */ + public static void setRequestIp(String theIp, String theForwardedIp, String userName) { - if (theForwardedIp != null && !theForwardedIp.isEmpty()) //If string is not null and not empty set normal message - ThreadContext.put("RemoteAddress", userName + " at " + theIp + " from " + theForwardedIp); - else //No Forward Header detected so Log that - ThreadContext.put("RemoteAddress", userName + " at " + theIp + " from ?.?.?.?"); - } + if (theForwardedIp != null + && !theForwardedIp.isEmpty()) // If string is not null and not empty set normal message + { + ThreadContext.put("RemoteAddress", userName + " at " + theIp + " from " + theForwardedIp); + } else // No Forward 
Header detected so Log that + { + ThreadContext.put("RemoteAddress", userName + " at " + theIp + " from ?.?.?.?"); + } + } } diff --git a/src/main/java/utils/SqlFilter.java b/src/main/java/utils/SqlFilter.java index a6690054d..ab083caaa 100644 --- a/src/main/java/utils/SqlFilter.java +++ b/src/main/java/utils/SqlFilter.java @@ -1,66 +1,76 @@ package utils; -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; /** - * Filters used to make SQL injection more difficult to perform - *
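Review bot: In both `setRequestIp(String, String)` and `setRequestIp(String, String, String)`, `theForwardedIp` and `userName` are written into the `RemoteAddress` thread context verbatim; the inline comments indicate the forwarded value comes from a forward header, which is client-supplied, so a value containing CR/LF can split the log line and forge entries (including a fake `from ?.?.?.?` suffix). Stripping control characters before the `put`, e.g. `theForwardedIp = theForwardedIp.replaceAll("[\\r\\n\\t]", "");` and the same for `userName` (which is whatever `theUser.toString()` returns), keeps one event per line. It is also worth stating in the class Javadoc that `RemoteAddress` is per-thread and is never cleared here, so a pooled servlet thread carries the previous request's value into the next one unless a caller resets it; that is inferred from `ThreadContext.put` having no matching `remove` in this class, so confirm against the filters that call it.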

+ * Filters used to make SQL injection more difficult to perform
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class SqlFilter -{ - private static final Logger log = LogManager.getLogger(SqlFilter.class); +public class SqlFilter { + + private static final Logger log = LogManager.getLogger(SqlFilter.class); - public static String levelFour (String input) - { - input = input.toLowerCase(); - while(input.contains("'")) - { - log.debug("Scrubbing ' from input"); - input = input.replaceAll("'", ""); - } - return input; - } + public static String levelFour(String input) { + input = input.toLowerCase(); + while (input.contains("'")) { + log.debug("Scrubbing ' from input"); + input = input.replaceAll("'", ""); + } + return input; + } - public static String levelOne (String input) - { - log.debug("Filtering input at SQL levelOne"); - return input.replaceFirst("'", ""); - } + public static String levelOne(String input) { + log.debug("Filtering input at SQL levelOne"); + return input.replaceFirst("'", ""); + } - public static String levelThree (String input) - { - log.debug("Filtering input at SQL levelThree"); - input = input.toLowerCase(); - input = input.replaceAll("|", "").replaceAll("&", "").replaceAll("!", "").replaceAll("-", "").replaceAll(";", ""); - while(input.contains("or") || input.contains("true") || input.contains("false") || input.contains("and") || input.contains("is")) - input = input.replaceAll("or", "").replaceAll("true", "").replaceAll("and", "").replaceAll("false", "").replaceAll("is", ""); - return input; - } + public static String levelThree(String input) { + log.debug("Filtering input at SQL levelThree"); + input = input.toLowerCase(); + input = + input + .replaceAll("|", "") + .replaceAll("&", "") + .replaceAll("!", "") + .replaceAll("-", "") + .replaceAll(";", ""); + while (input.contains("or") + || input.contains("true") + || input.contains("false") + || input.contains("and") + || 
input.contains("is")) { + input = + input + .replaceAll("or", "") + .replaceAll("true", "") + .replaceAll("and", "") + .replaceAll("false", "") + .replaceAll("is", ""); + } + return input; + } - public static String levelTwo (String input) - { - log.debug("Filtering input at SQL levelTwo"); - input = input.replaceAll("OR", "").replaceAll("or", ""); - input = input.replaceAll("OR", "").replaceAll("or", ""); - input = input.replaceAll("|", "").replaceAll("&", ""); - input = input.replaceAll("true", "").replaceAll("TRUE", ""); - return input; - } + public static String levelTwo(String input) { + log.debug("Filtering input at SQL levelTwo"); + input = input.replaceAll("OR", "").replaceAll("or", ""); + input = input.replaceAll("OR", "").replaceAll("or", ""); + input = input.replaceAll("|", "").replaceAll("&", ""); + input = input.replaceAll("true", "").replaceAll("TRUE", ""); + return input; + } } diff --git a/src/main/java/utils/UserKicker.java b/src/main/java/utils/UserKicker.java index 53ddb1c5a..2fad2d845 100644 --- a/src/main/java/utils/UserKicker.java +++ b/src/main/java/utils/UserKicker.java 
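Review bot: `replaceAll("|", "")` in `levelTwo` and `levelThree` never removes a pipe character: `String.replaceAll` takes a regex, and `|` on its own is an empty alternation that matches the empty string, so the call is a no-op and `|` passes through both filters unchanged (the other single-character patterns `&`, `!`, `-`, `;` are literal in regex and do work). If blocking `|` is intended, `input.replace("|", "")` (literal, not regex) does it; if letting `|` through is a deliberate weakness of these lesson filters, a comment saying so on each call would stop the next reader from "fixing" it. The class Javadoc should also make explicit that these are intentionally bypassable blacklist scrubbers for the training levels and not a substitute for parameterized queries, which the level naming implies but nothing states.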
@@ -2,62 +2,59 @@ import java.util.ArrayList; import java.util.List; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; /** * Used to help application kick users that have been suspended - * @author Mark Denihan * + * @author Mark Denihan */ -public class UserKicker -{ - private static final Logger log = LogManager.getLogger(UserKicker.class); - private static List kickTheseUsers = new ArrayList(); +public class UserKicker { + + private static final Logger log = LogManager.getLogger(UserKicker.class); + private static List kickTheseUsers = new ArrayList(); - /** - * Add's a specific user to the kick list - * @param userName The user name to kick - */ - public static void addUserToKickList(String userName) - { - log.debug("Adding " + userName + " to kick list"); - kickTheseUsers.add(userName); - } + /** + * Add's a specific user to the kick list + * + * @param userName The user name to kick + */ + public static void addUserToKickList(String userName) { + log.debug("Adding " + userName + " to kick list"); + kickTheseUsers.add(userName); + } - /** - * Tells you if a user is on the kick list - * @param userName User to search the list for - * @return True if the user should be kicked - */ - public static boolean shouldKickUser(String userName) - { - if (!kickTheseUsers.isEmpty()) - { - log.debug("Kick list Is Not Empty! Checking..."); - boolean kickUser = kickTheseUsers.contains(userName); - if (kickUser) - log.debug(userName + " is in kick list"); - return kickUser; - } - else - { - //log.debug("Empty Kick List! Skiping..."); - return false; - } - } + /** + * Tells you if a user is on the kick list + * + * @param userName User to search the list for + * @return True if the user should be kicked + */ + public static boolean shouldKickUser(String userName) { + if (!kickTheseUsers.isEmpty()) { + log.debug("Kick list Is Not Empty! 
Checking..."); + boolean kickUser = kickTheseUsers.contains(userName); + if (kickUser) { + log.debug(userName + " is in kick list"); + } + return kickUser; + } else { + // log.debug("Empty Kick List! Skiping..."); + return false; + } + } - /** - * Removes a user from the kick list. Should be used after user has been kicked - * @param userName Username of the user to remove from kick list - */ - public static void removeFromKicklist(String userName) - { - if(shouldKickUser(userName)) //If User is in list - { - log.debug("Removing " + userName + " from kick list"); - kickTheseUsers.remove(userName); - } - } + /** + * Removes a user from the kick list. Should be used after user has been kicked + * + * @param userName Username of the user to remove from kick list + */ + public static void removeFromKicklist(String userName) { + if (shouldKickUser(userName)) // If User is in list + { + log.debug("Removing " + userName + " from kick list"); + kickTheseUsers.remove(userName); + } + } } diff --git a/src/main/java/utils/Validate.java b/src/main/java/utils/Validate.java index 286ac6eca..10966c01a 100644 --- a/src/main/java/utils/Validate.java +++ b/src/main/java/utils/Validate.java @@ -1,512 +1,516 @@ package utils; import java.math.BigInteger; - import javax.mail.internet.AddressException; import javax.mail.internet.InternetAddress; import javax.servlet.http.Cookie; import javax.servlet.http.HttpSession; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; /** - * Class is used to validate various inputs
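Review bot: `private static List kickTheseUsers = new ArrayList();` keeps a raw, unsynchronized list in a static field that addUserToKickList and removeFromKicklist mutate while shouldKickUser reads it; Validate.validateSession calls these from request handling, so they presumably run on several servlet threads at once, which a plain ArrayList does not tolerate. Declaring it as `private static final List<String> kickTheseUsers = new CopyOnWriteArrayList<>();` (or wrapping with `Collections.synchronizedList`) removes both the raw type and the data race without changing any caller. The check-then-act in removeFromKicklist (`shouldKickUser` followed by `remove`) stays harmless with either choice, since removing an absent element is a no-op. The reformatted `if (shouldKickUser(userName)) // If User is in list` with its `{` on the following line is still not in the Google style the commit is applying; moving the comment inside the block lets the brace sit on the `if` line.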
- *
+ * Class is used to validate various inputs
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it - * and/or modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, either version 3 of the License, - * or (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be - * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General - * Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License along with - * the Security Shepherd project. If not, see . + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * * @author Mark Denihan - * */ public class Validate { - private static final Logger log = LogManager.getLogger(Validate.class); - - /** - * Finds JSession token from user's cookies[], validates and returns. - * - * @param userCookies Cookies from users browser - * @return JSession Id - */ - public static Cookie getSessionId(Cookie[] userCookies) { - int i = 0; - Cookie theSessionId = null; - for (i = 0; i < userCookies.length; i++) { - if (userCookies[i].getName().compareTo("JSESSIONID") == 0) { - theSessionId = userCookies[i]; - break; // End Loop, because we found the theSessionId - } - } - return theSessionId; - } - - /** - * Finds CSRF token from user's cookies[], validates. - * - * @param userCookies All of the user's cookies from their browser - * @return csrfCookie - */ - public static Cookie getToken(Cookie[] userCookies) { - int i = 0; - Cookie theToken = null; - for (i = 0; i < userCookies.length; i++) { - if (userCookies[i].getName().compareTo("token") == 0) { - theToken = userCookies[i]; - break; // End Loop, because we found the token - } - } - if (theToken != null) { - // log.debug("Found Cookie " + theToken.getName() + " with value " + - // theToken.getValue()); - // The Token is currently designed to be a random Big Integer. If the Big - // Integer Case does not work, the token has been modified. 
Potentially in a - // malicious manner - try { - BigInteger theTokenCasted = new BigInteger(theToken.getValue()); - BigInteger tenGrand = new BigInteger("10000"); - BigInteger tenGrandNeg = new BigInteger("-10000"); - if (!(theTokenCasted.compareTo(tenGrand) > 0 || theTokenCasted.compareTo(tenGrandNeg) < 0)) { - log.error("CSRF Cookie Token was modified in some manor!"); - theToken = null; - } - } catch (Exception e) { - log.error("CSRF Cookie Token was modified in some manor: " + e.toString()); - theToken = null; - } - } - return theToken; - } - - /** - * Validates class year when creating classes. Class year should be YY/YY, e.g. - * 11/12. So the first year must be less than the second. - * - * @param classYear Class Year in YY/YY format, e.g. 11/12. - * @return Boolean value stating weather or not these supplied attributes make a - * valid class year - */ - public static boolean isValidClassYear(String classYear) { - boolean result = false; - result = classYear.length() == 4; - if (result) { - try { - result = Integer.parseInt(classYear) > 2010; - } catch (NumberFormatException e) { - log.error("Could not parse classYear " + classYear); - result = false; - throw new RuntimeException(e); - } - } - return result; - } - - /** - * Email validation - * - * @param email - * @return Boolean reflect email validity - */ - public static boolean isValidEmailAddress(String email) { - boolean result = true; - try { - log.debug("Validating email"); - InternetAddress emailAddr = new InternetAddress(email); - log.debug("Did we crash"); - emailAddr.validate(); - log.debug("Didn't crash"); - } catch (AddressException ex) { - result = false; - } - return result; - } - - /** - * Invalid password detecter - * - * @param passWord - * @return - */ - public static boolean isValidPassword(String passWord) { - boolean result = false; - result = passWord.length() > 7 && passWord.length() <= 512; - if (!result) { - log.debug("Invalid Password detected"); - } - return result; - } - - /** - 
* Used to validate user creation requests - * - * @param userName User Name - * @param passWord User Password - * @return Boolean value stating weather or not these supplied attributes make a - * valid user - */ - public static boolean isValidUser(String userName, String passWord) { - int userLength = userName.length(); - int passLength = passWord.length(); - - boolean userOK = userLength > 2 && userLength <= 32; - boolean passOK = passLength > 7 && passLength <= 512; - - boolean result = userOK && passOK; - - if (!result) { - log.debug("Invalid Data detected in Validate.isValidUser()"); - } - return result; - } - - /** - * Used to validate user creation requests - * - * @param userName User Name - * @param passWord User Password - * @param userAddress User address - * @return Boolean value stating weather or not these supplied attributes make a - * valid user - */ - public static boolean isValidUser(String userName, String passWord, String userAddress) { - boolean result = false; - result = userName.length() > 2 && passWord.length() >= 8 && userName.length() <= 32 && passWord.length() <= 512 - && userAddress.length() <= 128; - if (!result) { - log.debug("Invalid Data detected in Validate.isValidUser()"); - } - return result; - } - - /** - * Quick method to prevent data and javascript URLs - * - * @param theUrl - * @return - */ - public static String makeValidUrl(String theUrl) { - theUrl = theUrl.toLowerCase(); - if (!theUrl.startsWith("http")) { - theUrl = "http" + theUrl; - log.debug("Transformed to: " + theUrl); - } - return theUrl; - } - - /** - * Session is checked for credentials and ensures that they have not been - * modified and that they are valid for an administrator - * - * @param ses HttpSession from users browser - * @return Boolean value that reflects the validity of the admins session - */ - public static boolean validateAdminSession(HttpSession ses) { - boolean result = false; - String userName = new String(); - if (ses == null) { - log.debug("No 
Session Found"); - } else { - if (ses.getAttribute("logout") != null) { - log.debug("Logout Attribute Found: Invalidating session..."); - ses.invalidate(); // make servlet engine forget the session - } else { - // log.debug("Active Session Found"); - if (ses.getAttribute("userRole") != null && ses.getAttribute("userName") != null) { - try { - userName = (String) ses.getAttribute("userName"); - // log.debug("Session holder is " + userName); - String role = (String) ses.getAttribute("userRole"); - result = (role.compareTo("admin") == 0); - if (!result) - log.fatal("User " + userName + " Attempting Admin functions! (CSRF Tokens Not Checked)"); - } catch (Exception e) { - log.fatal("Tampered Parameter Detected!!! Could not parameters"); - } - } else { - log.debug("Session has no credentials"); - } - } - } - return result; - } - - /** - * Session is checked for credentials and ensures that they have not been - * modified and that they are valid for an administrator. This function also - * validates CSRF tokens - * - * @param ses HttpSession from users browser - * @return Boolean value that reflects the validity of the admins session - */ - public static boolean validateAdminSession(HttpSession ses, Cookie cookieToken, Object requestToken) { - boolean result = false; - String userName = new String(); - if (ses == null) { - log.debug("No Session Found"); - } else { - if (ses.getAttribute("logout") != null) { - log.debug("Logout Attribute Found: Invalidating session..."); - ses.invalidate(); // make servlet engine forget the session - } else { - // log.debug("Active Session Found"); - if (ses.getAttribute("userRole") != null && ses.getAttribute("userName") != null) { - try { - userName = (String) ses.getAttribute("userName"); - // log.debug("Session holder is " + userName); - String role = (String) ses.getAttribute("userRole"); - result = (role.compareTo("admin") == 0); - if (!result) { - // Check CSRF Tokens of User to ensure they are not being CSRF'd into causing - // 
Unauthorised Access Alert - boolean validCsrfTokens = validateTokens(cookieToken, requestToken); - if (validCsrfTokens) - log.fatal("User account " + userName - + " Attempting Admin functions! (With Valid CSRF Tokens)"); - else - log.error( - "User account " + userName + " accessing admin function with bad CSRF Tokens"); - } - - } catch (Exception e) { - log.fatal("Tampered Parameter Detected!!! Could not parameters"); - } - } else { - log.debug("Session has no credentials"); - } - } - } - return result; - } - - /** - * Takes a String submitted to be used to encrypt and makes it the correct - * length for an encryption key - * - * @param userSalt String to be validated - * @return A Valid Encryption Key based on the input - */ - public static String validateEncryptionKey(String userSalt) { - String newKey = new String(); - int keySize = userSalt.length(); - if (keySize == 16) { - // log.debug("Key Already Valid"); - newKey = userSalt; - } else { - if (keySize > 16) { - // log.debug("Key too Long..."); - newKey = userSalt.substring(0, 16); - } else // Shorter than 16 - { - // log.debug("Key too Short..."); - newKey = userSalt; - int howManyTimes = (16 / keySize) - 1; - // log.debug("Repeating String " + howManyTimes + " times"); - for (int i = 0; i < howManyTimes; i++) - newKey += userSalt; - keySize = newKey.length(); - int toAdd = 16 - keySize; - // log.debug("Adding " + toAdd + " more characters"); - newKey = newKey.concat(userSalt.substring(0, toAdd)); - } - } - log.debug("Encryption key is '" + newKey + "'"); - return newKey; - } - - /** - * Function that will check if a valid language is set. 
if not, returns en - * (English) - * - * @param ses Session Language Parameter - * @return en by default, or the valid setting found in the submitted lang - */ - public static String validateLanguage(HttpSession ses) { - String result = "en_GB"; - String lang = new String(); - - try - { - lang = ses.getAttribute("lang").toString(); - } - catch(NullPointerException e) - { - lang = ""; - } - // log.debug("lang submitted: " + lang); - if (lang != null) { - if (lang.matches(".[a-z]{2}-[A-Z]{2}$")) - result = lang; - } - // log.debug("lang set to: " + result); - - return result; - } - - /** - * Validates objects received through a function request. Also ensures max - * length is not too high. - * - * @param input Object to validate - * @param maxLength Maximum length of object - * @return Validated String value or empty string value - */ - public static String validateParameter(Object input, int maxLength) { - String result = new String(); - - if (input == null) { - result = new String(); - } else { - result = (String) input; - if (result.length() > maxLength) { - log.debug("Parameter Too Long: " + result.length() + " characters"); - log.debug("Parmaeter Was: " + result); - result = new String(); - } - } - - return result; - } - - /** - * Session is checked for credentials and ensures that they have not been - * modified and that they are valid - * - * @param ses HttpSession from users browser - * @return Boolean value that reflects the validity of the users session - */ - public static boolean validateSession(HttpSession ses) { - boolean result = false; - if (ses == null) { - log.debug("No Session Found"); - } else { - if (ses.getAttribute("logout") != null) { - log.debug("Logout Attribute Found: Invalidating session..."); - ses.invalidate(); // make servlet engine forget the session - } else { - // log.debug("Active Session Found"); - if (ses.getAttribute("userRole") != null) { - try { - // log.debug("Session holder is "+ses.getAttribute("userName").toString()); - 
String role = (String) ses.getAttribute("userRole"); - result = (role.compareTo("player") == 0 || role.compareTo("admin") == 0); - if (!result) - log.fatal("User Role Parameter Tampered. Role = " + role); - else { - String userName = ses.getAttribute("userName").toString(); - // Has the user been suspended? Should they be kicked? - if (UserKicker.shouldKickUser(userName)) { - log.debug(userName - + " has been Suspended. Invalidating Session and Reporting Invalid Session"); - ses.invalidate(); // Killing Session - result = false; // User will not access function they were attempting to call - UserKicker.removeFromKicklist(userName); // Removing from kick list, as they are now - // authenticated, the DB Layer Suspension - // will prevent them from signing in - } - } - } catch (Exception e) { - log.fatal("Tampered Parameter Detected!!! Could not Decrypt stamp"); - } - } else { - log.debug("Session has no credentials"); - } - } - } - return result; - } - - /** - * This method compares the two submitted tokens after ensuring they are not - * null and not empty. 
- * - * @param cookieToken CSRF cookie Token - * @param requestToken CSRF request Token - * @return A boolean value stating weather or not the tokens are valid - */ - public static boolean validateTokens(Cookie cookieToken, Object requestToken) { - boolean result = false; - boolean cookieNull = (cookieToken == null); - boolean requestNull = (requestToken == null); - if (!cookieNull && !requestNull) { - - String theRequest = (String) requestToken; - String theCookie = cookieToken.getValue(); - boolean cookieEmpty = theCookie.isEmpty(); - boolean requestEmpty = theRequest.isEmpty(); - - if (!cookieEmpty && !requestEmpty) - result = theRequest.compareTo(theCookie) == 0; - else if (cookieEmpty) - log.error("Cookie Token Empty"); - else if (requestEmpty) - log.error("Request Token Empty"); - - if (!result) - log.error("CSRF Tokens did not match"); - - } else { - if (cookieNull) - log.error("Cookie Token was Null"); - else if (requestNull) - log.error("Request Token was Null"); - } - return result; - } - - /** - * Validates file name attributes to defend against path traversal - * - * @param fileName File name to validate - * @return Boolean value reflecting if valid or not - */ - /* - * public static String validateFileName(String fileName) { - * ShepherdLogManager.logEvent(request.getRemoteAddr(), - * request.getHeader("X-Forwarded-For"), "fileName: " + fileName); fileName = - * fileName.replaceAll(" ", "").replaceAll("\\.", "").replaceAll("/", - * "").replaceAll("\\\\", "").replaceAll("\n", ""); - * ShepherdLogManager.logEvent(request.getRemoteAddr(), - * request.getHeader("X-Forwarded-For"), "fileName: " + fileName); return - * fileName; } - */ - - public static boolean validHostUrl(String hostUrl) { - // TODO - Pull other validation steps into this - boolean result; - result = hostUrl.endsWith("/"); - if (!result) - log.error("URL Doesn't end with a forward slash. 
Very likely wrong"); - return result; - } - - /** - * Validates that a port number supplied is a valid port number - * - * @param portNum String to validate - * @return Boolean value reflecting if valid or not - */ - public static boolean isValidPortNumber(String portNum) { - try { - Integer validPort = Integer.valueOf(portNum); - if (validPort < 1 || validPort > 65535) { - log.fatal("Value: " + portNum + "is not a valid port number"); - return false; - } - } catch (NumberFormatException e) { - log.fatal("Value: " + portNum + "is not a valid port number"); - return false; - } - return true; - } + + private static final Logger log = LogManager.getLogger(Validate.class); + + /** + * Finds JSession token from user's cookies[], validates and returns. + * + * @param userCookies Cookies from users browser + * @return JSession Id + */ + public static Cookie getSessionId(Cookie[] userCookies) { + int i = 0; + Cookie theSessionId = null; + for (i = 0; i < userCookies.length; i++) { + if (userCookies[i].getName().compareTo("JSESSIONID") == 0) { + theSessionId = userCookies[i]; + break; // End Loop, because we found the theSessionId + } + } + return theSessionId; + } + + /** + * Finds CSRF token from user's cookies[], validates. + * + * @param userCookies All of the user's cookies from their browser + * @return csrfCookie + */ + public static Cookie getToken(Cookie[] userCookies) { + int i = 0; + Cookie theToken = null; + for (i = 0; i < userCookies.length; i++) { + if (userCookies[i].getName().compareTo("token") == 0) { + theToken = userCookies[i]; + break; // End Loop, because we found the token + } + } + if (theToken != null) { + // log.debug("Found Cookie " + theToken.getName() + " with value " + + // theToken.getValue()); + // The Token is currently designed to be a random Big Integer. If the Big + // Integer Case does not work, the token has been modified. 
Potentially in a + // malicious manner + try { + BigInteger theTokenCasted = new BigInteger(theToken.getValue()); + BigInteger tenGrand = new BigInteger("10000"); + BigInteger tenGrandNeg = new BigInteger("-10000"); + if (!(theTokenCasted.compareTo(tenGrand) > 0 + || theTokenCasted.compareTo(tenGrandNeg) < 0)) { + log.error("CSRF Cookie Token was modified in some manor!"); + theToken = null; + } + } catch (Exception e) { + log.error("CSRF Cookie Token was modified in some manor: " + e.toString()); + theToken = null; + } + } + return theToken; + } + + /** + * Validates class year when creating classes. Class year should be YY/YY, e.g. 11/12. So the + * first year must be less than the second. + * + * @param classYear Class Year in YY/YY format, e.g. 11/12. + * @return Boolean value stating weather or not these supplied attributes make a valid class year + */ + public static boolean isValidClassYear(String classYear) { + boolean result = false; + result = classYear.length() == 4; + if (result) { + try { + result = Integer.parseInt(classYear) > 2010; + } catch (NumberFormatException e) { + log.error("Could not parse classYear " + classYear); + result = false; + throw new RuntimeException(e); + } + } + return result; + } + + /** + * Email validation + * + * @param email + * @return Boolean reflect email validity + */ + public static boolean isValidEmailAddress(String email) { + boolean result = true; + try { + log.debug("Validating email"); + InternetAddress emailAddr = new InternetAddress(email); + log.debug("Did we crash"); + emailAddr.validate(); + log.debug("Didn't crash"); + } catch (AddressException ex) { + result = false; + } + return result; + } + + /** + * Invalid password detecter + * + * @param passWord + * @return + */ + public static boolean isValidPassword(String passWord) { + boolean result = false; + result = passWord.length() > 7 && passWord.length() <= 512; + if (!result) { + log.debug("Invalid Password detected"); + } + return result; + } + + /** + * 
Used to validate user creation requests + * + * @param userName User Name + * @param passWord User Password + * @return Boolean value stating weather or not these supplied attributes make a valid user + */ + public static boolean isValidUser(String userName, String passWord) { + int userLength = userName.length(); + int passLength = passWord.length(); + + boolean userOK = userLength > 2 && userLength <= 32; + boolean passOK = passLength > 7 && passLength <= 512; + + boolean result = userOK && passOK; + + if (!result) { + log.debug("Invalid Data detected in Validate.isValidUser()"); + } + return result; + } + + /** + * Used to validate user creation requests + * + * @param userName User Name + * @param passWord User Password + * @param userAddress User address + * @return Boolean value stating weather or not these supplied attributes make a valid user + */ + public static boolean isValidUser(String userName, String passWord, String userAddress) { + boolean result = false; + result = + userName.length() > 2 + && passWord.length() >= 8 + && userName.length() <= 32 + && passWord.length() <= 512 + && userAddress.length() <= 128; + if (!result) { + log.debug("Invalid Data detected in Validate.isValidUser()"); + } + return result; + } + + /** + * Quick method to prevent data and javascript URLs + * + * @param theUrl + * @return + */ + public static String makeValidUrl(String theUrl) { + theUrl = theUrl.toLowerCase(); + if (!theUrl.startsWith("http")) { + theUrl = "http" + theUrl; + log.debug("Transformed to: " + theUrl); + } + return theUrl; + } + + /** + * Session is checked for credentials and ensures that they have not been modified and that they + * are valid for an administrator + * + * @param ses HttpSession from users browser + * @return Boolean value that reflects the validity of the admins session + */ + public static boolean validateAdminSession(HttpSession ses) { + boolean result = false; + String userName = new String(); + if (ses == null) { + log.debug("No 
Session Found"); + } else { + if (ses.getAttribute("logout") != null) { + log.debug("Logout Attribute Found: Invalidating session..."); + ses.invalidate(); // make servlet engine forget the session + } else { + // log.debug("Active Session Found"); + if (ses.getAttribute("userRole") != null && ses.getAttribute("userName") != null) { + try { + userName = (String) ses.getAttribute("userName"); + // log.debug("Session holder is " + userName); + String role = (String) ses.getAttribute("userRole"); + result = (role.compareTo("admin") == 0); + if (!result) { + log.fatal( + "User " + userName + " Attempting Admin functions! (CSRF Tokens Not Checked)"); + } + } catch (Exception e) { + log.fatal("Tampered Parameter Detected!!! Could not parameters"); + } + } else { + log.debug("Session has no credentials"); + } + } + } + return result; + } + + /** + * Session is checked for credentials and ensures that they have not been modified and that they + * are valid for an administrator. This function also validates CSRF tokens + * + * @param ses HttpSession from users browser + * @return Boolean value that reflects the validity of the admins session + */ + public static boolean validateAdminSession( + HttpSession ses, Cookie cookieToken, Object requestToken) { + boolean result = false; + String userName = new String(); + if (ses == null) { + log.debug("No Session Found"); + } else { + if (ses.getAttribute("logout") != null) { + log.debug("Logout Attribute Found: Invalidating session..."); + ses.invalidate(); // make servlet engine forget the session + } else { + // log.debug("Active Session Found"); + if (ses.getAttribute("userRole") != null && ses.getAttribute("userName") != null) { + try { + userName = (String) ses.getAttribute("userName"); + // log.debug("Session holder is " + userName); + String role = (String) ses.getAttribute("userRole"); + result = (role.compareTo("admin") == 0); + if (!result) { + // Check CSRF Tokens of User to ensure they are not being CSRF'd into causing 
+ // Unauthorised Access Alert + boolean validCsrfTokens = validateTokens(cookieToken, requestToken); + if (validCsrfTokens) { + log.fatal( + "User account " + + userName + + " Attempting Admin functions! (With Valid CSRF Tokens)"); + } else { + log.error( + "User account " + userName + " accessing admin function with bad CSRF Tokens"); + } + } + + } catch (Exception e) { + log.fatal("Tampered Parameter Detected!!! Could not parameters"); + } + } else { + log.debug("Session has no credentials"); + } + } + } + return result; + } + + /** + * Takes a String submitted to be used to encrypt and makes it the correct length for an + * encryption key + * + * @param userSalt String to be validated + * @return A Valid Encryption Key based on the input + */ + public static String validateEncryptionKey(String userSalt) { + String newKey = new String(); + int keySize = userSalt.length(); + if (keySize == 16) { + // log.debug("Key Already Valid"); + newKey = userSalt; + } else { + if (keySize > 16) { + // log.debug("Key too Long..."); + newKey = userSalt.substring(0, 16); + } else // Shorter than 16 + { + // log.debug("Key too Short..."); + newKey = userSalt; + int howManyTimes = (16 / keySize) - 1; + // log.debug("Repeating String " + howManyTimes + " times"); + for (int i = 0; i < howManyTimes; i++) { + newKey += userSalt; + } + keySize = newKey.length(); + int toAdd = 16 - keySize; + // log.debug("Adding " + toAdd + " more characters"); + newKey = newKey.concat(userSalt.substring(0, toAdd)); + } + } + log.debug("Encryption key is '" + newKey + "'"); + return newKey; + } + + /** + * Function that will check if a valid language is set. 
if not, returns en (English) + * + * @param ses Session Language Parameter + * @return en by default, or the valid setting found in the submitted lang + */ + public static String validateLanguage(HttpSession ses) { + String result = "en_GB"; + String lang = new String(); + + try { + lang = ses.getAttribute("lang").toString(); + } catch (NullPointerException e) { + lang = ""; + } + // log.debug("lang submitted: " + lang); + if (lang != null) { + if (lang.matches(".[a-z]{2}-[A-Z]{2}$")) { + result = lang; + } + } + // log.debug("lang set to: " + result); + + return result; + } + + /** + * Validates objects received through a function request. Also ensures max length is not too high. + * + * @param input Object to validate + * @param maxLength Maximum length of object + * @return Validated String value or empty string value + */ + public static String validateParameter(Object input, int maxLength) { + String result = new String(); + + if (input == null) { + result = new String(); + } else { + result = (String) input; + if (result.length() > maxLength) { + log.debug("Parameter Too Long: " + result.length() + " characters"); + log.debug("Parmaeter Was: " + result); + result = new String(); + } + } + + return result; + } + + /** + * Session is checked for credentials and ensures that they have not been modified and that they + * are valid + * + * @param ses HttpSession from users browser + * @return Boolean value that reflects the validity of the users session + */ + public static boolean validateSession(HttpSession ses) { + boolean result = false; + if (ses == null) { + log.debug("No Session Found"); + } else { + if (ses.getAttribute("logout") != null) { + log.debug("Logout Attribute Found: Invalidating session..."); + ses.invalidate(); // make servlet engine forget the session + } else { + // log.debug("Active Session Found"); + if (ses.getAttribute("userRole") != null) { + try { + // log.debug("Session holder is "+ses.getAttribute("userName").toString()); + String 
role = (String) ses.getAttribute("userRole"); + result = (role.compareTo("player") == 0 || role.compareTo("admin") == 0); + if (!result) { + log.fatal("User Role Parameter Tampered. Role = " + role); + } else { + String userName = ses.getAttribute("userName").toString(); + // Has the user been suspended? Should they be kicked? + if (UserKicker.shouldKickUser(userName)) { + log.debug( + userName + + " has been Suspended. Invalidating Session and Reporting Invalid" + + " Session"); + ses.invalidate(); // Killing Session + result = false; // User will not access function they were attempting to call + UserKicker.removeFromKicklist(userName); // Removing from kick list, as they are now + // authenticated, the DB Layer Suspension + // will prevent them from signing in + } + } + } catch (Exception e) { + log.fatal("Tampered Parameter Detected!!! Could not Decrypt stamp"); + } + } else { + log.debug("Session has no credentials"); + } + } + } + return result; + } + + /** + * This method compares the two submitted tokens after ensuring they are not null and not empty. 
+ * + * @param cookieToken CSRF cookie Token + * @param requestToken CSRF request Token + * @return A boolean value stating weather or not the tokens are valid + */ + public static boolean validateTokens(Cookie cookieToken, Object requestToken) { + boolean result = false; + boolean cookieNull = (cookieToken == null); + boolean requestNull = (requestToken == null); + if (!cookieNull && !requestNull) { + + String theRequest = (String) requestToken; + String theCookie = cookieToken.getValue(); + boolean cookieEmpty = theCookie.isEmpty(); + boolean requestEmpty = theRequest.isEmpty(); + + if (!cookieEmpty && !requestEmpty) { + result = theRequest.compareTo(theCookie) == 0; + } else if (cookieEmpty) { + log.error("Cookie Token Empty"); + } else if (requestEmpty) { + log.error("Request Token Empty"); + } + + if (!result) { + log.error("CSRF Tokens did not match"); + } + + } else { + if (cookieNull) { + log.error("Cookie Token was Null"); + } else if (requestNull) { + log.error("Request Token was Null"); + } + } + return result; + } + + /** + * Validates file name attributes to defend against path traversal + * + * @param fileName File name to validate + * @return Boolean value reflecting if valid or not + */ + /* + * public static String validateFileName(String fileName) { + * ShepherdLogManager.logEvent(request.getRemoteAddr(), + * request.getHeader("X-Forwarded-For"), "fileName: " + fileName); fileName = + * fileName.replaceAll(" ", "").replaceAll("\\.", "").replaceAll("/", + * "").replaceAll("\\\\", "").replaceAll("\n", ""); + * ShepherdLogManager.logEvent(request.getRemoteAddr(), + * request.getHeader("X-Forwarded-For"), "fileName: " + fileName); return + * fileName; } + */ + public static boolean validHostUrl(String hostUrl) { + // TODO - Pull other validation steps into this + boolean result; + result = hostUrl.endsWith("/"); + if (!result) { + log.error("URL Doesn't end with a forward slash. 
Very likely wrong"); + } + return result; + } + + /** + * Validates that a port number supplied is a valid port number + * + * @param portNum String to validate + * @return Boolean value reflecting if valid or not + */ + public static boolean isValidPortNumber(String portNum) { + try { + Integer validPort = Integer.valueOf(portNum); + if (validPort < 1 || validPort > 65535) { + log.fatal("Value: " + portNum + "is not a valid port number"); + return false; + } + } catch (NumberFormatException e) { + log.fatal("Value: " + portNum + "is not a valid port number"); + return false; + } + return true; + } } diff --git a/src/main/java/utils/XmlDocumentBuilder.java b/src/main/java/utils/XmlDocumentBuilder.java index b60767d64..6ab78a5e0 100644 --- a/src/main/java/utils/XmlDocumentBuilder.java +++ b/src/main/java/utils/XmlDocumentBuilder.java @@ -1,93 +1,93 @@ package utils; -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.LogManager; - import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; -import javax.xml.parsers.ParserConfigurationException; // catching unsupported features +import javax.xml.parsers.ParserConfigurationException; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; /** - * Class is used to configure and create a Document Builder for processing XML - *

+ * Class is used to configure and create a Document Builder for processing XML
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author ismisepaul + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author ismisepaul */ public class XmlDocumentBuilder { - private static final Logger log = LogManager.getLogger(XmlDocumentBuilder.class); - - public static DocumentBuilder xmlDocBuilder(Boolean disallow_doctype_decl, Boolean external_general_entities, - Boolean external_parameter_entities, Boolean load_external_dtd, - Boolean xIncludeAware, Boolean expandEntityReferences) { - - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); - String FEATURE = null; - DocumentBuilder db = null; - - try { - // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all - // XML entity attacks are prevented - // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl - //safe=true - FEATURE = "http://apache.org/xml/features/disallow-doctype-decl"; - dbf.setFeature(FEATURE, disallow_doctype_decl); - - // If you can't completely disable DTDs, then at least do the following: - // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities - // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities - // JDK7+ - http://xml.org/sax/features/external-general-entities - // safe=false - FEATURE = "http://xml.org/sax/features/external-general-entities"; - dbf.setFeature(FEATURE, external_general_entities); - - // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities - // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities - // JDK7+ - http://xml.org/sax/features/external-parameter-entities - // safe=false - FEATURE = "http://xml.org/sax/features/external-parameter-entities"; - dbf.setFeature(FEATURE, external_parameter_entities); - - // Disable external DTDs as well - // safe=false - FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd"; - 
dbf.setFeature(FEATURE, load_external_dtd); - - // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks" - // safe=false (for both) - dbf.setXIncludeAware(xIncludeAware); - dbf.setExpandEntityReferences(expandEntityReferences); - - // And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then - // ensure the entity settings are disabled (as shown above) and beware that SSRF attacks - // (http://cwe.mitre.org/data/definitions/918.html) and denial - // of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk." - db = dbf.newDocumentBuilder(); - - } catch (ParserConfigurationException e) - - { - // This should catch a failed setFeature feature - log.warn("ParserConfigurationException was thrown. The feature '" + FEATURE - + "' is probably not supported by your XML processor."); - } - - return db; + private static final Logger log = LogManager.getLogger(XmlDocumentBuilder.class); + + public static DocumentBuilder xmlDocBuilder( + Boolean disallow_doctype_decl, + Boolean external_general_entities, + Boolean external_parameter_entities, + Boolean load_external_dtd, + Boolean xIncludeAware, + Boolean expandEntityReferences) { + + DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + String FEATURE = null; + DocumentBuilder db = null; + + try { + // This is the PRIMARY defense. 
If DTDs (doctypes) are disallowed, almost all + // XML entity attacks are prevented + // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl + // safe=true + FEATURE = "http://apache.org/xml/features/disallow-doctype-decl"; + dbf.setFeature(FEATURE, disallow_doctype_decl); + + // If you can't completely disable DTDs, then at least do the following: + // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities + // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities + // JDK7+ - http://xml.org/sax/features/external-general-entities + // safe=false + FEATURE = "http://xml.org/sax/features/external-general-entities"; + dbf.setFeature(FEATURE, external_general_entities); + + // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities + // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities + // JDK7+ - http://xml.org/sax/features/external-parameter-entities + // safe=false + FEATURE = "http://xml.org/sax/features/external-parameter-entities"; + dbf.setFeature(FEATURE, external_parameter_entities); + + // Disable external DTDs as well + // safe=false + FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd"; + dbf.setFeature(FEATURE, load_external_dtd); + + // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks" + // safe=false (for both) + dbf.setXIncludeAware(xIncludeAware); + dbf.setExpandEntityReferences(expandEntityReferences); + + // And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, + // then + // ensure the entity settings are disabled (as shown above) and beware that SSRF attacks + // (http://cwe.mitre.org/data/definitions/918.html) and denial + // of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk." 
+ db = dbf.newDocumentBuilder(); + + } catch (ParserConfigurationException e) { + // This should catch a failed setFeature feature + log.warn( + "ParserConfigurationException was thrown. The feature '" + + FEATURE + + "' is probably not supported by your XML processor."); } + return db; + } } - diff --git a/src/main/java/utils/XssFilter.java b/src/main/java/utils/XssFilter.java index 698adb5c5..7487835cd 100644 --- a/src/main/java/utils/XssFilter.java +++ b/src/main/java/utils/XssFilter.java @@ -2,193 +2,194 @@ import java.net.MalformedURLException; import java.net.URL; - -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.owasp.encoder.Encode; - /** - * Provides a number of filters that are used in different XSS challenges. - *
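Review bot: The catch block at the end of the hunk logs the ParserConfigurationException without its cause and then returns the still-null `db`, so a caller that asked for doctype declarations to be disallowed gets a NullPointerException at first use instead of a clear failure; pass the exception to the logger, `log.warn("ParserConfigurationException was thrown. The feature '" + FEATURE + "' is probably not supported by your XML processor.", e);`, and either state in a method Javadoc that null is returned when a feature is unsupported or rethrow as an IllegalStateException so a parser is never handed out without the requested hardening. The `Boolean` wrapper parameters also unbox at each `setFeature` call and throw NullPointerException on a null argument, which primitive `boolean` parameters would rule out if the call sites allow that change. For a commit applying the Google style guide, the local `FEATURE` and the parameters `disallow_doctype_decl`, `external_general_entities`, `external_parameter_entities` and `load_external_dtd` keep UPPER_SNAKE_CASE and snake_case where the guide requires lowerCamelCase, and the formatter left an orphaned `// then` line in the Timothy Morgan comment that should be rejoined with the line before it. `xmlDocBuilder` has no Javadoc; a short one saying that each parameter maps to the feature named in the comment above its `setFeature` call, and that `true` for the doctype flag is the safe setting, would help callers choose values.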

+ * Provides a number of filters that are used in different XSS challenges.
+ *
* This file is part of the Security Shepherd Project. * - * The Security Shepherd project is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version.
+ *

The Security Shepherd project is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software Foundation, either + * version 3 of the License, or (at your option) any later version.
* - * The Security Shepherd project is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details.
+ *

The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details.
* - * You should have received a copy of the GNU General Public License - * along with the Security Shepherd project. If not, see . - * @author Mark Denihan + *

You should have received a copy of the GNU General Public License along with the Security + * Shepherd project. If not, see . * + * @author Mark Denihan */ -public class XssFilter -{ - private static final Logger log = LogManager.getLogger(XssFilter.class); - /** - * A method to badly validate a URL - * @param input URL to validate - * @return A poorly validated URL (XSS RISK) - */ - public static String anotherBadUrlValidate (String input) - { - String howToMakeAUrlUrl = new String("https://www.google.com/search?q=What+does+a+HTTP+link+look+like"); - input = input.toLowerCase(); - if (input.startsWith("http")) - { - try - { - URL theUrl = new URL(input.replaceAll("#", "#").replaceFirst("<", "<").replaceFirst(">", ">").replaceFirst("\"", """)); - input = theUrl.toString(); - } - catch (MalformedURLException e) - { - log.debug("Could not Cast URL from input: " + e.toString()); - input = howToMakeAUrlUrl; - } - } - else - { - log.debug("Was not a HTTP URL"); - input = howToMakeAUrlUrl; - } - return input; - } +public class XssFilter { + + private static final Logger log = LogManager.getLogger(XssFilter.class); + + /** + * A method to badly validate a URL + * + * @param input URL to validate + * @return A poorly validated URL (XSS RISK) + */ + public static String anotherBadUrlValidate(String input) { + String howToMakeAUrlUrl = + new String("https://www.google.com/search?q=What+does+a+HTTP+link+look+like"); + input = input.toLowerCase(); + if (input.startsWith("http")) { + try { + URL theUrl = + new URL( + input + .replaceAll("#", "#") + .replaceFirst("<", "<") + .replaceFirst(">", ">") + .replaceFirst("\"", """)); + input = theUrl.toString(); + } catch (MalformedURLException e) { + log.debug("Could not Cast URL from input: " + e.toString()); + input = howToMakeAUrlUrl; + } + } else { + log.debug("Was not a HTTP URL"); + input = howToMakeAUrlUrl; + } + return input; + } - /** - * White lists for specific URL types but doesn't sanitise it well - * @param input - * 
@return - */ - public static String badUrlValidate (String input) - { - String howToMakeAUrlUrl = new String("https://www.google.com/search?q=What+does+a+HTTP+link+look+like"); - input = input.toLowerCase(); - if (input.startsWith("http")) - { - try - { - URL theUrl = new URL(input.replaceAll("#", "#").replaceAll("<", "<").replaceAll(">", ">").replaceFirst("\"", """)); - input = theUrl.toString(); - } - catch (MalformedURLException e) - { - log.debug("Could not Cast URL from input: " + e.toString()); - input = howToMakeAUrlUrl; - } - } - else - { - log.debug("Was not a HTTP URL"); - input = howToMakeAUrlUrl; - } - return input; - } + /** + * White lists for specific URL types but doesn't sanitise it well + * + * @param input + * @return + */ + public static String badUrlValidate(String input) { + String howToMakeAUrlUrl = + new String("https://www.google.com/search?q=What+does+a+HTTP+link+look+like"); + input = input.toLowerCase(); + if (input.startsWith("http")) { + try { + URL theUrl = + new URL( + input + .replaceAll("#", "#") + .replaceAll("<", "<") + .replaceAll(">", ">") + .replaceFirst("\"", """)); + input = theUrl.toString(); + } catch (MalformedURLException e) { + log.debug("Could not Cast URL from input: " + e.toString()); + input = howToMakeAUrlUrl; + } + } else { + log.debug("Was not a HTTP URL"); + input = howToMakeAUrlUrl; + } + return input; + } - /** - * Encodes for HTML, but doesn't escape ampersands - * @param input - * @return - */ - public static String encodeForHtml (String input) - { - log.debug("Filtering input at XSS white list"); + /** + * Encodes for HTML, but doesn't escape ampersands + * + * @param input + * @return + */ + public static String encodeForHtml(String input) { + log.debug("Filtering input at XSS white list"); - input = Encode.forHtml(input); - //Decode quotes to open a security hole in Encoder - input = input.replaceFirst(""", "\""); - //Encode lower-case "on" and upper-case "on" to complicate the required attack vectors to 
pass - return input.replaceAll("on", "on").replaceAll("ON", "ON"); - } + input = Encode.forHtml(input); + // Decode quotes to open a security hole in Encoder + input = input.replaceFirst(""", "\""); + // Encode lower-case "on" and upper-case "on" to complicate the required attack vectors to pass + return input.replaceAll("on", "on").replaceAll("ON", "ON"); + } - /** - * Filters for specific javascript events recursively in a specific order. Can be bypassed by embedding a trigger late in the list in a trigger early in the list - * @param input String to be filtered for XSS attacks - * @return XSS Blacklist filtered HTML - */ - public static String levelFour (String input) - { - String[] javascriptTriggers = FindXSS.javascriptTriggers; - log.debug("Filtering input at XSS levelFour"); - input = input.toLowerCase(); - while(input.contains("script")) - { - System.out.println("input = " + input); - input = input.replaceAll("script", "scr.pt"); - } - for(int i = 0; i < javascriptTriggers.length; i++) - { - while(input.contains(javascriptTriggers[i])) - { - int len = javascriptTriggers[i].length(); - String replacement = javascriptTriggers[i].substring(0, (len / 2) - 1) + "." + javascriptTriggers[i].substring((len /2) + 1, len); - input = input.replaceAll(javascriptTriggers[i], replacement); - } - } - return screwHtmlEncodings(input); - } + /** + * Filters for specific javascript events recursively in a specific order. 
Can be bypassed by + * embedding a trigger late in the list in a trigger early in the list + * + * @param input String to be filtered for XSS attacks + * @return XSS Blacklist filtered HTML + */ + public static String levelFour(String input) { + String[] javascriptTriggers = FindXSS.javascriptTriggers; + log.debug("Filtering input at XSS levelFour"); + input = input.toLowerCase(); + while (input.contains("script")) { + System.out.println("input = " + input); + input = input.replaceAll("script", "scr.pt"); + } + for (int i = 0; i < javascriptTriggers.length; i++) { + while (input.contains(javascriptTriggers[i])) { + int len = javascriptTriggers[i].length(); + String replacement = + javascriptTriggers[i].substring(0, (len / 2) - 1) + + "." + + javascriptTriggers[i].substring((len / 2) + 1, len); + input = input.replaceAll(javascriptTriggers[i], replacement); + } + } + return screwHtmlEncodings(input); + } - /** - * Filters the word "script" specifically - * @param input Input to be filtered for XSS - * @return XSS Blacklist filtered HTML - */ - public static String levelOne (String input) - { - log.debug("Filtering input at XSS levelOne"); - return input.toLowerCase().replaceAll("script", "scr.pt").replaceAll("SCRIPT", "SCR.PT"); - } + /** + * Filters the word "script" specifically + * + * @param input Input to be filtered for XSS + * @return XSS Blacklist filtered HTML + */ + public static String levelOne(String input) { + log.debug("Filtering input at XSS levelOne"); + return input.toLowerCase().replaceAll("script", "scr.pt").replaceAll("SCRIPT", "SCR.PT"); + } - /** - * Filters for javascript triggers twice before stopping and breaks HTML encodings - * @param input - * @return - */ - public static String levelThree (String input) - { - log.debug("Filtering input at XSS levelThree"); - input = input.toLowerCase(); - input = input.replaceAll("script", "scr.pt"); - for(int h = 0; h < FindXSS.javascriptTriggers.length; h++) - { - for(int i = 0; i <= 1; i++) - input = 
input.replaceAll(FindXSS.javascriptTriggers[h], ""); - } - return screwHtmlEncodings(input); - } + /** + * Filters for javascript triggers twice before stopping and breaks HTML encodings + * + * @param input + * @return + */ + public static String levelThree(String input) { + log.debug("Filtering input at XSS levelThree"); + input = input.toLowerCase(); + input = input.replaceAll("script", "scr.pt"); + for (int h = 0; h < FindXSS.javascriptTriggers.length; h++) { + for (int i = 0; i <= 1; i++) { + input = input.replaceAll(FindXSS.javascriptTriggers[h], ""); + } + } + return screwHtmlEncodings(input); + } - /** - * Filters specific javascript event triggers - * @param input String to be filtered for XSS attacks - * @return XSS Blacklist filtered HTML - */ - public static String levelTwo (String input) - { - input = input.toLowerCase(); - log.debug("Filtering input at XSS levelTwo"); - input = input.replaceAll("script", "scr.pt"); - input = input.replaceAll("onclick", "o.ick"); - input = input.replaceAll("onmouseover", "o.ver"); - input = input.replaceAll("onload", "o.oad"); - input = input.replaceAll("onerror", "o.err"); - input = input.replaceAll("ondblclick", "o.dbl"); - return screwHtmlEncodings(input); - } + /** + * Filters specific javascript event triggers + * + * @param input String to be filtered for XSS attacks + * @return XSS Blacklist filtered HTML + */ + public static String levelTwo(String input) { + input = input.toLowerCase(); + log.debug("Filtering input at XSS levelTwo"); + input = input.replaceAll("script", "scr.pt"); + input = input.replaceAll("onclick", "o.ick"); + input = input.replaceAll("onmouseover", "o.ver"); + input = input.replaceAll("onload", "o.oad"); + input = input.replaceAll("onerror", "o.err"); + input = input.replaceAll("ondblclick", "o.dbl"); + return screwHtmlEncodings(input); + } - /** - * Use this to cripple HTML encoded attacks. 
This is can be used to limit the vectors of attack for success - * @param input The string you want to remove HTML encoding from - * @return A string without HTML encoding - */ - private static String screwHtmlEncodings(String input) - { - input = input.replaceAll("&", "!").replaceAll(":", "!"); - return input; - } + /** + * Use this to cripple HTML encoded attacks. This is can be used to limit the vectors of attack + * for success + * + * @param input The string you want to remove HTML encoding from + * @return A string without HTML encoding + */ + private static String screwHtmlEncodings(String input) { + input = input.replaceAll("&", "!").replaceAll(":", "!"); + return input; + } } diff --git a/src/main/webapp/WEB-INF/web.xml b/src/main/webapp/WEB-INF/web.xml index 633968980..46c8ef658 100644 --- a/src/main/webapp/WEB-INF/web.xml +++ b/src/main/webapp/WEB-INF/web.xml @@ -1,9 +1,5 @@ - + Security Shepherd @@ -64,40 +60,40 @@ - /ssologin - servlets.SSOLogin - - - /ssologin - /saml/dologin - - - - /ssometadata - servlets.SSOMetadata - - - /ssometadata - /saml/metadata.xml - - - - /acs - servlets.ACS - - - /acs - /saml/acs - - - - /sls - servlets.SLS - - - /sls - /saml/sls - + /ssologin + servlets.SSOLogin + + + /ssologin + /saml/dologin + + + + /ssometadata + servlets.SSOMetadata + + + /ssometadata + /saml/metadata.xml + + + + /acs + servlets.ACS + + + /acs + /saml/acs + + + + /sls + servlets.SLS + + + /sls + /saml/sls + /mobileLogin diff --git a/src/main/webapp/admin/config/aboutShepherd.jsp b/src/main/webapp/admin/config/aboutShepherd.jsp index c3b1c0f3b..ad4e6fb82 100644 --- a/src/main/webapp/admin/config/aboutShepherd.jsp +++ b/src/main/webapp/admin/config/aboutShepherd.jsp 
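Review bot: `levelFour` still executes `System.out.println("input = " + input);` on every pass of the `while (input.contains("script"))` loop, which bypasses the class's log4j `log` and writes user-supplied input to stdout; replace it with `log.debug("input = " + input);` or remove it. The weak filtering is the stated purpose of these challenge methods, so the rest is style only: `new String("https://www.google.com/search?q=What+does+a+HTTP+link+look+like")` in `anotherBadUrlValidate` and `badUrlValidate` copies a literal for no reason and can be the literal itself, and the Javadoc of `badUrlValidate`, `encodeForHtml` and `levelThree` carries empty `@param input` and `@return` tags that the formatter preserved but that document nothing. The inner `while` in `levelFour` calls `replaceAll` with each `FindXSS.javascriptTriggers` entry as a regex, so if an entry were ever to contain a regex metacharacter the replacement could fail to remove it and the loop would not terminate; that array lives outside this file, so this is worth confirming rather than a known defect.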
@@ -1,4 +1,6 @@ -<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.util.Locale, java.util.ResourceBundle, java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=iso-8859-1" language="java" + import="java.util.Locale, java.util.ResourceBundle, java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: aboutShepherd.jsp *************************"); @@ -50,21 +52,28 @@ if(Validate.validateAdminSession(ses, tokenCookie, tokenParmeter)) String csrfToken = Encode.forHtml(tokenCookie.getValue()); String ApplicationRoot = getServletContext().getRealPath(""); %> -

The OWASP Security Shepherd Project

-

- You are currently using Security Shepherd Version 3.2 -

- The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skill set to security expert status. - For More information, please visit the OWASP Security Shepherd Wiki Page. -

- Please report any bugs or any feature requests on the OWASP Security Shepherd Git Repository. -

- <%= Analytics.sponsorshipMessage(new Locale(Validate.validateLanguage(request.getSession()))) %> -
-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% +

The OWASP Security Shepherd Project

+

+ You are currently using Security Shepherd Version 3.2
+
The OWASP Security Shepherd project is a web and mobile + application security training platform. Security Shepherd has been + designed to foster and improve security awareness among a varied + skill-set demographic. The aim of this project is to take AppSec + novices or experienced engineers and sharpen their penetration testing + skill set to security expert status. For More information, please visit + the OWASP Security + Shepherd Wiki Page.
+
Please report any bugs or any feature requests on the OWASP Security + Shepherd Git Repository. +

+<%= Analytics.sponsorshipMessage(new Locale(Validate.validateLanguage(request.getSession()))) %> +
+
+ +<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> +<% } %> +<% } else { diff --git a/src/main/webapp/admin/config/configCheats.jsp b/src/main/webapp/admin/config/configCheats.jsp index 9ad49712d..dbb1d8a27 100644 --- a/src/main/webapp/admin/config/configCheats.jsp +++ b/src/main/webapp/admin/config/configCheats.jsp @@ -1,4 +1,6 @@ -<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=iso-8859-1" language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: configCheats.jsp *************************"); @@ -50,35 +52,44 @@ if(Validate.validateAdminSession(ses, tokenCookie, tokenParmeter)) String csrfToken = Encode.forHtml(tokenCookie.getValue()); String ApplicationRoot = getServletContext().getRealPath(""); %> -

Configure Cheat Sheets

-

The Security Shepherd Application is capable of presenting users with "Cheat Sheets" that will instruct the reader on how to complete a specific module. These cheats are disabled by default, but can be enabled for administrators or all players. Once enabled, as you open Security Shepherd modules, a cheat button will appear in the left hand menu. Click this button to reveal the cheat sheet for the currently open module.

- - -
style="display: none;"<% } %>> -

Enable Cheat Sheets

-

Enable cheat sheets for administrators or all users.

- - - - - - -
-
- - -
style="display: none;"<% } %>> -

Disable Cheat Sheets

-

Are you sure that you want to disable cheat sheets for all users?

- - - -
-
- - - - - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% +<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> +<% } %> +<% } else { diff --git a/src/main/webapp/admin/config/configFeedback.jsp b/src/main/webapp/admin/config/configFeedback.jsp index df8f6d311..a4bfe009a 100644 --- a/src/main/webapp/admin/config/configFeedback.jsp +++ b/src/main/webapp/admin/config/configFeedback.jsp @@ -1,4 +1,6 @@ -<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=iso-8859-1" language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: configFeedback.jsp *************************"); @@ -50,33 +52,45 @@ if(Validate.validateAdminSession(ses, tokenCookie, tokenParmeter)) String csrfToken = Encode.forHtml(tokenCookie.getValue()); String ApplicationRoot = getServletContext().getRealPath(""); %> -

Configure Feedback

-

You can configure Shepherd to force users to submit a feedback form before the module is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students. - If you would like to submit the collected feedback to the Security Shepherd Project Development Team, please follow the steps found here.

- - -
style="display: none;"<% } %>> -

Enable Feedback

-

Enable feedback to force users to submit feedback on each module before they can complete them

- - - -
-
- - -
style="display: none;"<% } %>> -

Disable Feedback

-

Disable feedback to allow users to complete modules without having to submit a feedback form

- - - -
-
- - - - - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% +<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> +<% } %> +<% } else { diff --git a/src/main/webapp/admin/config/setCoreDatabase.jsp b/src/main/webapp/admin/config/setCoreDatabase.jsp index 75247ba4c..28922df3e 100644 --- a/src/main/webapp/admin/config/setCoreDatabase.jsp +++ b/src/main/webapp/admin/config/setCoreDatabase.jsp @@ -1,4 +1,6 @@ -<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=iso-8859-1" language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: setCoreDatabase.jsp *************************"); @@ -50,29 +52,39 @@ if(Validate.validateAdminSession(ses, tokenCookie, tokenParmeter)) String csrfToken = Encode.forHtml(tokenCookie.getValue()); String ApplicationRoot = getServletContext().getRealPath(""); %> -

Core Database Server Info

-

- If you are using a non-standard database configuration for Security Shepherd, you will need to specify the following information for your core database. -

- -
-
- -
+

Core Database Server Info

+

If you are using a non-standard database configuration for + Security Shepherd, you will need to specify the following information + for your core database.

+ +
+
+ +
- - - - + + + + + + + + + + + + + + +

Database URL:

Username:

Password:

- -

Database URL:

Username:

Password:

- + -
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% +<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> +<% } %> +<% } else { diff --git a/src/main/webapp/admin/config/updateRegistration.jsp b/src/main/webapp/admin/config/updateRegistration.jsp index c2a729bf4..158f0d944 100644 --- a/src/main/webapp/admin/config/updateRegistration.jsp +++ b/src/main/webapp/admin/config/updateRegistration.jsp @@ -1,4 +1,6 @@ -<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=iso-8859-1" language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: updateRegistration.jsp *************************"); @@ -50,36 +52,49 @@ if(Validate.validateAdminSession(ses, tokenCookie, tokenParmeter)) String csrfToken = Encode.forHtmlAttribute(tokenCookie.getValue()); String ApplicationRoot = getServletContext().getRealPath(""); %> - -
-

<% if (OpenRegistration.isEnabled()) { %>Close<% } else { %>Open<% } %>
Registration

-
-
-
- -
style="display: none;"<% } %>> -

This function will close the registration functionality. This will prevent users from visiting registration pages and will block requests made to Registration Servlets.

- - -
- -
-
-
style="display: none;"<% } %>> -

This function will open the registration functionality. Users will have to refresh the login page to see the link pointing to the Shepherd registration page.

- - -
- -
-
+ +
+

+
+ <% if (OpenRegistration.isEnabled()) { %>Close<% } else { %>Open<% } %> +
+ Registration +

+
+ +
+ +
+ style="display: none;" <% } %>> +

This function will close the registration functionality. + This will prevent users from visiting registration pages and will + block requests made to Registration Servlets.

+ + + + +
+
+
+ style="display: none;" <% } %>> +

This function will open the registration functionality. + Users will have to refresh the login page to see the link pointing + to the Shepherd registration page.

+ + + + +
-
- - -
- - - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> -
+ <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %>
- <% +
+<% } else { diff --git a/src/main/webapp/admin/moduleManagement/changeLevelLayout.jsp b/src/main/webapp/admin/moduleManagement/changeLevelLayout.jsp index 090171703..e26be00c8 100644 --- a/src/main/webapp/admin/moduleManagement/changeLevelLayout.jsp +++ b/src/main/webapp/admin/moduleManagement/changeLevelLayout.jsp @@ -1,4 +1,6 @@ -<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=iso-8859-1" language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: changeLevelLayout.jsp *************************"); @@ -49,55 +51,73 @@ if (request.getSession() != null) //Session If String csrfToken = Encode.forHtmlAttribute(tokenCookie.getValue()); %> -
-

Current Mode:
<%= ModulePlan.currentMode() %>

-
-

- You can change the layout in which modules are presented to players. Use the following functions to change the current Shepherd Mode. -

- - - - -
style="display: none;"<% } %>> -

Enable CTF Mode

-

- When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. - The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario. -

- - - -
- -
- - -
style="display: none;"<% } %>> -

Enable Open Floor Mode

-

- When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. -

- - - -
- -
- - -
style="display: none;"<% } %>> -

Enable Tournament Mode

-

- When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. -

- - - -
- -
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> -
-
- <% + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> +
+
+<% } //Valid Session If else {
diff --git a/src/main/webapp/admin/moduleManagement/classProgress.jsp b/src/main/webapp/admin/moduleManagement/classProgress.jsp
index 868a632fa..bd332af87 100644
--- a/src/main/webapp/admin/moduleManagement/classProgress.jsp
+++ b/src/main/webapp/admin/moduleManagement/classProgress.jsp
@@ -1,4 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: classProgress.jsp *************************");
@@ -61,20 +63,19 @@ catch(SQLException e)
 showClasses = false;
 } %>
-
-

Get Progress

-
+
+

Get Progress

+
+
+
+

Select the class you would like to see the progress of

- -

Select the class you would like to see the progress of

-
- - - -
- + + + - - -
-
-
- -
-
- -
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - - + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> + - <% + +<% } else {
diff --git a/src/main/webapp/admin/moduleManagement/feedback.jsp b/src/main/webapp/admin/moduleManagement/feedback.jsp
index 18e7d2c8d..9a70bf70a 100644
--- a/src/main/webapp/admin/moduleManagement/feedback.jsp
+++ b/src/main/webapp/admin/moduleManagement/feedback.jsp
@@ -1,4 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: feedback.jsp *************************");
@@ -50,30 +52,34 @@ if(Validate.validateAdminSession(ses, tokenCookie, tokenParmeter))
 String csrfToken = Encode.forHtmlAttribute(tokenCookie.getValue());
 String ApplicationRoot = getServletContext().getRealPath("");
 %>
-
-

Get Module Feedback

-
+
+

Get Module Feedback

+
+
+
+

Select the module you would like to see the feedback from

- -

Select the module you would like to see the feedback from

-
- - - - - - -
- -
-
- -
-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> -
-
+ <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> +
- <% +
+<% } else {
diff --git a/src/main/webapp/admin/moduleManagement/moduleBlock.jsp b/src/main/webapp/admin/moduleManagement/moduleBlock.jsp
index 5ddc42e27..e8c73d4bc 100644
--- a/src/main/webapp/admin/moduleManagement/moduleBlock.jsp
+++ b/src/main/webapp/admin/moduleManagement/moduleBlock.jsp
@@ -1,4 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: stopHere.jsp *************************");
@@ -50,51 +52,56 @@ if(Validate.validateAdminSession(ses, tokenCookie, tokenParmeter))
 String csrfToken = Encode.forHtmlAttribute(tokenCookie.getValue());
 String ApplicationRoot = getServletContext().getRealPath("");
 %>
-
-

Set a Module Blocker

-
- -
-

Selecting a module blocker will not allow users to take that specific module. In a CTF environment this will stop them from progress past this point until you disable it or enable it to a further down the line module.

- - Select the module you would like to see the feedback from and the message informing them when the blocker will be lifted.

- -
- - - - - - - - - -
The Module To Block: - -
Blocked Message to Give: -
- -
-
- <% if(ModuleBlock.blockerEnabled){ %> -
-

Remove Module Block

-

- Do you wish to remove the current module blocker? You can do this by clicking the following button; -

- - - -
- <% } %> -
- - -
- - - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> -
-
+ <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> +
- <% +
+<% } else {
diff --git a/src/main/webapp/admin/moduleManagement/openCloseByCategory.jsp b/src/main/webapp/admin/moduleManagement/openCloseByCategory.jsp
index c6512fcb1..bce0448b7 100644
--- a/src/main/webapp/admin/moduleManagement/openCloseByCategory.jsp
+++ b/src/main/webapp/admin/moduleManagement/openCloseByCategory.jsp
@@ -1,4 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: openCloseByCategory.jsp *************************");
@@ -50,32 +52,34 @@ if(Validate.validateAdminSession(ses, tokenCookie, tokenParmeter))
 String csrfToken = Encode.forHtmlAttribute(tokenCookie.getValue());
 String ApplicationRoot = getServletContext().getRealPath("");
 %>
-
-

Open and Close Levels

-
-
-

Use this form to open and close levels by entire categories. Levels that are closed will not appear in any level listings.

- -
-
- - - -
- <%= Getter.getOpenCloseCategoryMenu(ApplicationRoot) %> -
- - - -
-
+
+

Open and Close Levels

+
+ +

Use this form to open and close levels by entire categories. + Levels that are closed will not appear in any level listings.

+ +
+
+ + + + + + + + +
<%= Getter.getOpenCloseCategoryMenu(ApplicationRoot) %> +
- -
- - -
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> -
+ <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %>
- <% +
+<% } else {
diff --git a/src/main/webapp/admin/moduleManagement/setStatus.jsp b/src/main/webapp/admin/moduleManagement/setStatus.jsp
index bc267b338..f0600c4ac 100644
--- a/src/main/webapp/admin/moduleManagement/setStatus.jsp
+++ b/src/main/webapp/admin/moduleManagement/setStatus.jsp
@@ -1,4 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: setStatus.jsp *************************");
@@ -50,30 +52,33 @@ if(Validate.validateAdminSession(ses, tokenCookie, tokenParmeter))
 String csrfToken = Encode.forHtmlAttribute(tokenCookie.getValue());
 String ApplicationRoot = getServletContext().getRealPath("");
 %>
-
-

Open and Close Levels

-
+
+

Open and Close Levels

+
+
+
+

Use this form to open and close levels by name. Levels that + are closed will not appear in any level listings.

- -

Use this form to open and close levels by name. Levels that are closed will not appear in any level listings.

-
- -
-
- - <%= Getter.getModuleStatusMenu(ApplicationRoot) %> -
-
-
-
-
- -
-
+ +
+
+ + <%= Getter.getModuleStatusMenu(ApplicationRoot) %> +
+
+
+ +
+
+ +
- - - - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% +<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %>
+<% } %>
+<% } else {
diff --git a/src/main/webapp/admin/userManagement/addPlayers.jsp b/src/main/webapp/admin/userManagement/addPlayers.jsp
index 350f74fcf..d4036144f 100644
--- a/src/main/webapp/admin/userManagement/addPlayers.jsp
+++ b/src/main/webapp/admin/userManagement/addPlayers.jsp
@@ -1,4 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: addPlayers.jsp *************************");
@@ -65,21 +67,23 @@ catch(SQLException e)
 showClasses = false;
 } %>
-
-

Add Players

-
-
-

Please select the class you would like to add a player to and input the player information for the player you wish to create.

- - - - - + + + + + + + + + + + + + + + + + + + + + + + + +
-

Class* :

-
- + + + + - - - - - - - -
+

+ Class* : +

+
-

Username* :

Password* :

Confirm Password* :

Email Address:

Confirm Address:

- -
- - -
- - -
+

+ Username* : +

+ Password* : +

+ Confirm Password* : +

Email Address:

Confirm Address:

+
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% +<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %>
+<% } %>
+<% } else {
diff --git a/src/main/webapp/admin/userManagement/assignPlayers.jsp b/src/main/webapp/admin/userManagement/assignPlayers.jsp
index 59f739430..467a65df0 100644
--- a/src/main/webapp/admin/userManagement/assignPlayers.jsp
+++ b/src/main/webapp/admin/userManagement/assignPlayers.jsp
@@ -1,4 +1,7 @@
-<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*, servlets.admin.userManagement.GetPlayersByClass" errorPage="" %>
+<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"
+ language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*, servlets.admin.userManagement.GetPlayersByClass"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: assignPlayers.jsp *************************");
@@ -65,21 +68,21 @@ if(Validate.validateAdminSession(ses, tokenCookie, tokenParmeter))
 showClasses = false;
 } %>
-
-

Assign Players

-
-
-

Please select the users you would like to assign and the class that you would like to assign them to.

- - - - - + + + + +
-

Class:

-
- + + + + - - - - - - - + + + + + + + - - -
+

Class:

+
-
-

Select the players that you want to assign here

-
-
- -
-
-
- Assign To: - -
+

Select the players that you want to assign here

+
+
+ +
+
+
Assign To: -
- -
- - -
- - -
+
+
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% +<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %>
+<% } %>
+<% } else {
diff --git a/src/main/webapp/admin/userManagement/changeUserPassword.jsp b/src/main/webapp/admin/userManagement/changeUserPassword.jsp
index 72ae076e8..831be9a31 100644
--- a/src/main/webapp/admin/userManagement/changeUserPassword.jsp
+++ b/src/main/webapp/admin/userManagement/changeUserPassword.jsp
@@ -1,4 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*, servlets.admin.userManagement.GetPlayersByClass" errorPage="" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*, servlets.admin.userManagement.GetPlayersByClass"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: changeUserPassword.jsp *************************");
@@ -66,18 +68,20 @@ catch(SQLException e)
 showClasses = false;
 } %>
-
-

Change Player Password

-
-
-

You can use this function to update a users password. This password will be temporary, and they will be forced to change it upon sign in.

-
- - - - + + + + + + + + +
-

Pick the class of the player you wish to modify

-
+
+

Change Player Password

+
+ +

You can use this function to update a users password. This + password will be temporary, and they will be forced to change it + upon sign in.

+
+ + + + + + + - - - - - - -
+

Pick the class of the player you wish to modify

+
+
+
+

Select the player that you want to assign here

+
+
+
-
-

Select the player that you want to assign here

-
-
- -
-
-
-
New Password:
- -
- -
-
- - -
+
+
+
New Password:
+
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% +<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %>
+<% } %>
+<% } else {
diff --git a/src/main/webapp/admin/userManagement/createNewAdmin.jsp b/src/main/webapp/admin/userManagement/createNewAdmin.jsp
index c4b73087e..64c97306a 100644
--- a/src/main/webapp/admin/userManagement/createNewAdmin.jsp
+++ b/src/main/webapp/admin/userManagement/createNewAdmin.jsp
@@ -1,4 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: createNewAdmin.jsp *************************");
@@ -74,30 +76,55 @@ if(ses.getAttribute("errorMessage") != null)
 } } %>
-
-

Create New Admin

-
-
-

Please input what data you want the new administrator to have. Please note that the password will be temporary.

- - - - - - - - -

Username* :

Password* :

Confirm Password* :

Email Address:

Confirm Address:

- -
-
-
-
- - -
+
+

Create New Admin

+
+
+

Please input what data you want the new administrator to have. + Please note that the password will be temporary.

+ + + + + + + + + + + + + + + + + + + + + + + + + +

+ Username* : +

+ Password* : +

+ Confirm Password* : +

Email Address:

Confirm Address:

+
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% +<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %>
+<% } %>
+<% } else {
diff --git a/src/main/webapp/admin/userManagement/createNewClass.jsp b/src/main/webapp/admin/userManagement/createNewClass.jsp
index 7751e2fd7..50a97d573 100644
--- a/src/main/webapp/admin/userManagement/createNewClass.jsp
+++ b/src/main/webapp/admin/userManagement/createNewClass.jsp
@@ -1,4 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*, java.util.Calendar, java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="java.sql.*, java.util.Calendar, java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: createNewClass.jsp *************************");
@@ -53,27 +55,36 @@ String userRole = Encode.forHtml(ses.getAttribute("userRole").toString());
 String userId = Encode.forHtml(ses.getAttribute("userStamp").toString());
 String ApplicationRoot = getServletContext().getRealPath("");
 %>
-
-

Create New Class

-
-
-

Please input the data you would like the new class to have. The class year format should be YYYY, such as 2010.

- - - - - -

Class Name:

Class Year:

- -
-
-
-
- - -
+
+

Create New Class

+
+
+

Please input the data you would like the new class to have. + The class year format should be YYYY, such as 2010.

+ + + + + + + + + + + + + +

Class Name:

Class Year:

+
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% +<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %>
+<% } %>
+<% } else {
diff --git a/src/main/webapp/admin/userManagement/deletePlayers.jsp b/src/main/webapp/admin/userManagement/deletePlayers.jsp
index 268a524e5..eaf5c17e9 100644
--- a/src/main/webapp/admin/userManagement/deletePlayers.jsp
+++ b/src/main/webapp/admin/userManagement/deletePlayers.jsp
@@ -1,4 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*, servlets.admin.userManagement.GetPlayersByClass" errorPage="" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*, servlets.admin.userManagement.GetPlayersByClass"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: addPlayers.jsp *************************");
@@ -65,18 +67,18 @@ catch(SQLException e)
 showClasses = false;
 } %>
-
-

Delete Player

-
-
-

Use this function to delete players

- -
- - - + + + + +
-

Pick the class of the player you wish to delete

-
+
+

Delete Player

+
+ +

Use this function to delete players

+ +
+ + + + + + - - - - - -
+

Pick the class of the player you wish to delete

+
+
+
+

Select the player that you want to delete

+
+
+
-
-

Select the player that you want to delete

-
-
- -
-
-
-
- -
-
- -
-
- - -
+

+
+
+
- - -<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %>
+<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %>
+<% } %>
 <% } else
diff --git a/src/main/webapp/admin/userManagement/downgradeAdmins.jsp b/src/main/webapp/admin/userManagement/downgradeAdmins.jsp
index 1cf0e82b7..6f56a2e6b 100644
--- a/src/main/webapp/admin/userManagement/downgradeAdmins.jsp
+++ b/src/main/webapp/admin/userManagement/downgradeAdmins.jsp
@@ -1,4 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*, servlets.admin.userManagement.DowngradeAdmin" errorPage="" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*, servlets.admin.userManagement.DowngradeAdmin"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: downgradeAdmins.jsp *************************");
@@ -65,22 +67,22 @@ catch(SQLException e)
 showAdmins = false;
 } %>
-
-

Downgrade Admin

-
-
-

Please select the admin that you would like to downgrade to player

-
- - - - - + + + + +
-

Admins:

-
- + + + + - - -
+

Admins:

+
-
- -
- - -
- - -
+
+
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% +<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %>
+<% } %>
+<% } else {
diff --git a/src/main/webapp/admin/userManagement/givePoints.jsp b/src/main/webapp/admin/userManagement/givePoints.jsp
index 95ec5efe4..6a8ec259f 100644
--- a/src/main/webapp/admin/userManagement/givePoints.jsp
+++ b/src/main/webapp/admin/userManagement/givePoints.jsp
@@ -1,4 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*, servlets.admin.userManagement.GetPlayersByClass" errorPage="" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*, servlets.admin.userManagement.GetPlayersByClass"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: givePoints.jsp *************************");
@@ -66,18 +68,22 @@ catch(SQLException e)
 showClasses = false;
 } %>
-
-

Reward / Deduct Points

-
-
-

Use this function to reward or punish your players. Use the following form with a positive or negitive number to modify the amount of points a player has. For the best results, ensure your users can see the Shepherd Scoreboard. If you push a player into negative points they will not appear on the scoreboard.

- -
- - - + + + + + + + + +
-

Pick the class of the player you wish to modify

-
+
+

Reward / Deduct Points

+
+ +

Use this function to reward or punish your players. Use the + following form with a positive or negitive number to modify the + amount of points a player has. For the best results, ensure your + users can see the Shepherd Scoreboard. If you push a player into + negative points they will not appear on the scoreboard.

+ +
+ + + + + + - - - - - - -
+

Pick the class of the player you wish to modify

+
+
+
+

Select the player that you want to give/take points from

+
+
+
-
-

Select the player that you want to give/take points from

-
-
- -
-
-
-
Number of Points:
- -
-
-
- - -
- -
+

+
Number of Points:
+
+
+ + +
+
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% +<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %>
+<% } %>
+<% } else {
diff --git a/src/main/webapp/admin/userManagement/setDefaultClassForRegistration.jsp b/src/main/webapp/admin/userManagement/setDefaultClassForRegistration.jsp
index 80b540375..a9baef050 100644
--- a/src/main/webapp/admin/userManagement/setDefaultClassForRegistration.jsp
+++ b/src/main/webapp/admin/userManagement/setDefaultClassForRegistration.jsp
@@ -1,4 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: setDefaultClassForRegistration.jsp *************************");
@@ -65,21 +67,22 @@ catch(SQLException e)
 showClasses = false;
 } %>
-
-

Set Default Registration Class

-
-
-

Any user that registers with this instance of Security Shepherd will be automatically assigned to the class group you choose in this form.

- - - - - + + + + +
-

Class:

-
- + + + + - - -
+

Class:

+
-
- -
- - -
- - -
+
+
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% +<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %>
+<% } %>
+<% } else {
diff --git a/src/main/webapp/admin/userManagement/suspendUser.jsp b/src/main/webapp/admin/userManagement/suspendUser.jsp
index 0f5fc4ea8..c4a99de66 100644
--- a/src/main/webapp/admin/userManagement/suspendUser.jsp
+++ b/src/main/webapp/admin/userManagement/suspendUser.jsp
@@ -1,4 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*, servlets.admin.userManagement.GetPlayersByClass" errorPage="" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*, servlets.admin.userManagement.GetPlayersByClass"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: suspendUser.jsp *************************");
@@ -66,22 +68,21 @@ catch(SQLException e)
 showClasses = false;
 } %>
-
-

Suspend Player

-
-
-

Please select the player that you would like to suspend;

-
- - - - - + + + + + + + + + + + +
-

Class:

-
- + + + + - - - - - - -
+

Class:

+
-
-

Select the player that you want to assign here

-
-
- -
-
-
Number of Minutes:
- -
- - -
- - -
+
+

Select the player that you want to assign here

+
+
+ +
+
+
Number of Minutes:
+
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% +<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %>
+<% } %>
+<% } else {
diff --git a/src/main/webapp/admin/userManagement/unSuspendUser.jsp b/src/main/webapp/admin/userManagement/unSuspendUser.jsp
index bd65f184d..2f9dfae37 100644
--- a/src/main/webapp/admin/userManagement/unSuspendUser.jsp
+++ b/src/main/webapp/admin/userManagement/unSuspendUser.jsp
@@ -1,4 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*, servlets.admin.userManagement.GetPlayersByClass" errorPage="" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*, servlets.admin.userManagement.GetPlayersByClass"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: unSuspendUser.jsp *************************");
@@ -66,21 +68,20 @@ catch(SQLException e)
 showClasses = false;
 } %>
-
-

Cancel Player Suspension

-
-
-

Please select the player that you would like unsuspend;

- - - - - + + + + + + + +
-

Class:

-
- + + + + - - - - - -
+

Class:

+
-
-

Select the player that you want to assign here

-
-
- -
-
-
- -
- - -
- - -
+
+

Select the player that you want to assign here

+
+
+ +
+
+
+
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% +<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %>
+<% } %>
+<% } else {
diff --git a/src/main/webapp/admin/userManagement/upgradePlayers.jsp b/src/main/webapp/admin/userManagement/upgradePlayers.jsp
index 8365b19e6..4dbd8c0ee 100644
--- a/src/main/webapp/admin/userManagement/upgradePlayers.jsp
+++ b/src/main/webapp/admin/userManagement/upgradePlayers.jsp
@@ -1,4 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*, servlets.admin.userManagement.GetPlayersByClass" errorPage="" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*, servlets.admin.userManagement.GetPlayersByClass"
+ errorPage=""%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: upgradePlayer.jsp *************************");
@@ -66,22 +68,22 @@ catch(SQLException e)
 showClasses = false;
 } %>
-
-

Upgrade Players

-
-
-

Please select the player that you would like to upgrade to an administrator

-
- - - - - + + + + + + + +
-

Class:

-
- + + + + - - - - - -
+

Class:

+
-
-

Select the players that you want to assign here

-
-
- -
-
-
- -
- - -
- - -
+
+

Select the players that you want to assign here

+
+
+ +
+
+
+
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% +<% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %>
+<% } %>
+<% } else {
diff --git a/src/main/webapp/blockedMessage.jsp b/src/main/webapp/blockedMessage.jsp
index 0abf46004..31fa8e0c9 100644
--- a/src/main/webapp/blockedMessage.jsp
+++ b/src/main/webapp/blockedMessage.jsp
@@ -1,5 +1,6 @@
-<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="dbProcs.Getter, utils.*" errorPage="" %>
-<%@ include file="translation.jsp" %>
+<%@ page contentType="text/html; charset=iso-8859-1" language="java"
+ import="dbProcs.Getter, utils.*" errorPage=""%>
+<%@ include file="translation.jsp"%>
 <% ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: scoreboard.jsp *************************");
@@ -43,25 +44,31 @@
 %> - - <fmt:message key="blockedMessage.text.heading.levelBlocked" /> - + +<fmt:message + key="blockedMessage.text.heading.levelBlocked" /> + -
-

-

- -

- <%= ModuleBlock.getBlockerMessage() %> -

-
- <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - +
+

+ +

+

+ +
+
+ <%= ModuleBlock.getBlockerMessage() %> +

+
- <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <%
diff --git a/src/main/webapp/challenges/06f81ca93f26236112f8e31f32939bd496ffe8c9f7b564bce32bd5e3a8c2f751.jsp b/src/main/webapp/challenges/06f81ca93f26236112f8e31f32939bd496ffe8c9f7b564bce32bd5e3a8c2f751.jsp
index 3c7c720cc..f029b3204 100644
--- a/src/main/webapp/challenges/06f81ca93f26236112f8e31f32939bd496ffe8c9f7b564bce32bd5e3a8c2f751.jsp
+++ b/src/main/webapp/challenges/06f81ca93f26236112f8e31f32939bd496ffe8c9f7b564bce32bd5e3a8c2f751.jsp
@@ -1,4 +1,7 @@
-<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %>
+<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"
+ language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*"
+ errorPage=""%>
 <%@ page import="java.util.Locale, java.util.ResourceBundle"%>
 <% // Cross Site Scripting Challenge 4
@@ -57,39 +60,49 @@ String translatedLevelName = bundle.getString("challenge.challengeName");
 - - Security Shepherd - <%= Encode.forHtml(translatedLevelName) %> - - + +Security Shepherd - <%= Encode.forHtml(translatedLevelName) %> + + - - - - -
-

<%= Encode.forHtml(translatedLevelName) %>

-

- <%= bundle.getString("challenge.description") %> -

- - - - -
- <%= bundle.getString("challenge.form.instruction") %> -
- -
-
"/>
- -
-
- -
-

-
- + + + +
+

<%= Encode.forHtml(translatedLevelName) %>

+

+ <%= bundle.getString("challenge.description") %> +

+ + + + + + + + + + +
<%= bundle.getString("challenge.form.instruction") %>
+
+ " /> +
+ +
+
+ +
+

+
+ - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <%
diff --git a/src/main/webapp/challenges/072a9e4fc888562563adf8a89fa55050e3e1cfbbbe1d597b0537513ac8665295.jsp b/src/main/webapp/challenges/072a9e4fc888562563adf8a89fa55050e3e1cfbbbe1d597b0537513ac8665295.jsp
index 9c99036fc..6a3ed5c78 100644
--- a/src/main/webapp/challenges/072a9e4fc888562563adf8a89fa55050e3e1cfbbbe1d597b0537513ac8665295.jsp
+++ b/src/main/webapp/challenges/072a9e4fc888562563adf8a89fa55050e3e1cfbbbe1d597b0537513ac8665295.jsp
@@ -1,4 +1,5 @@
-<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*, org.owasp.encoder.Encode" errorPage="" %>
+<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"
+ language="java" import="utils.*, org.owasp.encoder.Encode" errorPage=""%>
 <%@ page import="java.util.Locale, java.util.ResourceBundle"%>
 <% /**
@@ -56,29 +57,32 @@ if (request.getSession() != null)
 %> - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - + - -
-

<%= i18nLevelName %>

-

-
- <%= paragraph1 %> -
-
- <%= mobile.getString("mobileBlurb.vmLink.1") + " ReverseEngineer1.apk " + mobile.getString("mobileBlurb.vmLink.2") %> - -

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + +
+

<%= i18nLevelName %>

+

+
+ <%= paragraph1 %> +

+ <%= mobile.getString("mobileBlurb.vmLink.1") + " ReverseEngineer1.apk " + mobile.getString("mobileBlurb.vmLink.2") %> + +

+
+ + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/11ccaf2f3b2aa4f88265b9cacb5e0ed26b11af978523e34528cf0bb9d32de851.jsp b/src/main/webapp/challenges/11ccaf2f3b2aa4f88265b9cacb5e0ed26b11af978523e34528cf0bb9d32de851.jsp index 360acd248..a045b29bf 100644 --- a/src/main/webapp/challenges/11ccaf2f3b2aa4f88265b9cacb5e0ed26b11af978523e34528cf0bb9d32de851.jsp +++ b/src/main/webapp/challenges/11ccaf2f3b2aa4f88265b9cacb5e0ed26b11af978523e34528cf0bb9d32de851.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -55,32 +56,35 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= levelName %> - - + +Security Shepherd - <%= levelName %> + + - + - -
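Review bot: The level name is written unencoded on the new side (`Security Shepherd - <%= i18nLevelName %>` in the title and again in the heading), although this page's directive imports `org.owasp.encoder.Encode` and the sibling page 06f81ca… in this same patch renders its title as `<%= Encode.forHtml(translatedLevelName) %>`. The value appears to come from a ResourceBundle (its assignment is outside the hunk), so the exposure is low, but encoding at the output point keeps the pages consistent and removes the dependence on bundle contents; `<%= Encode.forHtml(i18nLevelName) %>` in both places would do. The same unencoded title/heading output appears in the other challenge pages in this patch (11ccaf…, 362f84…, 517622…, 5bc811…, 1feccf…, 269d55…, 714d86…, 7aed58…); those whose directive imports only `utils.*` would also need `org.owasp.encoder.Encode` added to the page import.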
-

<%= levelName %>

-

-
- - <%= paragraph1 %> - -
-
- - <%= mobile.getString("mobileBlurb.vmLink.1") + " InsecureData4.apk " + mobile.getString("mobileBlurb.vmLink.2") %> - -

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + +
+

<%= levelName %>

+

+
+ + <%= paragraph1 %> + +

+ + <%= mobile.getString("mobileBlurb.vmLink.1") + " InsecureData4.apk " + mobile.getString("mobileBlurb.vmLink.2") %> + +

+
+ + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00c.jsp b/src/main/webapp/challenges/1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00c.jsp index 12931e4ba..15614cd91 100644 --- a/src/main/webapp/challenges/1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00c.jsp +++ b/src/main/webapp/challenges/1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00c.jsp @@ -1,5 +1,8 @@ <%@page import="servlets.module.challenge.DirectObjectBankLogin"%> -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*, servlets.module.challenge.DirectObjectBankLogin" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="utils.*, servlets.module.challenge.DirectObjectBankLogin" + errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -62,62 +65,87 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= levelName %> - - + +Security Shepherd - <%= levelName %> + + - - - - -
-

<%= levelName %>

-

- <%= bundle.getString("challenge.whatToDo") %> -
-
-

<%= bundle.getString("insecureBank.title") %>

-

<%= bundle.getString("insecureBank.message") %>

-
style="display: none;" <% } %>> -

<%= bundle.getString("insecureBank.signInNow") %>

-

<%= bundle.getString("insecureBank.signInNow.message") %>

-
-
- - - - -
<%= bundle.getString("loginForm.holder") %>
<%= bundle.getString("loginForm.password") %>
">
-
-
- -
-
-
-

<%= bundle.getString("register.makeAccount") %>

-

<%= bundle.getString("register.makeAccount.message") %>

-
-
- - - - -
<%= bundle.getString("loginForm.holder") %>
<%= bundle.getString("loginForm.password") %>
">
-
-
- -
-
-
style="display: none;"<% } %>> - <% if(bankSessionDetected){ %> - <%= DirectObjectBankLogin.bankForm(currentBankAccountNumber, getServletContext().getRealPath(""), ses) %> - <% } %> -
-

+ + + + +
+

<%= levelName %>

+

+ <%= bundle.getString("challenge.whatToDo") %> +

+

<%= bundle.getString("insecureBank.title") %>

+

<%= bundle.getString("insecureBank.message") %>

+
+ style="display: none;" <% } %>> +

<%= bundle.getString("insecureBank.signInNow") %>

+

<%= bundle.getString("insecureBank.signInNow.message") %>

+
+
+ + + + + + + + + + + + +
<%= bundle.getString("loginForm.holder") %>
<%= bundle.getString("loginForm.password") %>
">
+
+
+ +
+

+

<%= bundle.getString("register.makeAccount") %>

+

<%= bundle.getString("register.makeAccount.message") %>

+
+
+ + + + + + + + + + + + +
<%= bundle.getString("loginForm.holder") %>
<%= bundle.getString("loginForm.password") %>
">
+
+
+ +
+
+
+ style="display: none;" <% } %>> + <% if(bankSessionDetected){ %> + <%= DirectObjectBankLogin.bankForm(currentBankAccountNumber, getServletContext().getRealPath(""), ses) %> + <% } %>
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/1feccf2205b4c5ddf743630b46aece3784d61adc56498f7603ccd7cb8ae92629.jsp b/src/main/webapp/challenges/1feccf2205b4c5ddf743630b46aece3784d61adc56498f7603ccd7cb8ae92629.jsp index a686ab207..41f737e64 100644 --- a/src/main/webapp/challenges/1feccf2205b4c5ddf743630b46aece3784d61adc56498f7603ccd7cb8ae92629.jsp +++ b/src/main/webapp/challenges/1feccf2205b4c5ddf743630b46aece3784d61adc56498f7603ccd7cb8ae92629.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -53,50 +54,58 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.description") %> -
-
-

<%= bundle.getString("challenge.superSecurePayments") %>

-
- - - - - -
- <%= bundle.getString("challenge.form.instruction") %> -
- <%= bundle.getString("challenge.form.userName") %> - - -
- <%= bundle.getString("challenge.form.password") %> - - -
-
- -
-
- -
-

-
+ + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +

+

<%= bundle.getString("challenge.superSecurePayments") %>

+
+ + + + + + + + + + + + + + + +
<%= bundle.getString("challenge.form.instruction") %> +
<%= bundle.getString("challenge.form.userName") %>
<%= bundle.getString("challenge.form.password") %>
+
+ +
+ +
+
+ +
+

+
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/269d55bc0e0ff635dcaeec8533085e5eae5d25e8646dcd4b05009353c9cf9c80.jsp b/src/main/webapp/challenges/269d55bc0e0ff635dcaeec8533085e5eae5d25e8646dcd4b05009353c9cf9c80.jsp index 61d751c37..c6c8889b3 100644 --- a/src/main/webapp/challenges/269d55bc0e0ff635dcaeec8533085e5eae5d25e8646dcd4b05009353c9cf9c80.jsp +++ b/src/main/webapp/challenges/269d55bc0e0ff635dcaeec8533085e5eae5d25e8646dcd4b05009353c9cf9c80.jsp @@ -1,5 +1,6 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> -<%@ page import="java.util.Locale, java.util.ResourceBundle" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> +<%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% // Broken Authentication and Session Management Challenge 7 @@ -55,74 +56,92 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.description") %> -
-

-
- - - - -
- <%= bundle.getString("challenge.form.userName") %> - - -
- <%= bundle.getString("challenge.form.password") %> - - -
-
"/>
-
-
- <%= bundle.getString("challenge.form.forgotPassword") %> + + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +
+ +

+ + + + + + + + + + + + +
<%= bundle.getString("challenge.form.userName") %>
<%= bundle.getString("challenge.form.password") %>
+
+ " /> +
+
+
+ <%= bundle.getString("challenge.form.forgotPassword") %> + + +
+ - - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/278fa30ee727b74b9a2522a5ca3bf993087de5a0ac72adff216002abf79146fa.jsp b/src/main/webapp/challenges/278fa30ee727b74b9a2522a5ca3bf993087de5a0ac72adff216002abf79146fa.jsp index 15d39669c..e5e49491e 100644 --- a/src/main/webapp/challenges/278fa30ee727b74b9a2522a5ca3bf993087de5a0ac72adff216002abf79146fa.jsp +++ b/src/main/webapp/challenges/278fa30ee727b74b9a2522a5ca3bf993087de5a0ac72adff216002abf79146fa.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% @@ -56,40 +57,50 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= translatedLevelName %> - - + +Security Shepherd - <%= translatedLevelName %> + + - - - - -
-

<%= translatedLevelName %>

-

- <%= bundle.getString("challenge.description") %> -
-
-

- -
+ + + + +
+

<%= translatedLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +

+ + + + -
- "/>
+ " /> + - -
- - -

-

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/2da053b4afb1530a500120a49a14d422ea56705a7e3fc405a77bc269948ccae1.jsp b/src/main/webapp/challenges/2da053b4afb1530a500120a49a14d422ea56705a7e3fc405a77bc269948ccae1.jsp index 13186b20a..d605e4058 100644 --- a/src/main/webapp/challenges/2da053b4afb1530a500120a49a14d422ea56705a7e3fc405a77bc269948ccae1.jsp +++ b/src/main/webapp/challenges/2da053b4afb1530a500120a49a14d422ea56705a7e3fc405a77bc269948ccae1.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -58,42 +59,52 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= levelBlurb %> -

- - - + +
- <%= bundle.getString("insecureCryptoStorage.3.ciphertextToDecrypt") %> - - -
+ + + + +
+

<%= i18nLevelName %>

+

+ <%= levelBlurb %> + + + + + + + + -
<%= bundle.getString("insecureCryptoStorage.3.ciphertextToDecrypt") %> +
- "/>
+ " /> + -
- - -

-

<%= bundle.getString("insecureCryptoStorage.3.ciphertextExample") %>

-

<%= bundle.getString("insecureCryptoStorage.3.tryDecryptThis") %> IAAAAEkQBhEVBwpDHAFJGhYHSBYEGgocAw==

-
+
+ + +
+

<%= bundle.getString("insecureCryptoStorage.3.ciphertextExample") %>

+

<%= bundle.getString("insecureCryptoStorage.3.tryDecryptThis") %> + IAAAAEkQBhEVBwpDHAFJGhYHSBYEGgocAw==

- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/2e0981dcb8278a57dcfaae3b8da0c78d5a70c2d38ea9d8b3e14db3aea01afcbb.jsp b/src/main/webapp/challenges/2e0981dcb8278a57dcfaae3b8da0c78d5a70c2d38ea9d8b3e14db3aea01afcbb.jsp index 005fbef7d..0073efece 100644 --- a/src/main/webapp/challenges/2e0981dcb8278a57dcfaae3b8da0c78d5a70c2d38ea9d8b3e14db3aea01afcbb.jsp +++ b/src/main/webapp/challenges/2e0981dcb8278a57dcfaae3b8da0c78d5a70c2d38ea9d8b3e14db3aea01afcbb.jsp @@ -1,4 +1,7 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -63,61 +66,72 @@ String i18nLevelName = bundle.getString("title.csrfJson"); - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.intro") %> -
-
- POST /user/csrfchallengejson/plusplus -
- <%= bundle.getString("challenge.inJson") %> {"userId":"<%= bundle.getString("challenge.userIdExample") %>"} -
-
- <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.1") %> <%= bundle.getString("challenge.userIdExample") %><%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %> <%=bundle.getString("challenge.yourIdIs") %> <%= userId %> <%= bundle.getString("challenge.yourIdIs.1") %> -
-
- <%= bundle.getString("challenge.useForumForIframe") %> - <% + + + + +

+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.intro") %> +

POST /user/csrfchallengejson/plusplus
+ <%= bundle.getString("challenge.inJson") %> + {"userId":"<%= bundle.getString("challenge.userIdExample") %>"} +

+ <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.1") %> + <%= bundle.getString("challenge.userIdExample") %><%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %> + <%=bundle.getString("challenge.yourIdIs") %> <%= userId %> + <%= bundle.getString("challenge.yourIdIs.1") %> +

+ <%= bundle.getString("challenge.useForumForIframe") %> + <% String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); if (Getter.isCsrfLevelComplete(ApplicationRoot, moduleId, userId)) { %> -

<%= bundle.getString("result.challengeCompleted") %>

-

- <%= bundle.getString("result.congratsTheKeyIs") %> - <%= Hash.generateUserSolution(Getter.getModuleResult(ApplicationRoot, moduleId), (String)ses.getAttribute("userName")) %>

- <% } %> -

- - - - + +
- <%= bundle.getString("forum.iframe.whatToDo") %> -
- -
-
"/>
+ +

<%= bundle.getString("result.challengeCompleted") %>

+

+ <%= bundle.getString("result.congratsTheKeyIs") %> + <%= Hash.generateUserSolution(Getter.getModuleResult(ApplicationRoot, moduleId), (String)ses.getAttribute("userName")) %>
+
+ <% } %> + + + + + + + + + + + -
<%= bundle.getString("forum.iframe.whatToDo") %>
+
+ " /> +
-
- - -

- <%= Getter.getCsrfForumWithIframe(ApplicationRoot, userClass, Getter.getModuleIdFromHash(ApplicationRoot, levelHash), bundle) %> -
-

+
+ + +
+ <%= Getter.getCsrfForumWithIframe(ApplicationRoot, userClass, Getter.getModuleIdFromHash(ApplicationRoot, levelHash), bundle) %>
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/2fff41105149e507c75b5a54e558470469d7024929cf78d570cd16c03bee3569.jsp b/src/main/webapp/challenges/2fff41105149e507c75b5a54e558470469d7024929cf78d570cd16c03bee3569.jsp index 5d1937f4e..c23d7efb7 100644 --- a/src/main/webapp/challenges/2fff41105149e507c75b5a54e558470469d7024929cf78d570cd16c03bee3569.jsp +++ b/src/main/webapp/challenges/2fff41105149e507c75b5a54e558470469d7024929cf78d570cd16c03bee3569.jsp @@ -1,4 +1,7 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -61,61 +64,74 @@ if (request.getSession() != null) - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
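Review bot: `<%= userId %>` is interpolated into the instructional text without any encoding on the new side, even though this page imports `org.owasp.encoder.Encode`; `userId` is assigned in the scriptlet that begins before this hunk, so I cannot confirm from here that it is a trusted session value rather than request-derived. Writing it as `<%= Encode.forHtml(userId) %>` costs nothing and keeps the page safe regardless of where the id comes from. The same pattern appears in the csrfchallengesix (2fff41…), csrfchallengefive (70b961…) and csrfchallengeseven (7d79ea…) pages further down this patch.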
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.intro") %> -
-
- POST /user/csrfchallengesix/plusplus -
- <%= bundle.getString("challenge.withTheseParameters") %> userId = <%= bundle.getString("challenge.userIdExample") %> & csrfToken = <%= bundle.getString("challenge.yourCsrfTokenCamelCase") %> -
-
- <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.1") %> <%= bundle.getString("challenge.userIdExample") %><%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %> <%=bundle.getString("challenge.yourIdIs") %> <%= userId %> <%= bundle.getString("challenge.yourIdIs.1") %> -
-
- <%= bundle.getString("challenge.useForumForIframe") %> - <% + + + + +

+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.intro") %> +

POST /user/csrfchallengesix/plusplus
+ <%= bundle.getString("challenge.withTheseParameters") %> + userId = <%= bundle.getString("challenge.userIdExample") %> & + csrfToken = <%= bundle.getString("challenge.yourCsrfTokenCamelCase") %> +

+ <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.1") %> + <%= bundle.getString("challenge.userIdExample") %><%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %> + <%=bundle.getString("challenge.yourIdIs") %> + <%= userId %> + <%= bundle.getString("challenge.yourIdIs.1") %> +

+ <%= bundle.getString("challenge.useForumForIframe") %> + <% String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); if (Getter.isCsrfLevelComplete(ApplicationRoot, moduleId, userId)) { %> -

<%= bundle.getString("result.challengeCompleted") %>

-

- <%= bundle.getString("result.congratsTheKeyIs") %> - <%= Hash.generateUserSolution(Getter.getModuleResult(ApplicationRoot, moduleId), (String)ses.getAttribute("userName")) %>

- <% } %> -

- - - - + +
- <%= bundle.getString("forum.iframe.whatToDo") %> -
- -
-
"/>
+ +

<%= bundle.getString("result.challengeCompleted") %>

+

+ <%= bundle.getString("result.congratsTheKeyIs") %> + <%= Hash.generateUserSolution(Getter.getModuleResult(ApplicationRoot, moduleId), (String)ses.getAttribute("userName")) %>
+
+ <% } %> + + + + + + + + + + + -
<%= bundle.getString("forum.iframe.whatToDo") %>
+
+ " /> +
-
- - -

- <%= Getter.getCsrfForumWithIframe(ApplicationRoot, userClass, Getter.getModuleIdFromHash(ApplicationRoot, levelHash), bundle) %> -
-

+
+ + +
+ <%= Getter.getCsrfForumWithIframe(ApplicationRoot, userClass, Getter.getModuleIdFromHash(ApplicationRoot, levelHash), bundle) %>
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/362f84cf26bf96aeae358d5d0bbee31e9291aaa5367594c29b3af542a7572c01.jsp b/src/main/webapp/challenges/362f84cf26bf96aeae358d5d0bbee31e9291aaa5367594c29b3af542a7572c01.jsp index 52c1f4112..306cd002d 100644 --- a/src/main/webapp/challenges/362f84cf26bf96aeae358d5d0bbee31e9291aaa5367594c29b3af542a7572c01.jsp +++ b/src/main/webapp/challenges/362f84cf26bf96aeae358d5d0bbee31e9291aaa5367594c29b3af542a7572c01.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -56,29 +57,32 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= levelName %> - - + +Security Shepherd - <%= levelName %> + + - - - - -
-

<%= levelName %>

-

-
- <%= paragraph1 %> -
-
- <%= mobile.getString("mobileBlurb.vmLink.1") + " InsecureData1.apk " + mobile.getString("mobileBlurb.vmLink.2") %> - -

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + + + + +
+

<%= levelName %>

+

+
+ <%= paragraph1 %> +

+ <%= mobile.getString("mobileBlurb.vmLink.1") + " InsecureData1.apk " + mobile.getString("mobileBlurb.vmLink.2") %> + +

+
+ + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% @@ -92,4 +96,4 @@ else { response.sendRedirect("../loggedOutSheep.html"); } -%> +%> diff --git a/src/main/webapp/challenges/4a1bc73dd68f64107db3bbc7ee74e3f1336d350c4e1e51d4eda5b52dddf86c99.jsp b/src/main/webapp/challenges/4a1bc73dd68f64107db3bbc7ee74e3f1336d350c4e1e51d4eda5b52dddf86c99.jsp index 9f27d5514..e76c8b7a3 100644 --- a/src/main/webapp/challenges/4a1bc73dd68f64107db3bbc7ee74e3f1336d350c4e1e51d4eda5b52dddf86c99.jsp +++ b/src/main/webapp/challenges/4a1bc73dd68f64107db3bbc7ee74e3f1336d350c4e1e51d4eda5b52dddf86c99.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -56,40 +57,49 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= translatedLevelName %> - - + +Security Shepherd - <%= translatedLevelName %> + + - - - - -
-

<%= translatedLevelName %>

-

- <%= bundle.getString("challenge.description") %> -
-
- <%= bundle.getString("challenge.form.instruction") %> -
-
-

- -
+ + + + +
+

<%= translatedLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +

+ <%= bundle.getString("challenge.form.instruction") %> + +

+ + + + -
- "/>
+ " /> + - -
- - -

-

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/517622a535ff89f7d90674862740b48f53aad7b41390fe46c6f324fee748d136.jsp b/src/main/webapp/challenges/517622a535ff89f7d90674862740b48f53aad7b41390fe46c6f324fee748d136.jsp index 32e7a5dd8..86d9958ad 100644 --- a/src/main/webapp/challenges/517622a535ff89f7d90674862740b48f53aad7b41390fe46c6f324fee748d136.jsp +++ b/src/main/webapp/challenges/517622a535ff89f7d90674862740b48f53aad7b41390fe46c6f324fee748d136.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage=""%> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -58,21 +59,24 @@ if (request.getSession() != null) %> - - Security Shepherd - <%=LevelName%> - - + +Security Shepherd - <%=LevelName%> + + - - - - + + + +

<%=LevelName%>

<%= paragraph1 %> -

+

<%=mobile.getString("mobileBlurb.vmLink.1") + " UDataLeakage1.apk " + mobile.getString("mobileBlurb.vmLink.2") %>

diff --git a/src/main/webapp/challenges/5bc811f9e744a71393a277c51bfd8fbb5469a60209b44fa3485c18794df4d5b1.jsp b/src/main/webapp/challenges/5bc811f9e744a71393a277c51bfd8fbb5469a60209b44fa3485c18794df4d5b1.jsp index cb0c6b5b5..b24834ca7 100644 --- a/src/main/webapp/challenges/5bc811f9e744a71393a277c51bfd8fbb5469a60209b44fa3485c18794df4d5b1.jsp +++ b/src/main/webapp/challenges/5bc811f9e744a71393a277c51bfd8fbb5469a60209b44fa3485c18794df4d5b1.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage=""%> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -58,26 +59,29 @@ if (request.getSession() != null) %> - - Security Shepherd - <%=LevelName%> - - + +Security Shepherd - <%=LevelName%> + + - - - - + + + +

<%=LevelName%>

<%= paragraph1 %> -
-
+

<%= mobile.getString("mobileBlurb.vmLink.1") + " ReverseEngineer2.apk " + mobile.getString("mobileBlurb.vmLink.2") %>

- <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% @@ -91,4 +95,4 @@ else { response.sendRedirect("../loggedOutSheep.html"); } -%> +%> diff --git a/src/main/webapp/challenges/70b96195472adf3bf347cbc37c34489287969d5ba504ac2439915184d6e5dc49.jsp b/src/main/webapp/challenges/70b96195472adf3bf347cbc37c34489287969d5ba504ac2439915184d6e5dc49.jsp index 0c0931ecc..8ba7ed405 100644 --- a/src/main/webapp/challenges/70b96195472adf3bf347cbc37c34489287969d5ba504ac2439915184d6e5dc49.jsp +++ b/src/main/webapp/challenges/70b96195472adf3bf347cbc37c34489287969d5ba504ac2439915184d6e5dc49.jsp @@ -1,4 +1,7 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% // Cross Site Request Forgery Challenge 5 @@ -63,61 +66,74 @@ if (request.getSession() != null) - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.intro") %> -
-
- POST /user/csrfchallengefive/plusplus -
- <%= bundle.getString("challenge.withTheseParameters") %> userId = <%= bundle.getString("challenge.userIdExample") %> & csrfToken = <%= bundle.getString("challenge.yourCsrfTokenCamelCase") %> -
-
- <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.1") %> <%= bundle.getString("challenge.userIdExample") %><%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %> <%=bundle.getString("challenge.yourIdIs") %> <%= userId %> <%= bundle.getString("challenge.yourIdIs.1") %> -
-
- <%= bundle.getString("challenge.useForumForIframe") %> - <% + + + + +

+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.intro") %> +

POST /user/csrfchallengefive/plusplus
+ <%= bundle.getString("challenge.withTheseParameters") %> + userId = <%= bundle.getString("challenge.userIdExample") %> & + csrfToken = <%= bundle.getString("challenge.yourCsrfTokenCamelCase") %> +

+ <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.1") %> + <%= bundle.getString("challenge.userIdExample") %><%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %> + <%=bundle.getString("challenge.yourIdIs") %> + <%= userId %> + <%= bundle.getString("challenge.yourIdIs.1") %> +

+ <%= bundle.getString("challenge.useForumForIframe") %> + <% String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); if (Getter.isCsrfLevelComplete(ApplicationRoot, moduleId, userId)) { %> -

<%= bundle.getString("result.challengeCompleted") %>

-

- <%= bundle.getString("result.congratsTheKeyIs") %> - <%= Hash.generateUserSolution(Getter.getModuleResult(ApplicationRoot, moduleId), (String)ses.getAttribute("userName")) %>

- <% } %> -

- - - - + +
- <%= bundle.getString("forum.iframe.whatToDo") %> -
- -
-
"/>
+ +

<%= bundle.getString("result.challengeCompleted") %>

+

+ <%= bundle.getString("result.congratsTheKeyIs") %> + <%= Hash.generateUserSolution(Getter.getModuleResult(ApplicationRoot, moduleId), (String)ses.getAttribute("userName")) %>
+
+ <% } %> + + + + + + + + + + + -
<%= bundle.getString("forum.iframe.whatToDo") %>
+
+ " /> +
-
- - -

- <%= Getter.getCsrfForumWithIframe(ApplicationRoot, userClass, Getter.getModuleIdFromHash(ApplicationRoot, levelHash), bundle) %> -
-

+
+ + +
+ <%= Getter.getCsrfForumWithIframe(ApplicationRoot, userClass, Getter.getModuleIdFromHash(ApplicationRoot, levelHash), bundle) %>
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/714d8601c303bbef8b5cabab60b1060ac41f0d96f53b6ea54705bb1ea4316334.jsp b/src/main/webapp/challenges/714d8601c303bbef8b5cabab60b1060ac41f0d96f53b6ea54705bb1ea4316334.jsp index 0081c5000..a691ea80b 100644 --- a/src/main/webapp/challenges/714d8601c303bbef8b5cabab60b1060ac41f0d96f53b6ea54705bb1ea4316334.jsp +++ b/src/main/webapp/challenges/714d8601c303bbef8b5cabab60b1060ac41f0d96f53b6ea54705bb1ea4316334.jsp @@ -1,5 +1,6 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> -<%@ page import="java.util.Locale, java.util.ResourceBundle" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> +<%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** * Broken Authentication and Session Management Challenge eight @@ -53,34 +54,43 @@ String i18nLevelName = bundle.getString("challenge.challengeName"); %> - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.description") %> <%= bundle.getString("challenge.description.2") %> -
-

- -
-
"/>
+ + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.description") %> + <%= bundle.getString("challenge.description.2") %> +
+ + + + -
+
+ " /> +
-
- - -

-

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/7aed58f3a00087d56c844ed9474c671f8999680556c127a19ee79fa5d7a132e1.jsp b/src/main/webapp/challenges/7aed58f3a00087d56c844ed9474c671f8999680556c127a19ee79fa5d7a132e1.jsp index 5f5377485..c2272894f 100644 --- a/src/main/webapp/challenges/7aed58f3a00087d56c844ed9474c671f8999680556c127a19ee79fa5d7a132e1.jsp +++ b/src/main/webapp/challenges/7aed58f3a00087d56c844ed9474c671f8999680556c127a19ee79fa5d7a132e1.jsp @@ -1,5 +1,6 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> -<%@ page import="java.util.Locale, java.util.ResourceBundle" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> +<%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% // Broken Authentication and Session Management Challenge Five @@ -54,66 +55,77 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.description") %> -
-

-
- - - - -
- <%= bundle.getString("challenge.form.userName") %> - - -
- <%= bundle.getString("challenge.form.password") %> - - -
-
"/>
-
-
- "/> -
- -
- -

+ + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +
+

+
+ + + + + + + + + + + + +
<%= bundle.getString("challenge.form.userName") %>
<%= bundle.getString("challenge.form.password") %>
+
+ " /> +
+
+
+ " /> +
+ +
+ - - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/7d79ea2b2a82543d480a63e55ebb8fef3209c5d648b54d1276813cd072815df3.jsp b/src/main/webapp/challenges/7d79ea2b2a82543d480a63e55ebb8fef3209c5d648b54d1276813cd072815df3.jsp index 9fe33b993..50e148b76 100644 --- a/src/main/webapp/challenges/7d79ea2b2a82543d480a63e55ebb8fef3209c5d648b54d1276813cd072815df3.jsp +++ b/src/main/webapp/challenges/7d79ea2b2a82543d480a63e55ebb8fef3209c5d648b54d1276813cd072815df3.jsp @@ -1,4 +1,7 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% // Cross Site Request Forgery Challenge 7 @@ -69,62 +72,76 @@ if (request.getSession() != null) - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - + - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.intro") %> -
-
- POST /user/csrfchallengeseven/plusplus -
- <%= bundle.getString("challenge.withTheseParameters") %> userId = <%= bundle.getString("challenge.userIdExample") %> & csrfToken = <%= bundle.getString("challenge.yourCsrfTokenCamelCase") %> -
-
- <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.1") %> <%= bundle.getString("challenge.userIdExample") %><%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %> <%=bundle.getString("challenge.yourIdIs") %> <%= userId %> <%= bundle.getString("challenge.yourIdIs.1") %> - <%= bundle.getString("challenge.getCsrfTokenHere.1") %> <%= bundle.getString("challenge.getCsrfTokenHere.2") %> -
-
- <%= bundle.getString("challenge.useForumForIframe") %> - <% + +

+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.intro") %> +

POST /user/csrfchallengeseven/plusplus
+ <%= bundle.getString("challenge.withTheseParameters") %> + userId = <%= bundle.getString("challenge.userIdExample") %> & + csrfToken = <%= bundle.getString("challenge.yourCsrfTokenCamelCase") %> +

+ <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.1") %> + <%= bundle.getString("challenge.userIdExample") %><%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %> + <%=bundle.getString("challenge.yourIdIs") %> + <%= userId %> + <%= bundle.getString("challenge.yourIdIs.1") %> + <%= bundle.getString("challenge.getCsrfTokenHere.1") %> + <%= bundle.getString("challenge.getCsrfTokenHere.2") %> +

+ <%= bundle.getString("challenge.useForumForIframe") %> + <% String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); if (Getter.isCsrfLevelComplete(ApplicationRoot, moduleId, userId)) { %> -

<%= bundle.getString("result.challengeCompleted") %>

-

- <%= bundle.getString("result.congratsTheKeyIs") %> - <%= Hash.generateUserSolution(Getter.getModuleResult(ApplicationRoot, moduleId), (String)ses.getAttribute("userName")) %>

- <% } %> -

- - - - + +
- <%= bundle.getString("forum.iframe.whatToDo") %> -
- -
-
"/>
+ +

<%= bundle.getString("result.challengeCompleted") %>

+

+ <%= bundle.getString("result.congratsTheKeyIs") %> + <%= Hash.generateUserSolution(Getter.getModuleResult(ApplicationRoot, moduleId), (String)ses.getAttribute("userName")) %>
+
+ <% } %> + + + + + + + + + + + -
<%= bundle.getString("forum.iframe.whatToDo") %>
+
+ " /> +
-
- - -

- <%= Getter.getCsrfForumWithIframe(ApplicationRoot, userClass, Getter.getModuleIdFromHash(ApplicationRoot, levelHash), bundle) %> -
-

+
+ + +
+ <%= Getter.getCsrfForumWithIframe(ApplicationRoot, userClass, Getter.getModuleIdFromHash(ApplicationRoot, levelHash), bundle) %>
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/7edcbc1418f11347167dabb69fcb54137960405da2f7a90a0684f86c4d45a2e7.jsp b/src/main/webapp/challenges/7edcbc1418f11347167dabb69fcb54137960405da2f7a90a0684f86c4d45a2e7.jsp index 440a59bba..36f07f2fa 100644 --- a/src/main/webapp/challenges/7edcbc1418f11347167dabb69fcb54137960405da2f7a90a0684f86c4d45a2e7.jsp +++ b/src/main/webapp/challenges/7edcbc1418f11347167dabb69fcb54137960405da2f7a90a0684f86c4d45a2e7.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -52,50 +53,64 @@ %> - - Security Shepherd - <%= translatedLevelName %> - - + +Security Shepherd - <%= translatedLevelName %> + + - - - - -
-

<%= translatedLevelName %>

-

- <%= bundle.getString("challenge.description") %> -

- -
- - - - -
- <%= bundle.getString("challenge.form.pleaseEnter") %><%= bundle.getString("challenge.form.customerName") %> <%= bundle.getString("challenge.form.userLookUp") %> -
- -
-
"/>
- - -
-
- -
-

+ + + + +
+

<%= translatedLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +

- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/83dee43e50f65876d9c24a9355200f7c10569dc94e51349f7b857fb68b4e6bdf.jsp b/src/main/webapp/challenges/83dee43e50f65876d9c24a9355200f7c10569dc94e51349f7b857fb68b4e6bdf.jsp index 5dacf1846..33798c975 100644 --- a/src/main/webapp/challenges/83dee43e50f65876d9c24a9355200f7c10569dc94e51349f7b857fb68b4e6bdf.jsp +++ b/src/main/webapp/challenges/83dee43e50f65876d9c24a9355200f7c10569dc94e51349f7b857fb68b4e6bdf.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage=""%> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -54,22 +55,24 @@ if (request.getSession() != null) %> - - Security Shepherd - <%=translatedLevelName%> - - + +Security Shepherd - <%=translatedLevelName%> + + - - - - + + + +

<%=translatedLevelName%>

<%= bundle.getString("challenge1.para1") %> -
-
+

<%= mobile.getString("mobileBlurb.vmLink.1") + " UDataLeakage2.apk " + mobile.getString("mobileBlurb.vmLink.2") %>

diff --git a/src/main/webapp/challenges/84118752e6cd78fecc3563ba2873d944aacb7b72f28693a23f9949ac310648b5.jsp b/src/main/webapp/challenges/84118752e6cd78fecc3563ba2873d944aacb7b72f28693a23f9949ac310648b5.jsp index 3aa24df36..04adf766d 100644 --- a/src/main/webapp/challenges/84118752e6cd78fecc3563ba2873d944aacb7b72f28693a23f9949ac310648b5.jsp +++ b/src/main/webapp/challenges/84118752e6cd78fecc3563ba2873d944aacb7b72f28693a23f9949ac310648b5.jsp @@ -1,4 +1,7 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% // Cross Site Request Forgery Challenge 4 @@ -67,61 +70,76 @@ if (request.getSession() != null) - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.intro") %> -
-
- POST /user/csrfchallengefour/plusplus -
- <%= bundle.getString("challenge.withTheseParameters") %> userId = <%= bundle.getString("challenge.userIdExample") %> & csrfToken = <%= bundle.getString("challenge.yourCsrfTokenCamelCase") %> -
-
- <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.1") %> <%= bundle.getString("challenge.userIdExample") %> <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %> <%=bundle.getString("challenge.yourIdIs") %> <%= userId %> <%=bundle.getString("challenge.yourCsrfTokenIs") %> <%= csrfChal4Token %><%= bundle.getString("challenge.yourIdIs.1") %> -
-
- <%= bundle.getString("challenge.useForumForIframe") %> - <% + + + + +

+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.intro") %> +

POST /user/csrfchallengefour/plusplus
+ <%= bundle.getString("challenge.withTheseParameters") %> + userId = <%= bundle.getString("challenge.userIdExample") %> & + csrfToken = <%= bundle.getString("challenge.yourCsrfTokenCamelCase") %> +

+ <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.1") %> + <%= bundle.getString("challenge.userIdExample") %> + <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %> + <%=bundle.getString("challenge.yourIdIs") %> + <%= userId %> + <%=bundle.getString("challenge.yourCsrfTokenIs") %> + <%= csrfChal4Token %><%= bundle.getString("challenge.yourIdIs.1") %> +

+ <%= bundle.getString("challenge.useForumForIframe") %> + <% String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); if (Getter.isCsrfLevelComplete(ApplicationRoot, moduleId, userId)) { %> -

<%= bundle.getString("result.challengeCompleted") %>

-

- <%= bundle.getString("result.congratsTheKeyIs") %> - <%= Hash.generateUserSolution(Getter.getModuleResult(ApplicationRoot, moduleId), (String)ses.getAttribute("userName")) %>

- <% } %> -

- - - - + +
- <%= bundle.getString("forum.iframe.whatToDo") %> -
- -
-
"/>
+ +

<%= bundle.getString("result.challengeCompleted") %>

+

+ <%= bundle.getString("result.congratsTheKeyIs") %> + <%= Hash.generateUserSolution(Getter.getModuleResult(ApplicationRoot, moduleId), (String)ses.getAttribute("userName")) %>
+
+ <% } %> + + + + + + + + + + + -
<%= bundle.getString("forum.iframe.whatToDo") %>
+
+ " /> +
-
- - -

- <%= Getter.getCsrfForumWithIframe(ApplicationRoot, userClass, Getter.getModuleIdFromHash(ApplicationRoot, levelHash), bundle) %> -
-

+
+ + +
+ <%= Getter.getCsrfForumWithIframe(ApplicationRoot, userClass, Getter.getModuleIdFromHash(ApplicationRoot, levelHash), bundle) %>
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/85ceae7ec397c8f4448be51c33a634194bf5da440282227c15954bbdfb54f0c7.jsp b/src/main/webapp/challenges/85ceae7ec397c8f4448be51c33a634194bf5da440282227c15954bbdfb54f0c7.jsp index 081df9d54..015cddbef 100644 --- a/src/main/webapp/challenges/85ceae7ec397c8f4448be51c33a634194bf5da440282227c15954bbdfb54f0c7.jsp +++ b/src/main/webapp/challenges/85ceae7ec397c8f4448be51c33a634194bf5da440282227c15954bbdfb54f0c7.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -57,28 +58,31 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= levelName %> - - + +Security Shepherd - <%= levelName %> + + - + - -
-

<%= LevelName %>

-

- <%= paragraph1 %> -
-
- <%= mobile.getString("mobileBlurb.vmLink.1") + " UDataLeakage3.apk " + mobile.getString("mobileBlurb.vmLink.2") %> - -

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + +
+

<%= LevelName %>

+

+ <%= paragraph1 %> +

+ <%= mobile.getString("mobileBlurb.vmLink.1") + " UDataLeakage3.apk " + mobile.getString("mobileBlurb.vmLink.2") %> + +

+
+ + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/8855c8bb9df4446a546414562eda550520e29f7a82400a317c579eb3a5a0a8ef.jsp b/src/main/webapp/challenges/8855c8bb9df4446a546414562eda550520e29f7a82400a317c579eb3a5a0a8ef.jsp index 9157e5c1d..cdcfb0530 100644 --- a/src/main/webapp/challenges/8855c8bb9df4446a546414562eda550520e29f7a82400a317c579eb3a5a0a8ef.jsp +++ b/src/main/webapp/challenges/8855c8bb9df4446a546414562eda550520e29f7a82400a317c579eb3a5a0a8ef.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -57,29 +58,32 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= levelName %> - - + +Security Shepherd - <%= levelName %> + + - - - - -
-

<%= LevelName %>

-

- <%= paragraph1 %> - -
-
- <%= mobile.getString("mobileBlurb.vmLink.1") + " CSInjection1.apk " + mobile.getString("mobileBlurb.vmLink.2") %> - -

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + + + + +
+

<%= LevelName %>

+

+ <%= paragraph1 %> + +

+ <%= mobile.getString("mobileBlurb.vmLink.1") + " CSInjection1.apk " + mobile.getString("mobileBlurb.vmLink.2") %> + +

+
+ + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% @@ -93,4 +97,4 @@ else { response.sendRedirect("../loggedOutSheep.html"); } -%> +%> diff --git a/src/main/webapp/challenges/8c2dd7e9818e5c6a9f8562feefa002dc0e455f0e92c8a46ab0cf519b1547eced.jsp b/src/main/webapp/challenges/8c2dd7e9818e5c6a9f8562feefa002dc0e455f0e92c8a46ab0cf519b1547eced.jsp index 899b86058..dd569c68a 100644 --- a/src/main/webapp/challenges/8c2dd7e9818e5c6a9f8562feefa002dc0e455f0e92c8a46ab0cf519b1547eced.jsp +++ b/src/main/webapp/challenges/8c2dd7e9818e5c6a9f8562feefa002dc0e455f0e92c8a46ab0cf519b1547eced.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -55,47 +56,56 @@ - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.description") %> - -

- - - - - -
- <%= bundle.getString("challenge.form.pleaseEnterCredentials") %> -
- <%= bundle.getString("challenge.form.email") %> - - -
- <%= bundle.getString("challenge.form.password") %> - - -
-
"/>
- -
-
- -
-

-
- + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +

+ + + + + + + + + + + + + + + +
<%= bundle.getString("challenge.form.pleaseEnterCredentials") %> +
<%= bundle.getString("challenge.form.email") %>
<%= bundle.getString("challenge.form.password") %>
+
+ " /> +
+ +
+
+ +
+

+
+ - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/8c3c35c30cdbbb73b7be3a4f8587aa9d88044dc43e248984a252c6e861f673d4.jsp b/src/main/webapp/challenges/8c3c35c30cdbbb73b7be3a4f8587aa9d88044dc43e248984a252c6e861f673d4.jsp index 304cdfa22..6586be24e 100644 --- a/src/main/webapp/challenges/8c3c35c30cdbbb73b7be3a4f8587aa9d88044dc43e248984a252c6e861f673d4.jsp +++ b/src/main/webapp/challenges/8c3c35c30cdbbb73b7be3a4f8587aa9d88044dc43e248984a252c6e861f673d4.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -53,49 +54,62 @@ - - Security Shepherd - <%= i18nLevelName %> - + +Security Shepherd - <%= i18nLevelName %> + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.description") %> -

- -
- - - - -
- <%= bundle.getString("challenge.form.pleaseEnter") %> -
- -
-
"/>
- - -
-
- -
-

+ + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +

- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% @@ -154,4 +169,4 @@ else { response.sendRedirect("../loggedOutSheep.html"); } -%> +%> diff --git a/src/main/webapp/challenges/8edf0a8ed891e6fef1b650935a6c46b03379a0eebab36afcd1d9076f65d4ce62.jsp b/src/main/webapp/challenges/8edf0a8ed891e6fef1b650935a6c46b03379a0eebab36afcd1d9076f65d4ce62.jsp index 1b11cbc89..c83e45093 100644 --- a/src/main/webapp/challenges/8edf0a8ed891e6fef1b650935a6c46b03379a0eebab36afcd1d9076f65d4ce62.jsp +++ b/src/main/webapp/challenges/8edf0a8ed891e6fef1b650935a6c46b03379a0eebab36afcd1d9076f65d4ce62.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -53,75 +54,92 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= i18nLevelName %> - + +Security Shepherd - <%= i18nLevelName %> + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.description") %> -
-
-

<%= bundle.getString("challenge.description.h3") %>

- <%= bundle.getString("challenge.description.p1") %> - <%= bundle.getString("challenge.description.p2") %> -
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
<%= bundle.getString("challenge.form.picture") %><%= bundle.getString("challenge.form.cost") %><%= bundle.getString("challenge.form.quantity") %>
<%= bundle.getString("challenge.form.45") %> -
<%= bundle.getString("challenge.form.15") %> -
<%= bundle.getString("challenge.form.3000") %> -
<%= bundle.getString("challenge.form.30") %> -
- <%= bundle.getString("challenge.form.pleaseSelect") %> - - - + +
<%= bundle.getString("challenge.form.couponCode") %>:
+ + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +

+

<%= bundle.getString("challenge.description.h3") %>

+ <%= bundle.getString("challenge.description.p1") %> + <%= bundle.getString("challenge.description.p2") %> +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
<%= bundle.getString("challenge.form.picture") %><%= bundle.getString("challenge.form.cost") %><%= bundle.getString("challenge.form.quantity") %>
<%= bundle.getString("challenge.form.45") %> +
<%= bundle.getString("challenge.form.15") %> +
<%= bundle.getString("challenge.form.3000") %> +
<%= bundle.getString("challenge.form.30") %> +
+ <%= bundle.getString("challenge.form.pleaseSelect") %> + + + + + + + -
<%= bundle.getString("challenge.form.couponCode") %>:
- "/>
- -
- + " /> +
+ +
+ -
-

-
- - - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/9e5ed059b23632c8801d95621fa52071b2eb211d8c044dde6d2f4b89874a7bc4.jsp b/src/main/webapp/challenges/9e5ed059b23632c8801d95621fa52071b2eb211d8c044dde6d2f4b89874a7bc4.jsp index 6cbd7b157..3985901ac 100644 --- a/src/main/webapp/challenges/9e5ed059b23632c8801d95621fa52071b2eb211d8c044dde6d2f4b89874a7bc4.jsp +++ b/src/main/webapp/challenges/9e5ed059b23632c8801d95621fa52071b2eb211d8c044dde6d2f4b89874a7bc4.jsp @@ -1,5 +1,9 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*, servlets.module.challenge.BrokenCryptoHomeMade" errorPage="" %> -<%@ page import="java.util.Locale,java.util.ResourceBundle,java.util.ArrayList,java.util.List,org.owasp.encoder.Encode"%> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="utils.*, servlets.module.challenge.BrokenCryptoHomeMade" + errorPage=""%> +<%@ page + import="java.util.Locale,java.util.ResourceBundle,java.util.ArrayList,java.util.List,org.owasp.encoder.Encode"%> <% /** @@ -56,54 +60,63 @@ if (request.getSession() != null) %> - - Security Shepherd - <%=levelName%> - - + +Security Shepherd - <%=levelName%> + +
- - - - + + + +

<%=levelName%>

-

+

<%=bundle.getString("challenge.whatToDo")%> -
-
-

<%=bundle.getString("badCrypto.title")%>

- - - <% +

+

<%=bundle.getString("badCrypto.title")%>

+
Challenge NameBase KeyYour User Specific Solution
+ + + + + + <% for(int i = 0; i < BrokenCryptoHomeMade.challenges.size(); i++) { %> - - - - <% if(!BrokenCryptoHomeMade.challenges.get(i).get(0).equalsIgnoreCase("This Challenge")) { %> - - <% } else { %> - - <% } %> - - <% + + + + <% if(!BrokenCryptoHomeMade.challenges.get(i).get(0).equalsIgnoreCase("This Challenge")) { %> + + <% } else { %> + + <% } %> + + <% } %> -
Challenge NameBase KeyYour User Specific Solution
<%= BrokenCryptoHomeMade.challenges.get(i).get(0) %><%= BrokenCryptoHomeMade.challenges.get(i).get(1) %><%= BrokenCryptoHomeMade.generateUserSolution(BrokenCryptoHomeMade.challenges.get(i).get(1), ses.getAttribute("userName").toString()) %> -
- - -
-
<%= BrokenCryptoHomeMade.challenges.get(i).get(0) %><%= BrokenCryptoHomeMade.challenges.get(i).get(1) %><%= BrokenCryptoHomeMade.generateUserSolution(BrokenCryptoHomeMade.challenges.get(i).get(1), ses.getAttribute("userName").toString()) %> +
+ + +
+
-
- -
-

+
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/ac8f3f6224b1ea3fb8a0f017aadd0d84013ea2c80e232c980e54dd753700123e.jsp b/src/main/webapp/challenges/ac8f3f6224b1ea3fb8a0f017aadd0d84013ea2c80e232c980e54dd753700123e.jsp index b80d161ae..c5f8a86fb 100644 --- a/src/main/webapp/challenges/ac8f3f6224b1ea3fb8a0f017aadd0d84013ea2c80e232c980e54dd753700123e.jsp +++ b/src/main/webapp/challenges/ac8f3f6224b1ea3fb8a0f017aadd0d84013ea2c80e232c980e54dd753700123e.jsp @@ -1,5 +1,5 @@ <%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" - import="utils.*, org.owasp.encoder.Encode" errorPage="" %> + import="utils.*, org.owasp.encoder.Encode" errorPage="" %> <%@ page import="java.util.Locale, java.util.ResourceBundle" %> <%@ page import="org.apache.logging.log4j.LogManager" %> <%@ page import="dbProcs.FileInputProperties" %> @@ -60,48 +60,57 @@ %> - - Security Shepherd - <%=i18nLevelName%> - - + +Security Shepherd - <%=i18nLevelName%> + + - - - - -
-

<%= i18nLevelName %> -

-

-

-
-
-
- <%= bundle.getString("challenge.description") + + + + +
+

<%= i18nLevelName %> +

+

+

+
+
+
+ <%= bundle.getString("challenge.description") + "" + System.getProperty("user.dir") + "/" + FileInputProperties.readPropFileClassLoader("/fileSystemKeys.properties", "xxe.challenge.1.file") + "" %> -
-
-
- - - - -
- <%= bundle.getString("paragraph.info.emailAdd") %> -
- -
-
"/>
- -
-
+

+
+ + + + + + + + + + +
<%= bundle.getString("paragraph.info.emailAdd") %>
+
+ " /> +
+ +
+
-
-

-
- -<% if (Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if (Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/ad2628bcc79bf10dd54ee62de148ab44b7bd028009a908ce3f1b4d019886d0e.jsp b/src/main/webapp/challenges/ad2628bcc79bf10dd54ee62de148ab44b7bd028009a908ce3f1b4d019886d0e.jsp index b9dcd6f62..2df3d2e10 100644 --- a/src/main/webapp/challenges/ad2628bcc79bf10dd54ee62de148ab44b7bd028009a908ce3f1b4d019886d0e.jsp +++ b/src/main/webapp/challenges/ad2628bcc79bf10dd54ee62de148ab44b7bd028009a908ce3f1b4d019886d0e.jsp @@ -1,4 +1,7 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% // Cross Site Scripting Challenge 3 @@ -54,40 +57,53 @@ - - Security Shepherd - <%= translatedLevelName %> - - + +Security Shepherd - <%= translatedLevelName %> + + - - - - -
-

<%= translatedLevelName %>

-

- <%= bundle.getString("challenge.description") %> -

- - - - -
- <%= bundle.getString("challenge.form.instruction") %> -
- -
-
"/>
- - -
-
- -
-

-
- + + + +
+

<%= translatedLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +

+ + + + + + + + + + +
<%= bundle.getString("challenge.form.instruction") %>
+
+
+ " /> +
+ + +
+
+ +
+

+
+ - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/b5e1020e3742cf2c0880d4098146c4dde25ebd8ceab51807bad88ff47c316ece.jsp b/src/main/webapp/challenges/b5e1020e3742cf2c0880d4098146c4dde25ebd8ceab51807bad88ff47c316ece.jsp index 296f32892..aec687e41 100644 --- a/src/main/webapp/challenges/b5e1020e3742cf2c0880d4098146c4dde25ebd8ceab51807bad88ff47c316ece.jsp +++ b/src/main/webapp/challenges/b5e1020e3742cf2c0880d4098146c4dde25ebd8ceab51807bad88ff47c316ece.jsp @@ -1,5 +1,6 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> -<%@ page import="java.util.Locale, java.util.ResourceBundle" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> +<%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% // Broken Authentication and Session Management Challenge Six @@ -55,74 +56,92 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.description") %> -
-

-
- - - - -
- <%= bundle.getString("challenge.form.userName") %> - - -
- <%= bundle.getString("challenge.form.password") %> - - -
-
"/>
-
-
- <%= bundle.getString("challenge.form.forgotPassword") %> + + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +
+ +

+ + + + + + + + + + + + +
<%= bundle.getString("challenge.form.userName") %>
<%= bundle.getString("challenge.form.password") %>
+
+ " /> +
+
+
+ <%= bundle.getString("challenge.form.forgotPassword") %> + + +
+ - - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/b7327828a90da59df54b27499c0dc2e875344035e38608fcfb7c1ab8924923f6.jsp b/src/main/webapp/challenges/b7327828a90da59df54b27499c0dc2e875344035e38608fcfb7c1ab8924923f6.jsp index a5150afd4..1e08db7a7 100644 --- a/src/main/webapp/challenges/b7327828a90da59df54b27499c0dc2e875344035e38608fcfb7c1ab8924923f6.jsp +++ b/src/main/webapp/challenges/b7327828a90da59df54b27499c0dc2e875344035e38608fcfb7c1ab8924923f6.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% // SQL Injection Challenge Three @@ -55,44 +56,53 @@ if (request.getSession() != null) - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

+ + + + +
+

<%= i18nLevelName %> -

-

- <%= bundle.getString("challenge.description") %> - -

- - - - -
- <%= bundle.getString("challenge.form.pleaseEnter") %> -
- -
-
"/>
- -
-
- - - -
-

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/b927fc4d8c9f70a78f8b6fc46a0cc18533a88b2363054a1f391fe855954d12f9.jsp b/src/main/webapp/challenges/b927fc4d8c9f70a78f8b6fc46a0cc18533a88b2363054a1f391fe855954d12f9.jsp index 6908485e8..92507c3e5 100644 --- a/src/main/webapp/challenges/b927fc4d8c9f70a78f8b6fc46a0cc18533a88b2363054a1f391fe855954d12f9.jsp +++ b/src/main/webapp/challenges/b927fc4d8c9f70a78f8b6fc46a0cc18533a88b2363054a1f391fe855954d12f9.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -54,74 +55,94 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("insecureCryptoStorage.4.whatToDo") %> -
-
-

<%= bundle.getString("insecureCryptoStorage.4.shop") %>

-

<%= bundle.getString("insecureCryptoStorage.4.shop.message.1") %> PleaseTakeAFruit <%= bundle.getString("insecureCryptoStorage.4.shop.message.2") %> FruitForFree <%= bundle.getString("insecureCryptoStorage.4.shop.message.3") %>

-
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
<%= bundle.getString("insecureCryptoStorage.4.shop.picture") %><%= bundle.getString("insecureCryptoStorage.4.shop.cost") %><%= bundle.getString("insecureCryptoStorage.4.shop.quantity") %>
$45 -
$15 -
$3000 -
$30 -
-

<%= bundle.getString("insecureCryptoStorage.4.shop.howToShop") %>

- - -
<%= bundle.getString("insecureCryptoStorage.4.shop.couponCode") %>
+ + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("insecureCryptoStorage.4.whatToDo") %> +

+

<%= bundle.getString("insecureCryptoStorage.4.shop") %>

+

<%= bundle.getString("insecureCryptoStorage.4.shop.message.1") %> + PleaseTakeAFruit + <%= bundle.getString("insecureCryptoStorage.4.shop.message.2") %> + FruitForFree + <%= bundle.getString("insecureCryptoStorage.4.shop.message.3") %>

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
<%= bundle.getString("insecureCryptoStorage.4.shop.picture") %><%= bundle.getString("insecureCryptoStorage.4.shop.cost") %><%= bundle.getString("insecureCryptoStorage.4.shop.quantity") %>
$45 +
$15 +
$3000 +
$30 +
+

<%= bundle.getString("insecureCryptoStorage.4.shop.howToShop") %>

+ + + + + + + -
<%= bundle.getString("insecureCryptoStorage.4.shop.couponCode") %>
- "/>
+ " /> + -
- - -
-

-
- - - + - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> - <% + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> + <% /* Clean Code Version of obfusticated couponCheck.js diff --git a/src/main/webapp/challenges/c4285bbc6734a10897d672c1ed3dd9417e0530a4e0186c27699f54637c7fb5d4.jsp b/src/main/webapp/challenges/c4285bbc6734a10897d672c1ed3dd9417e0530a4e0186c27699f54637c7fb5d4.jsp index 55ea52591..b4aa0273d 100644 --- a/src/main/webapp/challenges/c4285bbc6734a10897d672c1ed3dd9417e0530a4e0186c27699f54637c7fb5d4.jsp +++ b/src/main/webapp/challenges/c4285bbc6734a10897d672c1ed3dd9417e0530a4e0186c27699f54637c7fb5d4.jsp @@ -1,5 +1,8 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="servlets.module.challenge.SecurityMisconfigStealTokens, java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> -<%@ page import="java.util.Locale, java.util.ResourceBundle" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="servlets.module.challenge.SecurityMisconfigStealTokens, java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> +<%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** * Security Misconfiguration Cookie Challenge @@ -78,41 +81,47 @@ String i18nLevelName = bundle.getString("securityMisconfig.stealTokens.challenge - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("securityMisconfig.stealTokens.description") %> -
-
- <%= bundle.getString(" title="<%= bundle.getString("securityMisconfig.stealTokens.whyThisImageIsHere") %>" src="<%= Encode.forHtmlAttribute(challengeUrl) %>"> -
-
- <%= bundle.getString("securityMisconfig.stealTokens.haveSomebodyOnYourNetwork") %> -
-
- <%= bundle.getString("securityMisconfig.stealTokens.stealTokenThenDoThis") %> -

- -
-
"/>
+ + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("securityMisconfig.stealTokens.description") %> +

<%= bundle.getString(" + title="<%= bundle.getString("securityMisconfig.stealTokens.whyThisImageIsHere") %>" + src="<%= Encode.forHtmlAttribute(challengeUrl) %>">

+ <%= bundle.getString("securityMisconfig.stealTokens.haveSomebodyOnYourNetwork") %> +

+ <%= bundle.getString("securityMisconfig.stealTokens.stealTokenThenDoThis") %> + + + + -
+
+ " /> +
-
- -

-

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/cfe68711def42bb0b201467b859322dd2750f633246842280dc68c858d208425.jsp b/src/main/webapp/challenges/cfe68711def42bb0b201467b859322dd2750f633246842280dc68c858d208425.jsp index 854f5400c..b39a1a231 100644 --- a/src/main/webapp/challenges/cfe68711def42bb0b201467b859322dd2750f633246842280dc68c858d208425.jsp +++ b/src/main/webapp/challenges/cfe68711def42bb0b201467b859322dd2750f633246842280dc68c858d208425.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -56,26 +57,28 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= levelName %> - - + +Security Shepherd - <%= levelName %> + + - - - - -
-

<%= LevelName %>

-

- <%= paragraph1 %> -
-
- <%= mobile.getString("mobileBlurb.vmLink.1") + " CSInjection2.apk " + mobile.getString("mobileBlurb.vmLink.2") %> - - <% /* IF you need a form - Present it like this */ %> - <% + + + + +

+

<%= LevelName %>

+

+ <%= paragraph1 %> +

+ <%= mobile.getString("mobileBlurb.vmLink.1") + " CSInjection2.apk " + mobile.getString("mobileBlurb.vmLink.2") %> + + <% /* IF you need a form - Present it like this */ %> + <% /*

@@ -93,10 +96,10 @@ if (request.getSession() != null)

*/ %> -

-
- <% /*If you need to call the Server Do it like this */ %> - <% +

+
+ <% /*If you need to call the Server Do it like this */ %> + <% /* */ %> - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% @@ -146,4 +150,4 @@ else { response.sendRedirect("../loggedOutSheep.html"); } -%> +%> diff --git a/src/main/webapp/challenges/d0e12e91dafdba4825b261ad5221aae15d28c36c7981222eb59f7fc8d8f212a2.jsp b/src/main/webapp/challenges/d0e12e91dafdba4825b261ad5221aae15d28c36c7981222eb59f7fc8d8f212a2.jsp index 1ecd02c63..e04e79587 100644 --- a/src/main/webapp/challenges/d0e12e91dafdba4825b261ad5221aae15d28c36c7981222eb59f7fc8d8f212a2.jsp +++ b/src/main/webapp/challenges/d0e12e91dafdba4825b261ad5221aae15d28c36c7981222eb59f7fc8d8f212a2.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -59,42 +60,55 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.description") %> -
-
-

<%= bundle.getString("challenge.description.h3") %>

-

<%= bundle.getString("challenge.description.p") %>

-
- - - -
<%= bundle.getString("challenge.form.pinNumber") %>
+ + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +

+

<%= bundle.getString("challenge.description.h3") %>

+

<%= bundle.getString("challenge.description.p") %>

+ + + + + + + + -
<%= bundle.getString("challenge.form.pinNumber") %>
- "/>
- - -
- - -
- -

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% @@ -138,4 +153,4 @@ else { response.sendRedirect("../loggedOutSheep.html"); } -%> +%> diff --git a/src/main/webapp/challenges/d2f8519f8264f9479f56165465590b499ceca941ab848805c00f5bf0a40c9717.jsp b/src/main/webapp/challenges/d2f8519f8264f9479f56165465590b499ceca941ab848805c00f5bf0a40c9717.jsp index ec9b8dfdd..908079e5d 100644 --- a/src/main/webapp/challenges/d2f8519f8264f9479f56165465590b499ceca941ab848805c00f5bf0a40c9717.jsp +++ b/src/main/webapp/challenges/d2f8519f8264f9479f56165465590b499ceca941ab848805c00f5bf0a40c9717.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -58,28 +59,31 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= LevelName %> - - + +Security Shepherd - <%= LevelName %> + + - - - - -
-

<%= LevelName %>

-

- <%= paragraph1 %> -
-
- <%= mobile.getString("mobileBlurb.vmLink.1") + " BrokenCrypto1.apk " + mobile.getString("mobileBlurb.vmLink.2") %> - -

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + + + + +
+

<%= LevelName %>

+

+ <%= paragraph1 %> +

+ <%= mobile.getString("mobileBlurb.vmLink.1") + " BrokenCrypto1.apk " + mobile.getString("mobileBlurb.vmLink.2") %> + +

+
+ + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/d330dea1acf21886b685184ee222ea8e0a60589c3940afd6ebf433469e997caf.jsp b/src/main/webapp/challenges/d330dea1acf21886b685184ee222ea8e0a60589c3940afd6ebf433469e997caf.jsp index ced8e0da7..565890496 100644 --- a/src/main/webapp/challenges/d330dea1acf21886b685184ee222ea8e0a60589c3940afd6ebf433469e997caf.jsp +++ b/src/main/webapp/challenges/d330dea1acf21886b685184ee222ea8e0a60589c3940afd6ebf433469e997caf.jsp @@ -1,4 +1,7 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -55,39 +58,49 @@ if (request.getSession() != null) - - Security Shepherd - <%= Encode.forHtml(translatedLevelName) %> - + +Security Shepherd - <%= Encode.forHtml(translatedLevelName) %> + - - - - -
-

<%= Encode.forHtml(translatedLevelName) %>

-

- <%= bundle.getString("challenge.description") %> -

- - - - -
- <%= bundle.getString("challenge.form.instruction") %> -
- -
-
"/>
- -
-
+ + + + +
+

<%= Encode.forHtml(translatedLevelName) %>

+

+ <%= bundle.getString("challenge.description") %> +

+ + + + + + + + + + +
<%= bundle.getString("challenge.form.instruction") %>
+
+ " /> +
+ +
+
-
-

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/d63c2fb5da9b81ca26237f1308afe54491d1bacf9fffa0b21a072b03c5bafe66.jsp b/src/main/webapp/challenges/d63c2fb5da9b81ca26237f1308afe54491d1bacf9fffa0b21a072b03c5bafe66.jsp index caf9c0a87..1ec1f6343 100644 --- a/src/main/webapp/challenges/d63c2fb5da9b81ca26237f1308afe54491d1bacf9fffa0b21a072b03c5bafe66.jsp +++ b/src/main/webapp/challenges/d63c2fb5da9b81ca26237f1308afe54491d1bacf9fffa0b21a072b03c5bafe66.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% @@ -55,50 +56,59 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - + - -
-

<%= i18nLevelName %>

-

- <%= levelBlurb %> -
- -
-

- - - - - -
- <%= bundle.getString("challenge.para2") %> -
-
-
- -
+ +
+

<%= i18nLevelName %>

+

+ <%= levelBlurb %> +

+ + + + + + + + + + + + + + + + -
<%= bundle.getString("challenge.para2") %>
+
-
+ + -
- - -

- - -

-
- - - - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/d72ca2694422af2e6b3c5d90e4c11e7b4575a7bc12ee6d0a384ac2469449e8fa.jsp b/src/main/webapp/challenges/d72ca2694422af2e6b3c5d90e4c11e7b4575a7bc12ee6d0a384ac2469449e8fa.jsp index b41900faf..c19f7d983 100644 --- a/src/main/webapp/challenges/d72ca2694422af2e6b3c5d90e4c11e7b4575a7bc12ee6d0a384ac2469449e8fa.jsp +++ b/src/main/webapp/challenges/d72ca2694422af2e6b3c5d90e4c11e7b4575a7bc12ee6d0a384ac2469449e8fa.jsp @@ -1,4 +1,7 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -53,43 +56,56 @@ String csrfToken = Encode.forHtml(tokenCookie.getValue()); %> - + - - Security Shepherd - <%= translatedLevelName %> - - + +Security Shepherd - <%= translatedLevelName %> + + - - - - -
-

<%= translatedLevelName %>

-

- <%= bundle.getString("challenge.description") %> -

- - - - -
- <%= bundle.getString("challenge.form.instruction") %> -
- -
-
"/>
- - -
-
- -
-

-
- + + + +
+

<%= translatedLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +

+ + + + + + + + + + +
<%= bundle.getString("challenge.form.instruction") %>
+
+ " /> +
+ + +
+
+ +
+

+
+ - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/d779e34a54172cbc245300d3bc22937090ebd3769466a501a5e7ac605b9f34b7.jsp b/src/main/webapp/challenges/d779e34a54172cbc245300d3bc22937090ebd3769466a501a5e7ac605b9f34b7.jsp index a0dcc4ae2..4f2572ddc 100644 --- a/src/main/webapp/challenges/d779e34a54172cbc245300d3bc22937090ebd3769466a501a5e7ac605b9f34b7.jsp +++ b/src/main/webapp/challenges/d779e34a54172cbc245300d3bc22937090ebd3769466a501a5e7ac605b9f34b7.jsp @@ -1,5 +1,6 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> -<%@ page import="java.util.Locale, java.util.ResourceBundle" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> +<%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% // Broken Authentication and Session Management Challenge Two @@ -55,61 +56,73 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= translatedLevelName %> - - + +Security Shepherd - <%= translatedLevelName %> + + - - - - -
-

<%= translatedLevelName %>

-

- <%= bundle.getString("challenge.description") %> -
-

-
- - - - -
- <%= bundle.getString("challenge.form.userName") %> - - -
- <%= bundle.getString("challenge.form.password") %> - - -
-
"/>
-
-
- <%= bundle.getString("challenge.form.forgotPass") %> -
- -
- - - -

+ + + + +
+

<%= translatedLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +
+

+
+ + + + + + + + + + + + +
<%= bundle.getString("challenge.form.userName") %>
<%= bundle.getString("challenge.form.password") %>
+
+ " /> +
+
+
+ <%= bundle.getString("challenge.form.forgotPass") %> +
+ +
+ - - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/dbae0baa3f71f196c4d2c6c984d45a6c1c635bf1b482dccfe32e9b01b69a042b.jsp b/src/main/webapp/challenges/dbae0baa3f71f196c4d2c6c984d45a6c1c635bf1b482dccfe32e9b01b69a042b.jsp index 3c2ec8bd5..0653ac08d 100644 --- a/src/main/webapp/challenges/dbae0baa3f71f196c4d2c6c984d45a6c1c635bf1b482dccfe32e9b01b69a042b.jsp +++ b/src/main/webapp/challenges/dbae0baa3f71f196c4d2c6c984d45a6c1c635bf1b482dccfe32e9b01b69a042b.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage=""%> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -58,28 +59,31 @@ if (request.getSession() != null) %> - - Security Shepherd - <%=LevelName%> - - + +Security Shepherd - <%=LevelName%> + + - - - - + + + +

<%=LevelName%>

- <%=levelBlurb%> -
<%= paragraph1 %>
-
-
+ <%=levelBlurb%> +
+ <%= paragraph1 %>


<%= mobile.getString("mobileBlurb.vmLink.1") + " ReverseEngineer3.apk " + mobile.getString("mobileBlurb.vmLink.2") %>

- <% if (Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if (Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% @@ -93,4 +97,4 @@ else { response.sendRedirect("../loggedOutSheep.html"); } -%> +%> diff --git a/src/main/webapp/challenges/dfa404130278f44b05dc06486dd06134dac7d843367763a3226c9081f537fb2f.jsp b/src/main/webapp/challenges/dfa404130278f44b05dc06486dd06134dac7d843367763a3226c9081f537fb2f.jsp index 3e9a2a384..65f233bc2 100644 --- a/src/main/webapp/challenges/dfa404130278f44b05dc06486dd06134dac7d843367763a3226c9081f537fb2f.jsp +++ b/src/main/webapp/challenges/dfa404130278f44b05dc06486dd06134dac7d843367763a3226c9081f537fb2f.jsp @@ -1,4 +1,7 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <% /** @@ -47,45 +50,60 @@ - - Security Shepherd - Insecure Direct Object References Challenge One - - + +Security Shepherd - Insecure Direct Object References + Challenge One + + - - - - -
-

Insecure Direct Object Reference Challenge One

-

- The result key for this challenge is stored in the private message for a user that is not listed below... -
-
-

-
- - + + + + +
+

Insecure Direct Object Reference Challenge One

+

+ The result key for this challenge is stored in the private message + for a user that is not listed below...

+

+ +
+ + - - -
-
- -
-
-
-
-

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/dfd6bfba1033fa380e378299b6a998c759646bd8aea02511482b8ce5d707f93a.jsp b/src/main/webapp/challenges/dfd6bfba1033fa380e378299b6a998c759646bd8aea02511482b8ce5d707f93a.jsp index e4efd8e73..8ee36fa48 100644 --- a/src/main/webapp/challenges/dfd6bfba1033fa380e378299b6a998c759646bd8aea02511482b8ce5d707f93a.jsp +++ b/src/main/webapp/challenges/dfd6bfba1033fa380e378299b6a998c759646bd8aea02511482b8ce5d707f93a.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -52,34 +53,42 @@ String translatedLevelName = bundle.getString("challenge.challengeName"); %> - - Security Shepherd - <%= translatedLevelName %> - - + +Security Shepherd - <%= translatedLevelName %> + + - - - - -
-

<%= translatedLevelName %>

-

- <%= bundle.getString("challenge.description") %> -
-

- -
-
"/>
+ + + + +
+

<%= translatedLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +
+ + + + -
+
+ " /> +
-
- - -

-

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/e1e109444bf5d7ae3d67b816538613e64f7d0f51c432a164efc8418513711b0a.jsp b/src/main/webapp/challenges/e1e109444bf5d7ae3d67b816538613e64f7d0f51c432a164efc8418513711b0a.jsp index 4f10ff68e..d8a7180a5 100644 --- a/src/main/webapp/challenges/e1e109444bf5d7ae3d67b816538613e64f7d0f51c432a164efc8418513711b0a.jsp +++ b/src/main/webapp/challenges/e1e109444bf5d7ae3d67b816538613e64f7d0f51c432a164efc8418513711b0a.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -55,50 +56,62 @@ String i18nLevelName = bundle.getString("challenge.challengeName"); - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.description") %> -

- -
- - - - -
- <%= bundle.getString("challenge.form.pleaseEnter") %> -
- -
-
"/>
- - -
-
- -
-

+ + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +

- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/e40333fc2c40b8e0169e433366350f55c77b82878329570efa894838980de5b4.jsp b/src/main/webapp/challenges/e40333fc2c40b8e0169e433366350f55c77b82878329570efa894838980de5b4.jsp index 8fa48d39f..7663e4294 100644 --- a/src/main/webapp/challenges/e40333fc2c40b8e0169e433366350f55c77b82878329570efa894838980de5b4.jsp +++ b/src/main/webapp/challenges/e40333fc2c40b8e0169e433366350f55c77b82878329570efa894838980de5b4.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -53,34 +54,42 @@ String translatedLevelName = bundle.getString("challenge.challengeName"); %> - - Security Shepherd - <%= translatedLevelName %> - - + +Security Shepherd - <%= translatedLevelName %> + + - - - - -
-

<%= translatedLevelName %>

-

- <%= bundle.getString("challenge.description") %> -
-

- -
-
"/>
+ + + + +
+

<%= translatedLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +
+ + + + -
+
+ " /> +
-
- - -

-

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/ec09515a304d2de1f552e961ab769967bdc75740ad2363803168b7907c794cd4.jsp b/src/main/webapp/challenges/ec09515a304d2de1f552e961ab769967bdc75740ad2363803168b7907c794cd4.jsp index f6a6249f1..dce4dde9b 100644 --- a/src/main/webapp/challenges/ec09515a304d2de1f552e961ab769967bdc75740ad2363803168b7907c794cd4.jsp +++ b/src/main/webapp/challenges/ec09515a304d2de1f552e961ab769967bdc75740ad2363803168b7907c794cd4.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -56,30 +57,33 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= levelName %> - - + +Security Shepherd - <%= levelName %> + + - - - - -
-

<%= levelName %>

-

-
- <%= paragraph1 %> -
-
- - <%= mobile.getString("mobileBlurb.vmLink.1") + " InsecureData2.apk " + mobile.getString("mobileBlurb.vmLink.2") %> - -

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + + + + +
+

<%= levelName %>

+

+
+ <%= paragraph1 %> +

+ + <%= mobile.getString("mobileBlurb.vmLink.1") + " InsecureData2.apk " + mobile.getString("mobileBlurb.vmLink.2") %> + +

+
+ + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% @@ -93,4 +97,4 @@ else { response.sendRedirect("../loggedOutSheep.html"); } -%> +%> diff --git a/src/main/webapp/challenges/ec43ae137b8bf7abb9c85a87cf95c23f7fadcf08a092e05620c9968bd60fcba6.jsp b/src/main/webapp/challenges/ec43ae137b8bf7abb9c85a87cf95c23f7fadcf08a092e05620c9968bd60fcba6.jsp index 2ff94dfc1..74fbf433d 100644 --- a/src/main/webapp/challenges/ec43ae137b8bf7abb9c85a87cf95c23f7fadcf08a092e05620c9968bd60fcba6.jsp +++ b/src/main/webapp/challenges/ec43ae137b8bf7abb9c85a87cf95c23f7fadcf08a092e05620c9968bd60fcba6.jsp @@ -1,5 +1,6 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> -<%@ page import="java.util.Locale, java.util.ResourceBundle" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> +<%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** * Broken Authentication and Session Management Challenge Four @@ -53,35 +54,47 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.description") %> -
-

- - ") == -1) { - log.fatal("No Menu Header in ModuleStatusMenu: " + moduleStatusMenu); - fail("No Menu Header in moduleStatusMenu"); - } else if (moduleStatusMenu.indexOf("id='toOpen'") == -1) { - log.fatal("No Open Menu Detected in Output: " + moduleStatusMenu); - fail("No Open Meny Detected in Output"); - } else if (moduleStatusMenu.indexOf("id='toClose'") == -1) { - log.fatal("No Close Menu Detected in Output: " + moduleStatusMenu); - fail("No Close Meny Detected in Output"); - } else if (moduleStatusMenu.indexOf("id='toOpen'>") < 0) // Should be empty as all modules - // should be open - { - log.fatal("Modules are in the 'toOpen' list when all modules should already be open: " - + moduleStatusMenu); - fail("Modules are in the 'toOpen' list when all modules should already be open"); - } else { - // Make Sub String for the toClose List - int endOfToCloseMenu = moduleStatusMenu.substring(moduleStatusMenu.indexOf("id='toClose'>")) - .indexOf("") - + (moduleStatusMenu.length() - - moduleStatusMenu.substring(moduleStatusMenu.indexOf("id='toClose'>")).length()); - String toCloseList = moduleStatusMenu.substring(moduleStatusMenu.indexOf("id='toClose'>"), - endOfToCloseMenu); - log.debug("Close List: " + toCloseList); - if (toCloseList.indexOf(insecureDirectObjectReferenceLesson) == -1) { - log.fatal("Could not Find Insecure Direct Object Reference in toClose List"); - fail("Could not Find Insecure Direct Object Reference in toClose List"); - } else if (toCloseList.indexOf(dataStorageLessonId) == -1) { - log.fatal("Could not Find Insecure Data Storage in toClose List"); - fail("Could not Find Insecure Data Storage in toClose List"); - } else { - return; // PASS - } - } - } else { - fail("Could not open all modules"); - } - } - - /** - * Test to see if the module status menu is correct when all modules are open - */ - @Test - public void testGetModuleStatusMenuWhenClosed() { - String dataStorageLessonId = new String("53a53a66cb3bf3e4c665c442425ca90e29536edd"); - String 
insecureDirectObjectReferenceLesson = new String("0dbea4cb5811fff0527184f99bd5034ca9286f11"); - if (Setter.closeAllModules(applicationRoot)) { - String moduleStatusMenu = Getter.getModuleStatusMenu(applicationRoot); - if (moduleStatusMenu.indexOf("") == -1) { - log.fatal("No Menu Header in ModuleStatusMenu: " + moduleStatusMenu); - fail("No Menu Header in moduleStatusMenu"); - } else if (moduleStatusMenu.indexOf("id='toOpen'") == -1) { - log.fatal("No Open Menu Detected in Output: " + moduleStatusMenu); - fail("No Open Meny Detected in Output"); - } else if (moduleStatusMenu.indexOf("id='toClose'") == -1) { - log.fatal("No Close Menu Detected in Output: " + moduleStatusMenu); - fail("No Close Meny Detected in Output"); - } else if (moduleStatusMenu.indexOf("id='toClose'>") < 0) // Should be empty as all modules - // should be closed - { - log.fatal("Modules are in the 'toClose' list when all modules should already be closed: " - + moduleStatusMenu); - fail("Modules are in the 'toClose' list when all modules should already be closed"); - } else { - // Make Sub String for the toOpen List - int endOfToOpenMenu = moduleStatusMenu.substring(moduleStatusMenu.indexOf("id='toOpen'>")) - .indexOf("") - + (moduleStatusMenu.length() - - moduleStatusMenu.substring(moduleStatusMenu.indexOf("id='toOpen'>")).length()); - String toOpenList = moduleStatusMenu.substring(moduleStatusMenu.indexOf("id='toOpen'>"), - endOfToOpenMenu); - log.debug("Open List: " + toOpenList); - if (toOpenList.indexOf(insecureDirectObjectReferenceLesson) == -1) { - log.fatal("Could not Find Insecure Direct Object Reference in toOpen List"); - fail("Could not Find Insecure Direct Object Reference in toOpen List"); - } else if (toOpenList.indexOf(dataStorageLessonId) == -1) { - log.fatal("Found Insecure Data Storage in toOpen List when it should already be open"); - fail("Found Insecure Data Storage in toOpen List when it should already be open"); - } else { - return; // PASS - } - } - } else { - 
fail("Could not close all modules"); - } - } - - /** - * Test to see if the module status menu is correct when all modules are open - */ - @Test - public void testGetModuleStatusMenuWhenMobileOnlyOpen() { - String dataStorageLessonId = new String("53a53a66cb3bf3e4c665c442425ca90e29536edd"); - String insecureDirectObjectReferenceLesson = new String("0dbea4cb5811fff0527184f99bd5034ca9286f11"); - if (Setter.openOnlyMobileCategories(applicationRoot)) { - String moduleStatusMenu = Getter.getModuleStatusMenu(applicationRoot); - if (moduleStatusMenu.indexOf("") == -1) { - log.fatal("No Menu Header in ModuleStatusMenu: " + moduleStatusMenu); - fail("No Menu Header in moduleStatusMenu"); - } else if (moduleStatusMenu.indexOf("id='toOpen'") == -1) { - log.fatal("No Open Menu Detected in Output: " + moduleStatusMenu); - fail("No Open Meny Detected in Output"); - } else if (moduleStatusMenu.indexOf("id='toClose'") == -1) { - log.fatal("No Close Menu Detected in Output: " + moduleStatusMenu); - fail("No Close Meny Detected in Output"); - } else if (moduleStatusMenu.indexOf("id='toClose'>") > 0) // Should not be empty as Web Levels - // should be closed - { - log.fatal("Modules are in the 'toClose' list when web modules should already be closed: " - + moduleStatusMenu); - fail("Modules are in the 'toClose' list when web modules should already be closed"); - } else if (moduleStatusMenu.indexOf("id='toOpen'>") > 0) // Should not be empty as Mobile - // Levels should be open - { - log.fatal("Modules are in the 'toOpen' list when mobile modules should already be closed: " - + moduleStatusMenu); - fail("Modules are in the 'toOpen' list when mobile modules should already be closed"); - } else { - // Make Sub String for the toOpen List - int endOfToOpenMenu = moduleStatusMenu.substring(moduleStatusMenu.indexOf("id='toOpen'>")) - .indexOf("") - + (moduleStatusMenu.length() - - moduleStatusMenu.substring(moduleStatusMenu.indexOf("id='toOpen'>")).length()); - String toOpenList = 
moduleStatusMenu.substring(moduleStatusMenu.indexOf("id='toOpen'>"), - endOfToOpenMenu); - // Make Sub String for the toClose List - int endOfToCloseMenu = moduleStatusMenu.substring(moduleStatusMenu.indexOf("id='toClose'>")) - .indexOf("") - + (moduleStatusMenu.length() - - moduleStatusMenu.substring(moduleStatusMenu.indexOf("id='toClose'>")).length()); - String toCloseList = moduleStatusMenu.substring(moduleStatusMenu.indexOf("id='toClose'>"), - endOfToCloseMenu); - log.debug("Open List: " + toOpenList); - log.debug("Close List: " + toCloseList); - if (toCloseList.indexOf(dataStorageLessonId) == -1) { - log.fatal("Could not Find Insecure Data Storage in toOpen List"); - fail("Could not Find Insecure Data Storage in toOpen List"); - } else if (toOpenList.indexOf(insecureDirectObjectReferenceLesson) == -1) { - log.fatal("Could not Find Insecure Direct Object Reference in toOpen List"); - fail("Could not Find Insecure Direct Object Reference in toOpen List"); - } else { - // Verify the correct number of modules are open/closed (At this point the Menu - // is fine. This is really now testing the mobile/web setter filters) - int numberOfMobileLevelsOpen = (toCloseList.length() - toCloseList.replace(" 9) - fail("Too Many Users Returned"); - else { - log.fatal("Then surely the number WAS 9? 
How did this happen"); - fail("Incorrect Amount of Users Returned"); - } - } - } catch (Exception e) { - log.fatal("Failed to itterate through playersByClass: " + e.toString()); - fail("Players By Class Result Set Issue"); - } - } catch (Exception e) { - log.fatal("Could not create Class/Users: " + e.toString()); - fail("Could not create Class/Users"); - } - } - - @Test - public void testGetProgress() { - String userName = new String("progressUser1"); - String className = new String("progressClass1"); - String otherUserName = new String("progressUser2"); - String otherClassName = new String("progressClass2"); - String anotherUserName = new String("progressClass3"); - String classId = new String(); - String classId2 = new String(); - String insecureDirectObjectRefLesson = "0dbea4cb5811fff0527184f99bd5034ca9286f11"; // Direct Object Reference - // Module - try { - try { - classId = findCreateClassId(className); - classId2 = findCreateClassId(otherClassName); - } catch (Exception e) { - log.fatal("Could not Find or Create Class : " + e.toString()); - fail("Could not Create or Find Classes"); - } - if (verifyTestUser(applicationRoot, userName, userName, classId) - && verifyTestUser(applicationRoot, anotherUserName, anotherUserName, classId) - && verifyTestUser(applicationRoot, otherUserName, otherUserName, classId2)) { - String userId = Getter.getUserIdFromName(applicationRoot, userName); - String otherUserId = Getter.getUserIdFromName(applicationRoot, otherUserName); - // Open all Modules First - if (Setter.openAllModules(applicationRoot, false) && Setter.openAllModules(applicationRoot, true)) { - // Simulate user Opening Level - if (Getter.getModuleAddress(applicationRoot, insecureDirectObjectRefLesson, userId).isEmpty()) { - fail("Could not Simulate Opening Level for User 1"); - } else if (Getter.getModuleAddress(applicationRoot, insecureDirectObjectRefLesson, otherUserId) - .isEmpty()) { - fail("Could not Simulate Opening Level for User 1"); - } else { - String 
markLevelCompleteTest = Setter.updatePlayerResult(applicationRoot, - insecureDirectObjectRefLesson, userId, "Feedback is Disabled", 1, 1, 1); - if (markLevelCompleteTest != null) - markLevelCompleteTest = Setter.updatePlayerResult(applicationRoot, - insecureDirectObjectRefLesson, otherUserId, "Feedback is Disabled", 1, 1, 1); - else - fail("Could Not Mark Level as complete by User 1"); - if (markLevelCompleteTest != null) { - String classProgress = Getter.getProgress(applicationRoot, classId); - if (classProgress.indexOf(otherClassName) > 0) { - fail("User from wrong class is listed in getProgress response"); - } else if (classProgress.indexOf(userName) == -1) { - fail("Could not find user from class in getProgress response"); - } else if (classProgress.indexOf(anotherUserName) == -1) { - fail("Could not find user who has made no progress in getProgress response"); - } else { - String userRowStart = new String(userName - + "") == -1) { + log.fatal("No Menu Header in ModuleStatusMenu: " + moduleStatusMenu); + fail("No Menu Header in moduleStatusMenu"); + } else if (moduleStatusMenu.indexOf("id='toOpen'") == -1) { + log.fatal("No Open Menu Detected in Output: " + moduleStatusMenu); + fail("No Open Meny Detected in Output"); + } else if (moduleStatusMenu.indexOf("id='toClose'") == -1) { + log.fatal("No Close Menu Detected in Output: " + moduleStatusMenu); + fail("No Close Meny Detected in Output"); + } else if (moduleStatusMenu.indexOf("id='toOpen'>") + < 0) // Should be empty as all modules + // should be open + { + log.fatal( + "Modules are in the 'toOpen' list when all modules should already be open: " + + moduleStatusMenu); + fail("Modules are in the 'toOpen' list when all modules should already be open"); + } else { + // Make Sub String for the toClose List + int endOfToCloseMenu = + moduleStatusMenu + .substring(moduleStatusMenu.indexOf("id='toClose'>")) + .indexOf("") + + (moduleStatusMenu.length() + - moduleStatusMenu + 
.substring(moduleStatusMenu.indexOf("id='toClose'>")) + .length()); + String toCloseList = + moduleStatusMenu.substring(moduleStatusMenu.indexOf("id='toClose'>"), endOfToCloseMenu); + log.debug("Close List: " + toCloseList); + if (toCloseList.indexOf(insecureDirectObjectReferenceLesson) == -1) { + log.fatal("Could not Find Insecure Direct Object Reference in toClose List"); + fail("Could not Find Insecure Direct Object Reference in toClose List"); + } else if (toCloseList.indexOf(dataStorageLessonId) == -1) { + log.fatal("Could not Find Insecure Data Storage in toClose List"); + fail("Could not Find Insecure Data Storage in toClose List"); + } else { + return; // PASS + } + } + } else { + fail("Could not open all modules"); + } + } + + /** Test to see if the module status menu is correct when all modules are open */ + @Test + public void testGetModuleStatusMenuWhenClosed() { + String dataStorageLessonId = new String("53a53a66cb3bf3e4c665c442425ca90e29536edd"); + String insecureDirectObjectReferenceLesson = + new String("0dbea4cb5811fff0527184f99bd5034ca9286f11"); + if (Setter.closeAllModules(applicationRoot)) { + String moduleStatusMenu = Getter.getModuleStatusMenu(applicationRoot); + if (moduleStatusMenu.indexOf("") == -1) { + log.fatal("No Menu Header in ModuleStatusMenu: " + moduleStatusMenu); + fail("No Menu Header in moduleStatusMenu"); + } else if (moduleStatusMenu.indexOf("id='toOpen'") == -1) { + log.fatal("No Open Menu Detected in Output: " + moduleStatusMenu); + fail("No Open Meny Detected in Output"); + } else if (moduleStatusMenu.indexOf("id='toClose'") == -1) { + log.fatal("No Close Menu Detected in Output: " + moduleStatusMenu); + fail("No Close Meny Detected in Output"); + } else if (moduleStatusMenu.indexOf("id='toClose'>") + < 0) // Should be empty as all modules + // should be closed + { + log.fatal( + "Modules are in the 'toClose' list when all modules should already be closed: " + + moduleStatusMenu); + fail("Modules are in the 'toClose' list 
when all modules should already be closed"); + } else { + // Make Sub String for the toOpen List + int endOfToOpenMenu = + moduleStatusMenu + .substring(moduleStatusMenu.indexOf("id='toOpen'>")) + .indexOf("") + + (moduleStatusMenu.length() + - moduleStatusMenu + .substring(moduleStatusMenu.indexOf("id='toOpen'>")) + .length()); + String toOpenList = + moduleStatusMenu.substring(moduleStatusMenu.indexOf("id='toOpen'>"), endOfToOpenMenu); + log.debug("Open List: " + toOpenList); + if (toOpenList.indexOf(insecureDirectObjectReferenceLesson) == -1) { + log.fatal("Could not Find Insecure Direct Object Reference in toOpen List"); + fail("Could not Find Insecure Direct Object Reference in toOpen List"); + } else if (toOpenList.indexOf(dataStorageLessonId) == -1) { + log.fatal("Found Insecure Data Storage in toOpen List when it should already be open"); + fail("Found Insecure Data Storage in toOpen List when it should already be open"); + } else { + return; // PASS + } + } + } else { + fail("Could not close all modules"); + } + } + + /** Test to see if the module status menu is correct when all modules are open */ + @Test + public void testGetModuleStatusMenuWhenMobileOnlyOpen() { + String dataStorageLessonId = new String("53a53a66cb3bf3e4c665c442425ca90e29536edd"); + String insecureDirectObjectReferenceLesson = + new String("0dbea4cb5811fff0527184f99bd5034ca9286f11"); + if (Setter.openOnlyMobileCategories(applicationRoot)) { + String moduleStatusMenu = Getter.getModuleStatusMenu(applicationRoot); + if (moduleStatusMenu.indexOf("") == -1) { + log.fatal("No Menu Header in ModuleStatusMenu: " + moduleStatusMenu); + fail("No Menu Header in moduleStatusMenu"); + } else if (moduleStatusMenu.indexOf("id='toOpen'") == -1) { + log.fatal("No Open Menu Detected in Output: " + moduleStatusMenu); + fail("No Open Meny Detected in Output"); + } else if (moduleStatusMenu.indexOf("id='toClose'") == -1) { + log.fatal("No Close Menu Detected in Output: " + moduleStatusMenu); + fail("No 
Close Meny Detected in Output"); + } else if (moduleStatusMenu.indexOf("id='toClose'>") + > 0) // Should not be empty as Web Levels + // should be closed + { + log.fatal( + "Modules are in the 'toClose' list when web modules should already be closed: " + + moduleStatusMenu); + fail("Modules are in the 'toClose' list when web modules should already be closed"); + } else if (moduleStatusMenu.indexOf("id='toOpen'>") + > 0) // Should not be empty as Mobile + // Levels should be open + { + log.fatal( + "Modules are in the 'toOpen' list when mobile modules should already be closed: " + + moduleStatusMenu); + fail("Modules are in the 'toOpen' list when mobile modules should already be closed"); + } else { + // Make Sub String for the toOpen List + int endOfToOpenMenu = + moduleStatusMenu + .substring(moduleStatusMenu.indexOf("id='toOpen'>")) + .indexOf("") + + (moduleStatusMenu.length() + - moduleStatusMenu + .substring(moduleStatusMenu.indexOf("id='toOpen'>")) + .length()); + String toOpenList = + moduleStatusMenu.substring(moduleStatusMenu.indexOf("id='toOpen'>"), endOfToOpenMenu); + // Make Sub String for the toClose List + int endOfToCloseMenu = + moduleStatusMenu + .substring(moduleStatusMenu.indexOf("id='toClose'>")) + .indexOf("") + + (moduleStatusMenu.length() + - moduleStatusMenu + .substring(moduleStatusMenu.indexOf("id='toClose'>")) + .length()); + String toCloseList = + moduleStatusMenu.substring(moduleStatusMenu.indexOf("id='toClose'>"), endOfToCloseMenu); + log.debug("Open List: " + toOpenList); + log.debug("Close List: " + toCloseList); + if (toCloseList.indexOf(dataStorageLessonId) == -1) { + log.fatal("Could not Find Insecure Data Storage in toOpen List"); + fail("Could not Find Insecure Data Storage in toOpen List"); + } else if (toOpenList.indexOf(insecureDirectObjectReferenceLesson) == -1) { + log.fatal("Could not Find Insecure Direct Object Reference in toOpen List"); + fail("Could not Find Insecure Direct Object Reference in toOpen List"); + } else { 
+ // Verify the correct number of modules are open/closed (At this point the Menu + // is fine. This is really now testing the mobile/web setter filters) + int numberOfMobileLevelsOpen = + (toCloseList.length() - toCloseList.replace(" 9) { + fail("Too Many Users Returned"); + } else { + log.fatal("Then surely the number WAS 9? How did this happen"); + fail("Incorrect Amount of Users Returned"); + } + } + } catch (Exception e) { + log.fatal("Failed to itterate through playersByClass: " + e.toString()); + fail("Players By Class Result Set Issue"); + } + } catch (Exception e) { + log.fatal("Could not create Class/Users: " + e.toString()); + fail("Could not create Class/Users"); + } + } + + @Test + public void testGetProgress() { + String userName = new String("progressUser1"); + String className = new String("progressClass1"); + String otherUserName = new String("progressUser2"); + String otherClassName = new String("progressClass2"); + String anotherUserName = new String("progressClass3"); + String classId = new String(); + String classId2 = new String(); + String insecureDirectObjectRefLesson = + "0dbea4cb5811fff0527184f99bd5034ca9286f11"; // Direct Object Reference + // Module + try { + try { + classId = findCreateClassId(className); + classId2 = findCreateClassId(otherClassName); + } catch (Exception e) { + log.fatal("Could not Find or Create Class : " + e.toString()); + fail("Could not Create or Find Classes"); + } + if (verifyTestUser(applicationRoot, userName, userName, classId) + && verifyTestUser(applicationRoot, anotherUserName, anotherUserName, classId) + && verifyTestUser(applicationRoot, otherUserName, otherUserName, classId2)) { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + String otherUserId = Getter.getUserIdFromName(applicationRoot, otherUserName); + // Open all Modules First + if (Setter.openAllModules(applicationRoot, false) + && Setter.openAllModules(applicationRoot, true)) { + // Simulate user Opening Level + if 
(Getter.getModuleAddress(applicationRoot, insecureDirectObjectRefLesson, userId) + .isEmpty()) { + fail("Could not Simulate Opening Level for User 1"); + } else if (Getter.getModuleAddress( + applicationRoot, insecureDirectObjectRefLesson, otherUserId) + .isEmpty()) { + fail("Could not Simulate Opening Level for User 1"); + } else { + String markLevelCompleteTest = + Setter.updatePlayerResult( + applicationRoot, + insecureDirectObjectRefLesson, + userId, + "Feedback is Disabled", + 1, + 1, + 1); + if (markLevelCompleteTest != null) { + markLevelCompleteTest = + Setter.updatePlayerResult( + applicationRoot, + insecureDirectObjectRefLesson, + otherUserId, + "Feedback is Disabled", + 1, + 1, + 1); + } else { + fail("Could Not Mark Level as complete by User 1"); + } + if (markLevelCompleteTest != null) { + String classProgress = Getter.getProgress(applicationRoot, classId); + if (classProgress.indexOf(otherClassName) > 0) { + fail("User from wrong class is listed in getProgress response"); + } else if (classProgress.indexOf(userName) == -1) { + fail("Could not find user from class in getProgress response"); + } else if (classProgress.indexOf(anotherUserName) == -1) { + fail("Could not find user who has made no progress in getProgress response"); + } else { + String userRowStart = + new String( + userName + + "
-
"/>
+ + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +
+ + + + -
+
+ " /> +
- -
- - -

-

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/efa08298fc6a4add4b9a4bbdbbbb18ac934667971fa275bd7d234589bd8a8467.jsp b/src/main/webapp/challenges/efa08298fc6a4add4b9a4bbdbbbb18ac934667971fa275bd7d234589bd8a8467.jsp index 34900d481..870794418 100644 --- a/src/main/webapp/challenges/efa08298fc6a4add4b9a4bbdbbbb18ac934667971fa275bd7d234589bd8a8467.jsp +++ b/src/main/webapp/challenges/efa08298fc6a4add4b9a4bbdbbbb18ac934667971fa275bd7d234589bd8a8467.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -56,28 +57,31 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= levelName %> - - + +Security Shepherd - <%= levelName %> + + - + - -
-

<%= levelName %>

-

-
- <%= paragraph1 %> -
-
- <%= mobile.getString("mobileBlurb.vmLink.1") + " PoorAuthentication2.apk " + mobile.getString("mobileBlurb.vmLink.2") %> -

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + +
+

<%= levelName %>

+

+
+ <%= paragraph1 %> +

+ <%= mobile.getString("mobileBlurb.vmLink.1") + " PoorAuthentication2.apk " + mobile.getString("mobileBlurb.vmLink.2") %> +

+
+ + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/f37d45f597832cdc6e91358dca3f53039d4489c94df2ee280d6203b389dd5671.jsp b/src/main/webapp/challenges/f37d45f597832cdc6e91358dca3f53039d4489c94df2ee280d6203b389dd5671.jsp index f65c84ea5..64e7dab78 100644 --- a/src/main/webapp/challenges/f37d45f597832cdc6e91358dca3f53039d4489c94df2ee280d6203b389dd5671.jsp +++ b/src/main/webapp/challenges/f37d45f597832cdc6e91358dca3f53039d4489c94df2ee280d6203b389dd5671.jsp @@ -1,4 +1,7 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -56,39 +59,49 @@ - - Security Shepherd - <%= Encode.forHtml(translatedLevelName) %> - - + +Security Shepherd - <%= Encode.forHtml(translatedLevelName) %> + + - - - - -
-

<%= Encode.forHtml(translatedLevelName) %>

-

- <%= bundle.getString("challenge.description") %> -

- - - - -
- <%= bundle.getString("challenge.form.instruction") %>; -
- -
-
"/>
- -
-
- -
-

-
- + + + +
+

<%= Encode.forHtml(translatedLevelName) %>

+

+ <%= bundle.getString("challenge.description") %> +

+ + + + + + + + + + +
<%= bundle.getString("challenge.form.instruction") %>;
+
+ " /> +
+ +
+
+ +
+

+
+ - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/f5a3f19dd44b53c6d29dda65fa90791bb312a3044b3110acb8a65d165376bf34.jsp b/src/main/webapp/challenges/f5a3f19dd44b53c6d29dda65fa90791bb312a3044b3110acb8a65d165376bf34.jsp index 2d037eeda..7362ac78f 100644 --- a/src/main/webapp/challenges/f5a3f19dd44b53c6d29dda65fa90791bb312a3044b3110acb8a65d165376bf34.jsp +++ b/src/main/webapp/challenges/f5a3f19dd44b53c6d29dda65fa90791bb312a3044b3110acb8a65d165376bf34.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -56,28 +57,31 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= LevelName %> - - + +Security Shepherd - <%= LevelName %> + + - + - -
-

<%= LevelName %>

-

- <%= paragraph1 %> -
-
- <%= mobile.getString("mobileBlurb.vmLink.1") + " BrokenCrypto4.apk " + mobile.getString("mobileBlurb.vmLink.2") %> - -

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + +
+

<%= LevelName %>

+

+ <%= paragraph1 %> +

+ <%= mobile.getString("mobileBlurb.vmLink.1") + " BrokenCrypto4.apk " + mobile.getString("mobileBlurb.vmLink.2") %> + +

+
+ + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/fb5c9ce0f5539b737e534fd317befff7427f6610ed626dfd43abf35295f106bc.jsp b/src/main/webapp/challenges/fb5c9ce0f5539b737e534fd317befff7427f6610ed626dfd43abf35295f106bc.jsp index a26e4fbc1..26d3b4ed4 100644 --- a/src/main/webapp/challenges/fb5c9ce0f5539b737e534fd317befff7427f6610ed626dfd43abf35295f106bc.jsp +++ b/src/main/webapp/challenges/fb5c9ce0f5539b737e534fd317befff7427f6610ed626dfd43abf35295f106bc.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -56,28 +57,31 @@ if (request.getSession() != null) %> - - Security Shepherd - <%= LevelName %> - - + +Security Shepherd - <%= LevelName %> + + - - - - -
-

<%= LevelName %>

-

- <%= paragraph1 %> -
-
- <%= mobile.getString("mobileBlurb.vmLink.1") + " BrokenCrypto2.apk " + mobile.getString("mobileBlurb.vmLink.2") %> - -

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + + + + +
+

<%= LevelName %>

+

+ <%= paragraph1 %> +

+ <%= mobile.getString("mobileBlurb.vmLink.1") + " BrokenCrypto2.apk " + mobile.getString("mobileBlurb.vmLink.2") %> + +

+
+ + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/ffd39cb26727f34cbf9fce3e82b9d703404e99cdef54d2aa745f497abe070b.jsp b/src/main/webapp/challenges/ffd39cb26727f34cbf9fce3e82b9d703404e99cdef54d2aa745f497abe070b.jsp index 1442d7bbf..54a6b5b8b 100644 --- a/src/main/webapp/challenges/ffd39cb26727f34cbf9fce3e82b9d703404e99cdef54d2aa745f497abe070b.jsp +++ b/src/main/webapp/challenges/ffd39cb26727f34cbf9fce3e82b9d703404e99cdef54d2aa745f497abe070b.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -55,50 +56,63 @@ ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwar - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.description") %> -

- -
- - - - -
- <%= bundle.getString("challenge.form.pleaseEnter") %> -
- -
-
"/>
- - -
-
- -
-

+ + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +

- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/h8aa0fdc145fb8089661997214cc0e685e5f86a87f30c2ca641e1dde15b01177.jsp b/src/main/webapp/challenges/h8aa0fdc145fb8089661997214cc0e685e5f86a87f30c2ca641e1dde15b01177.jsp index 6dc459f5d..f6b0d2fcf 100644 --- a/src/main/webapp/challenges/h8aa0fdc145fb8089661997214cc0e685e5f86a87f30c2ca641e1dde15b01177.jsp +++ b/src/main/webapp/challenges/h8aa0fdc145fb8089661997214cc0e685e5f86a87f30c2ca641e1dde15b01177.jsp @@ -1,4 +1,5 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -52,35 +53,39 @@ String levelName = "Insecure Cryptographic Storage Challenge 2"; - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("insecureCryptoStorage.2.whatToDo") %> -
-
-

- - -
- "/> -
-
-
-
-
-

-
- + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("insecureCryptoStorage.2.whatToDo") %> +

+

+ + + + +
" /> +
+
+

+
+

+
+ - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/o9a450a64cc2a196f55878e2bd9a27a72daea0f17017253f87e7ebd98c71c98c.jsp b/src/main/webapp/challenges/o9a450a64cc2a196f55878e2bd9a27a72daea0f17017253f87e7ebd98c71c98c.jsp index d1aaf05f2..d8285d86c 100644 --- a/src/main/webapp/challenges/o9a450a64cc2a196f55878e2bd9a27a72daea0f17017253f87e7ebd98c71c98c.jsp +++ b/src/main/webapp/challenges/o9a450a64cc2a196f55878e2bd9a27a72daea0f17017253f87e7ebd98c71c98c.jsp @@ -1,4 +1,7 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -55,26 +58,29 @@ String i18nChallengeName = bundle.getString("challenge.challengeName"); - - Security Shepherd - <%= i18nChallengeName %> - - + +Security Shepherd - <%= i18nChallengeName %> + + - - - - -
-

<%= i18nChallengeName %>

-

- <%= bundle.getString("challenge.whatToDo") %> -
-
-

-
- - + + + + +
+

<%= i18nChallengeName %>

+

+ <%= bundle.getString("challenge.whatToDo") %> +

+

+ +
+ + - - -
-
"/>
- -
-
-
-
-

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/s74a796e84e25b854906d88f622170c1c06817e72b526b3d1e9a6085f429cf52.jsp b/src/main/webapp/challenges/s74a796e84e25b854906d88f622170c1c06817e72b526b3d1e9a6085f429cf52.jsp index 14865734f..69f859774 100644 --- a/src/main/webapp/challenges/s74a796e84e25b854906d88f622170c1c06817e72b526b3d1e9a6085f429cf52.jsp +++ b/src/main/webapp/challenges/s74a796e84e25b854906d88f622170c1c06817e72b526b3d1e9a6085f429cf52.jsp @@ -1,4 +1,7 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -63,67 +66,76 @@ - - Security Shepherd - <%= bundle.getString("title.csrf1") %> - - + +Security Shepherd - <%= bundle.getString("title.csrf1") %> + + - - - - -
-

<%= bundle.getString("title.csrf1") %>

-

- <%= bundle.getString("challenge.intro") %> -
-
- GET /user/csrfchallengeone/plusplus?userid=<%= bundle.getString("challenge.userIdExample") %> -
-
- <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.1") %> <%= bundle.getString("challenge.userIdExample") %> <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %> <%= bundle.getString("challenge.yourIdIs") %> <%= userId %><%= bundle.getString("challenge.yourIdIs.1") %> -
-
- <%= bundle.getString("challenge.useForumForImg") %> - <% + + + + +

+

<%= bundle.getString("title.csrf1") %>

+

+ <%= bundle.getString("challenge.intro") %> +

GET /user/csrfchallengeone/plusplus?userid=<%= bundle.getString("challenge.userIdExample") %> +

+ <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.1") %> <%= bundle.getString("challenge.userIdExample") %> <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %> <%= bundle.getString("challenge.yourIdIs") %> + <%= userId %><%= bundle.getString("challenge.yourIdIs.1") %> +

+ <%= bundle.getString("challenge.useForumForImg") %> + <% if(ModulePlan.isIncrementalFloor()) { %> - <%= bundle.getString("challenge.firstUser.get") %> - <% + <%= bundle.getString("challenge.firstUser.get") %> + <% } %> - <% + <% String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); if (Getter.isCsrfLevelComplete(ApplicationRoot, moduleId, userId)) { %> -

<%= bundle.getString("result.challengeCompleted") %>

-

- <%= bundle.getString("result.congratsTheKeyIs") %> - <%= Hash.generateUserSolution(Getter.getModuleResult(ApplicationRoot, moduleId), (String)ses.getAttribute("userName")) %>

- <% } %> -

- - - - + +
- <%= bundle.getString("forum.img.whatToDo") %> -
- -
-
"/>
+ +

<%= bundle.getString("result.challengeCompleted") %>

+

+ <%= bundle.getString("result.congratsTheKeyIs") %> + <%= Hash.generateUserSolution(Getter.getModuleResult(ApplicationRoot, moduleId), (String)ses.getAttribute("userName")) %>
+
+ <% } %> + + + + + + + + + + + -
<%= bundle.getString("forum.img.whatToDo") %>
+
+
+ " /> +
-
- - -

- <%= Getter.getCsrfForumWithImg(ApplicationRoot, userClass, Getter.getModuleIdFromHash(ApplicationRoot, levelHash), bundle) %> -
-

+
+ + +
+ <%= Getter.getCsrfForumWithImg(ApplicationRoot, userClass, Getter.getModuleIdFromHash(ApplicationRoot, levelHash), bundle) %>
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/t193c6634f049bcf65cdcac72269eeac25dbb2a6887bdb38873e57d0ef447bc3.jsp b/src/main/webapp/challenges/t193c6634f049bcf65cdcac72269eeac25dbb2a6887bdb38873e57d0ef447bc3.jsp index 6147733f0..167c71a7b 100644 --- a/src/main/webapp/challenges/t193c6634f049bcf65cdcac72269eeac25dbb2a6887bdb38873e57d0ef447bc3.jsp +++ b/src/main/webapp/challenges/t193c6634f049bcf65cdcac72269eeac25dbb2a6887bdb38873e57d0ef447bc3.jsp @@ -1,5 +1,6 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="utils.*" errorPage="" %> -<%@ page import="java.util.Locale, java.util.ResourceBundle" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" import="utils.*" errorPage=""%> +<%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** * Broken Authentication and Session Management Challenge Three @@ -53,71 +54,81 @@ String i18nLevelName = bundle.getString("challenge.challengeName"); %> - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("challenge.description") %> -
-

-
- - - - -
- <%= bundle.getString("challenge.form.userName") %> - - -
- <%= bundle.getString("challenge.form.password") %> - - -
-
"/>
-
-
- "/> -
- -
- - - -

+ + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +
+

+
+ + + + + + + + + + + + +
<%= bundle.getString("challenge.form.userName") %>
<%= bundle.getString("challenge.form.password") %>
+
+ " /> +
+
+
+ " /> +
+ +
+ - - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/t227357536888e807ff0f0eff751d6034bafe48954575c3a6563cb47a85b1e888.jsp b/src/main/webapp/challenges/t227357536888e807ff0f0eff751d6034bafe48954575c3a6563cb47a85b1e888.jsp index 93f5f471c..83d2d8ad1 100644 --- a/src/main/webapp/challenges/t227357536888e807ff0f0eff751d6034bafe48954575c3a6563cb47a85b1e888.jsp +++ b/src/main/webapp/challenges/t227357536888e807ff0f0eff751d6034bafe48954575c3a6563cb47a85b1e888.jsp @@ -1,4 +1,7 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% @@ -56,40 +59,53 @@ - - Security Shepherd - <%= translatedLevelName %> - - + +Security Shepherd - <%= translatedLevelName %> + + - - - - -
-

<%= translatedLevelName %>

-

- <%= bundle.getString("challenge.description") %> -

- - - - -
- <%= bundle.getString("challenge.form.instruction") %> -
- -
-
"/>
- - -
-
- -
-

-
- + + + +
+

<%= translatedLevelName %>

+

+ <%= bundle.getString("challenge.description") %> +

+ + + + + + + + + + +
<%= bundle.getString("challenge.form.instruction") %>
+
+ " /> +
+ + +
+
+ +
+

+
+ - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/vc9b78627df2c032ceaf7375df1d847e47ed7abac2a4ce4cb6086646e0f313a4.jsp b/src/main/webapp/challenges/vc9b78627df2c032ceaf7375df1d847e47ed7abac2a4ce4cb6086646e0f313a4.jsp index 388717913..0ae80accb 100644 --- a/src/main/webapp/challenges/vc9b78627df2c032ceaf7375df1d847e47ed7abac2a4ce4cb6086646e0f313a4.jsp +++ b/src/main/webapp/challenges/vc9b78627df2c032ceaf7375df1d847e47ed7abac2a4ce4cb6086646e0f313a4.jsp @@ -1,4 +1,7 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -55,45 +58,59 @@ - - Security Shepherd - <%= i18nChallengeName %> - - + +Security Shepherd - <%= i18nChallengeName %> + + - - - - -
-

<%= i18nChallengeName %>

-

- <%= bundle.getString("challenge.whatToDo") %> -
-
-

-
- - + + + + +
+

<%= i18nChallengeName %>

+

+ <%= bundle.getString("challenge.whatToDo") %> +

+

+ +
+ + - - -
-
"/>
- -
-
-
-
-

-
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/x9c408d23e75ec92495e0caf9a544edb2ee8f624249f3e920663edb733f15cd7.jsp b/src/main/webapp/challenges/x9c408d23e75ec92495e0caf9a544edb2ee8f624249f3e920663edb733f15cd7.jsp index dda96c00a..492d7a22c 100644 --- a/src/main/webapp/challenges/x9c408d23e75ec92495e0caf9a544edb2ee8f624249f3e920663edb733f15cd7.jsp +++ b/src/main/webapp/challenges/x9c408d23e75ec92495e0caf9a544edb2ee8f624249f3e920663edb733f15cd7.jsp @@ -1,4 +1,7 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -53,26 +56,29 @@ - - Security Shepherd - <%= i18nLevelName %> - - + +Security Shepherd - <%= i18nLevelName %> + + - - - - -
-

<%= i18nLevelName %>

-

- <%= bundle.getString("insecureCryptoStorage.1.whatToDo") %> -
-
- Ymj wjxzqy pjd ktw ymnx qjxxts nx ymj ktqqtbnsl xywnsl; rdqtajqdmtwxjwzssnslymwtzlmymjknjqibmjwjfwjdtzltnslbnymdtzwgnlf -

-
- + + + +
+

<%= i18nLevelName %>

+

+ <%= bundle.getString("insecureCryptoStorage.1.whatToDo") %> +

Ymj wjxzqy pjd ktw ymnx qjxxts nx ymj ktqqtbnsl + xywnsl; + rdqtajqdmtwxjwzssnslymwtzlmymjknjqibmjwjfwjdtzltnslbnymdtzwgnlf +

+
+ - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %> + <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %> + <% } %> <% diff --git a/src/main/webapp/challenges/z311736498a13604705d608fb3171ebf49bc18753b0ec34b8dff5e4f9147eb5e.jsp b/src/main/webapp/challenges/z311736498a13604705d608fb3171ebf49bc18753b0ec34b8dff5e4f9147eb5e.jsp index 038bc55bd..b555566e1 100644 --- a/src/main/webapp/challenges/z311736498a13604705d608fb3171ebf49bc18753b0ec34b8dff5e4f9147eb5e.jsp +++ b/src/main/webapp/challenges/z311736498a13604705d608fb3171ebf49bc18753b0ec34b8dff5e4f9147eb5e.jsp @@ -1,4 +1,7 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> <%@ page import="java.util.Locale, java.util.ResourceBundle"%> <% /** @@ -62,61 +65,69 @@ - - Security Shepherd - <%= bundle.getString("title.csrf2") %> - - + +Security Shepherd - <%= bundle.getString("title.csrf2") %> + + - - - - -
-

<%= bundle.getString("title.csrf2") %>

-

- <%= bundle.getString("challenge.intro") %> -
-
- POST /user/csrfchallengetwo/plusplus -
- <%= bundle.getString("challenge.withThisParameter") %> userId = <%= bundle.getString("challenge.userIdExample") %> -
-
- <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.1") %> <%= bundle.getString("challenge.userIdExample") %> <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %>  -
-
- <%= bundle.getString("challenge.useForumForIframe") %> - <% + + + + +

+

<%= bundle.getString("title.csrf2") %>

+

+ <%= bundle.getString("challenge.intro") %> +

POST /user/csrfchallengetwo/plusplus
+ <%= bundle.getString("challenge.withThisParameter") %> + userId = <%= bundle.getString("challenge.userIdExample") %>
+
+ <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.1") %> <%= bundle.getString("challenge.userIdExample") %> <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %>  +

+ <%= bundle.getString("challenge.useForumForIframe") %> + <% String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); if (Getter.isCsrfLevelComplete(ApplicationRoot, moduleId, userId)) { %> -

<%= bundle.getString("result.challengeCompleted") %>

-

- <%= bundle.getString("result.congratsTheKeyIs") %> - <%= Hash.generateUserSolution(Getter.getModuleResult(ApplicationRoot, moduleId), (String)ses.getAttribute("userName")) %>

- <% } %> -

- - - - + +
- <%= bundle.getString("forum.iframe.whatToDo") %> -
- -
-
"/>
+ +

<%= bundle.getString("result.challengeCompleted") %>

+

+ <%= bundle.getString("result.congratsTheKeyIs") %> + <%= Hash.generateUserSolution(Getter.getModuleResult(ApplicationRoot, moduleId), (String)ses.getAttribute("userName")) %>
+
+ <% } %> + + + + + + + + + + + -
<%= bundle.getString("forum.iframe.whatToDo") %>
+
+ " /> +
-
- - -

- <%= Getter.getCsrfForumWithIframe(ApplicationRoot, userClass, Getter.getModuleIdFromHash(ApplicationRoot, levelHash), bundle) %> -
-

+
+ + +
+ <%= Getter.getCsrfForumWithIframe(ApplicationRoot, userClass, Getter.getModuleIdFromHash(ApplicationRoot, levelHash), bundle) %>
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %>
+ <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %>
+ <% } %>
 <%
diff --git a/src/main/webapp/challenges/z6b2f5ebbe112dd09a6c430a167415820adc5633256a7b44a7d1e262db105e3c.jsp b/src/main/webapp/challenges/z6b2f5ebbe112dd09a6c430a167415820adc5633256a7b44a7d1e262db105e3c.jsp
index 6158abcbf..cfd053b03 100644
--- a/src/main/webapp/challenges/z6b2f5ebbe112dd09a6c430a167415820adc5633256a7b44a7d1e262db105e3c.jsp
+++ b/src/main/webapp/challenges/z6b2f5ebbe112dd09a6c430a167415820adc5633256a7b44a7d1e262db105e3c.jsp
@@ -1,4 +1,7 @@
-<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %>
+<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"
+ language="java"
+ import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*"
+ errorPage=""%>
 <%@ page import="java.util.Locale, java.util.ResourceBundle"%>
 <% /**
@@ -62,61 +65,70 @@ - - Security Shepherd - <%= bundle.getString("title.csrf3") %> - - + +Security Shepherd - <%= bundle.getString("title.csrf3") %> + + - - - - -
-

<%= bundle.getString("title.csrf3") %>

-

- <%= bundle.getString("challenge.intro") %> -
-
- POST /user/csrfchallengethree/plusplus -
- <%= bundle.getString("challenge.withTheseParameters") %> userid=<%= bundle.getString("challenge.userIdExample") %> & csrfToken=<%= bundle.getString("challenge.userTokenExample") %> -
-
- <%= bundle.getString("challenge.csrfTokenGenerated") %> <%= bundle.getString("challenge.userIdExample") %> <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %> <%= bundle.getString("challenge.yourIdIs") %> <%= userId %><%= bundle.getString("challenge.yourIdIs.1") %> -
-
- <%= bundle.getString("challenge.useForumForIframe") %> - <% + + + + +

+

<%= bundle.getString("title.csrf3") %>

+

+ <%= bundle.getString("challenge.intro") %> +

POST /user/csrfchallengethree/plusplus
+ <%= bundle.getString("challenge.withTheseParameters") %> + userid=<%= bundle.getString("challenge.userIdExample") %> & + csrfToken=<%= bundle.getString("challenge.userTokenExample") %>
+
+ <%= bundle.getString("challenge.csrfTokenGenerated") %> <%= bundle.getString("challenge.userIdExample") %> <%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %> <%= bundle.getString("challenge.yourIdIs") %> <%= userId %><%= bundle.getString("challenge.yourIdIs.1") %> +

+ <%= bundle.getString("challenge.useForumForIframe") %> + <% String moduleId = Getter.getModuleIdFromHash(ApplicationRoot, levelHash); if (Getter.isCsrfLevelComplete(ApplicationRoot, moduleId, userId)) { %> -

<%= bundle.getString("result.challengeCompleted") %>

-

- <%= bundle.getString("result.congratsTheKeyIs") %> - <%=Hash.generateUserSolution(Getter.getModuleResult(ApplicationRoot, moduleId), (String)ses.getAttribute("userName")) %>

- <% } %> -

- - - - + +
- <%= bundle.getString("forum.iframe.whatToDo") %> -
- -
-
"/>
+ +

<%= bundle.getString("result.challengeCompleted") %>

+

+ <%= bundle.getString("result.congratsTheKeyIs") %> + <%=Hash.generateUserSolution(Getter.getModuleResult(ApplicationRoot, moduleId), (String)ses.getAttribute("userName")) %>
+
+ <% } %> + + + + + + + + + + + -
<%= bundle.getString("forum.iframe.whatToDo") %>
+
+
+ " /> +
-
- - -

- <%= Getter.getCsrfForumWithIframe(ApplicationRoot, userClass, Getter.getModuleIdFromHash(ApplicationRoot, levelHash), bundle) %> -
-

+
+ + +
+ <%= Getter.getCsrfForumWithIframe(ApplicationRoot, userClass, Getter.getModuleIdFromHash(ApplicationRoot, levelHash), bundle) %>
- - <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %><% } %>
+ <% if(Analytics.googleAnalyticsOn) { %><%= Analytics.googleAnalyticsScript %>
+ <% } %>
 <%
diff --git a/src/main/webapp/css/jquery.mCustomScrollbar.min.css b/src/main/webapp/css/jquery.mCustomScrollbar.min.css
index 5441f76d9..173406425 100644
--- a/src/main/webapp/css/jquery.mCustomScrollbar.min.css
+++ b/src/main/webapp/css/jquery.mCustomScrollbar.min.css 
@@ -1 +1,1546 @@ -.mCustomScrollbar{-ms-touch-action:none;touch-action:none}.mCustomScrollbar.mCS_no_scrollbar,.mCustomScrollbar.mCS_touch_action{-ms-touch-action:auto;touch-action:auto}.mCustomScrollBox{position:relative;overflow:hidden;height:100%;max-width:100%;outline:0;direction:ltr}.mCSB_container{overflow:hidden;width:auto;height:auto}.mCSB_inside>.mCSB_container{margin-right:30px}.mCSB_container.mCS_no_scrollbar_y.mCS_y_hidden{margin-right:0}.mCS-dir-rtl>.mCSB_inside>.mCSB_container{margin-right:0;margin-left:30px}.mCS-dir-rtl>.mCSB_inside>.mCSB_container.mCS_no_scrollbar_y.mCS_y_hidden{margin-left:0}.mCSB_scrollTools{position:absolute;width:16px;height:auto;left:auto;top:0;right:0;bottom:0;opacity:.75;filter:"alpha(opacity=75)";-ms-filter:"alpha(opacity=75)"}.mCSB_outside+.mCSB_scrollTools{right:-26px}.mCS-dir-rtl>.mCSB_inside>.mCSB_scrollTools,.mCS-dir-rtl>.mCSB_outside+.mCSB_scrollTools{right:auto;left:0}.mCS-dir-rtl>.mCSB_outside+.mCSB_scrollTools{left:-26px}.mCSB_scrollTools .mCSB_draggerContainer{position:absolute;top:0;left:0;bottom:0;right:0;height:auto}.mCSB_scrollTools a+.mCSB_draggerContainer{margin:20px 0}.mCSB_scrollTools .mCSB_draggerRail{width:2px;height:100%;margin:0 auto;-webkit-border-radius:16px;-moz-border-radius:16px;border-radius:16px}.mCSB_scrollTools .mCSB_dragger{cursor:pointer;width:100%;height:30px;z-index:1}.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{position:relative;width:4px;height:100%;margin:0 auto;-webkit-border-radius:16px;-moz-border-radius:16px;border-radius:16px;text-align:center}.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded .mCSB_dragger_bar,.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_dragger .mCSB_dragger_bar{width:12px}.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail,.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand 
.mCSB_draggerContainer:hover .mCSB_draggerRail{width:8px}.mCSB_scrollTools .mCSB_buttonDown,.mCSB_scrollTools .mCSB_buttonUp{display:block;position:absolute;height:20px;width:100%;overflow:hidden;margin:0 auto;cursor:pointer}.mCSB_scrollTools .mCSB_buttonDown{bottom:0}.mCSB_horizontal.mCSB_inside>.mCSB_container{margin-right:0;margin-bottom:30px}.mCSB_horizontal.mCSB_outside>.mCSB_container{min-height:100%}.mCSB_horizontal>.mCSB_container.mCS_no_scrollbar_x.mCS_x_hidden{margin-bottom:0}.mCSB_scrollTools.mCSB_scrollTools_horizontal{width:auto;height:16px;top:auto;right:0;bottom:0;left:0}.mCustomScrollBox+.mCSB_scrollTools+.mCSB_scrollTools.mCSB_scrollTools_horizontal,.mCustomScrollBox+.mCSB_scrollTools.mCSB_scrollTools_horizontal{bottom:-26px}.mCSB_scrollTools.mCSB_scrollTools_horizontal a+.mCSB_draggerContainer{margin:0 20px}.mCSB_scrollTools.mCSB_scrollTools_horizontal .mCSB_draggerRail{width:100%;height:2px;margin:7px 0}.mCSB_scrollTools.mCSB_scrollTools_horizontal .mCSB_dragger{width:30px;height:100%;left:0}.mCSB_scrollTools.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar{width:100%;height:4px;margin:6px auto}.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded .mCSB_dragger_bar,.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_dragger .mCSB_dragger_bar{height:12px;margin:2px auto}.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail,.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail{height:8px;margin:4px 0}.mCSB_scrollTools.mCSB_scrollTools_horizontal .mCSB_buttonLeft,.mCSB_scrollTools.mCSB_scrollTools_horizontal .mCSB_buttonRight{display:block;position:absolute;width:20px;height:100%;overflow:hidden;margin:0 auto;cursor:pointer}.mCSB_scrollTools.mCSB_scrollTools_horizontal 
.mCSB_buttonLeft{left:0}.mCSB_scrollTools.mCSB_scrollTools_horizontal .mCSB_buttonRight{right:0}.mCSB_container_wrapper{position:absolute;height:auto;width:auto;overflow:hidden;top:0;left:0;right:0;bottom:0;margin-right:30px;margin-bottom:30px}.mCSB_container_wrapper>.mCSB_container{padding-right:30px;padding-bottom:30px}.mCSB_vertical_horizontal>.mCSB_scrollTools.mCSB_scrollTools_vertical{bottom:20px}.mCSB_vertical_horizontal>.mCSB_scrollTools.mCSB_scrollTools_horizontal{right:20px}.mCSB_container_wrapper.mCS_no_scrollbar_x.mCS_x_hidden+.mCSB_scrollTools.mCSB_scrollTools_vertical{bottom:0}.mCS-dir-rtl>.mCustomScrollBox.mCSB_vertical_horizontal.mCSB_inside>.mCSB_scrollTools.mCSB_scrollTools_horizontal,.mCSB_container_wrapper.mCS_no_scrollbar_y.mCS_y_hidden+.mCSB_scrollTools~.mCSB_scrollTools.mCSB_scrollTools_horizontal{right:0}.mCS-dir-rtl>.mCustomScrollBox.mCSB_vertical_horizontal.mCSB_inside>.mCSB_scrollTools.mCSB_scrollTools_horizontal{left:20px}.mCS-dir-rtl>.mCustomScrollBox.mCSB_vertical_horizontal.mCSB_inside>.mCSB_container_wrapper.mCS_no_scrollbar_y.mCS_y_hidden+.mCSB_scrollTools~.mCSB_scrollTools.mCSB_scrollTools_horizontal{left:0}.mCS-dir-rtl>.mCSB_inside>.mCSB_container_wrapper{margin-right:0;margin-left:30px}.mCSB_container_wrapper.mCS_no_scrollbar_y.mCS_y_hidden>.mCSB_container{padding-right:0;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.mCSB_container_wrapper.mCS_no_scrollbar_x.mCS_x_hidden>.mCSB_container{padding-bottom:0;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.mCustomScrollBox.mCSB_vertical_horizontal.mCSB_inside>.mCSB_container_wrapper.mCS_no_scrollbar_y.mCS_y_hidden{margin-right:0;margin-left:0}.mCustomScrollBox.mCSB_vertical_horizontal.mCSB_inside>.mCSB_container_wrapper.mCS_no_scrollbar_x.mCS_x_hidden{margin-bottom:0}.mCSB_scrollTools,.mCSB_scrollTools .mCSB_buttonDown,.mCSB_scrollTools .mCSB_buttonLeft,.mCSB_scrollTools .mCSB_buttonRight,.mCSB_scrollTools 
.mCSB_buttonUp,.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{-webkit-transition:opacity .2s ease-in-out,background-color .2s ease-in-out;-moz-transition:opacity .2s ease-in-out,background-color .2s ease-in-out;-o-transition:opacity .2s ease-in-out,background-color .2s ease-in-out;transition:opacity .2s ease-in-out,background-color .2s ease-in-out}.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerRail,.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger_bar,.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerRail,.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger_bar{-webkit-transition:width .2s ease-out .2s,height .2s ease-out .2s,margin-left .2s ease-out .2s,margin-right .2s ease-out .2s,margin-top .2s ease-out .2s,margin-bottom .2s ease-out .2s,opacity .2s ease-in-out,background-color .2s ease-in-out;-moz-transition:width .2s ease-out .2s,height .2s ease-out .2s,margin-left .2s ease-out .2s,margin-right .2s ease-out .2s,margin-top .2s ease-out .2s,margin-bottom .2s ease-out .2s,opacity .2s ease-in-out,background-color .2s ease-in-out;-o-transition:width .2s ease-out .2s,height .2s ease-out .2s,margin-left .2s ease-out .2s,margin-right .2s ease-out .2s,margin-top .2s ease-out .2s,margin-bottom .2s ease-out .2s,opacity .2s ease-in-out,background-color .2s ease-in-out;transition:width .2s ease-out .2s,height .2s ease-out .2s,margin-left .2s ease-out .2s,margin-right .2s ease-out .2s,margin-top .2s ease-out .2s,margin-bottom .2s ease-out .2s,opacity .2s ease-in-out,background-color .2s 
ease-in-out}.mCS-autoHide>.mCustomScrollBox>.mCSB_scrollTools,.mCS-autoHide>.mCustomScrollBox~.mCSB_scrollTools{opacity:0;filter:"alpha(opacity=0)";-ms-filter:"alpha(opacity=0)"}.mCS-autoHide:hover>.mCustomScrollBox>.mCSB_scrollTools,.mCS-autoHide:hover>.mCustomScrollBox~.mCSB_scrollTools,.mCustomScrollBox:hover>.mCSB_scrollTools,.mCustomScrollBox:hover~.mCSB_scrollTools,.mCustomScrollbar>.mCustomScrollBox>.mCSB_scrollTools.mCSB_scrollTools_onDrag,.mCustomScrollbar>.mCustomScrollBox~.mCSB_scrollTools.mCSB_scrollTools_onDrag{opacity:1;filter:"alpha(opacity=100)";-ms-filter:"alpha(opacity=100)"}.mCSB_scrollTools .mCSB_draggerRail{background-color:#000;background-color:rgba(0,0,0,.4);filter:"alpha(opacity=40)";-ms-filter:"alpha(opacity=40)"}.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{background-color:#fff;background-color:rgba(255,255,255,.75);filter:"alpha(opacity=75)";-ms-filter:"alpha(opacity=75)"}.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar{background-color:#fff;background-color:rgba(255,255,255,.85);filter:"alpha(opacity=85)";-ms-filter:"alpha(opacity=85)"}.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar{background-color:#fff;background-color:rgba(255,255,255,.9);filter:"alpha(opacity=90)";-ms-filter:"alpha(opacity=90)"}.mCSB_scrollTools .mCSB_buttonDown,.mCSB_scrollTools .mCSB_buttonLeft,.mCSB_scrollTools .mCSB_buttonRight,.mCSB_scrollTools .mCSB_buttonUp{background-image:url(mCSB_buttons.png);background-repeat:no-repeat;opacity:.4;filter:"alpha(opacity=40)";-ms-filter:"alpha(opacity=40)"}.mCSB_scrollTools .mCSB_buttonUp{background-position:0 0}.mCSB_scrollTools .mCSB_buttonDown{background-position:0 -20px}.mCSB_scrollTools .mCSB_buttonLeft{background-position:0 -40px}.mCSB_scrollTools .mCSB_buttonRight{background-position:0 -56px}.mCSB_scrollTools .mCSB_buttonDown:hover,.mCSB_scrollTools .mCSB_buttonLeft:hover,.mCSB_scrollTools 
.mCSB_buttonRight:hover,.mCSB_scrollTools .mCSB_buttonUp:hover{opacity:.75;filter:"alpha(opacity=75)";-ms-filter:"alpha(opacity=75)"}.mCSB_scrollTools .mCSB_buttonDown:active,.mCSB_scrollTools .mCSB_buttonLeft:active,.mCSB_scrollTools .mCSB_buttonRight:active,.mCSB_scrollTools .mCSB_buttonUp:active{opacity:.9;filter:"alpha(opacity=90)";-ms-filter:"alpha(opacity=90)"}.mCS-dark.mCSB_scrollTools .mCSB_draggerRail{background-color:#000;background-color:rgba(0,0,0,.15)}.mCS-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.75)}.mCS-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar{background-color:rgba(0,0,0,.85)}.mCS-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar{background-color:rgba(0,0,0,.9)}.mCS-dark.mCSB_scrollTools .mCSB_buttonUp{background-position:-80px 0}.mCS-dark.mCSB_scrollTools .mCSB_buttonDown{background-position:-80px -20px}.mCS-dark.mCSB_scrollTools .mCSB_buttonLeft{background-position:-80px -40px}.mCS-dark.mCSB_scrollTools .mCSB_buttonRight{background-position:-80px -56px}.mCS-dark-2.mCSB_scrollTools .mCSB_draggerRail,.mCS-light-2.mCSB_scrollTools .mCSB_draggerRail{width:4px;background-color:#fff;background-color:rgba(255,255,255,.1);-webkit-border-radius:1px;-moz-border-radius:1px;border-radius:1px}.mCS-dark-2.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-light-2.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{width:4px;background-color:#fff;background-color:rgba(255,255,255,.75);-webkit-border-radius:1px;-moz-border-radius:1px;border-radius:1px}.mCS-dark-2.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-dark-2.mCSB_scrollTools_horizontal .mCSB_draggerRail,.mCS-light-2.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-light-2.mCSB_scrollTools_horizontal .mCSB_draggerRail{width:100%;height:4px;margin:6px auto}.mCS-light-2.mCSB_scrollTools .mCSB_dragger:hover 
.mCSB_dragger_bar{background-color:#fff;background-color:rgba(255,255,255,.85)}.mCS-light-2.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-light-2.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar{background-color:#fff;background-color:rgba(255,255,255,.9)}.mCS-light-2.mCSB_scrollTools .mCSB_buttonUp{background-position:-32px 0}.mCS-light-2.mCSB_scrollTools .mCSB_buttonDown{background-position:-32px -20px}.mCS-light-2.mCSB_scrollTools .mCSB_buttonLeft{background-position:-40px -40px}.mCS-light-2.mCSB_scrollTools .mCSB_buttonRight{background-position:-40px -56px}.mCS-dark-2.mCSB_scrollTools .mCSB_draggerRail{background-color:#000;background-color:rgba(0,0,0,.1);-webkit-border-radius:1px;-moz-border-radius:1px;border-radius:1px}.mCS-dark-2.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.75);-webkit-border-radius:1px;-moz-border-radius:1px;border-radius:1px}.mCS-dark-2.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.85)}.mCS-dark-2.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-dark-2.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.9)}.mCS-dark-2.mCSB_scrollTools .mCSB_buttonUp{background-position:-112px 0}.mCS-dark-2.mCSB_scrollTools .mCSB_buttonDown{background-position:-112px -20px}.mCS-dark-2.mCSB_scrollTools .mCSB_buttonLeft{background-position:-120px -40px}.mCS-dark-2.mCSB_scrollTools .mCSB_buttonRight{background-position:-120px -56px}.mCS-dark-thick.mCSB_scrollTools .mCSB_draggerRail,.mCS-light-thick.mCSB_scrollTools .mCSB_draggerRail{width:4px;background-color:#fff;background-color:rgba(255,255,255,.1);-webkit-border-radius:2px;-moz-border-radius:2px;border-radius:2px}.mCS-dark-thick.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-light-thick.mCSB_scrollTools .mCSB_dragger 
.mCSB_dragger_bar{width:6px;background-color:#fff;background-color:rgba(255,255,255,.75);-webkit-border-radius:2px;-moz-border-radius:2px;border-radius:2px}.mCS-dark-thick.mCSB_scrollTools_horizontal .mCSB_draggerRail,.mCS-light-thick.mCSB_scrollTools_horizontal .mCSB_draggerRail{width:100%;height:4px;margin:6px 0}.mCS-dark-thick.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-light-thick.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar{width:100%;height:6px;margin:5px auto}.mCS-light-thick.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar{background-color:#fff;background-color:rgba(255,255,255,.85)}.mCS-light-thick.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-light-thick.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar{background-color:#fff;background-color:rgba(255,255,255,.9)}.mCS-light-thick.mCSB_scrollTools .mCSB_buttonUp{background-position:-16px 0}.mCS-light-thick.mCSB_scrollTools .mCSB_buttonDown{background-position:-16px -20px}.mCS-light-thick.mCSB_scrollTools .mCSB_buttonLeft{background-position:-20px -40px}.mCS-light-thick.mCSB_scrollTools .mCSB_buttonRight{background-position:-20px -56px}.mCS-dark-thick.mCSB_scrollTools .mCSB_draggerRail{background-color:#000;background-color:rgba(0,0,0,.1);-webkit-border-radius:2px;-moz-border-radius:2px;border-radius:2px}.mCS-dark-thick.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.75);-webkit-border-radius:2px;-moz-border-radius:2px;border-radius:2px}.mCS-dark-thick.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.85)}.mCS-dark-thick.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-dark-thick.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.9)}.mCS-dark-thick.mCSB_scrollTools .mCSB_buttonUp{background-position:-96px 0}.mCS-dark-thick.mCSB_scrollTools 
.mCSB_buttonDown{background-position:-96px -20px}.mCS-dark-thick.mCSB_scrollTools .mCSB_buttonLeft{background-position:-100px -40px}.mCS-dark-thick.mCSB_scrollTools .mCSB_buttonRight{background-position:-100px -56px}.mCS-light-thin.mCSB_scrollTools .mCSB_draggerRail{background-color:#fff;background-color:rgba(255,255,255,.1)}.mCS-dark-thin.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-light-thin.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{width:2px}.mCS-dark-thin.mCSB_scrollTools_horizontal .mCSB_draggerRail,.mCS-light-thin.mCSB_scrollTools_horizontal .mCSB_draggerRail{width:100%}.mCS-dark-thin.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-light-thin.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar{width:100%;height:2px;margin:7px auto}.mCS-dark-thin.mCSB_scrollTools .mCSB_draggerRail{background-color:#000;background-color:rgba(0,0,0,.15)}.mCS-dark-thin.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.75)}.mCS-dark-thin.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.85)}.mCS-dark-thin.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-dark-thin.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.9)}.mCS-dark-thin.mCSB_scrollTools .mCSB_buttonUp{background-position:-80px 0}.mCS-dark-thin.mCSB_scrollTools .mCSB_buttonDown{background-position:-80px -20px}.mCS-dark-thin.mCSB_scrollTools .mCSB_buttonLeft{background-position:-80px -40px}.mCS-dark-thin.mCSB_scrollTools .mCSB_buttonRight{background-position:-80px -56px}.mCS-rounded.mCSB_scrollTools .mCSB_draggerRail{background-color:#fff;background-color:rgba(255,255,255,.15)}.mCS-rounded-dark.mCSB_scrollTools .mCSB_dragger,.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_dragger,.mCS-rounded-dots.mCSB_scrollTools .mCSB_dragger,.mCS-rounded.mCSB_scrollTools 
.mCSB_dragger{height:14px}.mCS-rounded-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-rounded-dots.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-rounded.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{width:14px;margin:0 1px}.mCS-rounded-dark.mCSB_scrollTools_horizontal .mCSB_dragger,.mCS-rounded-dots-dark.mCSB_scrollTools_horizontal .mCSB_dragger,.mCS-rounded-dots.mCSB_scrollTools_horizontal .mCSB_dragger,.mCS-rounded.mCSB_scrollTools_horizontal .mCSB_dragger{width:14px}.mCS-rounded-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-rounded-dots-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-rounded-dots.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-rounded.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar{height:14px;margin:1px 0}.mCS-rounded-dark.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded .mCSB_dragger_bar,.mCS-rounded-dark.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_dragger .mCSB_dragger_bar,.mCS-rounded.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded .mCSB_dragger_bar,.mCS-rounded.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_dragger .mCSB_dragger_bar{width:16px;height:16px;margin:-1px 0}.mCS-rounded-dark.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail,.mCS-rounded-dark.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail,.mCS-rounded.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail,.mCS-rounded.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover 
.mCSB_draggerRail{width:4px}.mCS-rounded-dark.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded .mCSB_dragger_bar,.mCS-rounded-dark.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_dragger .mCSB_dragger_bar,.mCS-rounded.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded .mCSB_dragger_bar,.mCS-rounded.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_dragger .mCSB_dragger_bar{height:16px;width:16px;margin:0 -1px}.mCS-rounded-dark.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail,.mCS-rounded-dark.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail,.mCS-rounded.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail,.mCS-rounded.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail{height:4px;margin:6px 0}.mCS-rounded.mCSB_scrollTools .mCSB_buttonUp{background-position:0 -72px}.mCS-rounded.mCSB_scrollTools .mCSB_buttonDown{background-position:0 -92px}.mCS-rounded.mCSB_scrollTools .mCSB_buttonLeft{background-position:0 -112px}.mCS-rounded.mCSB_scrollTools .mCSB_buttonRight{background-position:0 -128px}.mCS-rounded-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.75)}.mCS-rounded-dark.mCSB_scrollTools .mCSB_draggerRail{background-color:#000;background-color:rgba(0,0,0,.15)}.mCS-rounded-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar,.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.85)}.mCS-rounded-dark.mCSB_scrollTools 
.mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-rounded-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar,.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.9)}.mCS-rounded-dark.mCSB_scrollTools .mCSB_buttonUp{background-position:-80px -72px}.mCS-rounded-dark.mCSB_scrollTools .mCSB_buttonDown{background-position:-80px -92px}.mCS-rounded-dark.mCSB_scrollTools .mCSB_buttonLeft{background-position:-80px -112px}.mCS-rounded-dark.mCSB_scrollTools .mCSB_buttonRight{background-position:-80px -128px}.mCS-rounded-dots-dark.mCSB_scrollTools_vertical .mCSB_draggerRail,.mCS-rounded-dots.mCSB_scrollTools_vertical .mCSB_draggerRail{width:4px}.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_draggerRail,.mCS-rounded-dots-dark.mCSB_scrollTools_horizontal .mCSB_draggerRail,.mCS-rounded-dots.mCSB_scrollTools .mCSB_draggerRail,.mCS-rounded-dots.mCSB_scrollTools_horizontal .mCSB_draggerRail{background-color:transparent;background-position:center}.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_draggerRail,.mCS-rounded-dots.mCSB_scrollTools .mCSB_draggerRail{background-image:url();background-repeat:repeat-y;opacity:.3;filter:"alpha(opacity=30)";-ms-filter:"alpha(opacity=30)"}.mCS-rounded-dots-dark.mCSB_scrollTools_horizontal .mCSB_draggerRail,.mCS-rounded-dots.mCSB_scrollTools_horizontal .mCSB_draggerRail{height:4px;margin:6px 0;background-repeat:repeat-x}.mCS-rounded-dots.mCSB_scrollTools .mCSB_buttonUp{background-position:-16px -72px}.mCS-rounded-dots.mCSB_scrollTools .mCSB_buttonDown{background-position:-16px -92px}.mCS-rounded-dots.mCSB_scrollTools .mCSB_buttonLeft{background-position:-20px -112px}.mCS-rounded-dots.mCSB_scrollTools .mCSB_buttonRight{background-position:-20px -128px}.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_draggerRail{background-image:url()}.mCS-rounded-dots-dark.mCSB_scrollTools 
.mCSB_buttonUp{background-position:-96px -72px}.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_buttonDown{background-position:-96px -92px}.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_buttonLeft{background-position:-100px -112px}.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_buttonRight{background-position:-100px -128px}.mCS-3d-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-3d-thick.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-3d.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{background-repeat:repeat-y;background-image:-moz-linear-gradient(left,rgba(255,255,255,.5) 0,rgba(255,255,255,0) 100%);background-image:-webkit-gradient(linear,left top,right top,color-stop(0,rgba(255,255,255,.5)),color-stop(100%,rgba(255,255,255,0)));background-image:-webkit-linear-gradient(left,rgba(255,255,255,.5) 0,rgba(255,255,255,0) 100%);background-image:-o-linear-gradient(left,rgba(255,255,255,.5) 0,rgba(255,255,255,0) 100%);background-image:-ms-linear-gradient(left,rgba(255,255,255,.5) 0,rgba(255,255,255,0) 100%);background-image:linear-gradient(to right,rgba(255,255,255,.5) 0,rgba(255,255,255,0) 100%)}.mCS-3d-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-3d-thick-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-3d-thick.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-3d.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar{background-repeat:repeat-x;background-image:-moz-linear-gradient(top,rgba(255,255,255,.5) 0,rgba(255,255,255,0) 100%);background-image:-webkit-gradient(linear,left top,left bottom,color-stop(0,rgba(255,255,255,.5)),color-stop(100%,rgba(255,255,255,0)));background-image:-webkit-linear-gradient(top,rgba(255,255,255,.5) 0,rgba(255,255,255,0) 100%);background-image:-o-linear-gradient(top,rgba(255,255,255,.5) 0,rgba(255,255,255,0) 100%);background-image:-ms-linear-gradient(top,rgba(255,255,255,.5) 
0,rgba(255,255,255,0) 100%);background-image:linear-gradient(to bottom,rgba(255,255,255,.5) 0,rgba(255,255,255,0) 100%)}.mCS-3d-dark.mCSB_scrollTools_vertical .mCSB_dragger,.mCS-3d.mCSB_scrollTools_vertical .mCSB_dragger{height:70px}.mCS-3d-dark.mCSB_scrollTools_horizontal .mCSB_dragger,.mCS-3d.mCSB_scrollTools_horizontal .mCSB_dragger{width:70px}.mCS-3d-dark.mCSB_scrollTools,.mCS-3d.mCSB_scrollTools{opacity:1;filter:"alpha(opacity=30)";-ms-filter:"alpha(opacity=30)"}.mCS-3d-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-3d-dark.mCSB_scrollTools .mCSB_draggerRail,.mCS-3d.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-3d.mCSB_scrollTools .mCSB_draggerRail{-webkit-border-radius:16px;-moz-border-radius:16px;border-radius:16px}.mCS-3d-dark.mCSB_scrollTools .mCSB_draggerRail,.mCS-3d.mCSB_scrollTools .mCSB_draggerRail{width:8px;background-color:#000;background-color:rgba(0,0,0,.2);box-shadow:inset 1px 0 1px rgba(0,0,0,.5),inset -1px 0 1px rgba(255,255,255,.2)}.mCS-3d-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-3d-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-3d-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar,.mCS-3d-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar,.mCS-3d.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-3d.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-3d.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar,.mCS-3d.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar{background-color:#555}.mCS-3d-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-3d.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{width:8px}.mCS-3d-dark.mCSB_scrollTools_horizontal .mCSB_draggerRail,.mCS-3d.mCSB_scrollTools_horizontal .mCSB_draggerRail{width:100%;height:8px;margin:4px 0;box-shadow:inset 0 1px 1px rgba(0,0,0,.5),inset 0 -1px 1px rgba(255,255,255,.2)}.mCS-3d-dark.mCSB_scrollTools_horizontal .mCSB_dragger 
.mCSB_dragger_bar,.mCS-3d.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar{width:100%;height:8px;margin:4px auto}.mCS-3d.mCSB_scrollTools .mCSB_buttonUp{background-position:-32px -72px}.mCS-3d.mCSB_scrollTools .mCSB_buttonDown{background-position:-32px -92px}.mCS-3d.mCSB_scrollTools .mCSB_buttonLeft{background-position:-40px -112px}.mCS-3d.mCSB_scrollTools .mCSB_buttonRight{background-position:-40px -128px}.mCS-3d-dark.mCSB_scrollTools .mCSB_draggerRail{background-color:#000;background-color:rgba(0,0,0,.1);box-shadow:inset 1px 0 1px rgba(0,0,0,.1)}.mCS-3d-dark.mCSB_scrollTools_horizontal .mCSB_draggerRail{box-shadow:inset 0 1px 1px rgba(0,0,0,.1)}.mCS-3d-dark.mCSB_scrollTools .mCSB_buttonUp{background-position:-112px -72px}.mCS-3d-dark.mCSB_scrollTools .mCSB_buttonDown{background-position:-112px -92px}.mCS-3d-dark.mCSB_scrollTools .mCSB_buttonLeft{background-position:-120px -112px}.mCS-3d-dark.mCSB_scrollTools .mCSB_buttonRight{background-position:-120px -128px}.mCS-3d-thick-dark.mCSB_scrollTools,.mCS-3d-thick.mCSB_scrollTools{opacity:1;filter:"alpha(opacity=30)";-ms-filter:"alpha(opacity=30)"}.mCS-3d-thick-dark.mCSB_scrollTools,.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_draggerContainer,.mCS-3d-thick.mCSB_scrollTools,.mCS-3d-thick.mCSB_scrollTools .mCSB_draggerContainer{-webkit-border-radius:7px;-moz-border-radius:7px;border-radius:7px}.mCSB_inside+.mCS-3d-thick-dark.mCSB_scrollTools_vertical,.mCSB_inside+.mCS-3d-thick.mCSB_scrollTools_vertical{right:1px}.mCS-3d-thick-dark.mCSB_scrollTools_vertical,.mCS-3d-thick.mCSB_scrollTools_vertical{box-shadow:inset 1px 0 1px rgba(0,0,0,.1),inset 0 0 14px rgba(0,0,0,.5)}.mCS-3d-thick-dark.mCSB_scrollTools_horizontal,.mCS-3d-thick.mCSB_scrollTools_horizontal{bottom:1px;box-shadow:inset 0 1px 1px rgba(0,0,0,.1),inset 0 0 14px rgba(0,0,0,.5)}.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-3d-thick.mCSB_scrollTools .mCSB_dragger 
.mCSB_dragger_bar{-webkit-border-radius:5px;-moz-border-radius:5px;border-radius:5px;box-shadow:inset 1px 0 0 rgba(255,255,255,.4);width:12px;margin:2px;position:absolute;height:auto;top:0;bottom:0;left:0;right:0}.mCS-3d-thick-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-3d-thick.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar{box-shadow:inset 0 1px 0 rgba(255,255,255,.4);height:12px;width:auto}.mCS-3d-thick.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-3d-thick.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-3d-thick.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar,.mCS-3d-thick.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar{background-color:#555}.mCS-3d-thick.mCSB_scrollTools .mCSB_draggerContainer{background-color:#000;background-color:rgba(0,0,0,.05);box-shadow:inset 1px 1px 16px rgba(0,0,0,.1)}.mCS-3d-thick.mCSB_scrollTools .mCSB_draggerRail{background-color:transparent}.mCS-3d-thick.mCSB_scrollTools .mCSB_buttonUp{background-position:-32px -72px}.mCS-3d-thick.mCSB_scrollTools .mCSB_buttonDown{background-position:-32px -92px}.mCS-3d-thick.mCSB_scrollTools .mCSB_buttonLeft{background-position:-40px -112px}.mCS-3d-thick.mCSB_scrollTools .mCSB_buttonRight{background-position:-40px -128px}.mCS-3d-thick-dark.mCSB_scrollTools{box-shadow:inset 0 0 14px rgba(0,0,0,.2)}.mCS-3d-thick-dark.mCSB_scrollTools_horizontal{box-shadow:inset 0 1px 1px rgba(0,0,0,.1),inset 0 0 14px rgba(0,0,0,.2)}.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{box-shadow:inset 1px 0 0 rgba(255,255,255,.4),inset -1px 0 0 rgba(0,0,0,.2)}.mCS-3d-thick-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar{box-shadow:inset 0 1px 0 rgba(255,255,255,.4),inset 0 -1px 0 rgba(0,0,0,.2)}.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-3d-thick-dark.mCSB_scrollTools 
.mCSB_dragger:active .mCSB_dragger_bar,.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar{background-color:#777}.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_draggerContainer{background-color:#fff;background-color:rgba(0,0,0,.05);box-shadow:inset 1px 1px 16px rgba(0,0,0,.1)}.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_draggerRail,.mCS-minimal-dark.mCSB_scrollTools .mCSB_draggerRail,.mCS-minimal.mCSB_scrollTools .mCSB_draggerRail{background-color:transparent}.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_buttonUp{background-position:-112px -72px}.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_buttonDown{background-position:-112px -92px}.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_buttonLeft{background-position:-120px -112px}.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_buttonRight{background-position:-120px -128px}.mCSB_outside+.mCS-minimal-dark.mCSB_scrollTools_vertical,.mCSB_outside+.mCS-minimal.mCSB_scrollTools_vertical{right:0;margin:12px 0}.mCustomScrollBox.mCS-minimal+.mCSB_scrollTools+.mCSB_scrollTools.mCSB_scrollTools_horizontal,.mCustomScrollBox.mCS-minimal+.mCSB_scrollTools.mCSB_scrollTools_horizontal,.mCustomScrollBox.mCS-minimal-dark+.mCSB_scrollTools+.mCSB_scrollTools.mCSB_scrollTools_horizontal,.mCustomScrollBox.mCS-minimal-dark+.mCSB_scrollTools.mCSB_scrollTools_horizontal{bottom:0;margin:0 12px}.mCS-dir-rtl>.mCSB_outside+.mCS-minimal-dark.mCSB_scrollTools_vertical,.mCS-dir-rtl>.mCSB_outside+.mCS-minimal.mCSB_scrollTools_vertical{left:0;right:auto}.mCS-minimal-dark.mCSB_scrollTools_vertical .mCSB_dragger,.mCS-minimal.mCSB_scrollTools_vertical .mCSB_dragger{height:50px}.mCS-minimal-dark.mCSB_scrollTools_horizontal .mCSB_dragger,.mCS-minimal.mCSB_scrollTools_horizontal .mCSB_dragger{width:50px}.mCS-minimal.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{background-color:#fff;background-color:rgba(255,255,255,.2);filter:"alpha(opacity=20)";-ms-filter:"alpha(opacity=20)"}.mCS-minimal.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag 
.mCSB_dragger_bar,.mCS-minimal.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar{background-color:#fff;background-color:rgba(255,255,255,.5);filter:"alpha(opacity=50)";-ms-filter:"alpha(opacity=50)"}.mCS-minimal-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.2);filter:"alpha(opacity=20)";-ms-filter:"alpha(opacity=20)"}.mCS-minimal-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-minimal-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.5);filter:"alpha(opacity=50)";-ms-filter:"alpha(opacity=50)"}.mCS-dark-3.mCSB_scrollTools .mCSB_draggerRail,.mCS-light-3.mCSB_scrollTools .mCSB_draggerRail{width:6px;background-color:#000;background-color:rgba(0,0,0,.2)}.mCS-dark-3.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-light-3.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{width:6px}.mCS-dark-3.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-dark-3.mCSB_scrollTools_horizontal .mCSB_draggerRail,.mCS-light-3.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-light-3.mCSB_scrollTools_horizontal .mCSB_draggerRail{width:100%;height:6px;margin:5px 0}.mCS-dark-3.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail,.mCS-dark-3.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail,.mCS-light-3.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail,.mCS-light-3.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail{width:12px}.mCS-dark-3.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail,.mCS-dark-3.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover 
.mCSB_draggerRail,.mCS-light-3.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail,.mCS-light-3.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail{height:12px;margin:2px 0}.mCS-light-3.mCSB_scrollTools .mCSB_buttonUp{background-position:-32px -72px}.mCS-light-3.mCSB_scrollTools .mCSB_buttonDown{background-position:-32px -92px}.mCS-light-3.mCSB_scrollTools .mCSB_buttonLeft{background-position:-40px -112px}.mCS-light-3.mCSB_scrollTools .mCSB_buttonRight{background-position:-40px -128px}.mCS-dark-3.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.75)}.mCS-dark-3.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.85)}.mCS-dark-3.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-dark-3.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.9)}.mCS-dark-3.mCSB_scrollTools .mCSB_draggerRail{background-color:#000;background-color:rgba(0,0,0,.1)}.mCS-dark-3.mCSB_scrollTools .mCSB_buttonUp{background-position:-112px -72px}.mCS-dark-3.mCSB_scrollTools .mCSB_buttonDown{background-position:-112px -92px}.mCS-dark-3.mCSB_scrollTools .mCSB_buttonLeft{background-position:-120px -112px}.mCS-dark-3.mCSB_scrollTools .mCSB_buttonRight{background-position:-120px -128px}.mCS-inset-2-dark.mCSB_scrollTools .mCSB_draggerRail,.mCS-inset-2.mCSB_scrollTools .mCSB_draggerRail,.mCS-inset-3-dark.mCSB_scrollTools .mCSB_draggerRail,.mCS-inset-3.mCSB_scrollTools .mCSB_draggerRail,.mCS-inset-dark.mCSB_scrollTools .mCSB_draggerRail,.mCS-inset.mCSB_scrollTools .mCSB_draggerRail{width:12px;background-color:#000;background-color:rgba(0,0,0,.2)}.mCS-inset-2-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-inset-2.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-inset-3-dark.mCSB_scrollTools 
.mCSB_dragger .mCSB_dragger_bar,.mCS-inset-3.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-inset-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-inset.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{width:6px;margin:3px 5px;position:absolute;height:auto;top:0;bottom:0;left:0;right:0}.mCS-inset-2-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-inset-2.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-inset-3-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-inset-3.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-inset-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar,.mCS-inset.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar{height:6px;margin:5px 3px;position:absolute;width:auto;top:0;bottom:0;left:0;right:0}.mCS-inset-2-dark.mCSB_scrollTools_horizontal .mCSB_draggerRail,.mCS-inset-2.mCSB_scrollTools_horizontal .mCSB_draggerRail,.mCS-inset-3-dark.mCSB_scrollTools_horizontal .mCSB_draggerRail,.mCS-inset-3.mCSB_scrollTools_horizontal .mCSB_draggerRail,.mCS-inset-dark.mCSB_scrollTools_horizontal .mCSB_draggerRail,.mCS-inset.mCSB_scrollTools_horizontal .mCSB_draggerRail{width:100%;height:12px;margin:2px 0}.mCS-inset-2.mCSB_scrollTools .mCSB_buttonUp,.mCS-inset-3.mCSB_scrollTools .mCSB_buttonUp,.mCS-inset.mCSB_scrollTools .mCSB_buttonUp{background-position:-32px -72px}.mCS-inset-2.mCSB_scrollTools .mCSB_buttonDown,.mCS-inset-3.mCSB_scrollTools .mCSB_buttonDown,.mCS-inset.mCSB_scrollTools .mCSB_buttonDown{background-position:-32px -92px}.mCS-inset-2.mCSB_scrollTools .mCSB_buttonLeft,.mCS-inset-3.mCSB_scrollTools .mCSB_buttonLeft,.mCS-inset.mCSB_scrollTools .mCSB_buttonLeft{background-position:-40px -112px}.mCS-inset-2.mCSB_scrollTools .mCSB_buttonRight,.mCS-inset-3.mCSB_scrollTools .mCSB_buttonRight,.mCS-inset.mCSB_scrollTools .mCSB_buttonRight{background-position:-40px -128px}.mCS-inset-2-dark.mCSB_scrollTools .mCSB_dragger 
.mCSB_dragger_bar,.mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar,.mCS-inset-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.75)}.mCS-inset-2-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar,.mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar,.mCS-inset-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.85)}.mCS-inset-2-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-inset-2-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar,.mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar,.mCS-inset-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-inset-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.9)}.mCS-inset-2-dark.mCSB_scrollTools .mCSB_draggerRail,.mCS-inset-3-dark.mCSB_scrollTools .mCSB_draggerRail,.mCS-inset-dark.mCSB_scrollTools .mCSB_draggerRail{background-color:#000;background-color:rgba(0,0,0,.1)}.mCS-inset-2-dark.mCSB_scrollTools .mCSB_buttonUp,.mCS-inset-3-dark.mCSB_scrollTools .mCSB_buttonUp,.mCS-inset-dark.mCSB_scrollTools .mCSB_buttonUp{background-position:-112px -72px}.mCS-inset-2-dark.mCSB_scrollTools .mCSB_buttonDown,.mCS-inset-3-dark.mCSB_scrollTools .mCSB_buttonDown,.mCS-inset-dark.mCSB_scrollTools .mCSB_buttonDown{background-position:-112px -92px}.mCS-inset-2-dark.mCSB_scrollTools .mCSB_buttonLeft,.mCS-inset-3-dark.mCSB_scrollTools .mCSB_buttonLeft,.mCS-inset-dark.mCSB_scrollTools .mCSB_buttonLeft{background-position:-120px -112px}.mCS-inset-2-dark.mCSB_scrollTools .mCSB_buttonRight,.mCS-inset-3-dark.mCSB_scrollTools .mCSB_buttonRight,.mCS-inset-dark.mCSB_scrollTools .mCSB_buttonRight{background-position:-120px 
-128px}.mCS-inset-2-dark.mCSB_scrollTools .mCSB_draggerRail,.mCS-inset-2.mCSB_scrollTools .mCSB_draggerRail{background-color:transparent;border-width:1px;border-style:solid;border-color:#fff;border-color:rgba(255,255,255,.2);-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.mCS-inset-2-dark.mCSB_scrollTools .mCSB_draggerRail{border-color:#000;border-color:rgba(0,0,0,.2)}.mCS-inset-3.mCSB_scrollTools .mCSB_draggerRail{background-color:#fff;background-color:rgba(255,255,255,.6)}.mCS-inset-3-dark.mCSB_scrollTools .mCSB_draggerRail{background-color:#000;background-color:rgba(0,0,0,.6)}.mCS-inset-3.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.75)}.mCS-inset-3.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.85)}.mCS-inset-3.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-inset-3.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar{background-color:#000;background-color:rgba(0,0,0,.9)}.mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar{background-color:#fff;background-color:rgba(255,255,255,.75)}.mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar{background-color:#fff;background-color:rgba(255,255,255,.85)}.mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar,.mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar{background-color:#fff;background-color:rgba(255,255,255,.9)} \ No newline at end of file +.mCustomScrollbar { + -ms-touch-action: none; + touch-action: none +} + +.mCustomScrollbar.mCS_no_scrollbar, .mCustomScrollbar.mCS_touch_action { + -ms-touch-action: auto; + touch-action: auto +} + +.mCustomScrollBox { + position: relative; + overflow: hidden; + height: 100%; + max-width: 100%; + outline: 0; + direction: ltr +} + +.mCSB_container { + overflow: hidden; + width: auto; + height: auto +} + 
+.mCSB_inside>.mCSB_container { + margin-right: 30px +} + +.mCSB_container.mCS_no_scrollbar_y.mCS_y_hidden { + margin-right: 0 +} + +.mCS-dir-rtl>.mCSB_inside>.mCSB_container { + margin-right: 0; + margin-left: 30px +} + +.mCS-dir-rtl>.mCSB_inside>.mCSB_container.mCS_no_scrollbar_y.mCS_y_hidden + { + margin-left: 0 +} + +.mCSB_scrollTools { + position: absolute; + width: 16px; + height: auto; + left: auto; + top: 0; + right: 0; + bottom: 0; + opacity: .75; + filter: "alpha(opacity=75)"; + -ms-filter: "alpha(opacity=75)" +} + +.mCSB_outside+.mCSB_scrollTools { + right: -26px +} + +.mCS-dir-rtl>.mCSB_inside>.mCSB_scrollTools, .mCS-dir-rtl>.mCSB_outside+.mCSB_scrollTools + { + right: auto; + left: 0 +} + +.mCS-dir-rtl>.mCSB_outside+.mCSB_scrollTools { + left: -26px +} + +.mCSB_scrollTools .mCSB_draggerContainer { + position: absolute; + top: 0; + left: 0; + bottom: 0; + right: 0; + height: auto +} + +.mCSB_scrollTools a+.mCSB_draggerContainer { + margin: 20px 0 +} + +.mCSB_scrollTools .mCSB_draggerRail { + width: 2px; + height: 100%; + margin: 0 auto; + -webkit-border-radius: 16px; + -moz-border-radius: 16px; + border-radius: 16px +} + +.mCSB_scrollTools .mCSB_dragger { + cursor: pointer; + width: 100%; + height: 30px; + z-index: 1 +} + +.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + position: relative; + width: 4px; + height: 100%; + margin: 0 auto; + -webkit-border-radius: 16px; + -moz-border-radius: 16px; + border-radius: 16px; + text-align: center +} + +.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded .mCSB_dragger_bar, + .mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_dragger .mCSB_dragger_bar + { + width: 12px +} + +.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail, + .mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail + { + width: 8px +} + 
+.mCSB_scrollTools .mCSB_buttonDown, .mCSB_scrollTools .mCSB_buttonUp { + display: block; + position: absolute; + height: 20px; + width: 100%; + overflow: hidden; + margin: 0 auto; + cursor: pointer +} + +.mCSB_scrollTools .mCSB_buttonDown { + bottom: 0 +} + +.mCSB_horizontal.mCSB_inside>.mCSB_container { + margin-right: 0; + margin-bottom: 30px +} + +.mCSB_horizontal.mCSB_outside>.mCSB_container { + min-height: 100% +} + +.mCSB_horizontal>.mCSB_container.mCS_no_scrollbar_x.mCS_x_hidden { + margin-bottom: 0 +} + +.mCSB_scrollTools.mCSB_scrollTools_horizontal { + width: auto; + height: 16px; + top: auto; + right: 0; + bottom: 0; + left: 0 +} + +.mCustomScrollBox+.mCSB_scrollTools+.mCSB_scrollTools.mCSB_scrollTools_horizontal, + .mCustomScrollBox+.mCSB_scrollTools.mCSB_scrollTools_horizontal { + bottom: -26px +} + +.mCSB_scrollTools.mCSB_scrollTools_horizontal a+.mCSB_draggerContainer { + margin: 0 20px +} + +.mCSB_scrollTools.mCSB_scrollTools_horizontal .mCSB_draggerRail { + width: 100%; + height: 2px; + margin: 7px 0 +} + +.mCSB_scrollTools.mCSB_scrollTools_horizontal .mCSB_dragger { + width: 30px; + height: 100%; + left: 0 +} + +.mCSB_scrollTools.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar + { + width: 100%; + height: 4px; + margin: 6px auto +} + +.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded .mCSB_dragger_bar, + .mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_dragger .mCSB_dragger_bar + { + height: 12px; + margin: 2px auto +} + +.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail, + .mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail + { + height: 8px; + margin: 4px 0 +} + +.mCSB_scrollTools.mCSB_scrollTools_horizontal .mCSB_buttonLeft, + .mCSB_scrollTools.mCSB_scrollTools_horizontal .mCSB_buttonRight { + display: block; + 
position: absolute; + width: 20px; + height: 100%; + overflow: hidden; + margin: 0 auto; + cursor: pointer +} + +.mCSB_scrollTools.mCSB_scrollTools_horizontal .mCSB_buttonLeft { + left: 0 +} + +.mCSB_scrollTools.mCSB_scrollTools_horizontal .mCSB_buttonRight { + right: 0 +} + +.mCSB_container_wrapper { + position: absolute; + height: auto; + width: auto; + overflow: hidden; + top: 0; + left: 0; + right: 0; + bottom: 0; + margin-right: 30px; + margin-bottom: 30px +} + +.mCSB_container_wrapper>.mCSB_container { + padding-right: 30px; + padding-bottom: 30px +} + +.mCSB_vertical_horizontal>.mCSB_scrollTools.mCSB_scrollTools_vertical { + bottom: 20px +} + +.mCSB_vertical_horizontal>.mCSB_scrollTools.mCSB_scrollTools_horizontal + { + right: 20px +} + +.mCSB_container_wrapper.mCS_no_scrollbar_x.mCS_x_hidden+.mCSB_scrollTools.mCSB_scrollTools_vertical + { + bottom: 0 +} + +.mCS-dir-rtl>.mCustomScrollBox.mCSB_vertical_horizontal.mCSB_inside>.mCSB_scrollTools.mCSB_scrollTools_horizontal, + .mCSB_container_wrapper.mCS_no_scrollbar_y.mCS_y_hidden+.mCSB_scrollTools + ~.mCSB_scrollTools.mCSB_scrollTools_horizontal { + right: 0 +} + +.mCS-dir-rtl>.mCustomScrollBox.mCSB_vertical_horizontal.mCSB_inside>.mCSB_scrollTools.mCSB_scrollTools_horizontal + { + left: 20px +} + +.mCS-dir-rtl>.mCustomScrollBox.mCSB_vertical_horizontal.mCSB_inside>.mCSB_container_wrapper.mCS_no_scrollbar_y.mCS_y_hidden+.mCSB_scrollTools + ~.mCSB_scrollTools.mCSB_scrollTools_horizontal { + left: 0 +} + +.mCS-dir-rtl>.mCSB_inside>.mCSB_container_wrapper { + margin-right: 0; + margin-left: 30px +} + +.mCSB_container_wrapper.mCS_no_scrollbar_y.mCS_y_hidden>.mCSB_container + { + padding-right: 0; + -webkit-box-sizing: border-box; + -moz-box-sizing: border-box; + box-sizing: border-box +} + +.mCSB_container_wrapper.mCS_no_scrollbar_x.mCS_x_hidden>.mCSB_container + { + padding-bottom: 0; + -webkit-box-sizing: border-box; + -moz-box-sizing: border-box; + box-sizing: border-box +} + 
+.mCustomScrollBox.mCSB_vertical_horizontal.mCSB_inside>.mCSB_container_wrapper.mCS_no_scrollbar_y.mCS_y_hidden + { + margin-right: 0; + margin-left: 0 +} + +.mCustomScrollBox.mCSB_vertical_horizontal.mCSB_inside>.mCSB_container_wrapper.mCS_no_scrollbar_x.mCS_x_hidden + { + margin-bottom: 0 +} + +.mCSB_scrollTools, .mCSB_scrollTools .mCSB_buttonDown, .mCSB_scrollTools .mCSB_buttonLeft, + .mCSB_scrollTools .mCSB_buttonRight, .mCSB_scrollTools .mCSB_buttonUp, + .mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + -webkit-transition: opacity .2s ease-in-out, background-color .2s + ease-in-out; + -moz-transition: opacity .2s ease-in-out, background-color .2s + ease-in-out; + -o-transition: opacity .2s ease-in-out, background-color .2s ease-in-out; + transition: opacity .2s ease-in-out, background-color .2s ease-in-out +} + +.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerRail, + .mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger_bar, + .mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerRail, + .mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger_bar + { + -webkit-transition: width .2s ease-out .2s, height .2s ease-out .2s, + margin-left .2s ease-out .2s, margin-right .2s ease-out .2s, + margin-top .2s ease-out .2s, margin-bottom .2s ease-out .2s, opacity + .2s ease-in-out, background-color .2s ease-in-out; + -moz-transition: width .2s ease-out .2s, height .2s ease-out .2s, + margin-left .2s ease-out .2s, margin-right .2s ease-out .2s, + margin-top .2s ease-out .2s, margin-bottom .2s ease-out .2s, opacity + .2s ease-in-out, background-color .2s ease-in-out; + -o-transition: width .2s ease-out .2s, height .2s ease-out .2s, + margin-left .2s ease-out .2s, margin-right .2s ease-out .2s, + margin-top .2s ease-out .2s, margin-bottom .2s ease-out .2s, opacity + .2s ease-in-out, background-color .2s ease-in-out; + transition: width .2s ease-out .2s, height .2s ease-out .2s, margin-left + 
.2s ease-out .2s, margin-right .2s ease-out .2s, margin-top .2s + ease-out .2s, margin-bottom .2s ease-out .2s, opacity .2s ease-in-out, + background-color .2s ease-in-out +} + +.mCS-autoHide>.mCustomScrollBox>.mCSB_scrollTools, .mCS-autoHide>.mCustomScrollBox + ~.mCSB_scrollTools { + opacity: 0; + filter: "alpha(opacity=0)"; + -ms-filter: "alpha(opacity=0)" +} + +.mCS-autoHide:hover>.mCustomScrollBox>.mCSB_scrollTools, .mCS-autoHide:hover>.mCustomScrollBox + ~.mCSB_scrollTools, .mCustomScrollBox:hover>.mCSB_scrollTools, + .mCustomScrollBox:hover ~.mCSB_scrollTools, .mCustomScrollbar>.mCustomScrollBox>.mCSB_scrollTools.mCSB_scrollTools_onDrag, + .mCustomScrollbar>.mCustomScrollBox ~.mCSB_scrollTools.mCSB_scrollTools_onDrag + { + opacity: 1; + filter: "alpha(opacity=100)"; + -ms-filter: "alpha(opacity=100)" +} + +.mCSB_scrollTools .mCSB_draggerRail { + background-color: #000; + background-color: rgba(0, 0, 0, .4); + filter: "alpha(opacity=40)"; + -ms-filter: "alpha(opacity=40)" +} + +.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + background-color: #fff; + background-color: rgba(255, 255, 255, .75); + filter: "alpha(opacity=75)"; + -ms-filter: "alpha(opacity=75)" +} + +.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar { + background-color: #fff; + background-color: rgba(255, 255, 255, .85); + filter: "alpha(opacity=85)"; + -ms-filter: "alpha(opacity=85)" +} + +.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar { + background-color: #fff; + background-color: rgba(255, 255, 255, .9); + filter: "alpha(opacity=90)"; + -ms-filter: "alpha(opacity=90)" +} + +.mCSB_scrollTools .mCSB_buttonDown, .mCSB_scrollTools .mCSB_buttonLeft, + .mCSB_scrollTools .mCSB_buttonRight, .mCSB_scrollTools .mCSB_buttonUp { + background-image: url(mCSB_buttons.png); + background-repeat: no-repeat; + opacity: .4; + filter: "alpha(opacity=40)"; + -ms-filter: "alpha(opacity=40)" +} + +.mCSB_scrollTools 
.mCSB_buttonUp { + background-position: 0 0 +} + +.mCSB_scrollTools .mCSB_buttonDown { + background-position: 0 -20px +} + +.mCSB_scrollTools .mCSB_buttonLeft { + background-position: 0 -40px +} + +.mCSB_scrollTools .mCSB_buttonRight { + background-position: 0 -56px +} + +.mCSB_scrollTools .mCSB_buttonDown:hover, .mCSB_scrollTools .mCSB_buttonLeft:hover, + .mCSB_scrollTools .mCSB_buttonRight:hover, .mCSB_scrollTools .mCSB_buttonUp:hover + { + opacity: .75; + filter: "alpha(opacity=75)"; + -ms-filter: "alpha(opacity=75)" +} + +.mCSB_scrollTools .mCSB_buttonDown:active, .mCSB_scrollTools .mCSB_buttonLeft:active, + .mCSB_scrollTools .mCSB_buttonRight:active, .mCSB_scrollTools .mCSB_buttonUp:active + { + opacity: .9; + filter: "alpha(opacity=90)"; + -ms-filter: "alpha(opacity=90)" +} + +.mCS-dark.mCSB_scrollTools .mCSB_draggerRail { + background-color: #000; + background-color: rgba(0, 0, 0, .15) +} + +.mCS-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + background-color: #000; + background-color: rgba(0, 0, 0, .75) +} + +.mCS-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar { + background-color: rgba(0, 0, 0, .85) +} + +.mCS-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar { + background-color: rgba(0, 0, 0, .9) +} + +.mCS-dark.mCSB_scrollTools .mCSB_buttonUp { + background-position: -80px 0 +} + +.mCS-dark.mCSB_scrollTools .mCSB_buttonDown { + background-position: -80px -20px +} + +.mCS-dark.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -80px -40px +} + +.mCS-dark.mCSB_scrollTools .mCSB_buttonRight { + background-position: -80px -56px +} + +.mCS-dark-2.mCSB_scrollTools .mCSB_draggerRail, .mCS-light-2.mCSB_scrollTools .mCSB_draggerRail + { + width: 4px; + background-color: #fff; + background-color: rgba(255, 255, 255, .1); + -webkit-border-radius: 1px; + -moz-border-radius: 1px; + border-radius: 1px +} + +.mCS-dark-2.mCSB_scrollTools 
.mCSB_dragger .mCSB_dragger_bar, + .mCS-light-2.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + width: 4px; + background-color: #fff; + background-color: rgba(255, 255, 255, .75); + -webkit-border-radius: 1px; + -moz-border-radius: 1px; + border-radius: 1px +} + +.mCS-dark-2.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-dark-2.mCSB_scrollTools_horizontal .mCSB_draggerRail, .mCS-light-2.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-light-2.mCSB_scrollTools_horizontal .mCSB_draggerRail { + width: 100%; + height: 4px; + margin: 6px auto +} + +.mCS-light-2.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar { + background-color: #fff; + background-color: rgba(255, 255, 255, .85) +} + +.mCS-light-2.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-light-2.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar { + background-color: #fff; + background-color: rgba(255, 255, 255, .9) +} + +.mCS-light-2.mCSB_scrollTools .mCSB_buttonUp { + background-position: -32px 0 +} + +.mCS-light-2.mCSB_scrollTools .mCSB_buttonDown { + background-position: -32px -20px +} + +.mCS-light-2.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -40px -40px +} + +.mCS-light-2.mCSB_scrollTools .mCSB_buttonRight { + background-position: -40px -56px +} + +.mCS-dark-2.mCSB_scrollTools .mCSB_draggerRail { + background-color: #000; + background-color: rgba(0, 0, 0, .1); + -webkit-border-radius: 1px; + -moz-border-radius: 1px; + border-radius: 1px +} + +.mCS-dark-2.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + background-color: #000; + background-color: rgba(0, 0, 0, .75); + -webkit-border-radius: 1px; + -moz-border-radius: 1px; + border-radius: 1px +} + +.mCS-dark-2.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar { + background-color: #000; + background-color: rgba(0, 0, 0, .85) +} + +.mCS-dark-2.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-dark-2.mCSB_scrollTools 
.mCSB_dragger:active .mCSB_dragger_bar { + background-color: #000; + background-color: rgba(0, 0, 0, .9) +} + +.mCS-dark-2.mCSB_scrollTools .mCSB_buttonUp { + background-position: -112px 0 +} + +.mCS-dark-2.mCSB_scrollTools .mCSB_buttonDown { + background-position: -112px -20px +} + +.mCS-dark-2.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -120px -40px +} + +.mCS-dark-2.mCSB_scrollTools .mCSB_buttonRight { + background-position: -120px -56px +} + +.mCS-dark-thick.mCSB_scrollTools .mCSB_draggerRail, .mCS-light-thick.mCSB_scrollTools .mCSB_draggerRail + { + width: 4px; + background-color: #fff; + background-color: rgba(255, 255, 255, .1); + -webkit-border-radius: 2px; + -moz-border-radius: 2px; + border-radius: 2px +} + +.mCS-dark-thick.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-light-thick.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + width: 6px; + background-color: #fff; + background-color: rgba(255, 255, 255, .75); + -webkit-border-radius: 2px; + -moz-border-radius: 2px; + border-radius: 2px +} + +.mCS-dark-thick.mCSB_scrollTools_horizontal .mCSB_draggerRail, + .mCS-light-thick.mCSB_scrollTools_horizontal .mCSB_draggerRail { + width: 100%; + height: 4px; + margin: 6px 0 +} + +.mCS-dark-thick.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-light-thick.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar + { + width: 100%; + height: 6px; + margin: 5px auto +} + +.mCS-light-thick.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar + { + background-color: #fff; + background-color: rgba(255, 255, 255, .85) +} + +.mCS-light-thick.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-light-thick.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar + { + background-color: #fff; + background-color: rgba(255, 255, 255, .9) +} + +.mCS-light-thick.mCSB_scrollTools .mCSB_buttonUp { + background-position: -16px 0 +} + +.mCS-light-thick.mCSB_scrollTools .mCSB_buttonDown { + 
background-position: -16px -20px +} + +.mCS-light-thick.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -20px -40px +} + +.mCS-light-thick.mCSB_scrollTools .mCSB_buttonRight { + background-position: -20px -56px +} + +.mCS-dark-thick.mCSB_scrollTools .mCSB_draggerRail { + background-color: #000; + background-color: rgba(0, 0, 0, .1); + -webkit-border-radius: 2px; + -moz-border-radius: 2px; + border-radius: 2px +} + +.mCS-dark-thick.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + background-color: #000; + background-color: rgba(0, 0, 0, .75); + -webkit-border-radius: 2px; + -moz-border-radius: 2px; + border-radius: 2px +} + +.mCS-dark-thick.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar { + background-color: #000; + background-color: rgba(0, 0, 0, .85) +} + +.mCS-dark-thick.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-dark-thick.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar + { + background-color: #000; + background-color: rgba(0, 0, 0, .9) +} + +.mCS-dark-thick.mCSB_scrollTools .mCSB_buttonUp { + background-position: -96px 0 +} + +.mCS-dark-thick.mCSB_scrollTools .mCSB_buttonDown { + background-position: -96px -20px +} + +.mCS-dark-thick.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -100px -40px +} + +.mCS-dark-thick.mCSB_scrollTools .mCSB_buttonRight { + background-position: -100px -56px +} + +.mCS-light-thin.mCSB_scrollTools .mCSB_draggerRail { + background-color: #fff; + background-color: rgba(255, 255, 255, .1) +} + +.mCS-dark-thin.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-light-thin.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + width: 2px +} + +.mCS-dark-thin.mCSB_scrollTools_horizontal .mCSB_draggerRail, + .mCS-light-thin.mCSB_scrollTools_horizontal .mCSB_draggerRail { + width: 100% +} + +.mCS-dark-thin.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-light-thin.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar + { + width: 100%; + 
height: 2px; + margin: 7px auto +} + +.mCS-dark-thin.mCSB_scrollTools .mCSB_draggerRail { + background-color: #000; + background-color: rgba(0, 0, 0, .15) +} + +.mCS-dark-thin.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + background-color: #000; + background-color: rgba(0, 0, 0, .75) +} + +.mCS-dark-thin.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar { + background-color: #000; + background-color: rgba(0, 0, 0, .85) +} + +.mCS-dark-thin.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-dark-thin.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar + { + background-color: #000; + background-color: rgba(0, 0, 0, .9) +} + +.mCS-dark-thin.mCSB_scrollTools .mCSB_buttonUp { + background-position: -80px 0 +} + +.mCS-dark-thin.mCSB_scrollTools .mCSB_buttonDown { + background-position: -80px -20px +} + +.mCS-dark-thin.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -80px -40px +} + +.mCS-dark-thin.mCSB_scrollTools .mCSB_buttonRight { + background-position: -80px -56px +} + +.mCS-rounded.mCSB_scrollTools .mCSB_draggerRail { + background-color: #fff; + background-color: rgba(255, 255, 255, .15) +} + +.mCS-rounded-dark.mCSB_scrollTools .mCSB_dragger, .mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_dragger, + .mCS-rounded-dots.mCSB_scrollTools .mCSB_dragger, .mCS-rounded.mCSB_scrollTools .mCSB_dragger + { + height: 14px +} + +.mCS-rounded-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-rounded-dots.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-rounded.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + width: 14px; + margin: 0 1px +} + +.mCS-rounded-dark.mCSB_scrollTools_horizontal .mCSB_dragger, + .mCS-rounded-dots-dark.mCSB_scrollTools_horizontal .mCSB_dragger, + .mCS-rounded-dots.mCSB_scrollTools_horizontal .mCSB_dragger, + .mCS-rounded.mCSB_scrollTools_horizontal .mCSB_dragger { + width: 14px +} + 
+.mCS-rounded-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-rounded-dots-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-rounded-dots.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-rounded.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar + { + height: 14px; + margin: 1px 0 +} + +.mCS-rounded-dark.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded .mCSB_dragger_bar, + .mCS-rounded-dark.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_dragger .mCSB_dragger_bar, + .mCS-rounded.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded .mCSB_dragger_bar, + .mCS-rounded.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_dragger .mCSB_dragger_bar + { + width: 16px; + height: 16px; + margin: -1px 0 +} + +.mCS-rounded-dark.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail, + .mCS-rounded-dark.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail, + .mCS-rounded.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail, + .mCS-rounded.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail + { + width: 4px +} + +.mCS-rounded-dark.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded .mCSB_dragger_bar, + .mCS-rounded-dark.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_dragger .mCSB_dragger_bar, + .mCS-rounded.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded .mCSB_dragger_bar, + .mCS-rounded.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand 
.mCSB_draggerContainer:hover .mCSB_dragger .mCSB_dragger_bar + { + height: 16px; + width: 16px; + margin: 0 -1px +} + +.mCS-rounded-dark.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail, + .mCS-rounded-dark.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail, + .mCS-rounded.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail, + .mCS-rounded.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail + { + height: 4px; + margin: 6px 0 +} + +.mCS-rounded.mCSB_scrollTools .mCSB_buttonUp { + background-position: 0 -72px +} + +.mCS-rounded.mCSB_scrollTools .mCSB_buttonDown { + background-position: 0 -92px +} + +.mCS-rounded.mCSB_scrollTools .mCSB_buttonLeft { + background-position: 0 -112px +} + +.mCS-rounded.mCSB_scrollTools .mCSB_buttonRight { + background-position: 0 -128px +} + +.mCS-rounded-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar + { + background-color: #000; + background-color: rgba(0, 0, 0, .75) +} + +.mCS-rounded-dark.mCSB_scrollTools .mCSB_draggerRail { + background-color: #000; + background-color: rgba(0, 0, 0, .15) +} + +.mCS-rounded-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar, + .mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar + { + background-color: #000; + background-color: rgba(0, 0, 0, .85) +} + +.mCS-rounded-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-rounded-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar, + .mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar + { + background-color: #000; + background-color: rgba(0, 
0, 0, .9) +} + +.mCS-rounded-dark.mCSB_scrollTools .mCSB_buttonUp { + background-position: -80px -72px +} + +.mCS-rounded-dark.mCSB_scrollTools .mCSB_buttonDown { + background-position: -80px -92px +} + +.mCS-rounded-dark.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -80px -112px +} + +.mCS-rounded-dark.mCSB_scrollTools .mCSB_buttonRight { + background-position: -80px -128px +} + +.mCS-rounded-dots-dark.mCSB_scrollTools_vertical .mCSB_draggerRail, + .mCS-rounded-dots.mCSB_scrollTools_vertical .mCSB_draggerRail { + width: 4px +} + +.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_draggerRail, + .mCS-rounded-dots-dark.mCSB_scrollTools_horizontal .mCSB_draggerRail, + .mCS-rounded-dots.mCSB_scrollTools .mCSB_draggerRail, .mCS-rounded-dots.mCSB_scrollTools_horizontal .mCSB_draggerRail + { + background-color: transparent; + background-position: center +} + +.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_draggerRail, + .mCS-rounded-dots.mCSB_scrollTools .mCSB_draggerRail { + background-image: + url(); + background-repeat: repeat-y; + opacity: .3; + filter: "alpha(opacity=30)"; + -ms-filter: "alpha(opacity=30)" +} + +.mCS-rounded-dots-dark.mCSB_scrollTools_horizontal .mCSB_draggerRail, + .mCS-rounded-dots.mCSB_scrollTools_horizontal .mCSB_draggerRail { + height: 4px; + margin: 6px 0; + background-repeat: repeat-x +} + +.mCS-rounded-dots.mCSB_scrollTools .mCSB_buttonUp { + background-position: -16px -72px +} + +.mCS-rounded-dots.mCSB_scrollTools .mCSB_buttonDown { + background-position: -16px -92px +} + +.mCS-rounded-dots.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -20px -112px +} + +.mCS-rounded-dots.mCSB_scrollTools .mCSB_buttonRight { + background-position: -20px -128px +} + +.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_draggerRail { + background-image: + url() +} + +.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_buttonUp { + background-position: -96px -72px +} + +.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_buttonDown { + background-position: 
-96px -92px +} + +.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -100px -112px +} + +.mCS-rounded-dots-dark.mCSB_scrollTools .mCSB_buttonRight { + background-position: -100px -128px +} + +.mCS-3d-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-3d-thick-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-3d-thick.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, .mCS-3d.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar + { + background-repeat: repeat-y; + background-image: -moz-linear-gradient(left, rgba(255, 255, 255, .5) 0, + rgba(255, 255, 255, 0) 100%); + background-image: -webkit-gradient(linear, left top, right top, color-stop(0, rgba(255, + 255, 255, .5)), color-stop(100%, rgba(255, 255, 255, 0))); + background-image: -webkit-linear-gradient(left, rgba(255, 255, 255, .5) + 0, rgba(255, 255, 255, 0) 100%); + background-image: -o-linear-gradient(left, rgba(255, 255, 255, .5) 0, + rgba(255, 255, 255, 0) 100%); + background-image: -ms-linear-gradient(left, rgba(255, 255, 255, .5) 0, + rgba(255, 255, 255, 0) 100%); + background-image: linear-gradient(to right, rgba(255, 255, 255, .5) 0, + rgba(255, 255, 255, 0) 100%) +} + +.mCS-3d-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-3d-thick-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-3d-thick.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-3d.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar { + background-repeat: repeat-x; + background-image: -moz-linear-gradient(top, rgba(255, 255, 255, .5) 0, + rgba(255, 255, 255, 0) 100%); + background-image: -webkit-gradient(linear, left top, left bottom, color-stop(0, rgba(255, + 255, 255, .5)), color-stop(100%, rgba(255, 255, 255, 0))); + background-image: -webkit-linear-gradient(top, rgba(255, 255, 255, .5) 0, + rgba(255, 255, 255, 0) 100%); + background-image: -o-linear-gradient(top, rgba(255, 255, 255, .5) 0, + rgba(255, 255, 255, 0) 
100%); + background-image: -ms-linear-gradient(top, rgba(255, 255, 255, .5) 0, + rgba(255, 255, 255, 0) 100%); + background-image: linear-gradient(to bottom, rgba(255, 255, 255, .5) 0, + rgba(255, 255, 255, 0) 100%) +} + +.mCS-3d-dark.mCSB_scrollTools_vertical .mCSB_dragger, .mCS-3d.mCSB_scrollTools_vertical .mCSB_dragger + { + height: 70px +} + +.mCS-3d-dark.mCSB_scrollTools_horizontal .mCSB_dragger, .mCS-3d.mCSB_scrollTools_horizontal .mCSB_dragger + { + width: 70px +} + +.mCS-3d-dark.mCSB_scrollTools, .mCS-3d.mCSB_scrollTools { + opacity: 1; + filter: "alpha(opacity=30)"; + -ms-filter: "alpha(opacity=30)" +} + +.mCS-3d-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-3d-dark.mCSB_scrollTools .mCSB_draggerRail, .mCS-3d.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-3d.mCSB_scrollTools .mCSB_draggerRail { + -webkit-border-radius: 16px; + -moz-border-radius: 16px; + border-radius: 16px +} + +.mCS-3d-dark.mCSB_scrollTools .mCSB_draggerRail, .mCS-3d.mCSB_scrollTools .mCSB_draggerRail + { + width: 8px; + background-color: #000; + background-color: rgba(0, 0, 0, .2); + box-shadow: inset 1px 0 1px rgba(0, 0, 0, .5), inset -1px 0 1px + rgba(255, 255, 255, .2) +} + +.mCS-3d-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-3d-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-3d-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar, + .mCS-3d-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar, + .mCS-3d.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, .mCS-3d.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-3d.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar, + .mCS-3d.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar { + background-color: #555 +} + +.mCS-3d-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, .mCS-3d.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar + { + width: 8px +} + +.mCS-3d-dark.mCSB_scrollTools_horizontal .mCSB_draggerRail, 
.mCS-3d.mCSB_scrollTools_horizontal .mCSB_draggerRail + { + width: 100%; + height: 8px; + margin: 4px 0; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, .5), inset 0 -1px 1px + rgba(255, 255, 255, .2) +} + +.mCS-3d-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-3d.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar { + width: 100%; + height: 8px; + margin: 4px auto +} + +.mCS-3d.mCSB_scrollTools .mCSB_buttonUp { + background-position: -32px -72px +} + +.mCS-3d.mCSB_scrollTools .mCSB_buttonDown { + background-position: -32px -92px +} + +.mCS-3d.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -40px -112px +} + +.mCS-3d.mCSB_scrollTools .mCSB_buttonRight { + background-position: -40px -128px +} + +.mCS-3d-dark.mCSB_scrollTools .mCSB_draggerRail { + background-color: #000; + background-color: rgba(0, 0, 0, .1); + box-shadow: inset 1px 0 1px rgba(0, 0, 0, .1) +} + +.mCS-3d-dark.mCSB_scrollTools_horizontal .mCSB_draggerRail { + box-shadow: inset 0 1px 1px rgba(0, 0, 0, .1) +} + +.mCS-3d-dark.mCSB_scrollTools .mCSB_buttonUp { + background-position: -112px -72px +} + +.mCS-3d-dark.mCSB_scrollTools .mCSB_buttonDown { + background-position: -112px -92px +} + +.mCS-3d-dark.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -120px -112px +} + +.mCS-3d-dark.mCSB_scrollTools .mCSB_buttonRight { + background-position: -120px -128px +} + +.mCS-3d-thick-dark.mCSB_scrollTools, .mCS-3d-thick.mCSB_scrollTools { + opacity: 1; + filter: "alpha(opacity=30)"; + -ms-filter: "alpha(opacity=30)" +} + +.mCS-3d-thick-dark.mCSB_scrollTools, .mCS-3d-thick-dark.mCSB_scrollTools .mCSB_draggerContainer, + .mCS-3d-thick.mCSB_scrollTools, .mCS-3d-thick.mCSB_scrollTools .mCSB_draggerContainer + { + -webkit-border-radius: 7px; + -moz-border-radius: 7px; + border-radius: 7px +} + +.mCSB_inside+.mCS-3d-thick-dark.mCSB_scrollTools_vertical, .mCSB_inside+.mCS-3d-thick.mCSB_scrollTools_vertical + { + right: 1px +} + 
+.mCS-3d-thick-dark.mCSB_scrollTools_vertical, .mCS-3d-thick.mCSB_scrollTools_vertical + { + box-shadow: inset 1px 0 1px rgba(0, 0, 0, .1), inset 0 0 14px + rgba(0, 0, 0, .5) +} + +.mCS-3d-thick-dark.mCSB_scrollTools_horizontal, .mCS-3d-thick.mCSB_scrollTools_horizontal + { + bottom: 1px; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, .1), inset 0 0 14px + rgba(0, 0, 0, .5) +} + +.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-3d-thick.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + -webkit-border-radius: 5px; + -moz-border-radius: 5px; + border-radius: 5px; + box-shadow: inset 1px 0 0 rgba(255, 255, 255, .4); + width: 12px; + margin: 2px; + position: absolute; + height: auto; + top: 0; + bottom: 0; + left: 0; + right: 0 +} + +.mCS-3d-thick-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-3d-thick.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar + { + box-shadow: inset 0 1px 0 rgba(255, 255, 255, .4); + height: 12px; + width: auto +} + +.mCS-3d-thick.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-3d-thick.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-3d-thick.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar, + .mCS-3d-thick.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar { + background-color: #555 +} + +.mCS-3d-thick.mCSB_scrollTools .mCSB_draggerContainer { + background-color: #000; + background-color: rgba(0, 0, 0, .05); + box-shadow: inset 1px 1px 16px rgba(0, 0, 0, .1) +} + +.mCS-3d-thick.mCSB_scrollTools .mCSB_draggerRail { + background-color: transparent +} + +.mCS-3d-thick.mCSB_scrollTools .mCSB_buttonUp { + background-position: -32px -72px +} + +.mCS-3d-thick.mCSB_scrollTools .mCSB_buttonDown { + background-position: -32px -92px +} + +.mCS-3d-thick.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -40px -112px +} + +.mCS-3d-thick.mCSB_scrollTools .mCSB_buttonRight { + background-position: -40px -128px +} + 
+.mCS-3d-thick-dark.mCSB_scrollTools { + box-shadow: inset 0 0 14px rgba(0, 0, 0, .2) +} + +.mCS-3d-thick-dark.mCSB_scrollTools_horizontal { + box-shadow: inset 0 1px 1px rgba(0, 0, 0, .1), inset 0 0 14px + rgba(0, 0, 0, .2) +} + +.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + box-shadow: inset 1px 0 0 rgba(255, 255, 255, .4), inset -1px 0 0 + rgba(0, 0, 0, .2) +} + +.mCS-3d-thick-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar + { + box-shadow: inset 0 1px 0 rgba(255, 255, 255, .4), inset 0 -1px 0 + rgba(0, 0, 0, .2) +} + +.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-3d-thick-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-3d-thick-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar, + .mCS-3d-thick-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar + { + background-color: #777 +} + +.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_draggerContainer { + background-color: #fff; + background-color: rgba(0, 0, 0, .05); + box-shadow: inset 1px 1px 16px rgba(0, 0, 0, .1) +} + +.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_draggerRail, .mCS-minimal-dark.mCSB_scrollTools .mCSB_draggerRail, + .mCS-minimal.mCSB_scrollTools .mCSB_draggerRail { + background-color: transparent +} + +.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_buttonUp { + background-position: -112px -72px +} + +.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_buttonDown { + background-position: -112px -92px +} + +.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -120px -112px +} + +.mCS-3d-thick-dark.mCSB_scrollTools .mCSB_buttonRight { + background-position: -120px -128px +} + +.mCSB_outside+.mCS-minimal-dark.mCSB_scrollTools_vertical, .mCSB_outside+.mCS-minimal.mCSB_scrollTools_vertical + { + right: 0; + margin: 12px 0 +} + +.mCustomScrollBox.mCS-minimal+.mCSB_scrollTools+.mCSB_scrollTools.mCSB_scrollTools_horizontal, + 
.mCustomScrollBox.mCS-minimal+.mCSB_scrollTools.mCSB_scrollTools_horizontal, + .mCustomScrollBox.mCS-minimal-dark+.mCSB_scrollTools+.mCSB_scrollTools.mCSB_scrollTools_horizontal, + .mCustomScrollBox.mCS-minimal-dark+.mCSB_scrollTools.mCSB_scrollTools_horizontal + { + bottom: 0; + margin: 0 12px +} + +.mCS-dir-rtl>.mCSB_outside+.mCS-minimal-dark.mCSB_scrollTools_vertical, + .mCS-dir-rtl>.mCSB_outside+.mCS-minimal.mCSB_scrollTools_vertical { + left: 0; + right: auto +} + +.mCS-minimal-dark.mCSB_scrollTools_vertical .mCSB_dragger, .mCS-minimal.mCSB_scrollTools_vertical .mCSB_dragger + { + height: 50px +} + +.mCS-minimal-dark.mCSB_scrollTools_horizontal .mCSB_dragger, + .mCS-minimal.mCSB_scrollTools_horizontal .mCSB_dragger { + width: 50px +} + +.mCS-minimal.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + background-color: #fff; + background-color: rgba(255, 255, 255, .2); + filter: "alpha(opacity=20)"; + -ms-filter: "alpha(opacity=20)" +} + +.mCS-minimal.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-minimal.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar { + background-color: #fff; + background-color: rgba(255, 255, 255, .5); + filter: "alpha(opacity=50)"; + -ms-filter: "alpha(opacity=50)" +} + +.mCS-minimal-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + background-color: #000; + background-color: rgba(0, 0, 0, .2); + filter: "alpha(opacity=20)"; + -ms-filter: "alpha(opacity=20)" +} + +.mCS-minimal-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-minimal-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar + { + background-color: #000; + background-color: rgba(0, 0, 0, .5); + filter: "alpha(opacity=50)"; + -ms-filter: "alpha(opacity=50)" +} + +.mCS-dark-3.mCSB_scrollTools .mCSB_draggerRail, .mCS-light-3.mCSB_scrollTools .mCSB_draggerRail + { + width: 6px; + background-color: #000; + background-color: rgba(0, 0, 0, .2) +} + +.mCS-dark-3.mCSB_scrollTools .mCSB_dragger 
.mCSB_dragger_bar, + .mCS-light-3.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + width: 6px +} + +.mCS-dark-3.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-dark-3.mCSB_scrollTools_horizontal .mCSB_draggerRail, .mCS-light-3.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-light-3.mCSB_scrollTools_horizontal .mCSB_draggerRail { + width: 100%; + height: 6px; + margin: 5px 0 +} + +.mCS-dark-3.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail, + .mCS-dark-3.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail, + .mCS-light-3.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail, + .mCS-light-3.mCSB_scrollTools_vertical.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail + { + width: 12px +} + +.mCS-dark-3.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail, + .mCS-dark-3.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail, + .mCS-light-3.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_dragger.mCSB_dragger_onDrag_expanded+.mCSB_draggerRail, + .mCS-light-3.mCSB_scrollTools_horizontal.mCSB_scrollTools_onDrag_expand .mCSB_draggerContainer:hover .mCSB_draggerRail + { + height: 12px; + margin: 2px 0 +} + +.mCS-light-3.mCSB_scrollTools .mCSB_buttonUp { + background-position: -32px -72px +} + +.mCS-light-3.mCSB_scrollTools .mCSB_buttonDown { + background-position: -32px -92px +} + +.mCS-light-3.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -40px -112px +} + +.mCS-light-3.mCSB_scrollTools .mCSB_buttonRight { + background-position: -40px -128px +} + +.mCS-dark-3.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + background-color: #000; + background-color: rgba(0, 0, 0, .75) +} 
+ +.mCS-dark-3.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar { + background-color: #000; + background-color: rgba(0, 0, 0, .85) +} + +.mCS-dark-3.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-dark-3.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar { + background-color: #000; + background-color: rgba(0, 0, 0, .9) +} + +.mCS-dark-3.mCSB_scrollTools .mCSB_draggerRail { + background-color: #000; + background-color: rgba(0, 0, 0, .1) +} + +.mCS-dark-3.mCSB_scrollTools .mCSB_buttonUp { + background-position: -112px -72px +} + +.mCS-dark-3.mCSB_scrollTools .mCSB_buttonDown { + background-position: -112px -92px +} + +.mCS-dark-3.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -120px -112px +} + +.mCS-dark-3.mCSB_scrollTools .mCSB_buttonRight { + background-position: -120px -128px +} + +.mCS-inset-2-dark.mCSB_scrollTools .mCSB_draggerRail, .mCS-inset-2.mCSB_scrollTools .mCSB_draggerRail, + .mCS-inset-3-dark.mCSB_scrollTools .mCSB_draggerRail, .mCS-inset-3.mCSB_scrollTools .mCSB_draggerRail, + .mCS-inset-dark.mCSB_scrollTools .mCSB_draggerRail, .mCS-inset.mCSB_scrollTools .mCSB_draggerRail + { + width: 12px; + background-color: #000; + background-color: rgba(0, 0, 0, .2) +} + +.mCS-inset-2-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-inset-2.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-inset-3.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-inset-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-inset.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + width: 6px; + margin: 3px 5px; + position: absolute; + height: auto; + top: 0; + bottom: 0; + left: 0; + right: 0 +} + +.mCS-inset-2-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-inset-2.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-inset-3-dark.mCSB_scrollTools_horizontal .mCSB_dragger 
.mCSB_dragger_bar, + .mCS-inset-3.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-inset-dark.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar, + .mCS-inset.mCSB_scrollTools_horizontal .mCSB_dragger .mCSB_dragger_bar + { + height: 6px; + margin: 5px 3px; + position: absolute; + width: auto; + top: 0; + bottom: 0; + left: 0; + right: 0 +} + +.mCS-inset-2-dark.mCSB_scrollTools_horizontal .mCSB_draggerRail, + .mCS-inset-2.mCSB_scrollTools_horizontal .mCSB_draggerRail, + .mCS-inset-3-dark.mCSB_scrollTools_horizontal .mCSB_draggerRail, + .mCS-inset-3.mCSB_scrollTools_horizontal .mCSB_draggerRail, + .mCS-inset-dark.mCSB_scrollTools_horizontal .mCSB_draggerRail, + .mCS-inset.mCSB_scrollTools_horizontal .mCSB_draggerRail { + width: 100%; + height: 12px; + margin: 2px 0 +} + +.mCS-inset-2.mCSB_scrollTools .mCSB_buttonUp, .mCS-inset-3.mCSB_scrollTools .mCSB_buttonUp, + .mCS-inset.mCSB_scrollTools .mCSB_buttonUp { + background-position: -32px -72px +} + +.mCS-inset-2.mCSB_scrollTools .mCSB_buttonDown, .mCS-inset-3.mCSB_scrollTools .mCSB_buttonDown, + .mCS-inset.mCSB_scrollTools .mCSB_buttonDown { + background-position: -32px -92px +} + +.mCS-inset-2.mCSB_scrollTools .mCSB_buttonLeft, .mCS-inset-3.mCSB_scrollTools .mCSB_buttonLeft, + .mCS-inset.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -40px -112px +} + +.mCS-inset-2.mCSB_scrollTools .mCSB_buttonRight, .mCS-inset-3.mCSB_scrollTools .mCSB_buttonRight, + .mCS-inset.mCSB_scrollTools .mCSB_buttonRight { + background-position: -40px -128px +} + +.mCS-inset-2-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar, + .mCS-inset-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + background-color: #000; + background-color: rgba(0, 0, 0, .75) +} + +.mCS-inset-2-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar, + .mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar, + 
.mCS-inset-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar + { + background-color: #000; + background-color: rgba(0, 0, 0, .85) +} + +.mCS-inset-2-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-inset-2-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar, + .mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar, + .mCS-inset-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-inset-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar + { + background-color: #000; + background-color: rgba(0, 0, 0, .9) +} + +.mCS-inset-2-dark.mCSB_scrollTools .mCSB_draggerRail, .mCS-inset-3-dark.mCSB_scrollTools .mCSB_draggerRail, + .mCS-inset-dark.mCSB_scrollTools .mCSB_draggerRail { + background-color: #000; + background-color: rgba(0, 0, 0, .1) +} + +.mCS-inset-2-dark.mCSB_scrollTools .mCSB_buttonUp, .mCS-inset-3-dark.mCSB_scrollTools .mCSB_buttonUp, + .mCS-inset-dark.mCSB_scrollTools .mCSB_buttonUp { + background-position: -112px -72px +} + +.mCS-inset-2-dark.mCSB_scrollTools .mCSB_buttonDown, .mCS-inset-3-dark.mCSB_scrollTools .mCSB_buttonDown, + .mCS-inset-dark.mCSB_scrollTools .mCSB_buttonDown { + background-position: -112px -92px +} + +.mCS-inset-2-dark.mCSB_scrollTools .mCSB_buttonLeft, .mCS-inset-3-dark.mCSB_scrollTools .mCSB_buttonLeft, + .mCS-inset-dark.mCSB_scrollTools .mCSB_buttonLeft { + background-position: -120px -112px +} + +.mCS-inset-2-dark.mCSB_scrollTools .mCSB_buttonRight, .mCS-inset-3-dark.mCSB_scrollTools .mCSB_buttonRight, + .mCS-inset-dark.mCSB_scrollTools .mCSB_buttonRight { + background-position: -120px -128px +} + +.mCS-inset-2-dark.mCSB_scrollTools .mCSB_draggerRail, .mCS-inset-2.mCSB_scrollTools .mCSB_draggerRail + { + background-color: transparent; + border-width: 1px; + border-style: solid; + border-color: #fff; + border-color: rgba(255, 255, 255, .2); 
+ -webkit-box-sizing: border-box; + -moz-box-sizing: border-box; + box-sizing: border-box +} + +.mCS-inset-2-dark.mCSB_scrollTools .mCSB_draggerRail { + border-color: #000; + border-color: rgba(0, 0, 0, .2) +} + +.mCS-inset-3.mCSB_scrollTools .mCSB_draggerRail { + background-color: #fff; + background-color: rgba(255, 255, 255, .6) +} + +.mCS-inset-3-dark.mCSB_scrollTools .mCSB_draggerRail { + background-color: #000; + background-color: rgba(0, 0, 0, .6) +} + +.mCS-inset-3.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + background-color: #000; + background-color: rgba(0, 0, 0, .75) +} + +.mCS-inset-3.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar { + background-color: #000; + background-color: rgba(0, 0, 0, .85) +} + +.mCS-inset-3.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-inset-3.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar { + background-color: #000; + background-color: rgba(0, 0, 0, .9) +} + +.mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger .mCSB_dragger_bar { + background-color: #fff; + background-color: rgba(255, 255, 255, .75) +} + +.mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger:hover .mCSB_dragger_bar + { + background-color: #fff; + background-color: rgba(255, 255, 255, .85) +} + +.mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger.mCSB_dragger_onDrag .mCSB_dragger_bar, + .mCS-inset-3-dark.mCSB_scrollTools .mCSB_dragger:active .mCSB_dragger_bar + { + background-color: #fff; + background-color: rgba(255, 255, 255, .9) +} \ No newline at end of file diff --git a/src/main/webapp/css/lessonCss/theCss.css b/src/main/webapp/css/lessonCss/theCss.css index 55b3493b2..bc0c121a7 100644 --- a/src/main/webapp/css/lessonCss/theCss.css +++ b/src/main/webapp/css/lessonCss/theCss.css 
@@ -6,7 +6,8 @@ body { } body, th, td, input, textarea, select, option, p, div { - font-family: "Helvetica Neue", Helvetica Arial, "Lucida Grande", sans-serif; + font-family: "Helvetica Neue", Helvetica Arial, "Lucida Grande", + sans-serif; } h1, h2, h3 { @@ -52,12 +53,13 @@ a:hover { } td { - word-wrap:break-word; + word-wrap: break-word; max-width: 400px; } #wrapper { /* Empty */ + } #header { @@ -79,9 +81,10 @@ td { padding-left: 73px; margin-top: -10px; } + #header a { color: #A878EF; - text-decoration:none; + text-decoration: none; } #page { @@ -93,32 +96,36 @@ td { float: right; width: 100%; margin: 0; - padding-left:20px; + padding-left: 20px; } #resultDiv { - word-wrap:break-word; + word-wrap: break-word; max-width: 610px; } .errorMessage { padding: 10px 10px 10px 10px; background: #FFFFFF; - border-style:ridge; - border-width:5px; - border-color:#E42217; + border-style: ridge; + border-width: 5px; + border-color: #E42217; } .errorAlert { background: #E42217; - color:#FFFFFF; - padding-left = 10px; + color: #FFFFFF; + padding-left + = + 10px; } .successAlert { background: #7B55B4; - color:#FFFFFF; - padding-left = 10px; + color: #FFFFFF; + padding-left + = + 10px; } .title { @@ -138,7 +145,6 @@ td { list-style: none; } - #footer { clear: both; width: 760px; 
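Review bot: The `font-family` list in the first hunk is reformatted but keeps the missing comma in `Helvetica Arial`, so the browser looks for a single family literally named "Helvetica Arial" and neither Helvetica nor Arial is ever matched before the fallback. The new line should read `font-family: "Helvetica Neue", Helvetica, Arial, "Lucida Grande", sans-serif;`. Since this commit is a pure style pass, it is worth fixing here so the formatter does not cement the typo in both copies of the stylesheet.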
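Review bot: In the `.errorAlert` and `.successAlert` rules the invalid `padding-left = 10px;` was not repaired by the reformat; the formatter has instead spread it over three lines (`padding-left`, `=`, `10px;`), which is still not a valid declaration and browsers silently drop it, so the alert text gets no left padding. Replace each with `padding-left: 10px;`. The mangled layout is a useful hint that the tooling could not parse the declaration, which a CSS lint step in the build would have caught before the style pass was committed.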
@@ -155,38 +161,39 @@ td { } .tooltipped { - position:relative; + position: relative; } -.tooltipped::before{ - position:absolute; - z-index:1000001; - display:none; - width:0; - height:0; - color:rgba(0,0,0,0.8); - pointer-events:none; - content:""; - border:5px solid; +.tooltipped::before { + position: absolute; + z-index: 1000001; + display: none; + width: 0; + height: 0; + color: rgba(0, 0, 0, 0.8); + pointer-events: none; + content: ""; + border: 5px solid; } -.tooltipped::after{ +.tooltipped::after { background: rgba(212, 212, 212, 0.8); - border: 2px solid rgba(168, 120, 239, 0.8); - border-radius: 3px; - content: attr(aria-label); - display: inline-block; - font:normal normal 11px/1.5 Helvetica,arial,nimbussansl,liberationsans,freesans,clean,sans-serif"; - letter-spacing: 0.5px; - padding: 5px 8px; - pointer-events: none; - position: absolute; - text-align: center; - text-decoration: none; - text-shadow: none; - text-transform: none; - white-space: pre; - word-wrap: break-word; - z-index: 1000000; - -webkit-font-smoothing:subpixel-antialiased; -} + border: 2px solid rgba(168, 120, 239, 0.8); + border-radius: 3px; + content: attr(aria-label); + display: inline-block; + font: normal normal 11px/1.5 Helvetica, arial, nimbussansl, + liberationsans, freesans, clean, sans-serif"; + letter-spacing: 0.5px; + padding: 5px 8px; + pointer-events: none; + position: absolute; + text-align: center; + text-decoration: none; + text-shadow: none; + text-transform: none; + white-space: pre; + word-wrap: break-word; + z-index: 1000000; + -webkit-font-smoothing: subpixel-antialiased; +} \ No newline at end of file diff --git a/src/main/webapp/css/theCss.css b/src/main/webapp/css/theCss.css index 28a73ba9a..2ad30e21c 100644 --- a/src/main/webapp/css/theCss.css +++ b/src/main/webapp/css/theCss.css 
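Review bot: The `.tooltipped::after` rule still carries a stray `"` after `sans-serif` in the `font` shorthand, which the reformat preserved when it wrapped the family list onto two lines; an unterminated string makes the whole `font` declaration invalid, so the tooltip falls back to the inherited font rather than the intended 11px Helvetica stack. Drop the quote so the declaration reads `font: normal normal 11px/1.5 Helvetica, arial, nimbussansl, liberationsans, freesans, clean, sans-serif;`. The same defect appears in the matching rule in `src/main/webapp/css/theCss.css`.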
@@ -7,7 +7,8 @@ body { } body, th, td, input, textarea, select, option, p, div { - font-family: "Helvetica Neue", Helvetica Arial, "Lucida Grande", sans-serif; + font-family: "Helvetica Neue", Helvetica Arial, "Lucida Grande", + sans-serif; } h1, h2, h3 { @@ -48,6 +49,7 @@ a:hover { #wrapper { /* Empty */ + } #header { @@ -70,9 +72,10 @@ a:hover { padding-left: 73px; margin-top: -10px; } + #header a { color: #A878EF; - text-decoration:none; + text-decoration: none; } #page { @@ -89,21 +92,25 @@ a:hover { .errorMessage { padding: 10px 10px 10px 10px; background: #FFFFFF; - border-style:ridge; - border-width:5px; - border-color:#E42217; + border-style: ridge; + border-width: 5px; + border-color: #E42217; } .errorAlert { background: #E42217; - color:#FFFFFF; - padding-left = 10px; + color: #FFFFFF; + padding-left + = + 10px; } .successAlert { background: #7B55B4; - color:#FFFFFF; - padding-left = 10px; + color: #FFFFFF; + padding-left + = + 10px; } .title { @@ -123,6 +130,7 @@ a:hover { } #sidebar li { + } #sidebar li ul { @@ -145,23 +153,23 @@ a:hover { } #sidebar a:hover { + } #searchResults { width: 100%; } -#searchResults li { - cursor: pointer; +#searchResults li { + cursor: pointer; cursor: hand; border-bottom: 1px solid #d4d4d4; - padding-left: 5px; - padding-right: 5px; - width: 90%; + padding-left: 5px; + padding-right: 5px; + width: 90%; } /* Footer */ - #footer { clear: both; width: 760px; @@ -178,12 +186,12 @@ a:hover { color: #FFFFFF; } -.menuIcon{ - position: relative; - padding-left: 0.05em; - font-size: 3em; - display: none; - padding-top: 5px; +.menuIcon { + position: relative; + padding-left: 0.05em; + font-size: 3em; + display: none; + padding-top: 5px; } .menuButton { 
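Review bot: The `font-family` declaration in the first hunk keeps `Helvetica Arial` without a comma between the two names, so the browser treats it as one nonexistent family and falls through to "Lucida Grande" or the generic. The corrected line is `font-family: "Helvetica Neue", Helvetica, Arial, "Lucida Grande", sans-serif;`. The identical line exists in `lessonCss/theCss.css`, so both should be fixed together.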
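Review bot: The `.errorAlert` and `.successAlert` rules in the `@@ -89,21 +92,25 @@` hunk still contain `padding-left = 10px`, now split across three lines by the formatter; this is not valid CSS and the declaration is discarded, so the alerts render without the intended padding. Each should become `padding-left: 10px;`. The formatter splitting a single declaration into `padding-left` / `=` / `10px;` is a sign it could not tokenize the line, so a stylelint pass on these files would pay for itself.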
@@ -198,18 +206,19 @@ a:hover { text-decoration: none; vertical-align: middle; margin-bottom: 5px; - } - +} + .menuButton:hover { - border-top-color: #CC99FF; - background: #BFBFBF; - } + border-top-color: #CC99FF; + background: #BFBFBF; +} + .menuButton:active { - border-top-color: #8660BF; - background: #8660BF; - } - - .scoreBar { + border-top-color: #8660BF; + background: #8660BF; +} + +.scoreBar { background-color: #965BED; height: 30px; position: relative; @@ -239,16 +248,16 @@ a:hover { color: white; } -.scoreLine{ - display:inline; +.scoreLine { + display: inline; min-width: 100%; } -.leaderboard{ +.leaderboard { min-width: 100%; } -.scoreName{ +.scoreName { white-space: nowrap; overflow: hidden; text-overflow: ellipsis; @@ -258,14 +267,14 @@ a:hover { width: 50% } -.place{ - display: inline; +.place { + display: inline; color: #000000; - min-width:25px; + min-width: 25px; } -.scoreNumber{ - display: inline; +.scoreNumber { + display: inline; float: right; padding-right: 5px; padding-top: 2px; @@ -276,7 +285,6 @@ a:hover { display: inline; } - .goldMedalAmountBubble { width: 20px; height: 20px; 
@@ -323,33 +331,31 @@ a:hover { } .informationBox { - display: block; - margin 0; - border-color:#A878EF; - border-style:dashed; - background-color: #D4D4D4; - padding-top:5px; - padding-bottom:5px; - padding-right:5px; - padding-left:5px; + display: block; margin 0; + border-color: #A878EF; + border-style: dashed; + background-color: #D4D4D4; + padding-top: 5px; + padding-bottom: 5px; + padding-right: 5px; + padding-left: 5px; margin-bottom: 5px; } .cheatBox { - float: right; - margin 0; + float: right; margin 0; width: 685px; - border-color:#A878EF; - border-style:dashed; + border-color: #A878EF; + border-style: dashed; background-color: #D4D4D4; - padding-top:5px; - padding-bottom:5px; - padding-right:5px; - padding-left:5px; - margin-bottom:10px; + padding-top: 5px; + padding-bottom: 5px; + padding-right: 5px; + padding-left: 5px; + margin-bottom: 10px; } -.moduleSearchBox{ +.moduleSearchBox { height: 26px; width: 100%; padding: 0 12px 0 25px; 
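Review bot: Both `.informationBox` and `.cheatBox` contain `margin 0;` with no colon, and the reformat has now folded that invalid fragment onto the preceding line (`display: block; margin 0;` and `float: right; margin 0;`), which makes the defect harder to spot while still leaving the margin unset; because `.informationBox` later sets `margin-bottom: 5px`, the intent appears to be a zero margin on the other sides. Change both to `margin: 0;`. The folding also suggests the formatter treated `margin 0` as a continuation of the prior declaration, so an invalid rule elsewhere in the file could similarly get hidden.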
@@ -371,60 +377,61 @@ a:hover { box-shadow: inset 0 1px #e5e7ed, 0 1px 0 #fcfcfc; } -.resultbox{ +.resultbox { width: 620px; } -#submitResult{ - display: none; - float: right; +#submitResult { + display: none; + float: right; } -.levelIframe{ +.levelIframe { word-wrap: break-word; width: 100%; height: 2056px; } -.levelList{ - max-height: 230px; +.levelList { + max-height: 230px; } .tooltipped { - position:relative; + position: relative; } -.tooltipped::before{ - position:absolute; - z-index:1000001; - display:none; - width:0; - height:0; - color:rgba(0,0,0,0.8); - pointer-events:none; - content:""; - border:5px solid; +.tooltipped::before { + position: absolute; + z-index: 1000001; + display: none; + width: 0; + height: 0; + color: rgba(0, 0, 0, 0.8); + pointer-events: none; + content: ""; + border: 5px solid; } -.tooltipped::after{ +.tooltipped::after { background: rgba(212, 212, 212, 0.8); - border: 2px solid rgba(168, 120, 239, 0.8); - border-radius: 3px; - content: attr(aria-label); - display: inline-block; - font:normal normal 11px/1.5 Helvetica,arial,nimbussansl,liberationsans,freesans,clean,sans-serif"; - letter-spacing: 0.5px; - padding: 5px 8px; - pointer-events: none; - position: absolute; - text-align: center; - text-decoration: none; - text-shadow: none; - text-transform: none; - white-space: pre; - word-wrap: break-word; - z-index: 1000000; - -webkit-font-smoothing:subpixel-antialiased; + border: 2px solid rgba(168, 120, 239, 0.8); + border-radius: 3px; + content: attr(aria-label); + display: inline-block; + font: normal normal 11px/1.5 Helvetica, arial, nimbussansl, + liberationsans, freesans, clean, sans-serif"; + letter-spacing: 0.5px; + padding: 5px 8px; + pointer-events: none; + position: absolute; + text-align: center; + text-decoration: none; + text-shadow: none; + text-transform: none; + white-space: pre; + word-wrap: break-word; + z-index: 1000000; + -webkit-font-smoothing: subpixel-antialiased; } .setupPage { 
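Review bot: The `font` shorthand in `.tooltipped::after` ends with a stray `"` after `sans-serif`, which the reformat carried over when it wrapped the family list; an unterminated string invalidates the declaration, so the tooltip does not get the 11px font it is meant to. Remove the quote: `font: normal normal 11px/1.5 Helvetica, arial, nimbussansl, liberationsans, freesans, clean, sans-serif;`. The same rule, with the same defect, is duplicated in `lessonCss/theCss.css`, so the two copies should be corrected together or one of them shared.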
@@ -434,60 +441,61 @@ a:hover { margin-right: auto; } -.setupPage input[type=text], .setupPage input[type=password], .setupPage select, div .setupPage textarea{ - width: 100%; - padding: 12px; - border: 1px solid #ccc; - border-radius: 4px; - box-sizing: border-box; - resize: vertical; +.setupPage input[type=text], .setupPage input[type=password], .setupPage select, + div .setupPage textarea { + width: 100%; + padding: 12px; + border: 1px solid #ccc; + border-radius: 4px; + box-sizing: border-box; + resize: vertical; } .setupPage label { - padding: 12px 12px 12px 0; - display: inline-block; + padding: 12px 12px 12px 0; + display: inline-block; } .setupPage input[type=submit] { - background-color: #4CAF50; - color: white; - padding: 12px 20px; - border: none; - border-radius: 4px; - cursor: pointer; - display: block; - margin-left: auto; - margin-right: auto; - margin-top: 10px; + background-color: #4CAF50; + color: white; + padding: 12px 20px; + border: none; + border-radius: 4px; + cursor: pointer; + display: block; + margin-left: auto; + margin-right: auto; + margin-top: 10px; } .setupPage .container { - border-radius: 5px; - background-color: #f2f2f2; - padding: 20px; + border-radius: 5px; + background-color: #f2f2f2; + padding: 20px; } .setupPage .col-25 { - float: left; - width: 25%; - margin-top: 6px; + float: left; + width: 25%; + margin-top: 6px; } .setupPage .col-75 { - float: left; - width: 75%; - margin-top: 6px; + float: left; + width: 75%; + margin-top: 6px; } .setupPage .row:after { - content: ""; - display: table; - clear: both; + content: ""; + display: table; + clear: both; } @media screen and (max-width: 600px) { - .setupPage .col-25, .setupPage .col-75, .setupPage [type=submit] { - width: 100%; - margin-top: 0; - } -} + .setupPage .col-25, .setupPage .col-75, .setupPage [type=submit] { + width: 100%; + margin-top: 0; + } +} \ No newline at end of file 
diff --git a/src/main/webapp/css/theResponsiveCss.css b/src/main/webapp/css/theResponsiveCss.css
index 810ec7402..06c0655b3 100644
--- a/src/main/webapp/css/theResponsiveCss.css
+++ b/src/main/webapp/css/theResponsiveCss.css
@@ -1,19 +1,15 @@
 @media screen and (max-width: 1020px) {
-
 #page {
 width: 100%;
 }
-
 #sidebar {
 display: none;
 width: 100%;
 }
-
 #contentDiv {
 width: 85%;
 margin-right: 5%;
 }
-
 .sidebarWrapper {
 width: 40px;
 background: #D4D4D4;
@@ -25,7 +21,6 @@
 text-decoration: none;
 vertical-align: top;
 }
-
 .sidebarWrapper:hover {
 width: 200px;
 background: #AEACAC;
@@ -39,15 +34,12 @@
 padding-right: 10px;
 padding-top: 10px;
 }
-
-.sidebarWrapper:hover #sidebar{
+.sidebarWrapper:hover #sidebar {
 display: block;
 }
-
-.sidebarWrapper:hover .menuIcon{
+.sidebarWrapper:hover .menuIcon {
 display: none;
 }
-
 .sidebarWrapperAlwaysOpen {
 width: 200px;
 background: #AEACAC;
@@ -62,47 +54,37 @@
 padding-right: 10px;
 padding-top: 10px;
 }
-
-.sidebarWrapperAlwaysOpen #sidebar{
+.sidebarWrapperAlwaysOpen #sidebar {
 display: block;
 }
-
-.sidebarWrapperAlwaysOpen .menuIcon{
+.sidebarWrapperAlwaysOpen .menuIcon {
 display: none;
 }
-
-.menuIcon{
-display:block;
+.menuIcon {
+display: block;
 }
-
 .menuIcon:before {
 display: block;
 }
-
 #submitResult {
 margin-left: 10%;
-float: left;
+float: left;
 width: 90%;
 }
-
 .resultTable {
 width: 100%
 }
-
-.resultBoxCell{
+.resultBoxCell {
 width: 85%
 }
-
-.submitResultCell{
+.submitResultCell {
 width: 15%
 }
-
-.resultbox{
+.resultbox {
 width: 100%;
 }
-
-.cheatBox{
-float: left;
-width: 90%;
+.cheatBox {
+float: left;
+width: 90%;
 }
 }
\ No newline at end of file
diff --git a/src/main/webapp/getStarted.jsp b/src/main/webapp/getStarted.jsp
index 72e6eccb4..579f4fb6d 100644
--- a/src/main/webapp/getStarted.jsp
+++ b/src/main/webapp/getStarted.jsp
@@ -1,5 +1,8 @@ -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %> -<%@ include file="translation.jsp" %> +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" + language="java" + import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" + errorPage=""%> +<%@ include file="translation.jsp"%> <% /** * This file is part of the Security Shepherd Project. @@ -75,89 +78,123 @@ if(changePassword) //If password is temporary, ask user to change %> -
- -

-
-
+
+ +
+
+
+ - - - - + + + + + + + + + + + + + + +
Current Password:
New Password:
Password Confirmation:
Current Password:
New Password:
Password Confirmation:
- -
+
- <% +
+<% } else if(changeUsername) { // If username is temporary, allow user to change (but not compulsory) %> -
- -

-
-
+
+ +
+
+
+ - - + + + + + + +
New username:
New username:
- -
+
- <% +
+<% } else { %> -
To OpenTo Close
To OpenTo Close
To OpenTo Close
0) { - fail("User from wrong class is listed in getJsonProgress response"); - } else if (jsonProgressString.indexOf(userName) == -1) { - fail("Could not find user from class in getJsonProgress response"); - } else if (jsonProgressString.indexOf(anotherUserName) == -1) { - fail("Could not find user who has made no progress in getJsonProgress response"); - } else { - log.debug("Going through JsonArray"); - // Take the JSON String and make it Java JSON friendly - JSONArray jsonProgress = (JSONArray) JSONValue.parse(jsonProgressString); - // Loop through array to find Our user - for (int i = 0; i < jsonProgress.size(); i++) { - JSONObject userProgress = (JSONObject) jsonProgress.get(i); - if (userProgress.get("userName").toString().compareTo(userName) == 0) { - int progressBar = Integer.parseInt(userProgress.get("progressBar").toString()); - if (progressBar <= 0) { - fail("User has no progress according to response when they have completed a level"); - } - } else if (userProgress.get("userName").toString() - .compareTo(anotherUserName) == 0) { - int progressBar = Integer.parseInt(userProgress.get("progressBar").toString()); - if (progressBar != 0) { - fail("User that has done nothing has progress != 0"); - } - } - } - } - } else { - fail("Could not Mark level as Complete by user 2"); - } - } - } else { - fail("Could not Mark All Modules as Open"); - } - } else { - fail("Could not Verify Users"); - } - } catch (Exception e) { - log.fatal("Could not complete getJsonProgress use case: " + e.toString()); - fail("Could not Complete getJsonProgress use case"); - } - } - - /** - * Tests the Tournament Floor Plan when all modules are opened - */ - @Test - public void testGetTournamentModules() { - String userName = new String("allOpenTournUser"); - String dataStorageLessonId = new String("53a53a66cb3bf3e4c665c442425ca90e29536edd"); - String insecureDirectObjectReferenceLesson = new String("0dbea4cb5811fff0527184f99bd5034ca9286f11"); - try { - if 
(verifyTestUser(applicationRoot, userName, userName)) { - String userId = Getter.getUserIdFromName(applicationRoot, userName); - // Open all Modules First so that the GetAllModuleInfo method will return data - if (Setter.openAllModules(applicationRoot, false) && Setter.openAllModules(applicationRoot, true)) { - // Simulate user Opening Level - if (!Getter.getModuleAddress(applicationRoot, dataStorageLessonId, userId).isEmpty()) { - // Then, Mark the Challenge Complete for user (Insecure Data Storage Lesson) - String markLevelCompleteTest = Setter.updatePlayerResult(applicationRoot, dataStorageLessonId, - userId, "Feedback is Disabled", 1, 1, 1); - if (markLevelCompleteTest != null) { - String tournamentModules = Getter.getTournamentModules(applicationRoot, userId, locale); - if (!tournamentModules.isEmpty()) // Some Modules were included in response - { - // Get number of Challenges returned by getChallenges method - int numberofChallengesReturned = (tournamentModules.length() - - tournamentModules.replace("class='lesson'", "").length()) - / "class='lesson'".length(); - if (numberofChallengesReturned > totalNumberOfModulesInShepherd) { - log.debug("Found " + numberofChallengesReturned + " modules"); - if (!tournamentModules.contains("Corporal")) // English String Expected to be in the - // response when submitted with the - // locale for this unit test - { - fail("Could not detect i18n English String in Tournament Output"); - } else if (tournamentModules - .indexOf(" modules = Getter.getAllModuleInfo(applicationRoot); + if (modules.size() + > 75) // Shepherd v3.0 has 76 Modules. 
If less than All are Returned, then there is a + // problem with the Open Modules Function or the Retrieve data function + { + log.debug("PASS: Found " + modules.size() + " modules"); + return; + } else { + log.fatal("Too Few Modules Returned to Pass Test: " + modules.size()); + fail("Only " + modules.size() + "/~76 modules returned from function"); + } + } + + @Test + public void testGetChallenges() { + String userName = new String("testGetChallengesUser"); + try { + if (verifyTestUser(applicationRoot, userName, userName)) { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + // Open all Modules First so that the GetAllModuleInfo method will return data + if (Setter.openAllModules(applicationRoot, false) + && Setter.openAllModules(applicationRoot, true)) { + String modules = Getter.getChallenges(applicationRoot, userId, locale); + if (!modules.isEmpty()) // Some Modules were included in response + { + // Get number of Challenges returned by getChallenges method + int numberofChallengesReturned = + (modules.length() - modules.replace("class='lesson'", "").length()) + / "class='lesson'".length(); + if (numberofChallengesReturned > totalNumberOfModulesInShepherd) { + log.debug("PASS: Found " + numberofChallengesReturned + " modules"); + return; + } else { + log.debug( + "Too Few Challenges Returned to pass: " + + numberofChallengesReturned + + " returned. Expected at least:" + + totalNumberOfModulesInShepherd); + fail("Too Few Challenges Returned to Pass"); + } + } else { + log.fatal("No Modules Found. 
Returned empty String"); + fail("No Modules Found"); + } + } else { + fail("Could Not Mark Modules as Open Before Test"); + } + } else { + fail("Could not verify user (No Exception Failure)"); + } + } catch (Exception e) { + log.fatal("Could not Verify User: " + e.toString()); + fail("Could not Verify User " + userName); + } + } + + @Test + public void testGetChallengesWhenModulesClosed() { + String userName = new String("getChallengesCLosedUser"); + try { + if (verifyTestUser(applicationRoot, userName, userName)) { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + // Open all Modules First so that the GetAllModuleInfo method will return data + if (Setter.closeAllModules(applicationRoot)) { + String modules = Getter.getChallenges(applicationRoot, userId, locale); + if (!modules.isEmpty()) // Some Modules were included in response + { + // Get number of Challenges returned by getChallenges method + int numberofChallengesReturned = + (modules.length() - modules.replace("class='lesson'", "").length()) + / "class='lesson'".length(); + if (!(numberofChallengesReturned > 0)) { + log.debug("PASS: Found " + numberofChallengesReturned + " modules"); + return; + } else { + log.debug( + "Too Many Challenges Returned to pass: " + + numberofChallengesReturned + + " returned"); + fail("Challenges Returned when all modules were closed"); + } + } else { + log.fatal("No Modules Found. 
Returned empty String"); + fail("No Modules Found"); + } + } else { + fail("Could Not Mark Modules as Open Before Test"); + } + } else { + fail("Could not verify user (No Exception Failure)"); + } + } catch (Exception e) { + log.fatal("Could not Verify User: " + e.toString()); + fail("Could not Verify User " + userName); + } + } + + @Test + public void testGetClassCount() { + String className = new String("NewClassForGetCount"); + try { + findCreateClassId(className); + } catch (Exception e) { + log.fatal("Could not Find or Create Class : " + e.toString()); + fail("Could not Create/Find Class"); + } + int classCount = Getter.getClassCount(applicationRoot); + if (classCount < 1) { + fail("Class Count Too Low to Pass"); + } else { + log.debug("PASS: Atleast One Class Returned"); + return; + } + } + + @Test + public void testGetClassInfoString() throws SQLException { + + findCreateClassId("NewClassForGetInfo"); + ResultSet rs = Getter.getClassInfo(applicationRoot); + if (rs.next()) { + if (!rs.getString(1).isEmpty()) { + log.debug("PASS: Class Information was returned"); + } else { + fail("Data in Class Info Result Set was Blank"); + } + } else { + fail("No Rows In Class Info Result Set"); + } + rs.close(); + } + + @Test + public void testGetClassInfoStringString() { + String classId = new String(); + String className = new String("NewClassForGetInfo2"); + try { + findCreateClassId(className); + } catch (Exception e) { + log.fatal("Could not Find or Create Class : " + e.toString()); + fail("Could not Create/Find Class"); + } + try { + ResultSet rs = Getter.getClassInfo(applicationRoot); + while (rs.next()) { + if (rs.getString(2).equalsIgnoreCase("NewClassForGetInfo2")) { + classId = rs.getString(1); + break; + } + } + rs.close(); + if (classId.isEmpty()) { + fail("Could not Find Class ID in Get Info Result"); + } else { + String[] classInfo = Getter.getClassInfo(applicationRoot, classId); + if (classInfo[0].equalsIgnoreCase("NewClassForGetInfo2") + && 
classInfo[1].equalsIgnoreCase("2015")) { + log.debug("PASS: Expected Data Returned from getClassInfo"); + } else { + if (!classInfo[0].equalsIgnoreCase("NewClassForGetInfo2")) { + fail("Incorrect Class Name returned from getClassInfo"); + } else if (!classInfo[1].equalsIgnoreCase("2015")) { + fail("Incorrect Class Year returned from getClassInfo"); + } else { + fail("Unexpected Failure"); + } + } + } + } catch (Exception e) { + log.fatal("ClassInfo Failure: " + e.toString()); + fail("Could not open ClassInfo Result Set"); + } + } + + @Test + public void testGetCsrfForumWithIframe() { + String classId = new String(); + String moduleId = new String("0a37cb9296ff3763f7f3a45ff313bce47afa9384"); // CSRF Challenge 5 + Locale locale = new Locale("en_GB"); + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + try { + classId = findCreateClassId("NewClassForCsrfIframeFourm"); + String userName = new String("userforiframeclass"); + if (verifyTestUser(applicationRoot, userName, userName, classId)) { + // Open all Modules First so that the Module Can Be Opened by the user + if (Setter.openAllModules(applicationRoot, false) + && Setter.openAllModules(applicationRoot, true)) { + // Simulate user Opening Level + if (!Getter.getModuleAddress( + applicationRoot, moduleId, Getter.getUserIdFromName(applicationRoot, userName)) + .isEmpty()) { + String csrfFourm = + Getter.getCsrfForumWithIframe(applicationRoot, classId, moduleId, bundle); + if (csrfFourm.indexOf(userName) > -1) { + log.debug("PASS: User was found in the fourm"); + return; + } else { + log.error("Could not find user name '" + userName + "' in this: " + csrfFourm); + fail("User was not contained in the CSRF iFrame Forum"); + } + } else { + fail("Could not open CSRF 5 as Created User"); + } + } else { + fail("Could not Mark All Modules as Open"); + } + } else { + fail("Could not verify user (No Exception Failure)"); + } + } catch (Exception e) { + 
log.fatal("User/Class Error: " + e.toString()); + fail("Could not Create User or Class"); + } + log.debug("End of CSRF Iframe Forum Test"); + } + + @Test + public void testGetCsrfForumWithImg() { + String classId = new String(); + String moduleId = new String("0a37cb9296ff3763f7f3a45ff313bce47afa9384"); // CSRF Challenge 5 + ResourceBundle bundle = + ResourceBundle.getBundle("i18n.servlets.challenges.csrf.csrfGenerics", locale); + String className = new String("NewClassForGetInfo"); + try { + classId = findCreateClassId(className); + } catch (Exception e) { + log.fatal("Could not Find or Create Class : " + e.toString()); + } + if (classId.isEmpty()) { + fail("Could not get ClassId"); + } else { + String userName = new String("userforimgclass"); + try { + if (verifyTestUser(applicationRoot, userName, userName, classId)) { + // Open all Modules First so that the Module Can Be Opened by the user + if (Setter.openAllModules(applicationRoot, false) + && Setter.openAllModules(applicationRoot, true)) { + // Simulate user Opening Level + if (!Getter.getModuleAddress( + applicationRoot, moduleId, Getter.getUserIdFromName(applicationRoot, userName)) + .isEmpty()) { + String csrfFourm = + Getter.getCsrfForumWithImg(applicationRoot, classId, moduleId, bundle); + if (csrfFourm.indexOf(userName) > -1) { + log.debug("PASS: User was found in the fourm"); + return; + } else { + log.error("Could not find user name '" + userName + "' in this: " + csrfFourm); + fail("User was not contained in the CSRF Img Forum"); + } + } else { + fail("Could not open CSRF 5 as Created User"); + } + } else { + fail("Could not Mark All Modules as Open"); + } + } else { + fail("Could not verify user (No Exception Failure)"); + } + } catch (Exception e) { + log.fatal("Could not Verify User: " + e.toString()); + fail("Could not Verify User " + userName); + } + } + } + + @Test + public void testGetFeedback() { + String userName = new String("userGetFeedback"); + String dataStorageLessonId = new 
String("53a53a66cb3bf3e4c665c442425ca90e29536edd"); + try { + if (verifyTestUser(applicationRoot, userName, userName)) { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + // Open all Modules First so that the Module Can Be Opened + if (Setter.openAllModules(applicationRoot, false) + && Setter.openAllModules(applicationRoot, true)) { + // Simulate user Opening Level + if (!Getter.getModuleAddress(applicationRoot, dataStorageLessonId, userId).isEmpty()) { + // Then, Mark the Challenge Complete for user (Insecure Data Storage Lesson) + String feedbackSearchCode = "RwarUNiqueFeedbackCodeToSEARCHFor1182371723"; + String markLevelCompleteTest = + Setter.updatePlayerResult( + applicationRoot, dataStorageLessonId, userId, feedbackSearchCode, 1, 1, 1); + if (markLevelCompleteTest != null) { + String checkPlayerResultTest = + Getter.checkPlayerResult(applicationRoot, dataStorageLessonId, userId); + log.debug("checkPlayerResultTest" + checkPlayerResultTest); + if (checkPlayerResultTest == null) { + log.debug( + "Checking to see if the feedback is included in the getFeeback response for the" + + " module"); + String feedback = Getter.getFeedback(applicationRoot, dataStorageLessonId); + if (feedback.indexOf(feedbackSearchCode) > -1) { + log.debug("PASS: Detected the user's feedback"); + return; + } else { + log.fatal( + "User's Feedback '" + feedbackSearchCode + "' was not found in: " + feedback); + fail("Could not find user's feedback"); + } + } else { + fail("Function says user has not completed module"); // Even though this test just + // marked it as Completed + } + } else { + fail("Could not mark data storage lesson as complete for user"); + } + } else { + fail("Could not Mark Data Storage Lesson as Opened by Default admin"); + } + } else { + fail("Could not Open All Modules"); + } + } else { + fail("Could not verify user (No Exception Failure)"); + } + } catch (Exception e) { + log.fatal("Could not Verify User: " + e.toString()); + fail("Could not 
Verify User " + userName); + } + } + + @Test + public void testGetIncrementalModulesWithModulesClosed() { + String userName = new String("testIncModuleMenu2"); + try { + if (verifyTestUser(applicationRoot, userName, userName)) { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + // Close all Modules First + if (Setter.closeAllModules(applicationRoot)) { + String incrementalModules = + Getter.getIncrementalModules(applicationRoot, userId, lang, "testingCSRFtoken"); + if (incrementalModules.indexOf("You've Finished!") + > -1) // IF no modules are open, this is the + // expected leading string + { + log.debug("PASS: Menu appears to have compiled correctly"); + } else { + log.debug("incrementalModules returned: " + incrementalModules); + fail("Could not Detect Finished Message"); + } + } else { + fail("Could not Close All Modules"); + } + } else { + fail("Could not verify user (No Exception Failure)"); + } + } catch (Exception e) { + log.fatal("Could not Verify User: " + e.toString()); + fail("Could not Verify User " + userName); + } + } + + @Test + public void testGetIncrementalModulesWithNoneComplete() { + String userName = new String("testIncModuleMenu1"); + String lowestRankModuleId = + "0dbea4cb5811fff0527184f99bd5034ca9286f11"; // This should be changed if an easier + // module is made + try { + if (verifyTestUser(applicationRoot, userName, userName)) { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + // Open all Modules First + if (Setter.openAllModules(applicationRoot, false) + && Setter.openAllModules(applicationRoot, true)) { + String incrementalModules = + Getter.getIncrementalModules(applicationRoot, userId, lang, "testingCSRFtoken"); + if (incrementalModules.indexOf("Completed") + == -1) // User should not have completed any modules. 
+ // The Completed Button should not be present + { + if (incrementalModules.indexOf(lowestRankModuleId) + > -1) // The only module Id to be returned + // should be this one as it is the + // first presented (Lowest + // Incremental Rank) + { + if (incrementalModules.indexOf("Get Next Challenge") + > -1) // This is the English string + // that should be included with + // the lang submitted in this + // unit test + { + log.debug( + "PASS: Incremental Menu Appears to have Rendered correctly with the" + + " Preconditions of this test"); + return; + } else { + fail("Could not Detect i18n English Values in Menu"); + } + } else { + fail( + "The Module Id Returned was not the Known First Level. Ie not: " + + lowestRankModuleId); + } + } else { + fail("CTF Menu Appears as if User Has Completed Modules When They Have Not"); + } + // Wont Log unless unit doesnt pass + log.debug(incrementalModules); + } else { + fail("Could not open All Modules"); + } + } else { + fail("Could not verify user (No Exception Failure)"); + } + } catch (Exception e) { + log.fatal("Could not Verify User: " + e.toString()); + fail("Could not Verify User " + userName); + } + } + + @Test + public void testGetIncrementalModulesWithOneModuleComplete() { + String userName = new String("testIncModuleMenu3"); + String lowestRankModuleId = + "0dbea4cb5811fff0527184f99bd5034ca9286f11"; // This should be changed if an easier + // module is made + String secondLowestRankModuleId = + "b9d82aa7b46ddaddb6acfe470452a8362136a31e"; // This should be changed if an + // easier module is made or is + // orded before this + try { + if (verifyTestUser(applicationRoot, userName, userName)) { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + // Open all Modules First + if (Setter.openAllModules(applicationRoot, false) + && Setter.openAllModules(applicationRoot, true)) { + // Simulate user Opening Level + if (!Getter.getModuleAddress(applicationRoot, lowestRankModuleId, userId).isEmpty()) { + // 
Then, Mark the Challenge Complete for user (Insecure Data Storage Lesson) + String markLevelCompleteTest = + Setter.updatePlayerResult( + applicationRoot, + lowestRankModuleId, + userId, + "Feedback is Not Enabled", + 1, + 1, + 1); + if (markLevelCompleteTest != null) { + String checkPlayerResultTest = + Getter.checkPlayerResult(applicationRoot, lowestRankModuleId, userId); + log.debug("checkPlayerResultTest" + checkPlayerResultTest); + if (checkPlayerResultTest == null) { + String incrementalModules = + Getter.getIncrementalModules(applicationRoot, userId, lang, "testingCSRFtoken"); + if (incrementalModules.indexOf("Completed") > -1) // User should have completed one + // module. The Completed Button + // should be present + { + if (incrementalModules.indexOf(lowestRankModuleId) > -1) // The only completed + // module Id to be + // returned should be + // this one + { + if (incrementalModules.indexOf(secondLowestRankModuleId) > -1) { + if (incrementalModules.indexOf("Get Next Challenge") > -1) // This is the + // English + // string that + // should be + // included with + // the lang + // submitted in + // this unit + // test + { + log.debug( + "PASS: Incremental Menu Appears to have Rendered correctly with the" + + " Preconditions of this test"); + return; + } else { + fail("Could not Detect i18n English Values in Menu"); + } + } else { + fail( + "The Module Id Returned to be Completed Next was not the Known 2nd Level." + + " Ie not: " + + secondLowestRankModuleId); + } + } else { + fail( + "The Module Id Returned was not the Known First Level. 
Ie not: " + + lowestRankModuleId); + } + } else { + fail("CTF Menu Appears as if User Has Completed Modules When They Have Not"); + } + // Wont Log unless unit doesnt pass + log.debug(incrementalModules); + } else { + fail( + "checkPlayerResultTest says user has not completed module"); // Even though this + // test just marked + // it as Completed + } + } else { + fail("Could not mark data storage lesson as complete for user"); + } + } else { + fail("Could not Lowest Rank Lesson as Opened by User"); + } + } else { + fail("Could not open All Modules"); + } + } else { + fail("Could not verify user (No Exception Failure)"); + } + } catch (Exception e) { + log.fatal("Could not Verify User: " + e.toString()); + fail("Could not Verify User " + userName); + } + } + + @Test + public void testGetIncrementalModulesWithoutScriptWithModulesClosed() { + String userName = new String("testIncModuleMenuScript2"); + try { + if (verifyTestUser(applicationRoot, userName, userName)) { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + // Close all Modules First + if (Setter.closeAllModules(applicationRoot)) { + String incrementalModules = + Getter.getIncrementalModulesWithoutScript( + applicationRoot, userId, lang, "testingCSRFtoken"); + if (incrementalModules.indexOf("You've Finished!") + > -1) // IF no modules are open, this is the + // expected leading string + { + if (!incrementalModules.endsWith(";")) { + log.debug( + "PASS: Incremental Menu Appears to have Rendered correctly with the Preconditions" + + " of this test without ending in the button script"); + return; + } else { + log.debug("incrementalModules returned: " + incrementalModules); + fail("Function Ended in Unexpected Script"); + } + } else { + log.debug("incrementalModules returned: " + incrementalModules); + fail("Could not Detect Finished Message"); + } + } else { + fail("Could not Close All Modules"); + } + } else { + fail("Could not verify user (No Exception Failure)"); + } + } catch 
(Exception e) { + log.fatal("Could not Verify User: " + e.toString()); + fail("Could not Verify User " + userName); + } + } + + @Test + public void testGetIncrementalModulesWithoutScriptWithNoneComplete() { + String userName = new String("testIncModuleMenuScript1"); + String lowestRankModuleId = + "0dbea4cb5811fff0527184f99bd5034ca9286f11"; // This should be changed if an easier + // module is made + try { + if (verifyTestUser(applicationRoot, userName, userName)) { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + // Open all Modules First + if (Setter.openAllModules(applicationRoot, false) + && Setter.openAllModules(applicationRoot, true)) { + String incrementalModules = + Getter.getIncrementalModulesWithoutScript( + applicationRoot, userId, lang, "testingCSRFtoken"); + if (incrementalModules.indexOf("Completed") + == -1) // User should not have completed any modules. + // The Completed Button should not be present + { + if (incrementalModules.indexOf(lowestRankModuleId) + > -1) // The only module Id to be returned + // should be this one as it is the + // first presented (Lowest + // Incremental Rank) + { + if (incrementalModules.indexOf("Get Next Challenge") + > -1) // This is the English string + // that should be included with + // the lang submitted in this + // unit test + { + if (!incrementalModules.endsWith(";")) { + log.debug( + "PASS: Incremental Menu Appears to have Rendered correctly with the" + + " Preconditions of this test without ending in the button script"); + return; + } else { + log.debug("incrementalModules returned: " + incrementalModules); + fail("Function Ended in Unexpected Script"); + } + } else { + log.debug("incrementalModules returned: " + incrementalModules); + fail("Could not Detect i18n English Values in Menu"); + } + } else { + log.debug("incrementalModules returned: " + incrementalModules); + fail( + "The Module Id Returned was not the Known First Level. 
Ie not: " + + lowestRankModuleId); + } + } else { + log.debug("incrementalModules returned: " + incrementalModules); + fail("CTF Menu Appears as if User Has Completed Modules When They Have Not"); + } + } else { + fail("Could not open All Modules"); + } + } else { + fail("Could not verify user (No Exception Failure)"); + } + } catch (Exception e) { + log.fatal("Could not Verify User: " + e.toString()); + fail("Could not Verify User " + userName); + } + } + + @Test + public void testGetIncrementalModulesWithoutScriptWithOneModuleComplete() { + String userName = new String("testIncModuleMenuScript3"); + String lowestRankModuleId = + "0dbea4cb5811fff0527184f99bd5034ca9286f11"; // This should be changed if an easier + // module is made + String secondLowestRankModuleId = + "b9d82aa7b46ddaddb6acfe470452a8362136a31e"; // This should be changed if an + // easier module is made or is + // orded before this + try { + if (verifyTestUser(applicationRoot, userName, userName)) { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + // Open all Modules First + if (Setter.openAllModules(applicationRoot, false) + && Setter.openAllModules(applicationRoot, true)) { + // Simulate user Opening Level + if (!Getter.getModuleAddress(applicationRoot, lowestRankModuleId, userId).isEmpty()) { + // Then, Mark the Challenge Complete for user (Insecure Data Storage Lesson) + String markLevelCompleteTest = + Setter.updatePlayerResult( + applicationRoot, + lowestRankModuleId, + userId, + "Feedback is Not Enabled", + 1, + 1, + 1); + if (markLevelCompleteTest != null) { + String checkPlayerResultTest = + Getter.checkPlayerResult(applicationRoot, lowestRankModuleId, userId); + log.debug("checkPlayerResultTest" + checkPlayerResultTest); + if (checkPlayerResultTest == null) { + String incrementalModules = + Getter.getIncrementalModulesWithoutScript( + applicationRoot, userId, lang, "testingCSRFtoken"); + if (incrementalModules.indexOf("Completed") > -1) // User should have 
completed one + // module. The Completed Button + // should be present + { + if (incrementalModules.indexOf(lowestRankModuleId) > -1) // The only completed + // module Id to be + // returned should be + // this one + { + if (incrementalModules.indexOf(secondLowestRankModuleId) > -1) { + if (incrementalModules.indexOf("Get Next Challenge") > -1) // This is the + // English + // string that + // should be + // included with + // the lang + // submitted in + // this unit + // test + { + if (!incrementalModules.endsWith(";")) { + log.debug( + "PASS: Incremental Menu Appears to have Rendered correctly with the" + + " Preconditions of this test without ending in the button" + + " script"); + return; + } else { + log.debug("incrementalModules returned: " + incrementalModules); + fail("Function Ended in Unexpected Script"); + } + } else { + log.debug("incrementalModules returned: " + incrementalModules); + fail("Could not Detect i18n English Values in Menu"); + } + } else { + log.debug("incrementalModules returned: " + incrementalModules); + fail( + "The Module Id Returned to be Completed Next was not the Known 2nd Level." + + " Ie not: " + + secondLowestRankModuleId); + } + } else { + log.debug("incrementalModules returned: " + incrementalModules); + fail( + "The Module Id Returned was not the Known First Level. 
Ie not: " + + lowestRankModuleId); + } + } else { + log.debug("incrementalModules returned: " + incrementalModules); + fail("CTF Menu Appears as if User Has Completed Modules When They Have Not"); + } + } else { + fail( + "checkPlayerResultTest says user has not completed module"); // Even though this + // test just marked + // it as Completed + } + } else { + fail("Could not mark data storage lesson as complete for user"); + } + } else { + fail("Could not Lowest Rank Lesson as Opened by User"); + } + } else { + fail("Could not open All Modules"); + } + } else { + fail("Could not verify user (No Exception Failure)"); + } + } catch (Exception e) { + log.fatal("Could not Verify User: " + e.toString()); + fail("Could not Verify User " + userName); + } + } + + /** + * Tests to ensure that user can only see their data in the scoreboard, and cannot see the data + * from users in other classes in the scoreboard + */ + @Test + public void testGetJsonScoreClassSpecific() { + String userName = new String("scoreUserClassSpecific"); + String className = new String("ScoreClassSpec"); + String otherUserName = new String("scoreUserClassSpecific2"); + String otherClassName = new String("ScoreClassSpec2"); + String classId = new String(); + String classId2 = new String(); + String insecureDirectObjectRefLesson = + "0dbea4cb5811fff0527184f99bd5034ca9286f11"; // Direct Object Reference + // Module + try { + try { + classId = findCreateClassId(className); + classId2 = findCreateClassId(otherClassName); + } catch (Exception e) { + log.fatal("Could not Find or Create Class : " + e.toString()); + fail("Could not Create or Find Classes"); + } + if (verifyTestUser(applicationRoot, userName, userName, classId) + && verifyTestUser(applicationRoot, otherUserName, otherUserName, classId2)) { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + String otherUserId = Getter.getUserIdFromName(applicationRoot, otherUserName); + // Open all Modules First + if 
(Setter.openAllModules(applicationRoot, false)
+ && Setter.openAllModules(applicationRoot, true)) {
+ String markLevelCompleteTest =
+ Setter.updatePlayerResult(
+ applicationRoot,
+ insecureDirectObjectRefLesson,
+ userId,
+ "Feedback is Disabled",
+ 1,
+ 1,
+ 1);
+ if (markLevelCompleteTest != null) {
+ markLevelCompleteTest =
+ Setter.updatePlayerResult(
+ applicationRoot,
+ insecureDirectObjectRefLesson,
+ otherUserId,
+ "Feedback is Disabled",
+ 1,
+ 1,
+ 1);
+ } else {
+ fail("Could Not Mark Level as complete by User 1");
+ }
+ if (markLevelCompleteTest != null) {
+ boolean pass = false;
+ // Configure Score board for class Specific
+ ScoreboardStatus.setScoreboardClassSpecific();
+ // Get Score board Data
+ String scoreboardData = Getter.getJsonScore(applicationRoot, classId);
+ // Take the JSON String and make it Java JSON friendly
+ JSONArray scoreboardJson = (JSONArray) JSONValue.parse(scoreboardData);
+ // Loop through array to find Our user
+ for (int i = 0; i < scoreboardJson.size(); i++) {
+ JSONObject scoreRowJson = (JSONObject) scoreboardJson.get(i);
+ if (scoreRowJson.get("username").toString().compareTo(userName) == 0) {
+ pass = true;
+ log.debug("Found " + userName + " in scoreboard");
+ }
+ if (scoreRowJson.get("username").toString().compareTo(otherUserName) == 0) {
+ log.fatal("Found Class User that shouldn't be included in the output");
+ log.debug("Found " + otherUserName + " in: " + scoreboardData);
+ fail("Found Class User that shouldn't be included in the Scoreboard Data");
+ }
+ }
+ if (!pass) {
+ log.error("Could not find " + userName + " in JSON Data: " + scoreboardData);
+ fail("Could not find user in scoreboard");
+ } else {
+ return; // PASS
+ }
+ } else {
+ fail("Failed to Mark Direct Object Level as Complete for 2nd User");
+ }
+ } else {
+ fail("Could not open All Modules");
+ }
+ } else {
+ fail("Could not verify users (No Exception Failure)");
+ }
+ } catch (Exception e) {
+ log.fatal("Could not Verify Users: " + e.toString()); 
+ fail("Could not Verify Users " + userName);
+ }
+ }
+
+ /**
+ * Test to ensure users that have not scored any points, or are on negative points are not shown
+ * in the scoreboard
+ */
+ @Test
+ public void testGetJsonScoreTotalNoneOrNegPoints() {
+ String userName = new String("userZero");
+ String className = new String("LowScoreTeam");
+ String otherUserName = new String("userMinusFive");
+ String classId = new String();
+ try {
+ try {
+ classId = findCreateClassId(className);
+ log.debug("Class Found");
+ } catch (Exception e) {
+ log.fatal("Could not Find or Create Class : " + e.toString());
+ fail("Could not Create or Find Class");
+ }
+ if (verifyTestUser(applicationRoot, userName, userName, classId)
+ && verifyTestUser(applicationRoot, otherUserName, otherUserName, classId)) {
+ log.debug("User's Verified");
+ String otherUserId = Getter.getUserIdFromName(applicationRoot, otherUserName);
+ log.debug("UserId retrieved");
+ // Open all Modules First
+ if (Setter.openAllModules(applicationRoot, false)
+ && Setter.openAllModules(applicationRoot, true)) {
+ log.debug("Opened All Modules");
+ // Not Touching User Zero, But dropping five points from other user
+ if (Setter.updateUserPoints(applicationRoot, otherUserId, -5)) {
+ log.debug("Updated Points of user Minus 5");
+ // Configure Score board for total open
+ ScoreboardStatus.setScoreboardOpen();
+ log.debug("Scoreboard Set to Open");
+ // Get Score board Data
+ String scoreboardData = Getter.getJsonScore(applicationRoot, classId);
+ if (scoreboardData.isEmpty()) {
+ log.debug(
+ "PASS: The Scoreboard response was empty. Therefore the users are not valid to be"
+ + " returned");
+ return; // PASS
+ }
+ log.debug("Got Scoreboard Data");
+ // Take the JSON String and make it Java JSON friendly
+ JSONArray scoreboardJson = (JSONArray) JSONValue.parse(scoreboardData);
+ log.debug("Parsed Scoreboard Data");
+ if (scoreboardJson == null) {
+ log.debug("scoreboardJson is Null. 
json was: " + scoreboardData);
+ }
+ // Loop through array to find Our user
+ for (int i = 0; i < scoreboardJson.size(); i++) {
+ log.debug("Looping through Array " + i);
+ JSONObject scoreRowJson = (JSONObject) scoreboardJson.get(i);
+ if (scoreRowJson.get("username").toString().compareTo(userName) == 0) {
+ fail("Found " + userName + " in scoreboard");
+ }
+ if (scoreRowJson.get("username").toString().compareTo(otherUserName) == 0) {
+ fail("Found " + otherUserName + " in scoreboard");
+ }
+ }
+ log.debug(
+ "PASS: Did not ether user's in the response, therefore they were not included");
+ return; // PASS
+ } else {
+ fail("Failed to Subtract points from " + otherUserName);
+ }
+ } else {
+ fail("Could not open All Modules");
+ }
+ } else {
+ fail("Could not verify users (No Exception Failure)");
+ }
+ } catch (Exception e) {
+ log.fatal("Could not Verify Users: " + e.toString());
+ fail("Could not Verify Users " + userName);
+ }
+ }
+
+ /** Test to see if Score board returns score for entire user base regardless of class */
+ @Test
+ public void testGetJsonScoreTotalOpen() {
+ String userName = new String("scoreUserTotalScore");
+ String className = new String("ScoreTotalScore");
+ String otherUserName = new String("scoreUserTotalScoreb2");
+ String otherClassName = new String("ScoreTotalScoreb2");
+ String classId = new String();
+ String classId2 = new String();
+ String insecureDirectObjectRefLesson =
+ "0dbea4cb5811fff0527184f99bd5034ca9286f11"; // Direct Object Reference
+ // Module
+ try {
+ try {
+ classId = findCreateClassId(className);
+ classId2 = findCreateClassId(otherClassName);
+ } catch (Exception e) {
+ log.fatal("Could not Find or Create Class : " + e.toString());
+ fail("Could not Create or Find Classes");
+ }
+ if (verifyTestUser(applicationRoot, userName, userName, classId)
+ && verifyTestUser(applicationRoot, otherUserName, otherUserName, classId2)) {
+ String userId = Getter.getUserIdFromName(applicationRoot, userName);
+ String otherUserId 
= Getter.getUserIdFromName(applicationRoot, otherUserName);
+ // Open all Modules First
+ if (Setter.openAllModules(applicationRoot, false)
+ && Setter.openAllModules(applicationRoot, true)) {
+ String markLevelCompleteTest =
+ Setter.updatePlayerResult(
+ applicationRoot,
+ insecureDirectObjectRefLesson,
+ userId,
+ "Feedback is Disabled",
+ 1,
+ 1,
+ 1);
+ if (markLevelCompleteTest != null) {
+ markLevelCompleteTest =
+ Setter.updatePlayerResult(
+ applicationRoot,
+ insecureDirectObjectRefLesson,
+ otherUserId,
+ "Feedback is Disabled",
+ 1,
+ 1,
+ 1);
+ } else {
+ fail("Could Not Mark Level as complete by User 1");
+ }
+ if (markLevelCompleteTest != null) {
+ boolean pass = false;
+ boolean user2 = false;
+ // Configure Score board for class Specific
+ ScoreboardStatus.setScoreboardOpen();
+ // Get Score board Data
+ String scoreboardData = Getter.getJsonScore(applicationRoot, classId);
+ // Take the JSON String and make it Java JSON friendly
+ JSONArray scoreboardJson = (JSONArray) JSONValue.parse(scoreboardData);
+ // Loop through array to find Our user
+ for (int i = 0; i < scoreboardJson.size(); i++) {
+ JSONObject scoreRowJson = (JSONObject) scoreboardJson.get(i);
+ if (scoreRowJson.get("username").toString().compareTo(userName) == 0) {
+ pass = true;
+ log.debug("Found " + userName + " in scoreboard");
+ }
+ if (scoreRowJson.get("username").toString().compareTo(otherUserName) == 0) {
+ user2 = true;
+ log.debug("Found " + otherUserName + " in scoreboard");
+ }
+ }
+ if (!(pass && user2)) {
+ if (!pass) {
+ log.error("Could not find " + userName + " in JSON Data: " + scoreboardData);
+ fail("Could not find user in scoreboard");
+ } else {
+ log.error("Could not see users from other class in total scoreboard data");
+ log.error("Could not find " + otherUserName + " in " + scoreboardData);
+ fail("Could not see users from other class in total scoreboard data");
+ }
+ } else {
+ return; // PASS
+ }
+ } else {
+ fail("Failed to Mark Direct Object Level as 
Complete for 2nd User");
+ }
+ } else {
+ fail("Could not open All Modules");
+ }
+ } else {
+ fail("Could not verify users (No Exception Failure)");
+ }
+ } catch (Exception e) {
+ log.fatal("Could not Verify Users: " + e.toString());
+ fail("Could not Verify Users " + userName);
+ }
+ }
+
+ /** Ensuring HTML is encoded from untrusted user inputs in scoreboard */
+ @Test
+ public void testGetJsonScoreTotalOpenHtmlChars() {
+ String userName = new String("");
+ String otherUserName = new String("\"onerror=\"alert('Name');//");
+ String otherClassName = new String("\"onerror=\"alert('C');//");
+ String classId = new String();
+ String classId2 = new String();
+ String insecureDirectObjectRefLesson =
+ "0dbea4cb5811fff0527184f99bd5034ca9286f11"; // Direct Object Reference
+ // Module
+ try {
+ try {
+ classId = findCreateClassId(className);
+ classId2 = findCreateClassId(otherClassName);
+ } catch (Exception e) {
+ log.fatal("Could not Find or Create Class : " + e.toString());
+ fail("Could not Create or Find Classes");
+ }
+ if (verifyTestUser(applicationRoot, userName, userName, classId)
+ && verifyTestUser(applicationRoot, otherUserName, otherUserName, classId2)) {
+ String userId = Getter.getUserIdFromName(applicationRoot, userName);
+ String otherUserId = Getter.getUserIdFromName(applicationRoot, otherUserName);
+ // Open all Modules First
+ if (Setter.openAllModules(applicationRoot, false)
+ && Setter.openAllModules(applicationRoot, true)) {
+ String markLevelCompleteTest =
+ Setter.updatePlayerResult(
+ applicationRoot,
+ insecureDirectObjectRefLesson,
+ userId,
+ "Feedback is Disabled",
+ 1,
+ 1,
+ 1);
+ if (markLevelCompleteTest != null) {
+ markLevelCompleteTest =
+ Setter.updatePlayerResult(
+ applicationRoot,
+ insecureDirectObjectRefLesson,
+ otherUserId,
+ "Feedback is Disabled",
+ 1,
+ 1,
+ 1);
+ } else {
+ fail("Could Not Mark Level as complete by User 1");
+ }
+ if (markLevelCompleteTest != null) {
+ // Configure Score board for total open
+ 
ScoreboardStatus.setScoreboardOpen();
+ // Get Score board Data
+ String scoreboardData = Getter.getJsonScore(applicationRoot, classId);
+ // Take the JSON String and make it Java JSON friendly
+ JSONArray scoreboardJson = (JSONArray) JSONValue.parse(scoreboardData);
+ // Loop through array to find Our user
+ for (int i = 0; i < scoreboardJson.size(); i++) {
+ JSONObject scoreRowJson = (JSONObject) scoreboardJson.get(i);
+ if (scoreRowJson.get("username").toString().compareTo(userName) == 0) // Therefore not
+ // encoded for HTML
+ {
+ fail("Found " + userName + " in scoreboard");
+ }
+ if (scoreRowJson.get("username").toString().compareTo(otherUserName)
+ == 0) // Therefore not
+ // encoded for
+ // HTML
+ {
+ fail("Found " + otherUserName + " in scoreboard");
+ }
+ }
+ log.debug(
+ "PASS: Did not find HTML Strings in Scoreboard Response. Therefore they are"
+ + " encoded");
+ return; // PASS
+ } else {
+ fail("Failed to Mark Direct Object Level as Complete for 2nd User");
+ }
+ } else {
+ fail("Could not open All Modules");
+ }
+ } else {
+ fail("Could not verify users (No Exception Failure)");
+ }
+ } catch (Exception e) {
+ log.fatal("Could not Verify Users: " + e.toString());
+ fail("Could not Verify Users " + userName);
+ }
+ }
+
+ @Test
+ public void testGetLessons() {
+ String userName = new String("getLessonsUser");
+ String inscureDirectObjectLesson = "0dbea4cb5811fff0527184f99bd5034ca9286f11";
+ String poorDataValidationLesson = "b9d82aa7b46ddaddb6acfe470452a8362136a31e";
+ try {
+ if (verifyTestUser(applicationRoot, userName, userName)) {
+ String userId = Getter.getUserIdFromName(applicationRoot, userName);
+ // Open all Modules First
+ if (Setter.openAllModules(applicationRoot, false)
+ && Setter.openAllModules(applicationRoot, true)) {
+ // Simulate user Opening Level
+ if (!Getter.getModuleAddress(applicationRoot, inscureDirectObjectLesson, userId)
+ .isEmpty()) {
+ String markLevelCompleteTest =
+ Setter.updatePlayerResult(
+ applicationRoot,
+ 
inscureDirectObjectLesson,
+ userId,
+ "Feedback is Disabled",
+ 1,
+ 1,
+ 1);
+ if (markLevelCompleteTest != null) {
+ String lessonsMenu = Getter.getLessons(applicationRoot, userId, locale);
+ if (lessonsMenu.indexOf("class='lesson'")
+ > -1) // Menu Should include this at least once
+ {
+ if (lessonsMenu.indexOf(inscureDirectObjectLesson)
+ > -1) // This module should be in the
+ // response
+ {
+ if (lessonsMenu.indexOf(
+ " -1) // English string should exist in output based
+ // on the submitted locale
+ {
+ log.debug(
+ "PASS: GetLessons Menu Appears to have Rendered correctly with the Preconditions"
+ + " of this test");
+ return;
+ } else {
+ log.fatal("Could not find i18n English String in lessons Menu: " + lessonsMenu);
+ fail("Could not Detect i18n Locale Strings In Lessons Menu");
+ }
+ }
+ } else {
+ fail("Could not close All Modules");
+ }
+ } else {
+ fail("Could not verify user (No Exception Failure)");
+ }
+ } catch (Exception e) {
+ log.fatal("Could not Verify User: " + e.toString());
+ fail("Could not Verify User " + userName);
+ }
+ }
+
+ @Test
+ public void testGetModuleAddress() {
+ String userName = new String("userGetModuleAddress");
+ String insecureCryptoLesson = new String("201ae6f8c55ba3f3b5881806387fbf34b15c30c2");
+ try {
+ if (verifyTestUser(applicationRoot, userName, userName)) {
+ String userId = Getter.getUserIdFromName(applicationRoot, userName);
+ // Open all Modules First so that the Module Can Be Opened
+ if (Setter.openAllModules(applicationRoot, false)
+ && Setter.openAllModules(applicationRoot, true)) {
+ // Simulate user Opening Level
+ if (!Getter.getModuleAddress(applicationRoot, insecureCryptoLesson, userId).isEmpty()) {
+ log.debug("PASS: Could mark level open when level was marked as open");
+ return;
+ } else {
+ fail("Could not Insecure Crypto Lesson as Opened by user");
+ }
+ } else {
+ fail("Could not Open All Modules");
+ }
+ } else {
+ fail("Could not verify user (No Exception Failure)");
+ }
+ } catch (Exception 
e) {
+ log.fatal("Could not Verify User: " + e.toString());
+ fail("Could not Verify User " + userName);
+ }
+ }
+
+ @Test
+ public void testGetModuleAddressWhenClosed() {
+ String userName = new String("userGetModuleAddressTwo");
+ String insecureCryptoLesson = new String("201ae6f8c55ba3f3b5881806387fbf34b15c30c2");
+ try {
+ if (verifyTestUser(applicationRoot, userName, userName)) {
+ String userId = Getter.getUserIdFromName(applicationRoot, userName);
+ // Close all modules first
+ if (Setter.closeAllModules(applicationRoot)) {
+ // Simulate user Opening Level
+ if (Getter.getModuleAddress(applicationRoot, insecureCryptoLesson, userId).isEmpty()) {
+ log.debug("PASS: Could not get Module URL when Module Closed");
+ } else {
+ fail("Could Get Module Address when marked as closed");
+ }
+ } else {
+ fail("Could not Close All Modules");
+ }
+ } else {
+ fail("Could not verify user (No Exception Failure)");
+ }
+ } catch (Exception e) {
+ log.fatal("Could not Verify User: " + e.toString());
+ fail("Could not Verify User " + userName);
+ }
+ }
+
+ @Test
+ public void testGetModuleCategory() {
+ String insecureCryptoLesson = new String("201ae6f8c55ba3f3b5881806387fbf34b15c30c2");
+ if (Getter.getModuleCategory(applicationRoot, insecureCryptoLesson)
+ .compareTo("Insecure Cryptographic Storage")
+ != 0) {
+ fail("Incorrect Category Returned for Insecure Crypto Lesson");
+ } else {
+ log.debug("PASS: Expected Category Returned");
+ }
+ }
+
+ @Test
+ public void testGetModuleHash() {
+ String insecureCryptoLesson = new String("201ae6f8c55ba3f3b5881806387fbf34b15c30c2");
+ if (Getter.getModuleHash(applicationRoot, insecureCryptoLesson)
+ .compareTo("if38ebb58ea2d245fa792709370c00ca655fded295c90ef36f3a6c5146c29ef2")
+ != 0) {
+ fail("Incorrect Hash Returned for Insecure Crypto Lesson");
+ } else {
+ log.debug("PASS: Expected Hash Returned");
+ }
+ }
+
+ @Test
+ public void testGetModuleIdFromHash() {
+ String insecureCryptoLesson = new 
String("201ae6f8c55ba3f3b5881806387fbf34b15c30c2");
+ if (Getter.getModuleIdFromHash(
+ applicationRoot, Getter.getModuleHash(applicationRoot, insecureCryptoLesson))
+ .compareTo(insecureCryptoLesson)
+ != 0) {
+ fail("Incorrect moduleId Returned for Insecure Crypto Lesson Hash Search");
+ } else {
+ log.debug("PASS: Expected Id Returned");
+ }
+ }
+
+ @Test
+ public void testGetModuleKeyTypeEncryptedKey() {
+ String csrfChallengeThree = new String("5ca9115f3279b9b9f3308eb6a59a4fcd374846d6");
+ if (!Getter.getModuleKeyType(applicationRoot, csrfChallengeThree)) {
+ log.debug("PASS: Encrypted Key Detected on Encrypted Level");
+ } else {
+ log.fatal("Hardcoded Key Detected On Encrypted Key Module");
+ fail("Hardcoded Key Detected On Encrypted Key Module");
+ }
+ }
+
+ @Test
+ public void testGetModuleKeyTypeHardcodedKey() {
+ String insecureCryptoLesson = new String("201ae6f8c55ba3f3b5881806387fbf34b15c30c2");
+ if (Getter.getModuleKeyType(applicationRoot, insecureCryptoLesson)) {
+ log.debug("PASS: Hardcoded Key Detected on Hardcoded Level");
+ } else {
+ log.fatal("Encrypted Key Detected On Hardcoded Key Module");
+ fail("Encrypted Key Detected On Hardcoded Key Module");
+ }
+ }
+
+ @Test
+ public void testGetModuleNameLocaleKey() {
+ try {
+ String moduleId =
+ new String("0dbea4cb5811fff0527184f99bd5034ca9286f11"); // Insecure Direct Object
+ // References Module Id
+ String moduleName = new String("Insecure Direct Object References");
+ String moduleLocalNameKey = Getter.getModuleNameLocaleKey(applicationRoot, moduleId);
+ ResourceBundle bundle = ResourceBundle.getBundle("i18n.moduleGenerics.moduleNames", locale);
+ String localName = bundle.getString(moduleLocalNameKey);
+ if (localName.compareTo(moduleName) != 0) {
+ log.error(localName + " != " + moduleName);
+ fail("Name Retrieved != expected result");
+ }
+ } catch (Exception e) {
+ log.fatal("Could not complete testGetModuleNameLocaleKey: " + e.toString());
+ fail("Could not complete 
testGetModuleNameLocaleKey");
+ }
+ }
+
+ /** Test to return stored result key from DB via getModuleResult Function */
+ @Test
+ public void testGetModuleResult() {
+ String insecureCryptoLesson = new String("201ae6f8c55ba3f3b5881806387fbf34b15c30c2");
+ String knownStoredResult =
+ new String("base64isNotEncryptionBase64isEncodingBase64HidesNothingFromYou");
+ String methodReturnResult = Getter.getModuleResult(applicationRoot, insecureCryptoLesson);
+ if (knownStoredResult.compareTo(methodReturnResult) != 0) {
+ log.fatal(
+ "Known Result ("
+ + knownStoredResult
+ + ") did not match returned result ("
+ + methodReturnResult
+ + ")");
+ fail("Stored and Known Results Differed");
+ }
+ }
+
+ /** Test to return stored result key from DB via getModuleResultFromHash Function */
+ @Test
+ public void testGetModuleResultFromHash() {
+ String insecureCryptoLessonHash =
+ new String("if38ebb58ea2d245fa792709370c00ca655fded295c90ef36f3a6c5146c29ef2");
+ String knownStoredResult =
+ new String("base64isNotEncryptionBase64isEncodingBase64HidesNothingFromYou");
+ String methodReturnResult =
+ Getter.getModuleResultFromHash(applicationRoot, insecureCryptoLessonHash);
+ if (knownStoredResult.compareTo(methodReturnResult) != 0) {
+ log.fatal(
+ "Known Result ("
+ + knownStoredResult
+ + ") did not match returned result ("
+ + methodReturnResult
+ + ")");
+ fail("Stored and Known Results Differed");
+ }
+ }
+
+ /** Function should return the entire list of modules regardless of status in options tags */
+ @Test
+ public void testGetModulesInOptionTags() {
+ String insecureCryptoLesson = new String("201ae6f8c55ba3f3b5881806387fbf34b15c30c2");
+ String modules = Getter.getModulesInOptionTags(applicationRoot);
+ if (modules.indexOf(insecureCryptoLesson) == -1) {
+ log.fatal("Insecure Crypto Lesson ID Ommited from list: " + modules);
+ fail("Entire List of Modules not returned");
+ } else if (modules.indexOf("option") == -1) {
+ log.fatal("No Options Tags Detected in List: " + 
modules);
+ fail("No Options Tags Detected in List");
+ }
+ }
+
+ @Test
+ public void testGetModulesInOptionTagsCTF() {
+ String lowestRankLevel = new String("0dbea4cb5811fff0527184f99bd5034ca9286f11");
+ String modules = Getter.getModulesInOptionTagsCTF(applicationRoot);
+ if (modules.indexOf(lowestRankLevel) == -1) {
+ log.fatal("Insecure Crypto Lesson ID Ommited from list: " + modules);
+ fail("Entire List of Modules not returned");
+ } else if (modules.indexOf("option") == -1) {
+ log.fatal("No Options Tags Detected in List: " + modules);
+ fail("No Options Tags Detected in List");
+ } else if (!modules.startsWith("
To OpenTo Close
To OpenTo Close
To OpenTo Close
0) {
+ fail("User from wrong class is listed in getJsonProgress response");
+ } else if (jsonProgressString.indexOf(userName) == -1) {
+ fail("Could not find user from class in getJsonProgress response");
+ } else if (jsonProgressString.indexOf(anotherUserName) == -1) {
+ fail("Could not find user who has made no progress in getJsonProgress response");
+ } else {
+ log.debug("Going through JsonArray");
+ // Take the JSON String and make it Java JSON friendly
+ JSONArray jsonProgress = (JSONArray) JSONValue.parse(jsonProgressString);
+ // Loop through array to find Our user
+ for (int i = 0; i < jsonProgress.size(); i++) {
+ JSONObject userProgress = (JSONObject) jsonProgress.get(i);
+ if (userProgress.get("userName").toString().compareTo(userName) == 0) {
+ int progressBar = Integer.parseInt(userProgress.get("progressBar").toString());
+ if (progressBar <= 0) {
+ fail(
+ "User has no progress according to response when they have completed a"
+ + " level");
+ }
+ } else if (userProgress.get("userName").toString().compareTo(anotherUserName)
+ == 0) {
+ int progressBar = Integer.parseInt(userProgress.get("progressBar").toString());
+ if (progressBar != 0) {
+ fail("User that has done nothing has progress != 0");
+ }
+ }
+ }
+ }
+ } else {
+ fail("Could not Mark level as Complete by user 2");
+ }
+ }
+ } else {
+ fail("Could not Mark All Modules as Open");
+ }
+ } else {
+ fail("Could not Verify Users");
+ }
+ } catch (Exception e) {
+ log.fatal("Could not complete getJsonProgress use case: " + e.toString());
+ fail("Could not Complete getJsonProgress use case");
+ }
+ }
+
+ /** Tests the Tournament Floor Plan when all modules are opened */
+ @Test
+ public void testGetTournamentModules() {
+ String userName = new String("allOpenTournUser");
+ String dataStorageLessonId = new String("53a53a66cb3bf3e4c665c442425ca90e29536edd");
+ String insecureDirectObjectReferenceLesson =
+ new String("0dbea4cb5811fff0527184f99bd5034ca9286f11");
+ try {
+ if 
(verifyTestUser(applicationRoot, userName, userName)) {
+ String userId = Getter.getUserIdFromName(applicationRoot, userName);
+ // Open all Modules First so that the GetAllModuleInfo method will return data
+ if (Setter.openAllModules(applicationRoot, false)
+ && Setter.openAllModules(applicationRoot, true)) {
+ // Simulate user Opening Level
+ if (!Getter.getModuleAddress(applicationRoot, dataStorageLessonId, userId).isEmpty()) {
+ // Then, Mark the Challenge Complete for user (Insecure Data Storage Lesson)
+ String markLevelCompleteTest =
+ Setter.updatePlayerResult(
+ applicationRoot, dataStorageLessonId, userId, "Feedback is Disabled", 1, 1, 1);
+ if (markLevelCompleteTest != null) {
+ String tournamentModules =
+ Getter.getTournamentModules(applicationRoot, userId, locale);
+ if (!tournamentModules.isEmpty()) // Some Modules were included in response
+ {
+ // Get number of Challenges returned by getChallenges method
+ int numberofChallengesReturned =
+ (tournamentModules.length()
+ - tournamentModules.replace("class='lesson'", "").length())
+ / "class='lesson'".length();
+ if (numberofChallengesReturned > totalNumberOfModulesInShepherd) {
+ log.debug("Found " + numberofChallengesReturned + " modules");
+ if (!tournamentModules.contains(
+ "Corporal")) // English String Expected to be in the
+ // response when submitted with the
+ // locale for this unit test
+ {
+ fail("Could not detect i18n English String in Tournament Output");
+ } else if (tournamentModules.indexOf(
+ " 0: " + scoreboardData);
- TestProperties.failAndPrint("User has score of 0 before BadSubmission Emulation");
- }
-
- // Resetting resetBadSubmission count back to 0
- if (!Setter.resetBadSubmission(applicationRoot, userId))
- TestProperties.failAndPrint("Could not Reset bad submission count");
- // Simulating 41 bad submissions
- for (int i = 0; i <= 40; i++)
- Setter.incrementBadSubmission(applicationRoot, userId);
-
- // Check Score again
- int scoreAfter = 0;
- scoreboardData = 
Getter.getJsonScore(applicationRoot, "");
- scoreboardJson = (JSONArray) JSONValue.parse(scoreboardData);
- // Loop through array to find Our user
- for (int i = 0; i < scoreboardJson.size(); i++) {
- log.debug("Looping through Array " + i);
- JSONObject scoreRowJson = (JSONObject) scoreboardJson.get(i);
- if (scoreRowJson.get("username").toString().compareTo(userName) == 0) {
- log.debug("Found user with score: " + scoreRowJson.get("score"));
- scoreAfter = Integer.parseInt(scoreRowJson.get("score").toString());
- break;
- }
- }
-
- int expectedAfter = scoreBefore - (scoreBefore / 10);
- log.debug("expected score: " + expectedAfter);
- if (scoreAfter != expectedAfter)// Checking exact number should be equal to and number
- // below as well incase rounded d
- {
- log.debug("score before: " + scoreBefore);
- log.debug("score after : " + scoreAfter);
- log.debug("Expected After: " + expectedAfter);
- int roundedUp = scoreAfter + 1;
- if (roundedUp != expectedAfter)
- TestProperties.failAndPrint("Invalid Score Deduction Detected");
- else
- return; // PASS
- } else {
- return; // Pass
- }
- }
- } else {
- TestProperties.failAndPrint("Could not Mark First level as complete");
- }
- }
- }
- } else {
- TestProperties.failAndPrint("Could not Create/Verify User");
- }
- }
-
- @Test
- public void testOpenOnlyMobileCategories() {
- if (!Setter.openOnlyMobileCategories(applicationRoot))
- TestProperties.failAndPrint("Could not Open Only Mobile Categories");
- }
-
- @Test
- public void testOpenOnlyWebCategories() {
- if (!Setter.openOnlyWebCategories(applicationRoot, 0))
- TestProperties.failAndPrint("Could not Open Only Web Categories");
- }
-
- @Test
- public void testResetBadSubmission() throws SQLException {
- String moduleId = "853c98bd070fe0d31f1ec8b4f2ada9d7fd1784c5"; // CSRF7
- String userName = new String("BadSubResetUser");
-
- if (GetterTest.verifyTestUser(applicationRoot, userName, userName)) {
- String userId = Getter.getUserIdFromName(applicationRoot, userName); 
- if (!Setter.openAllModules(applicationRoot, false) && !Setter.openAllModules(applicationRoot, true)) {
- TestProperties.failAndPrint("Could not mark all modules as open");
- } else {
- // Simulate user Opening Level
- if (Getter.getModuleAddress(applicationRoot, moduleId, userId).isEmpty()) {
- TestProperties.failAndPrint("Could not Simulate Opening First Level for User");
- } else {
- String markLevelCompleteTest = Setter.updatePlayerResult(applicationRoot, moduleId, userId,
- "Feedback is Disabled", 1, 1, 1);
- if (markLevelCompleteTest != null) {
- int scoreBefore = 0;
- ScoreboardStatus.setScoreboardOpen();
- String scoreboardData = Getter.getJsonScore(applicationRoot, "");
- if (scoreboardData.isEmpty()) {
- fail("Could not detect user in scoreboard before bad submission test");
- } else {
- JSONArray scoreboardJson = (JSONArray) JSONValue.parse(scoreboardData);
- // Loop through array to find Our user
- for (int i = 0; i < scoreboardJson.size(); i++) {
- JSONObject scoreRowJson = (JSONObject) scoreboardJson.get(i);
- if (scoreRowJson.get("username").toString().compareTo(userName) == 0) {
- log.debug("Found user with score: " + scoreRowJson.get("score"));
- scoreBefore = Integer.parseInt(scoreRowJson.get("score").toString());
- break;
- }
- }
- if (scoreBefore == 0) {
- log.fatal("Could not find user " + userName + " with score > 0: " + scoreboardData);
- TestProperties.failAndPrint("User has score of 0 before BadSubmission Emulation");
- }
-
- // Resetting resetBadSubmission count back to 0
- if (!Setter.resetBadSubmission(applicationRoot, userId))
- TestProperties.failAndPrint("Could not Reset bad submission count");
- // Simulating 40 bad submissions
- for (int i = 0; i < 40; i++) {
- if (!Setter.incrementBadSubmission(applicationRoot, userId))
- TestProperties.failAndPrint("Could not Increment Bad Submission Counter");
- }
- // Resetting Bad Submission Count back to 0 again
- if (!Setter.resetBadSubmission(applicationRoot, userId))
- 
TestProperties.failAndPrint("Could not Reset bad submission count");
- // Incrementing one more time (Should set user bad submission counter to 1)
- if (!Setter.incrementBadSubmission(applicationRoot, userId))
- TestProperties.failAndPrint("Could not Increment Bad Submission Counter");
-
- // Check Score again
- int scoreAfter = 0;
- scoreboardData = Getter.getJsonScore(applicationRoot, "");
- scoreboardJson = (JSONArray) JSONValue.parse(scoreboardData);
- // Loop through array to find Our user
- for (int i = 0; i < scoreboardJson.size(); i++) {
- log.debug("Looping through Array " + i);
- JSONObject scoreRowJson = (JSONObject) scoreboardJson.get(i);
- if (scoreRowJson.get("username").toString().compareTo(userName) == 0) {
- log.debug("Found user with score: " + scoreRowJson.get("score"));
- scoreAfter = Integer.parseInt(scoreRowJson.get("score").toString());
- break;
- }
- }
-
- if (scoreAfter != scoreBefore)// Checking exact number should be equal to and number
- // below as well incase rounded d
- {
- log.debug("score before: " + scoreBefore);
- log.debug("score after : " + scoreAfter);
- TestProperties.failAndPrint("Invalid Score Deduction Detected");
- } else {
- return; // Pass
- }
- }
- } else {
- TestProperties.failAndPrint("Could not Mark First level as complete");
- }
- }
- }
- } else {
- TestProperties.failAndPrint("Could not Create/Verify User");
- }
-
- }
-
- @Test
- public void testSetCsrfChallengeFourCsrfToken() throws SQLException {
- String userName = new String("csrfFourUser");
-
- if (GetterTest.verifyTestUser(applicationRoot, userName, userName)) {
- String userId = Getter.getUserIdFromName(applicationRoot, userName);
- String csrfTokenValue = new String("CsrfTokenTest");
- String csrfToken = Setter.setCsrfChallengeFourCsrfToken(userId, csrfTokenValue, applicationRoot);
- if (csrfToken.compareTo(csrfTokenValue) != 0)
- fail("Retrieved CSRF token did not Match the Set Value");
- } else {
- fail("Could not Verify User");
- }
- }
-
- @Test
- public 
void testSetCsrfChallengeSevenCsrfToken() throws SQLException {
- String userName = new String("csrfSevenUser");
-
- if (GetterTest.verifyTestUser(applicationRoot, userName, userName)) {
- String userId = Getter.getUserIdFromName(applicationRoot, userName);
- String csrfToken = new String("CsrfTokenTest");
- if (!Setter.setCsrfChallengeSevenCsrfToken(userId, csrfToken, applicationRoot))
- fail("Could not Set CSRF Chalenge 7 Token");
- } else {
- fail("Could not Verify User");
- }
-
- }
-
- @Test
- public void testSetModuleCategoryStatusOpen() throws SQLException {
- String moduleCategory = new String("Injection");
- if (!Setter.closeAllModules(applicationRoot))
- fail("Could not Mark all modules as closed");
- else if (!Setter.setModuleCategoryStatusOpen(applicationRoot, moduleCategory, "open"))
- fail("Could not Open module Category");
- else {
- Connection conn = Database.getCoreConnection(applicationRoot);
-
- log.debug("Getting Number of Mobile Levels From DB");
- PreparedStatement prepStatement = conn
- .prepareStatement("SELECT DISTINCT moduleCategory FROM modules WHERE moduleStatus = 'open';");
- ResultSet rs = prepStatement.executeQuery();
- while (rs.next()) {
- if (rs.getString(1).compareTo(moduleCategory) != 0) {
- log.debug("Found Category that wa snot injection: " + rs.getString(1));
- fail("Detected Category that was not Injection Open");
- }
- }
-
- }
- }
-
- @Test
- public void testSetModuleCategoryStatusClosed() throws SQLException {
- String moduleCategory = new String("Injection");
- if (!Setter.openAllModules(applicationRoot, false) && !Setter.openAllModules(applicationRoot, true))
- fail("Could not Mark all modules as open");
- else if (!Setter.setModuleCategoryStatusOpen(applicationRoot, moduleCategory, "closed"))
- fail("Could not close module Category");
- else {
- Connection conn = Database.getCoreConnection(applicationRoot);
-
- log.debug("Getting Number of Mobile Levels From DB");
- PreparedStatement prepStatement = conn
-
.prepareStatement("SELECT DISTINCT moduleCategory FROM modules WHERE moduleStatus = 'closed';");
- ResultSet rs = prepStatement.executeQuery();
- while (rs.next()) {
- if (rs.getString(1).compareTo(moduleCategory) != 0) {
- log.debug("Found Category that wa snot injection: " + rs.getString(1));
- fail("Detected Category that was not Injection Closed");
- }
- }
-
- }
- }
-
- @Test
- public void testSetModuleStatusClosed() throws SQLException {
- String moduleId = new String("853c98bd070fe0d31f1ec8b4f2ada9d7fd1784c5"); // CSRF 7
- if (!Setter.openAllModules(applicationRoot, false))
- fail("Could not Mark all modules as open");
- else if (!Setter.setModuleStatusClosed(applicationRoot, moduleId))
- fail("Could not close CSRF 7 Module");
- else {
- Connection conn = Database.getCoreConnection(applicationRoot);
-
- log.debug("Getting Number of Mobile Levels From DB");
- PreparedStatement prepStatement = conn
- .prepareStatement("SELECT moduleStatus FROM modules WHERE moduleId = ?");
- prepStatement.setString(1, moduleId);
- ResultSet rs = prepStatement.executeQuery();
- if (rs.next()) {
- if (rs.getString(1).compareTo("closed") != 0) {
- log.debug("Module was not closed by method");
- fail("Module was not closed by method");
- }
- }
-
- }
- }
-
- @Test
- public void testSetModuleStatusOpen() throws SQLException {
- String moduleId = new String("853c98bd070fe0d31f1ec8b4f2ada9d7fd1784c5"); // CSRF 7
- if (!Setter.closeAllModules(applicationRoot))
- fail("Could not Mark all modules as closed");
- else if (!Setter.setModuleStatusOpen(applicationRoot, moduleId))
- fail("Could not close CSRF 7 Module");
- else {
- Connection conn = Database.getCoreConnection(applicationRoot);
-
- log.debug("Getting Number of Mobile Levels From DB");
- PreparedStatement prepStatement = conn
- .prepareStatement("SELECT moduleStatus FROM modules WHERE moduleId = ?");
- prepStatement.setString(1, moduleId);
- ResultSet rs = prepStatement.executeQuery();
- if (rs.next()) {
- if
(rs.getString(1).compareTo("open") != 0) {
- log.debug("Module was not opened by method");
- fail("Module was not opened by method");
- }
- }
-
- }
- }
-
- @Test
- public void testSetStoredMessage() throws SQLException {
- log.debug("Testing Set Stored message");
- String userName = new String("storedMessageUser");
- String className = new String("sMessageClass");
- String moduleId = new String("853c98bd070fe0d31f1ec8b4f2ada9d7fd1784c5"); // CSRF 7
- String message = new String("TestStoredMessage");
-
- log.debug("Getting class id");
- String classId = GetterTest.findCreateClassId(className, applicationRoot);
- log.debug("Checking User Name in DB");
- if (GetterTest.verifyTestUser(applicationRoot, userName, userName, classId)) {
- // Open all Modules First so that the Module Can Be Opened
- if (!Setter.openAllModules(applicationRoot, false)) {
- fail("Could not open all modules");
- }
- String userId = Getter.getUserIdFromName(applicationRoot, userName);
- // Simulate user Opening Level
- if (Getter.getModuleAddress(applicationRoot, moduleId, userId).isEmpty()) {
- fail("Could not Simulate Opening First Level for User");
- } else {
- Setter.setStoredMessage(applicationRoot, message, userId, moduleId);
- Connection conn = Database.getCoreConnection(applicationRoot);
-
- CallableStatement callstmt = conn.prepareCall("call resultMessageByClass(?, ?)");
- log.debug("Gathering resultMessageByClass ResultSet");
- callstmt.setString(1, classId);
- callstmt.setString(2, moduleId);
- ResultSet resultSet = callstmt.executeQuery();
- log.debug("resultMessageByClass executed");
- while (resultSet.next()) {
- if (resultSet.getString(1).compareTo(userName) == 0) {
- if (resultSet.getString(2).compareTo(message) != 0)
- fail("Stored Message does not equal the one set");
- else
- return; // Pass
- }
- }
- fail("Could not find user stored message");
-
- }
- } else {
- fail("Could not verify test User");
- }
-
- }
-
- @Test
- public void testSuspendUser() throws SQLException {
-
String userName = new String("suspendedUser"); - - log.debug("Checking User Name in DB"); - boolean loggedIn = false; - try { - log.debug("Trying to Verify User"); - loggedIn = GetterTest.verifyTestUser(applicationRoot, userName, userName); - } catch (SQLException e) { - log.debug("Could not verify. May be suspended. Unsuspending"); - // Might need to unsuspend player - Setter.unSuspendUser(applicationRoot, Getter.getUserIdFromName(applicationRoot, userName)); - // Gotta Sleep for a sec otherwise the time setting for suspension will fail - // test. Must be 1 sec after unsuspend function ran - try { - Thread.sleep(1000); - } catch (InterruptedException e1) { - // Ignore if we're interrupted - log.debug("Sleep was interrupted, continuing anyway..."); - } - loggedIn = GetterTest.verifyTestUser(applicationRoot, userName, userName); - } - if (!loggedIn) { - fail("Could not Verify User"); - } else { - String userId = Getter.getUserIdFromName(applicationRoot, userName); - if (!Setter.suspendUser(applicationRoot, userId, 10)) { - fail("Could not suspend User"); - } else { - String user[] = Getter.authUser(applicationRoot, userName, userName); - if (user == null || user[0].isEmpty()) { - return;// PASS: User Could not Authenticate after suspension - } else { - TestProperties.failAndPrint("Fail: could still authenticate as user after suspension"); - } - } - } - - } - - @Test - public void testUnSuspendUser() throws SQLException { - String userName = new String("UnsuspendedUser"); - - log.debug("Checking User Name in DB"); - if (!GetterTest.verifyTestUser(applicationRoot, userName, userName)) { - fail("Could not Verify User"); - } else { - String userId = Getter.getUserIdFromName(applicationRoot, userName); - if (!Setter.suspendUser(applicationRoot, userId, 10)) { - fail("Could not suspend User"); - } else { - if (!Setter.unSuspendUser(applicationRoot, userId)) { - fail("Could not unsusepend user"); - } else { - // Gotta Sleep for a sec, otherwise the time compair will round 
down and user - // auth will fail. User is unsuspended 1 second after unsuspend funciton - try { - Thread.sleep(1000); - } catch (InterruptedException e) { - // Ignore if we're interrupted - log.debug("Sleep was interrupted, continuing anyway..."); - } - String user[] = Getter.authUser(applicationRoot, userName, userName); - if (user == null || user[0].isEmpty()) { - fail("Could not Authenticate after unsuspension"); - } else { - return;// PASS: User Could not Authenticate after unsuspension - } - } - } - } - - } - - @Test - public void testUpdateUsername() { - log.debug("Testing update Password"); - String userName = new String("updateUsernameTest"); - String newUsername = new String("newUpdatedUsernameTest"); - - String password = new String("justaTestingPassword"); - - boolean loggedIn = false; - - try { - log.debug("Logging in as test user " + userName); - loggedIn = GetterTest.verifyTestUser(applicationRoot, userName, password); - } catch (SQLException e) { - loggedIn = false; - TestProperties.failAndPrint("Could not log in with default pass: " + e.toString()); - } - if (!loggedIn) { - TestProperties.failAndPrint("Could not sign in as the test user."); - } else { - log.debug("Logged in! 
Updating Username now"); - if (!Setter.updateUsername(applicationRoot, userName, newUsername)) { - TestProperties.failAndPrint("Could not update username."); - } else { - log.debug("Username Updated: " + newUsername + ", testing auth as new name"); - String user[]; - - log.debug("Logging in with new username"); - user = Getter.authUser(applicationRoot, newUsername, password); - - if (user != null && !user[0].isEmpty()) { - log.debug("Pass: Could log in with new username"); - - } else { - TestProperties.failAndPrint("Could not sign in as the test user."); - } - - } - } - } - - @Test - public void testUpdatePassword() { - log.debug("Testing update Password"); - String userName = new String("updatePassword"); - String currentPass = new String(); - String newPass = new String(); - boolean loggedIn = false; - - try { - currentPass = userName; - newPass = userName + userName; - log.debug("Logging in with default Pass"); - loggedIn = GetterTest.verifyTestUser(applicationRoot, userName, currentPass); - } catch (SQLException e) { - newPass = userName; - currentPass = userName + userName; - log.debug("Could not log in with default pass: " + e.toString()); - log.debug("Logging in with alternative pass: " + currentPass); - String[] auth = Getter.authUser(applicationRoot, userName, currentPass); - loggedIn = auth != null; - } - if (!loggedIn) { - log.debug("Could not sign in with any pass."); - fail("Could not Verify User"); - } else { - log.debug("Logged in! Updating Password now"); - if (!Setter.updatePassword(applicationRoot, userName, currentPass, newPass)) { - log.debug("Could not update password"); - fail("Could not update password"); - } else { - log.debug("Password Updated. 
Authenticating with new pass: " + newPass); - String[] auth = Getter.authUser(applicationRoot, userName, newPass); - if (auth == null) { - fail("Could Not Auth With New Pass"); - } - - log.debug("Also attempting auth with old pass: " + currentPass); - auth = Getter.authUser(applicationRoot, userName, currentPass); - if (auth != null) { - fail("Could auth with old password!"); - } - } - } - - } - - @Test - public void testUpdatePasswordAdmin() { - log.debug("Testing update Password"); - String userName = new String("adminPassUp"); - String currentPass = new String(); - String newPass = new String(); - boolean loggedIn = false; - - try { - currentPass = userName; - newPass = userName + userName; - log.debug("Logging in with default Pass"); - loggedIn = GetterTest.verifyTestUser(applicationRoot, userName, currentPass); - } catch (SQLException e) { - newPass = userName; - currentPass = userName + userName; - log.debug("Could not log in with default pass: " + e.toString()); - log.debug("Logging in with alternative pass: " + currentPass); - String[] auth = Getter.authUser(applicationRoot, userName, currentPass); - loggedIn = auth != null; - } - if (!loggedIn) { - log.debug("Could not sign in with any pass."); - fail("Could not Verify User"); - } else { - log.debug("Logged in! Updating Password now"); - if (!Setter.updatePasswordAdmin(applicationRoot, Getter.getUserIdFromName(applicationRoot, userName), - newPass)) { - log.debug("Could not update password"); - fail("Could not update password"); - } else { - log.debug("Password Updated. 
Authenticating with new pass: " + newPass); - String[] auth = Getter.authUser(applicationRoot, userName, newPass); - if (auth == null) { - fail("Could Not Auth With New Pass"); - } else { - return; // PASS: Authenticated With New Pass - } - } - } - - } - - @Test - public void testUpdatePlayerClass() throws SQLException { - String userName = new String("UpdateClassUser"); - String className = new String("Old Class"); - String otherClassName = new String("Other Class"); - String classId = new String(); - String otherClassId = new String(); - String newClass = new String(); - - log.debug("Getting class ids"); - classId = GetterTest.findCreateClassId(className, applicationRoot); - otherClassId = GetterTest.findCreateClassId(otherClassName, applicationRoot); - log.debug("Verifying User"); - if (!GetterTest.verifyTestUser(applicationRoot, userName, userName, classId)) { - fail("Could not verify user"); - } else { - String userId = Getter.getUserIdFromName(applicationRoot, userName); - String currentClass = Getter.getUserClassFromName(applicationRoot, userName); - newClass = otherClassId; - - log.debug("Current Class: " + currentClass); - log.debug("New Class: " + newClass); - if (!Setter.updatePlayerClass(applicationRoot, newClass, userId).equalsIgnoreCase(userName)) { - fail("Could not update player class"); - } else { - String latestClass = Getter.getUserClassFromName(applicationRoot, userName); - if (latestClass.compareTo(newClass) != 0) { - log.debug("Latest Class: " + latestClass); - log.debug("New Class: " + newClass); - fail("Retrieved Class is not the Set Class"); - } else { - return; // PASS - } - } - } - - } - - @Test - public void testUpdatePlayerClassToNull() throws SQLException { - String userName = new String("UpdateClassUserFromNull"); - String className = new String("WutClass"); - String classId = new String(); - - log.debug("Getting class ids"); - try { - classId = GetterTest.findCreateClassId(className, applicationRoot); - } catch (SQLException e) { - 
TestProperties - .failAndPrint("Could not find or create class ID from name " + className + ": " + e.toString()); - } - if (!GetterTest.verifyTestUser(applicationRoot, userName, userName, classId)) { - fail("Could not verify user"); - } else { - String userId = Getter.getUserIdFromName(applicationRoot, userName); - String currentClass = Getter.getUserClassFromName(applicationRoot, userName); - log.debug("Current Class: " + currentClass); - if (!Setter.updatePlayerClassToNull(applicationRoot, userId).equalsIgnoreCase(userName)) { - fail("Could not update player class to null"); - } else { - String latestClass = Getter.getUserClassFromName(applicationRoot, userName); - if (latestClass == null || latestClass.isEmpty()) { - return;// PASS - } else { - log.debug("Latest Class: " + latestClass); - fail("Retrieved Class is not null"); - } - } - } - - } - - @Test - public void testUpdateUserRole() throws SQLException { - String userName = new String("WasUserNowAdmin"); - String currentRole = new String(); - String newRole = new String(); - boolean testUserVerified = false; - - try { - testUserVerified = GetterTest.verifyTestUser(applicationRoot, userName, userName); - } catch (SQLException e) { - TestProperties.failAndPrint("Could not create test user " + userName + ": " + e.toString()); - } - - assertTrue(testUserVerified); - - Connection conn = Database.getCoreConnection(applicationRoot); - PreparedStatement ps = null; - try { - ps = conn.prepareStatement("SELECT userRole FROM users WHERE userName = ?"); - } catch (SQLException e) { - TestProperties.failAndPrint("Could prepare DB statement : " + e.toString()); - } - - assertNotEquals(ps, null); - - try { - ps.setString(1, userName); - } catch (SQLException e) { - TestProperties.failAndPrint("Could set statement username " + userName + ": " + e.toString()); - } - - ResultSet rs = null; - try { - rs = ps.executeQuery(); - } catch (SQLException e) { - TestProperties.failAndPrint("Could execute DB Query : " + e.toString()); 
- } - - assertNotEquals(rs, null); - - boolean couldAdvance = false; - - try { - couldAdvance = rs.next(); - } catch (SQLException e) { - TestProperties.failAndPrint("Could not advance in result set : " + e.toString()); - } - - assertTrue(couldAdvance); - - if (couldAdvance) { - try { - currentRole = rs.getString(1); - } catch (SQLException e) { - TestProperties.failAndPrint("Could not get currentRole from result set: " + e.toString()); - } - if (currentRole.equalsIgnoreCase("admin")) { - log.debug("User is currently an admin. Changing to player"); - newRole = new String("player"); - } else { - log.debug("User is currently a player. Changing to admin"); - newRole = new String("admin"); - } - } else { - fail("User not found in DB after it was created"); - } - try { - rs.close(); - } catch (SQLException e) { - TestProperties.failAndPrint("Could not close result set: " + e.toString()); - } - try { - conn.close(); - } catch (SQLException e) { - TestProperties.failAndPrint("Could not close db connection: " + e.toString()); - - } - String userId = Getter.getUserIdFromName(applicationRoot, userName); - if (!Setter.updateUserRole(applicationRoot, userId, newRole).equalsIgnoreCase(userName)) { - fail("Could not update user role from " + currentRole + " to " + newRole); - } else { - log.debug("Checking if change occurred"); - conn = Database.getCoreConnection(applicationRoot); - try { - ps = conn.prepareStatement("SELECT userRole FROM users WHERE userName = ?"); - } catch (SQLException e) { - TestProperties.failAndPrint("Could not prepare DB statement: " + e.toString()); - } - try { - ps.setString(1, userName); - } catch (SQLException e) { - TestProperties.failAndPrint("Could not set string in DB statement: " + e.toString()); - } - try { - rs = ps.executeQuery(); - } catch (SQLException e) { - TestProperties.failAndPrint("Could not execute DB query: " + e.toString()); - } - - couldAdvance = false; - - try { - couldAdvance = rs.next(); - } catch (SQLException e) { - 
TestProperties.failAndPrint("Could not advance in result set: " + e.toString()); - } - - assertTrue(couldAdvance); - String returnedRole = ""; - - try { - returnedRole = rs.getString(1); - } catch (SQLException e) { - TestProperties.failAndPrint("Could not get returned string from db result: " + e.toString()); - } - - assertNotEquals(returnedRole, ""); - - if (!newRole.equalsIgnoreCase(returnedRole)) { - fail("User Role was not updated in DB"); - } - - try { - rs.close(); - conn.close(); - } catch (SQLException e) { - TestProperties.failAndPrint("Could not close DB connection: " + e.toString()); - } - - } - - } - - @Test - public void testMutipleClassMedals() { - String moduleId = "853c98bd070fe0d31f1ec8b4f2ada9d7fd1784c5"; // CSRF7 - String userName = new String("classUserOne"); - String otherUserName = new String("difClassUserTwo"); - - String classOne = ""; - try { - classOne = TestProperties.findCreateClassId(log, "classA2737", applicationRoot); - } catch (SQLException e) { - TestProperties.failAndPrint("Could not create class classA2737: " + e.toString()); - } - - assertNotEquals(classOne, ""); - - String classTwo = ""; - try { - classTwo = TestProperties.findCreateClassId(log, "classB2737", applicationRoot); - } catch (SQLException e) { - TestProperties.failAndPrint("Could not create class classB2737: " + e.toString()); - } - assertNotEquals(classTwo, ""); - - log.debug("classOne: " + classOne); - log.debug("classTwo: " + classTwo); - - boolean firstTestUserVerified = false; - try { - firstTestUserVerified = TestProperties.verifyTestUser(log, applicationRoot, userName, userName, classOne); - } catch (SQLException e) { - TestProperties - .failAndPrint("Unhandled exception when verifying test user " + userName + ": " + e.toString()); - } - - assertTrue(firstTestUserVerified); - - boolean secondTestUserVerified = false; - try { - secondTestUserVerified = TestProperties.verifyTestUser(log, applicationRoot, otherUserName, otherUserName, - classTwo); - } catch 
(SQLException e) { - TestProperties.failAndPrint( - "Unhandled exception when verifying test user " + otherUserName + ": " + e.toString()); - } - - assertTrue(secondTestUserVerified); - - String userId = Getter.getUserIdFromName(applicationRoot, userName); - String otherUserId = Getter.getUserIdFromName(applicationRoot, otherUserName); - - boolean modulesOpened = Setter.openAllModules(applicationRoot, false); - - if (!modulesOpened) { - TestProperties.failAndPrint("Could not mark all modules as open"); - } - - // Simulate user Opening Level - if (Getter.getModuleAddress(applicationRoot, moduleId, userId).isEmpty() - || Getter.getModuleAddress(applicationRoot, moduleId, otherUserId).isEmpty()) { - fail("Could not Simulate Opening Level for Users"); - } else { - String markLevelCompleteTest = Setter.updatePlayerResult(applicationRoot, moduleId, userId, - "Feedback is Disabled", 1, 1, 1); - if (markLevelCompleteTest != null) { - String markLevelCompleteTestOtherUser = Setter.updatePlayerResult(applicationRoot, moduleId, - otherUserId, "Feedback is Disabled", 1, 1, 1); - // Do both Users have a gold medal? 
- if (markLevelCompleteTestOtherUser != null) { - ScoreboardStatus.setScoreboardOpen(); - String scoreboardData = Getter.getJsonScore(applicationRoot, ""); - if (scoreboardData.isEmpty()) { - fail("Could not detect user in scoreboard before bad submission test"); - } else { - JSONArray scoreboardJson = (JSONArray) JSONValue.parse(scoreboardData); - // Loop through array to find Our first user - boolean goldMedal = false; - for (int i = 0; i < scoreboardJson.size(); i++) { - // log.debug("Looping through Array " + i); - JSONObject scoreRowJson = (JSONObject) scoreboardJson.get(i); - if (scoreRowJson.get("username").toString().compareTo(userName) == 0) { - log.debug("Found user with goldMedalCount: " + scoreRowJson.get("goldMedalCount")); - goldMedal = Integer.parseInt(scoreRowJson.get("goldMedalCount").toString()) > 0; - break; - } - } - if (!goldMedal) { - TestProperties.failAndPrint("User " + userName - + " should have a gold medal and does not. They were first in their class to complete module " - + moduleId); - } else { - // Search for the other user - goldMedal = false; - for (int i = 0; i < scoreboardJson.size(); i++) { - // log.debug("Looping through Array " + i); - JSONObject scoreRowJson = (JSONObject) scoreboardJson.get(i); - if (scoreRowJson.get("username").toString().compareTo(otherUserName) == 0) { - log.debug("Found user with goldMedalCount: " + scoreRowJson.get("goldMedalCount")); - goldMedal = Integer.parseInt(scoreRowJson.get("goldMedalCount").toString()) > 0; - break; - } - } - if (!goldMedal) { - TestProperties.failAndPrint("User " + otherUserName - + " should have a gold medal and does not. 
They were first in their class to complete challenge " - + moduleId); - } - } - } - } else { - fail("Could not Mark First level as complete for Second User"); - } - } else { - fail("Could not Mark First level as complete"); - } - - } - - } - - @Test - public void testUserDelete() { - String testUsername = "testuserdelete"; - String testPassword = "testuserpassword"; - - String testuserId = Getter.getUserIdFromName(applicationRoot, testUsername); - - if (testuserId == null || testuserId.isEmpty()) { - boolean userCreated = false; - try { - userCreated = Setter.userCreate(applicationRoot, null, testUsername, testUsername, "player", - testUsername + "@test.com", false); - } catch (SQLException e) { - TestProperties.failAndPrint("Could not create test user " + testUsername + " with password " - + testPassword + ": " + e.toString()); - } - assert (userCreated); - - } - - testuserId = Getter.getUserIdFromName(applicationRoot, testUsername); - assert (testuserId != null && !testuserId.isEmpty()); - - boolean userDeleted = false; - try { - userDeleted = Setter.userDelete(applicationRoot, testuserId); - } catch (SQLException e) { - TestProperties.failAndPrint("Could not delete test user " + testUsername + ": " + e.toString()); - } - assert (userDeleted); - - testuserId = Getter.getUserIdFromName(applicationRoot, testUsername); - assert (testuserId == null || testuserId.isEmpty()); - - } - - @Test - public void testSSOUserDelete() { - String testUsername = "testSSOuserdelete"; - String testSSOName = "testSSOuserdelete@example.com"; - - String testuserId; - - String user[]; - - user = Getter.authUserSSO(applicationRoot, null, testUsername, testSSOName, "player"); - - if (user == null || user[0].isEmpty()) { - TestProperties.failAndPrint("Could not authenticate as newly created SSO user"); - } else { - log.debug("PASS: User Could Authenticate after being created"); - } - - boolean userDeleted = false; - try { - userDeleted = Setter.userDelete(applicationRoot, user[0]); - } 
catch (SQLException e) { - TestProperties.failAndPrint("Could not delete test user " + testUsername + ": " + e.toString()); - } - assert (userDeleted); - - testuserId = Getter.getUserIdFromName(applicationRoot, testUsername); - assert (testuserId == null || testuserId.isEmpty()); - - } - - @Test - public void testCreateDuplicateUser() { - String userName = new String("duplicateUser"); - - String user[] = Getter.authUser(applicationRoot, userName, userName); - if (user == null || user[0].isEmpty()) { - log.debug("User not found in DB. Adding user to DB and Retesting before giving up"); - try { - Setter.userCreate(applicationRoot, null, userName, userName, "player", userName + "@test.com", false); - } catch (SQLException e) { - TestProperties.failAndPrint("SQL error when creating user " + userName + ": " + e.toString()); - } - user = Getter.authUser(applicationRoot, userName, userName); - } - if (user != null && !user[0].isEmpty()) { - log.debug("User " + userName + " exists. Checking what happens if duplicate user is added"); - try { - - // Should fail here - Setter.userCreate(applicationRoot, null, userName, userName, "player", userName + "@test.com", false); - - // If we're still here - TestProperties.failAndPrint("No error when creating duplicate user " + userName); - } catch (SQLException e) { - log.debug("PASS: Could not add duplicate user " + userName); - } - - } else { - TestProperties.failAndPrint("Couldn't verify " + userName + " could authenticate at all"); - } - - } - - @Test - public void testDisableAdminCheatSheetSetting() throws SQLException { - - Setter.setAdminCheatStatus(applicationRoot, false); - assertFalse(Getter.getAdminCheatStatus(applicationRoot)); - - } - - @Test - public void testDisablePlayerCheatSheetSetting() throws SQLException { - - Setter.setPlayerCheatStatus(applicationRoot, false); - assertFalse(Getter.getPlayerCheatStatus(applicationRoot)); - - } - - @Test - public void testEnableAdminCheatSheetSetting() throws SQLException { - - 
Setter.setAdminCheatStatus(applicationRoot, true); - assertTrue(Getter.getAdminCheatStatus(applicationRoot)); - - } - - @Test - public void testEnablePlayerCheatSheetSetting() throws SQLException { - - Setter.setPlayerCheatStatus(applicationRoot, true); - assertTrue(Getter.getPlayerCheatStatus(applicationRoot)); - - } - - @Test - public void testSetOpenFloorLayout() throws SQLException { - - Setter.setModuleLayout(applicationRoot, "tournament"); - Setter.setModuleLayout(applicationRoot, "open"); - - assertEquals(Getter.getModuleLayout(applicationRoot), "open"); - - } - - @Test - public void testSetCTFLayout() throws SQLException { - - Setter.setModuleLayout(applicationRoot, "open"); - Setter.setModuleLayout(applicationRoot, "ctf"); - assertEquals(Getter.getModuleLayout(applicationRoot), "ctf"); - - } - - @Test - public void testSetTournamentLayout() throws SQLException { - - Setter.setModuleLayout(applicationRoot, "ctf"); - Setter.setModuleLayout(applicationRoot, "tournament"); - - assertEquals(Getter.getModuleLayout(applicationRoot), "tournament"); - - } - - @Test(expected = IllegalArgumentException.class) - public void testEmptyModuleLayouts() throws SQLException { - - Setter.setModuleLayout(applicationRoot, ""); - - } - - @Test(expected = IllegalArgumentException.class) - public void testInvalidModuleLayouts() throws SQLException { - - Setter.setModuleLayout(applicationRoot, "strangeLayout"); - - } - - @Test(expected = IllegalArgumentException.class) - public void testInvalidCaseCTFModuleLayouts() throws SQLException { - - Setter.setModuleLayout(applicationRoot, "CTF"); - - } - @Test(expected = IllegalArgumentException.class) - public void testInvalidCaseOpenModuleLayouts() throws SQLException { + private static final Logger log = LogManager.getLogger(SetterTest.class); + private static String applicationRoot = new String(); + + /** Creates DB or Restores DB to Factory Defaults before running tests */ + @BeforeClass + public static void resetDatabase() throws 
IOException, SQLException { + TestProperties.setTestPropertiesFileDirectory(log); + + TestProperties.createMysqlResource(); + + TestProperties.executeSql(log); + } + + /** + * Test to ensure class's can be created with this method. Other Unit Tests use this method, but + * not nessisarily every time, as a class may already exist. This Method creates a random class + * name so it can run every time without failure + * + * @throws SQLException + */ + @Test + public void testClassCreate() throws SQLException { + Random rand = new Random(); + String className = "newC" + rand.nextInt(50) + rand.nextInt(50) + rand.nextInt(50); + if (!Setter.classCreate(applicationRoot, className, "2015")) { + TestProperties.failAndPrint("Could not Create Class"); + } else { + + boolean pass = false; + ResultSet rs = Getter.getClassInfo(applicationRoot); + while (rs.next()) { + if (rs.getString(2).equalsIgnoreCase(className)) { + pass = true; + break; + } + } + if (!pass) { + TestProperties.failAndPrint("Could not find class in DB"); + } else { + return; // PASS + } + } + } + + @Test + public void testIncrementBadSubmission() throws SQLException { + String moduleId = "853c98bd070fe0d31f1ec8b4f2ada9d7fd1784c5"; // CSRF7 + String userName = new String("BadSubUser"); + + if (GetterTest.verifyTestUser(applicationRoot, userName, userName)) { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + if (!Setter.openAllModules(applicationRoot, false) + && !Setter.openAllModules(applicationRoot, true)) { + TestProperties.failAndPrint("Could not mark all modules as open"); + } else { + // Simulate user Opening Level + if (Getter.getModuleAddress(applicationRoot, moduleId, userId).isEmpty()) { + TestProperties.failAndPrint("Could not Simulate Opening First Level for User"); + } else { + String markLevelCompleteTest = + Setter.updatePlayerResult( + applicationRoot, moduleId, userId, "Feedback is Disabled", 1, 1, 1); + if (markLevelCompleteTest != null) { + // Giving the User a Score 
Bump in case they have already completed CSRF7 and + // this is the 20th time the unit test has run + if (!Setter.updateUserPoints(applicationRoot, userId, 20)) { + TestProperties.failAndPrint("Could not give user extra points"); + } + + int scoreBefore = 0; + ScoreboardStatus.setScoreboardOpen(); + String scoreboardData = Getter.getJsonScore(applicationRoot, ""); + if (scoreboardData.isEmpty()) { + TestProperties.failAndPrint( + "Could not detect user in scoreboard before bad submission test"); + } else { + JSONArray scoreboardJson = (JSONArray) JSONValue.parse(scoreboardData); + // Loop through array to find Our user + for (int i = 0; i < scoreboardJson.size(); i++) { + log.debug("Looping through Array " + i); + JSONObject scoreRowJson = (JSONObject) scoreboardJson.get(i); + if (scoreRowJson.get("username").toString().compareTo(userName) == 0) { + log.debug("Found user with score: " + scoreRowJson.get("score")); + scoreBefore = Integer.parseInt(scoreRowJson.get("score").toString()); + break; + } + } + if (scoreBefore == 0) { + log.fatal("Could not find user " + userName + " with score > 0: " + scoreboardData); + TestProperties.failAndPrint("User has score of 0 before BadSubmission Emulation"); + } + + // Resetting resetBadSubmission count back to 0 + if (!Setter.resetBadSubmission(applicationRoot, userId)) { + TestProperties.failAndPrint("Could not Reset bad submission count"); + } + // Simulating 41 bad submissions + for (int i = 0; i <= 40; i++) { + Setter.incrementBadSubmission(applicationRoot, userId); + } + + // Check Score again + int scoreAfter = 0; + scoreboardData = Getter.getJsonScore(applicationRoot, ""); + scoreboardJson = (JSONArray) JSONValue.parse(scoreboardData); + // Loop through array to find Our user + for (int i = 0; i < scoreboardJson.size(); i++) { + log.debug("Looping through Array " + i); + JSONObject scoreRowJson = (JSONObject) scoreboardJson.get(i); + if (scoreRowJson.get("username").toString().compareTo(userName) == 0) { + 
log.debug("Found user with score: " + scoreRowJson.get("score")); + scoreAfter = Integer.parseInt(scoreRowJson.get("score").toString()); + break; + } + } + + int expectedAfter = scoreBefore - (scoreBefore / 10); + log.debug("expected score: " + expectedAfter); + if (scoreAfter + != expectedAfter) // Checking exact number should be equal to and number + // below as well incase rounded d + { + log.debug("score before: " + scoreBefore); + log.debug("score after : " + scoreAfter); + log.debug("Expected After: " + expectedAfter); + int roundedUp = scoreAfter + 1; + if (roundedUp != expectedAfter) { + TestProperties.failAndPrint("Invalid Score Deduction Detected"); + } else { + return; // PASS + } + } else { + return; // Pass + } + } + } else { + TestProperties.failAndPrint("Could not Mark First level as complete"); + } + } + } + } else { + TestProperties.failAndPrint("Could not Create/Verify User"); + } + } + + @Test + public void testOpenOnlyMobileCategories() { + if (!Setter.openOnlyMobileCategories(applicationRoot)) { + TestProperties.failAndPrint("Could not Open Only Mobile Categories"); + } + } + + @Test + public void testOpenOnlyWebCategories() { + if (!Setter.openOnlyWebCategories(applicationRoot, 0)) { + TestProperties.failAndPrint("Could not Open Only Web Categories"); + } + } + + @Test + public void testResetBadSubmission() throws SQLException { + String moduleId = "853c98bd070fe0d31f1ec8b4f2ada9d7fd1784c5"; // CSRF7 + String userName = new String("BadSubResetUser"); + + if (GetterTest.verifyTestUser(applicationRoot, userName, userName)) { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + if (!Setter.openAllModules(applicationRoot, false) + && !Setter.openAllModules(applicationRoot, true)) { + TestProperties.failAndPrint("Could not mark all modules as open"); + } else { + // Simulate user Opening Level + if (Getter.getModuleAddress(applicationRoot, moduleId, userId).isEmpty()) { + TestProperties.failAndPrint("Could not Simulate Opening 
First Level for User"); + } else { + String markLevelCompleteTest = + Setter.updatePlayerResult( + applicationRoot, moduleId, userId, "Feedback is Disabled", 1, 1, 1); + if (markLevelCompleteTest != null) { + int scoreBefore = 0; + ScoreboardStatus.setScoreboardOpen(); + String scoreboardData = Getter.getJsonScore(applicationRoot, ""); + if (scoreboardData.isEmpty()) { + fail("Could not detect user in scoreboard before bad submission test"); + } else { + JSONArray scoreboardJson = (JSONArray) JSONValue.parse(scoreboardData); + // Loop through array to find Our user + for (int i = 0; i < scoreboardJson.size(); i++) { + JSONObject scoreRowJson = (JSONObject) scoreboardJson.get(i); + if (scoreRowJson.get("username").toString().compareTo(userName) == 0) { + log.debug("Found user with score: " + scoreRowJson.get("score")); + scoreBefore = Integer.parseInt(scoreRowJson.get("score").toString()); + break; + } + } + if (scoreBefore == 0) { + log.fatal("Could not find user " + userName + " with score > 0: " + scoreboardData); + TestProperties.failAndPrint("User has score of 0 before BadSubmission Emulation"); + } + + // Resetting resetBadSubmission count back to 0 + if (!Setter.resetBadSubmission(applicationRoot, userId)) { + TestProperties.failAndPrint("Could not Reset bad submission count"); + } + // Simulating 40 bad submissions + for (int i = 0; i < 40; i++) { + if (!Setter.incrementBadSubmission(applicationRoot, userId)) { + TestProperties.failAndPrint("Could not Increment Bad Submission Counter"); + } + } + // Resetting Bad Submission Count back to 0 again + if (!Setter.resetBadSubmission(applicationRoot, userId)) { + TestProperties.failAndPrint("Could not Reset bad submission count"); + } + // Incrementing one more time (Should set user bad submission counter to 1) + if (!Setter.incrementBadSubmission(applicationRoot, userId)) { + TestProperties.failAndPrint("Could not Increment Bad Submission Counter"); + } + + // Check Score again + int scoreAfter = 0; + 
scoreboardData = Getter.getJsonScore(applicationRoot, ""); + scoreboardJson = (JSONArray) JSONValue.parse(scoreboardData); + // Loop through array to find Our user + for (int i = 0; i < scoreboardJson.size(); i++) { + log.debug("Looping through Array " + i); + JSONObject scoreRowJson = (JSONObject) scoreboardJson.get(i); + if (scoreRowJson.get("username").toString().compareTo(userName) == 0) { + log.debug("Found user with score: " + scoreRowJson.get("score")); + scoreAfter = Integer.parseInt(scoreRowJson.get("score").toString()); + break; + } + } + + if (scoreAfter != scoreBefore) // Checking exact number should be equal to and number + // below as well incase rounded d + { + log.debug("score before: " + scoreBefore); + log.debug("score after : " + scoreAfter); + TestProperties.failAndPrint("Invalid Score Deduction Detected"); + } else { + return; // Pass + } + } + } else { + TestProperties.failAndPrint("Could not Mark First level as complete"); + } + } + } + } else { + TestProperties.failAndPrint("Could not Create/Verify User"); + } + } + + @Test + public void testSetCsrfChallengeFourCsrfToken() throws SQLException { + String userName = new String("csrfFourUser"); + + if (GetterTest.verifyTestUser(applicationRoot, userName, userName)) { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + String csrfTokenValue = new String("CsrfTokenTest"); + String csrfToken = + Setter.setCsrfChallengeFourCsrfToken(userId, csrfTokenValue, applicationRoot); + if (csrfToken.compareTo(csrfTokenValue) != 0) { + fail("Retrieved CSRF token did not Match the Set Value"); + } + } else { + fail("Could not Verify User"); + } + } + + @Test + public void testSetCsrfChallengeSevenCsrfToken() throws SQLException { + String userName = new String("csrfSevenUser"); + + if (GetterTest.verifyTestUser(applicationRoot, userName, userName)) { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + String csrfToken = new String("CsrfTokenTest"); + if 
(!Setter.setCsrfChallengeSevenCsrfToken(userId, csrfToken, applicationRoot)) { + fail("Could not Set CSRF Chalenge 7 Token"); + } + } else { + fail("Could not Verify User"); + } + } + + @Test + public void testSetModuleCategoryStatusOpen() throws SQLException { + String moduleCategory = new String("Injection"); + if (!Setter.closeAllModules(applicationRoot)) { + fail("Could not Mark all modules as closed"); + } else if (!Setter.setModuleCategoryStatusOpen(applicationRoot, moduleCategory, "open")) { + fail("Could not Open module Category"); + } else { + Connection conn = Database.getCoreConnection(applicationRoot); + + log.debug("Getting Number of Mobile Levels From DB"); + PreparedStatement prepStatement = + conn.prepareStatement( + "SELECT DISTINCT moduleCategory FROM modules WHERE moduleStatus = 'open';"); + ResultSet rs = prepStatement.executeQuery(); + while (rs.next()) { + if (rs.getString(1).compareTo(moduleCategory) != 0) { + log.debug("Found Category that wa snot injection: " + rs.getString(1)); + fail("Detected Category that was not Injection Open"); + } + } + } + } + + @Test + public void testSetModuleCategoryStatusClosed() throws SQLException { + String moduleCategory = new String("Injection"); + if (!Setter.openAllModules(applicationRoot, false) + && !Setter.openAllModules(applicationRoot, true)) { + fail("Could not Mark all modules as open"); + } else if (!Setter.setModuleCategoryStatusOpen(applicationRoot, moduleCategory, "closed")) { + fail("Could not close module Category"); + } else { + Connection conn = Database.getCoreConnection(applicationRoot); + + log.debug("Getting Number of Mobile Levels From DB"); + PreparedStatement prepStatement = + conn.prepareStatement( + "SELECT DISTINCT moduleCategory FROM modules WHERE moduleStatus = 'closed';"); + ResultSet rs = prepStatement.executeQuery(); + while (rs.next()) { + if (rs.getString(1).compareTo(moduleCategory) != 0) { + log.debug("Found Category that wa snot injection: " + rs.getString(1)); + 
fail("Detected Category that was not Injection Closed"); + } + } + } + } + + @Test + public void testSetModuleStatusClosed() throws SQLException { + String moduleId = new String("853c98bd070fe0d31f1ec8b4f2ada9d7fd1784c5"); // CSRF 7 + if (!Setter.openAllModules(applicationRoot, false)) { + fail("Could not Mark all modules as open"); + } else if (!Setter.setModuleStatusClosed(applicationRoot, moduleId)) { + fail("Could not close CSRF 7 Module"); + } else { + Connection conn = Database.getCoreConnection(applicationRoot); + + log.debug("Getting Number of Mobile Levels From DB"); + PreparedStatement prepStatement = + conn.prepareStatement("SELECT moduleStatus FROM modules WHERE moduleId = ?"); + prepStatement.setString(1, moduleId); + ResultSet rs = prepStatement.executeQuery(); + if (rs.next()) { + if (rs.getString(1).compareTo("closed") != 0) { + log.debug("Module was not closed by method"); + fail("Module was not closed by method"); + } + } + } + } + + @Test + public void testSetModuleStatusOpen() throws SQLException { + String moduleId = new String("853c98bd070fe0d31f1ec8b4f2ada9d7fd1784c5"); // CSRF 7 + if (!Setter.closeAllModules(applicationRoot)) { + fail("Could not Mark all modules as closed"); + } else if (!Setter.setModuleStatusOpen(applicationRoot, moduleId)) { + fail("Could not close CSRF 7 Module"); + } else { + Connection conn = Database.getCoreConnection(applicationRoot); + + log.debug("Getting Number of Mobile Levels From DB"); + PreparedStatement prepStatement = + conn.prepareStatement("SELECT moduleStatus FROM modules WHERE moduleId = ?"); + prepStatement.setString(1, moduleId); + ResultSet rs = prepStatement.executeQuery(); + if (rs.next()) { + if (rs.getString(1).compareTo("open") != 0) { + log.debug("Module was not opened by method"); + fail("Module was not opened by method"); + } + } + } + } + + @Test + public void testSetStoredMessage() throws SQLException { + log.debug("Testing Set Stored message"); + String userName = new 
String("storedMessageUser"); + String className = new String("sMessageClass"); + String moduleId = new String("853c98bd070fe0d31f1ec8b4f2ada9d7fd1784c5"); // CSRF 7 + String message = new String("TestStoredMessage"); + + log.debug("Getting class id"); + String classId = GetterTest.findCreateClassId(className, applicationRoot); + log.debug("Checking User Name in DB"); + if (GetterTest.verifyTestUser(applicationRoot, userName, userName, classId)) { + // Open all Modules First so that the Module Can Be Opened + if (!Setter.openAllModules(applicationRoot, false)) { + fail("Could not open all modules"); + } + String userId = Getter.getUserIdFromName(applicationRoot, userName); + // Simulate user Opening Level + if (Getter.getModuleAddress(applicationRoot, moduleId, userId).isEmpty()) { + fail("Could not Simulate Opening First Level for User"); + } else { + Setter.setStoredMessage(applicationRoot, message, userId, moduleId); + Connection conn = Database.getCoreConnection(applicationRoot); + + CallableStatement callstmt = conn.prepareCall("call resultMessageByClass(?, ?)"); + log.debug("Gathering resultMessageByClass ResultSet"); + callstmt.setString(1, classId); + callstmt.setString(2, moduleId); + ResultSet resultSet = callstmt.executeQuery(); + log.debug("resultMessageByClass executed"); + while (resultSet.next()) { + if (resultSet.getString(1).compareTo(userName) == 0) { + if (resultSet.getString(2).compareTo(message) != 0) { + fail("Stored Message does not equal the one set"); + } else { + return; // Pass + } + } + } + fail("Could not find user stored message"); + } + } else { + fail("Could not verify test User"); + } + } + + @Test + public void testSuspendUser() throws SQLException { + String userName = new String("suspendedUser"); + + log.debug("Checking User Name in DB"); + boolean loggedIn = false; + try { + log.debug("Trying to Verify User"); + loggedIn = GetterTest.verifyTestUser(applicationRoot, userName, userName); + } catch (SQLException e) { + 
log.debug("Could not verify. May be suspended. Unsuspending"); + // Might need to unsuspend player + Setter.unSuspendUser(applicationRoot, Getter.getUserIdFromName(applicationRoot, userName)); + // Gotta Sleep for a sec otherwise the time setting for suspension will fail + // test. Must be 1 sec after unsuspend function ran + try { + Thread.sleep(1000); + } catch (InterruptedException e1) { + // Ignore if we're interrupted + log.debug("Sleep was interrupted, continuing anyway..."); + } + loggedIn = GetterTest.verifyTestUser(applicationRoot, userName, userName); + } + if (!loggedIn) { + fail("Could not Verify User"); + } else { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + if (!Setter.suspendUser(applicationRoot, userId, 10)) { + fail("Could not suspend User"); + } else { + String user[] = Getter.authUser(applicationRoot, userName, userName); + if (user == null || user[0].isEmpty()) { + return; // PASS: User Could not Authenticate after suspension + } else { + TestProperties.failAndPrint("Fail: could still authenticate as user after suspension"); + } + } + } + } + + @Test + public void testUnSuspendUser() throws SQLException { + String userName = new String("UnsuspendedUser"); + + log.debug("Checking User Name in DB"); + if (!GetterTest.verifyTestUser(applicationRoot, userName, userName)) { + fail("Could not Verify User"); + } else { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + if (!Setter.suspendUser(applicationRoot, userId, 10)) { + fail("Could not suspend User"); + } else { + if (!Setter.unSuspendUser(applicationRoot, userId)) { + fail("Could not unsusepend user"); + } else { + // Gotta Sleep for a sec, otherwise the time compair will round down and user + // auth will fail. 
User is unsuspended 1 second after unsuspend funciton + try { + Thread.sleep(1000); + } catch (InterruptedException e) { + // Ignore if we're interrupted + log.debug("Sleep was interrupted, continuing anyway..."); + } + String user[] = Getter.authUser(applicationRoot, userName, userName); + if (user == null || user[0].isEmpty()) { + fail("Could not Authenticate after unsuspension"); + } else { + return; // PASS: User Could not Authenticate after unsuspension + } + } + } + } + } + + @Test + public void testUpdateUsername() { + log.debug("Testing update Password"); + String userName = new String("updateUsernameTest"); + String newUsername = new String("newUpdatedUsernameTest"); + + String password = new String("justaTestingPassword"); + + boolean loggedIn = false; + + try { + log.debug("Logging in as test user " + userName); + loggedIn = GetterTest.verifyTestUser(applicationRoot, userName, password); + } catch (SQLException e) { + loggedIn = false; + TestProperties.failAndPrint("Could not log in with default pass: " + e.toString()); + } + if (!loggedIn) { + TestProperties.failAndPrint("Could not sign in as the test user."); + } else { + log.debug("Logged in! 
Updating Username now"); + if (!Setter.updateUsername(applicationRoot, userName, newUsername)) { + TestProperties.failAndPrint("Could not update username."); + } else { + log.debug("Username Updated: " + newUsername + ", testing auth as new name"); + String user[]; + + log.debug("Logging in with new username"); + user = Getter.authUser(applicationRoot, newUsername, password); + + if (user != null && !user[0].isEmpty()) { + log.debug("Pass: Could log in with new username"); + + } else { + TestProperties.failAndPrint("Could not sign in as the test user."); + } + } + } + } + + @Test + public void testUpdatePassword() { + log.debug("Testing update Password"); + String userName = new String("updatePassword"); + String currentPass = new String(); + String newPass = new String(); + boolean loggedIn = false; + + try { + currentPass = userName; + newPass = userName + userName; + log.debug("Logging in with default Pass"); + loggedIn = GetterTest.verifyTestUser(applicationRoot, userName, currentPass); + } catch (SQLException e) { + newPass = userName; + currentPass = userName + userName; + log.debug("Could not log in with default pass: " + e.toString()); + log.debug("Logging in with alternative pass: " + currentPass); + String[] auth = Getter.authUser(applicationRoot, userName, currentPass); + loggedIn = auth != null; + } + if (!loggedIn) { + log.debug("Could not sign in with any pass."); + fail("Could not Verify User"); + } else { + log.debug("Logged in! Updating Password now"); + if (!Setter.updatePassword(applicationRoot, userName, currentPass, newPass)) { + log.debug("Could not update password"); + fail("Could not update password"); + } else { + log.debug("Password Updated. 
Authenticating with new pass: " + newPass); + String[] auth = Getter.authUser(applicationRoot, userName, newPass); + if (auth == null) { + fail("Could Not Auth With New Pass"); + } + + log.debug("Also attempting auth with old pass: " + currentPass); + auth = Getter.authUser(applicationRoot, userName, currentPass); + if (auth != null) { + fail("Could auth with old password!"); + } + } + } + } + + @Test + public void testUpdatePasswordAdmin() { + log.debug("Testing update Password"); + String userName = new String("adminPassUp"); + String currentPass = new String(); + String newPass = new String(); + boolean loggedIn = false; + + try { + currentPass = userName; + newPass = userName + userName; + log.debug("Logging in with default Pass"); + loggedIn = GetterTest.verifyTestUser(applicationRoot, userName, currentPass); + } catch (SQLException e) { + newPass = userName; + currentPass = userName + userName; + log.debug("Could not log in with default pass: " + e.toString()); + log.debug("Logging in with alternative pass: " + currentPass); + String[] auth = Getter.authUser(applicationRoot, userName, currentPass); + loggedIn = auth != null; + } + if (!loggedIn) { + log.debug("Could not sign in with any pass."); + fail("Could not Verify User"); + } else { + log.debug("Logged in! Updating Password now"); + if (!Setter.updatePasswordAdmin( + applicationRoot, Getter.getUserIdFromName(applicationRoot, userName), newPass)) { + log.debug("Could not update password"); + fail("Could not update password"); + } else { + log.debug("Password Updated. 
Authenticating with new pass: " + newPass); + String[] auth = Getter.authUser(applicationRoot, userName, newPass); + if (auth == null) { + fail("Could Not Auth With New Pass"); + } else { + return; // PASS: Authenticated With New Pass + } + } + } + } + + @Test + public void testUpdatePlayerClass() throws SQLException { + String userName = new String("UpdateClassUser"); + String className = new String("Old Class"); + String otherClassName = new String("Other Class"); + String classId = new String(); + String otherClassId = new String(); + String newClass = new String(); + + log.debug("Getting class ids"); + classId = GetterTest.findCreateClassId(className, applicationRoot); + otherClassId = GetterTest.findCreateClassId(otherClassName, applicationRoot); + log.debug("Verifying User"); + if (!GetterTest.verifyTestUser(applicationRoot, userName, userName, classId)) { + fail("Could not verify user"); + } else { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + String currentClass = Getter.getUserClassFromName(applicationRoot, userName); + newClass = otherClassId; + + log.debug("Current Class: " + currentClass); + log.debug("New Class: " + newClass); + if (!Setter.updatePlayerClass(applicationRoot, newClass, userId).equalsIgnoreCase(userName)) { + fail("Could not update player class"); + } else { + String latestClass = Getter.getUserClassFromName(applicationRoot, userName); + if (latestClass.compareTo(newClass) != 0) { + log.debug("Latest Class: " + latestClass); + log.debug("New Class: " + newClass); + fail("Retrieved Class is not the Set Class"); + } else { + return; // PASS + } + } + } + } + + @Test + public void testUpdatePlayerClassToNull() throws SQLException { + String userName = new String("UpdateClassUserFromNull"); + String className = new String("WutClass"); + String classId = new String(); + + log.debug("Getting class ids"); + try { + classId = GetterTest.findCreateClassId(className, applicationRoot); + } catch (SQLException e) { + 
TestProperties.failAndPrint( + "Could not find or create class ID from name " + className + ": " + e.toString()); + } + if (!GetterTest.verifyTestUser(applicationRoot, userName, userName, classId)) { + fail("Could not verify user"); + } else { + String userId = Getter.getUserIdFromName(applicationRoot, userName); + String currentClass = Getter.getUserClassFromName(applicationRoot, userName); + log.debug("Current Class: " + currentClass); + if (!Setter.updatePlayerClassToNull(applicationRoot, userId).equalsIgnoreCase(userName)) { + fail("Could not update player class to null"); + } else { + String latestClass = Getter.getUserClassFromName(applicationRoot, userName); + if (latestClass == null || latestClass.isEmpty()) { + return; // PASS + } else { + log.debug("Latest Class: " + latestClass); + fail("Retrieved Class is not null"); + } + } + } + } + + @Test + public void testUpdateUserRole() throws SQLException { + String userName = new String("WasUserNowAdmin"); + String currentRole = new String(); + String newRole = new String(); + boolean testUserVerified = false; + + try { + testUserVerified = GetterTest.verifyTestUser(applicationRoot, userName, userName); + } catch (SQLException e) { + TestProperties.failAndPrint("Could not create test user " + userName + ": " + e.toString()); + } + + assertTrue(testUserVerified); + + Connection conn = Database.getCoreConnection(applicationRoot); + PreparedStatement ps = null; + try { + ps = conn.prepareStatement("SELECT userRole FROM users WHERE userName = ?"); + } catch (SQLException e) { + TestProperties.failAndPrint("Could prepare DB statement : " + e.toString()); + } + + assertNotEquals(ps, null); + + try { + ps.setString(1, userName); + } catch (SQLException e) { + TestProperties.failAndPrint("Could set statement username " + userName + ": " + e.toString()); + } + + ResultSet rs = null; + try { + rs = ps.executeQuery(); + } catch (SQLException e) { + TestProperties.failAndPrint("Could execute DB Query : " + e.toString()); + 
} + + assertNotEquals(rs, null); + + boolean couldAdvance = false; + + try { + couldAdvance = rs.next(); + } catch (SQLException e) { + TestProperties.failAndPrint("Could not advance in result set : " + e.toString()); + } + + assertTrue(couldAdvance); + + if (couldAdvance) { + try { + currentRole = rs.getString(1); + } catch (SQLException e) { + TestProperties.failAndPrint("Could not get currentRole from result set: " + e.toString()); + } + if (currentRole.equalsIgnoreCase("admin")) { + log.debug("User is currently an admin. Changing to player"); + newRole = new String("player"); + } else { + log.debug("User is currently a player. Changing to admin"); + newRole = new String("admin"); + } + } else { + fail("User not found in DB after it was created"); + } + try { + rs.close(); + } catch (SQLException e) { + TestProperties.failAndPrint("Could not close result set: " + e.toString()); + } + try { + conn.close(); + } catch (SQLException e) { + TestProperties.failAndPrint("Could not close db connection: " + e.toString()); + } + String userId = Getter.getUserIdFromName(applicationRoot, userName); + if (!Setter.updateUserRole(applicationRoot, userId, newRole).equalsIgnoreCase(userName)) { + fail("Could not update user role from " + currentRole + " to " + newRole); + } else { + log.debug("Checking if change occurred"); + conn = Database.getCoreConnection(applicationRoot); + try { + ps = conn.prepareStatement("SELECT userRole FROM users WHERE userName = ?"); + } catch (SQLException e) { + TestProperties.failAndPrint("Could not prepare DB statement: " + e.toString()); + } + try { + ps.setString(1, userName); + } catch (SQLException e) { + TestProperties.failAndPrint("Could not set string in DB statement: " + e.toString()); + } + try { + rs = ps.executeQuery(); + } catch (SQLException e) { + TestProperties.failAndPrint("Could not execute DB query: " + e.toString()); + } + + couldAdvance = false; + + try { + couldAdvance = rs.next(); + } catch (SQLException e) { + 
TestProperties.failAndPrint("Could not advance in result set: " + e.toString()); + } + + assertTrue(couldAdvance); + String returnedRole = ""; + + try { + returnedRole = rs.getString(1); + } catch (SQLException e) { + TestProperties.failAndPrint( + "Could not get returned string from db result: " + e.toString()); + } + + assertNotEquals(returnedRole, ""); + + if (!newRole.equalsIgnoreCase(returnedRole)) { + fail("User Role was not updated in DB"); + } + + try { + rs.close(); + conn.close(); + } catch (SQLException e) { + TestProperties.failAndPrint("Could not close DB connection: " + e.toString()); + } + } + } + + @Test + public void testMutipleClassMedals() { + String moduleId = "853c98bd070fe0d31f1ec8b4f2ada9d7fd1784c5"; // CSRF7 + String userName = new String("classUserOne"); + String otherUserName = new String("difClassUserTwo"); + + String classOne = ""; + try { + classOne = TestProperties.findCreateClassId(log, "classA2737", applicationRoot); + } catch (SQLException e) { + TestProperties.failAndPrint("Could not create class classA2737: " + e.toString()); + } + + assertNotEquals(classOne, ""); + + String classTwo = ""; + try { + classTwo = TestProperties.findCreateClassId(log, "classB2737", applicationRoot); + } catch (SQLException e) { + TestProperties.failAndPrint("Could not create class classB2737: " + e.toString()); + } + assertNotEquals(classTwo, ""); + + log.debug("classOne: " + classOne); + log.debug("classTwo: " + classTwo); + + boolean firstTestUserVerified = false; + try { + firstTestUserVerified = + TestProperties.verifyTestUser(log, applicationRoot, userName, userName, classOne); + } catch (SQLException e) { + TestProperties.failAndPrint( + "Unhandled exception when verifying test user " + userName + ": " + e.toString()); + } + + assertTrue(firstTestUserVerified); + + boolean secondTestUserVerified = false; + try { + secondTestUserVerified = + TestProperties.verifyTestUser( + log, applicationRoot, otherUserName, otherUserName, classTwo); + } catch 
(SQLException e) { + TestProperties.failAndPrint( + "Unhandled exception when verifying test user " + otherUserName + ": " + e.toString()); + } + + assertTrue(secondTestUserVerified); + + String userId = Getter.getUserIdFromName(applicationRoot, userName); + String otherUserId = Getter.getUserIdFromName(applicationRoot, otherUserName); + + boolean modulesOpened = Setter.openAllModules(applicationRoot, false); + + if (!modulesOpened) { + TestProperties.failAndPrint("Could not mark all modules as open"); + } + + // Simulate user Opening Level + if (Getter.getModuleAddress(applicationRoot, moduleId, userId).isEmpty() + || Getter.getModuleAddress(applicationRoot, moduleId, otherUserId).isEmpty()) { + fail("Could not Simulate Opening Level for Users"); + } else { + String markLevelCompleteTest = + Setter.updatePlayerResult( + applicationRoot, moduleId, userId, "Feedback is Disabled", 1, 1, 1); + if (markLevelCompleteTest != null) { + String markLevelCompleteTestOtherUser = + Setter.updatePlayerResult( + applicationRoot, moduleId, otherUserId, "Feedback is Disabled", 1, 1, 1); + // Do both Users have a gold medal? 
+ if (markLevelCompleteTestOtherUser != null) { + ScoreboardStatus.setScoreboardOpen(); + String scoreboardData = Getter.getJsonScore(applicationRoot, ""); + if (scoreboardData.isEmpty()) { + fail("Could not detect user in scoreboard before bad submission test"); + } else { + JSONArray scoreboardJson = (JSONArray) JSONValue.parse(scoreboardData); + // Loop through array to find Our first user + boolean goldMedal = false; + for (int i = 0; i < scoreboardJson.size(); i++) { + // log.debug("Looping through Array " + i); + JSONObject scoreRowJson = (JSONObject) scoreboardJson.get(i); + if (scoreRowJson.get("username").toString().compareTo(userName) == 0) { + log.debug("Found user with goldMedalCount: " + scoreRowJson.get("goldMedalCount")); + goldMedal = Integer.parseInt(scoreRowJson.get("goldMedalCount").toString()) > 0; + break; + } + } + if (!goldMedal) { + TestProperties.failAndPrint( + "User " + + userName + + " should have a gold medal and does not. They were first in their class to" + + " complete module " + + moduleId); + } else { + // Search for the other user + goldMedal = false; + for (int i = 0; i < scoreboardJson.size(); i++) { + // log.debug("Looping through Array " + i); + JSONObject scoreRowJson = (JSONObject) scoreboardJson.get(i); + if (scoreRowJson.get("username").toString().compareTo(otherUserName) == 0) { + log.debug( + "Found user with goldMedalCount: " + scoreRowJson.get("goldMedalCount")); + goldMedal = Integer.parseInt(scoreRowJson.get("goldMedalCount").toString()) > 0; + break; + } + } + if (!goldMedal) { + TestProperties.failAndPrint( + "User " + + otherUserName + + " should have a gold medal and does not. 
They were first in their class" + + " to complete challenge " + + moduleId); + } + } + } + } else { + fail("Could not Mark First level as complete for Second User"); + } + } else { + fail("Could not Mark First level as complete"); + } + } + } + + @Test + public void testUserDelete() { + String testUsername = "testuserdelete"; + String testPassword = "testuserpassword"; + + String testuserId = Getter.getUserIdFromName(applicationRoot, testUsername); + + if (testuserId == null || testuserId.isEmpty()) { + boolean userCreated = false; + try { + userCreated = + Setter.userCreate( + applicationRoot, + null, + testUsername, + testUsername, + "player", + testUsername + "@test.com", + false); + } catch (SQLException e) { + TestProperties.failAndPrint( + "Could not create test user " + + testUsername + + " with password " + + testPassword + + ": " + + e.toString()); + } + assert (userCreated); + } + + testuserId = Getter.getUserIdFromName(applicationRoot, testUsername); + assert (testuserId != null && !testuserId.isEmpty()); + + boolean userDeleted = false; + try { + userDeleted = Setter.userDelete(applicationRoot, testuserId); + } catch (SQLException e) { + TestProperties.failAndPrint( + "Could not delete test user " + testUsername + ": " + e.toString()); + } + assert (userDeleted); + + testuserId = Getter.getUserIdFromName(applicationRoot, testUsername); + assert (testuserId == null || testuserId.isEmpty()); + } + + @Test + public void testSSOUserDelete() { + String testUsername = "testSSOuserdelete"; + String testSSOName = "testSSOuserdelete@example.com"; + + String testuserId; + + String user[]; + + user = Getter.authUserSSO(applicationRoot, null, testUsername, testSSOName, "player"); + + if (user == null || user[0].isEmpty()) { + TestProperties.failAndPrint("Could not authenticate as newly created SSO user"); + } else { + log.debug("PASS: User Could Authenticate after being created"); + } + + boolean userDeleted = false; + try { + userDeleted = 
Setter.userDelete(applicationRoot, user[0]); + } catch (SQLException e) { + TestProperties.failAndPrint( + "Could not delete test user " + testUsername + ": " + e.toString()); + } + assert (userDeleted); + + testuserId = Getter.getUserIdFromName(applicationRoot, testUsername); + assert (testuserId == null || testuserId.isEmpty()); + } + + @Test + public void testCreateDuplicateUser() { + String userName = new String("duplicateUser"); + + String user[] = Getter.authUser(applicationRoot, userName, userName); + if (user == null || user[0].isEmpty()) { + log.debug("User not found in DB. Adding user to DB and Retesting before giving up"); + try { + Setter.userCreate( + applicationRoot, null, userName, userName, "player", userName + "@test.com", false); + } catch (SQLException e) { + TestProperties.failAndPrint( + "SQL error when creating user " + userName + ": " + e.toString()); + } + user = Getter.authUser(applicationRoot, userName, userName); + } + if (user != null && !user[0].isEmpty()) { + log.debug("User " + userName + " exists. 
Checking what happens if duplicate user is added"); + try { + + // Should fail here + Setter.userCreate( + applicationRoot, null, userName, userName, "player", userName + "@test.com", false); + + // If we're still here + TestProperties.failAndPrint("No error when creating duplicate user " + userName); + } catch (SQLException e) { + log.debug("PASS: Could not add duplicate user " + userName); + } + + } else { + TestProperties.failAndPrint("Couldn't verify " + userName + " could authenticate at all"); + } + } + + @Test + public void testDisableAdminCheatSheetSetting() throws SQLException { + + Setter.setAdminCheatStatus(applicationRoot, false); + assertFalse(Getter.getAdminCheatStatus(applicationRoot)); + } + + @Test + public void testDisablePlayerCheatSheetSetting() throws SQLException { - Setter.setModuleLayout(applicationRoot, "Open"); + Setter.setPlayerCheatStatus(applicationRoot, false); + assertFalse(Getter.getPlayerCheatStatus(applicationRoot)); + } - } + @Test + public void testEnableAdminCheatSheetSetting() throws SQLException { - @Test - public void testEnableFeedbackStatus() throws SQLException { + Setter.setAdminCheatStatus(applicationRoot, true); + assertTrue(Getter.getAdminCheatStatus(applicationRoot)); + } - Setter.setFeedbackStatus(applicationRoot, false); - Setter.setFeedbackStatus(applicationRoot, true); + @Test + public void testEnablePlayerCheatSheetSetting() throws SQLException { - assertTrue(Getter.getFeedbackStatus(applicationRoot)); + Setter.setPlayerCheatStatus(applicationRoot, true); + assertTrue(Getter.getPlayerCheatStatus(applicationRoot)); + } - } + @Test + public void testSetOpenFloorLayout() throws SQLException { - @Test - public void testDisableFeedbackStatus() throws SQLException { + Setter.setModuleLayout(applicationRoot, "tournament"); + Setter.setModuleLayout(applicationRoot, "open"); - Setter.setFeedbackStatus(applicationRoot, true); - Setter.setFeedbackStatus(applicationRoot, false); + 
assertEquals(Getter.getModuleLayout(applicationRoot), "open"); + } - assertFalse(Getter.getFeedbackStatus(applicationRoot)); + @Test + public void testSetCTFLayout() throws SQLException { - } + Setter.setModuleLayout(applicationRoot, "open"); + Setter.setModuleLayout(applicationRoot, "ctf"); + assertEquals(Getter.getModuleLayout(applicationRoot), "ctf"); + } - @Test - public void testEnableRegistrationStatus() throws SQLException { + @Test + public void testSetTournamentLayout() throws SQLException { - Setter.setRegistrationStatus(applicationRoot, false); - Setter.setRegistrationStatus(applicationRoot, true); + Setter.setModuleLayout(applicationRoot, "ctf"); + Setter.setModuleLayout(applicationRoot, "tournament"); - assertTrue(Getter.getRegistrationStatus(applicationRoot)); + assertEquals(Getter.getModuleLayout(applicationRoot), "tournament"); + } - } + @Test(expected = IllegalArgumentException.class) + public void testEmptyModuleLayouts() throws SQLException { - @Test - public void testDisableRegistrationStatus() throws SQLException { + Setter.setModuleLayout(applicationRoot, ""); + } - Setter.setRegistrationStatus(applicationRoot, true); - Setter.setRegistrationStatus(applicationRoot, false); + @Test(expected = IllegalArgumentException.class) + public void testInvalidModuleLayouts() throws SQLException { - assertFalse(Getter.getRegistrationStatus(applicationRoot)); + Setter.setModuleLayout(applicationRoot, "strangeLayout"); + } - } + @Test(expected = IllegalArgumentException.class) + public void testInvalidCaseCTFModuleLayouts() throws SQLException { - @Test - public void testSetClosedScoreboard() throws SQLException { + Setter.setModuleLayout(applicationRoot, "CTF"); + } - Setter.setScoreboardStatus(applicationRoot, "closed"); + @Test(expected = IllegalArgumentException.class) + public void testInvalidCaseOpenModuleLayouts() throws SQLException { - assertEquals(Getter.getScoreboardStatus(applicationRoot), "closed"); + Setter.setModuleLayout(applicationRoot, 
"Open"); + } - } + @Test + public void testEnableFeedbackStatus() throws SQLException { - @Test - public void testSetAdminOnlyScoreboard() throws SQLException { + Setter.setFeedbackStatus(applicationRoot, false); + Setter.setFeedbackStatus(applicationRoot, true); - Setter.setScoreboardStatus(applicationRoot, "adminOnly"); + assertTrue(Getter.getFeedbackStatus(applicationRoot)); + } - assertEquals(Getter.getScoreboardStatus(applicationRoot), "adminOnly"); + @Test + public void testDisableFeedbackStatus() throws SQLException { - } + Setter.setFeedbackStatus(applicationRoot, true); + Setter.setFeedbackStatus(applicationRoot, false); - @Test - public void testSetClassSpecificScoreboard() throws SQLException { + assertFalse(Getter.getFeedbackStatus(applicationRoot)); + } - Setter.setScoreboardStatus(applicationRoot, "classSpecific"); + @Test + public void testEnableRegistrationStatus() throws SQLException { - assertEquals(Getter.getScoreboardStatus(applicationRoot), "classSpecific"); + Setter.setRegistrationStatus(applicationRoot, false); + Setter.setRegistrationStatus(applicationRoot, true); - } + assertTrue(Getter.getRegistrationStatus(applicationRoot)); + } - @Test - public void testSetOpenScoreboard() throws SQLException { + @Test + public void testDisableRegistrationStatus() throws SQLException { - Setter.setScoreboardStatus(applicationRoot, "open"); + Setter.setRegistrationStatus(applicationRoot, true); + Setter.setRegistrationStatus(applicationRoot, false); - assertEquals(Getter.getScoreboardStatus(applicationRoot), "open"); + assertFalse(Getter.getRegistrationStatus(applicationRoot)); + } - } + @Test + public void testSetClosedScoreboard() throws SQLException { - @Test - public void testSetPublicScoreboard() throws SQLException { + Setter.setScoreboardStatus(applicationRoot, "closed"); - Setter.setScoreboardStatus(applicationRoot, "public"); + assertEquals(Getter.getScoreboardStatus(applicationRoot), "closed"); + } - 
assertEquals(Getter.getScoreboardStatus(applicationRoot), "public"); + @Test + public void testSetAdminOnlyScoreboard() throws SQLException { - } + Setter.setScoreboardStatus(applicationRoot, "adminOnly"); - @Test(expected = IllegalArgumentException.class) - public void testEmptyScoreboardStatus() throws SQLException { + assertEquals(Getter.getScoreboardStatus(applicationRoot), "adminOnly"); + } - Setter.setScoreboardStatus(applicationRoot, ""); + @Test + public void testSetClassSpecificScoreboard() throws SQLException { - } + Setter.setScoreboardStatus(applicationRoot, "classSpecific"); - @Test(expected = IllegalArgumentException.class) - public void testInvalidScoreboardStatus() throws SQLException { + assertEquals(Getter.getScoreboardStatus(applicationRoot), "classSpecific"); + } - Setter.setScoreboardStatus(applicationRoot, "invalidStatus"); + @Test + public void testSetOpenScoreboard() throws SQLException { - } + Setter.setScoreboardStatus(applicationRoot, "open"); - @Test - public void testSetScoreboardClass() throws SQLException { + assertEquals(Getter.getScoreboardStatus(applicationRoot), "open"); + } - Setter.setScoreboardClass(applicationRoot, ""); + @Test + public void testSetPublicScoreboard() throws SQLException { - assertEquals(Getter.getScoreboardClass(applicationRoot), ""); + Setter.setScoreboardStatus(applicationRoot, "public"); - Setter.setScoreboardClass(applicationRoot, "class1"); + assertEquals(Getter.getScoreboardStatus(applicationRoot), "public"); + } - assertEquals(Getter.getScoreboardClass(applicationRoot), "class1"); + @Test(expected = IllegalArgumentException.class) + public void testEmptyScoreboardStatus() throws SQLException { - Setter.setScoreboardClass(applicationRoot, "class2"); + Setter.setScoreboardStatus(applicationRoot, ""); + } - assertEquals(Getter.getScoreboardClass(applicationRoot), "class2"); + @Test(expected = IllegalArgumentException.class) + public void testInvalidScoreboardStatus() throws SQLException { - 
Setter.setScoreboardClass(applicationRoot, "class3"); + Setter.setScoreboardStatus(applicationRoot, "invalidStatus"); + } - assertEquals(Getter.getScoreboardClass(applicationRoot), "class3"); + @Test + public void testSetScoreboardClass() throws SQLException { - } + Setter.setScoreboardClass(applicationRoot, ""); - @Test - public void testSetStartTimeStatus() throws SQLException { + assertEquals(Getter.getScoreboardClass(applicationRoot), ""); - Setter.setStartTimeStatus(applicationRoot, false); - Setter.setStartTimeStatus(applicationRoot, true); + Setter.setScoreboardClass(applicationRoot, "class1"); - assertTrue(Getter.getStartTimeStatus(applicationRoot)); + assertEquals(Getter.getScoreboardClass(applicationRoot), "class1"); - Setter.setStartTimeStatus(applicationRoot, true); - Setter.setStartTimeStatus(applicationRoot, false); + Setter.setScoreboardClass(applicationRoot, "class2"); - assertFalse(Getter.getStartTimeStatus(applicationRoot)); + assertEquals(Getter.getScoreboardClass(applicationRoot), "class2"); - } + Setter.setScoreboardClass(applicationRoot, "class3"); - @Test - public void testSetStartTime() throws SQLException { + assertEquals(Getter.getScoreboardClass(applicationRoot), "class3"); + } - Setter.setStartTime(applicationRoot, LocalDateTime.parse("2018-11-03T12:45:30")); - assertEquals(Getter.getStartTime(applicationRoot), LocalDateTime.parse("2018-11-03T12:45:30")); + @Test + public void testSetStartTimeStatus() throws SQLException { - Setter.setStartTime(applicationRoot, LocalDateTime.parse("2118-11-03T12:45:30")); - assertEquals(Getter.getStartTime(applicationRoot), LocalDateTime.parse("2118-11-03T12:45:30")); + Setter.setStartTimeStatus(applicationRoot, false); + Setter.setStartTimeStatus(applicationRoot, true); - } + assertTrue(Getter.getStartTimeStatus(applicationRoot)); - @Test - public void testSetLockTimeStatus() throws SQLException { + Setter.setStartTimeStatus(applicationRoot, true); + Setter.setStartTimeStatus(applicationRoot, false); - 
Setter.setLockTimeStatus(applicationRoot, false); - Setter.setLockTimeStatus(applicationRoot, true); + assertFalse(Getter.getStartTimeStatus(applicationRoot)); + } - assertTrue(Getter.getLockTimeStatus(applicationRoot)); + @Test + public void testSetStartTime() throws SQLException { - Setter.setLockTimeStatus(applicationRoot, true); - Setter.setLockTimeStatus(applicationRoot, false); + Setter.setStartTime(applicationRoot, LocalDateTime.parse("2018-11-03T12:45:30")); + assertEquals(Getter.getStartTime(applicationRoot), LocalDateTime.parse("2018-11-03T12:45:30")); - assertFalse(Getter.getLockTimeStatus(applicationRoot)); + Setter.setStartTime(applicationRoot, LocalDateTime.parse("2118-11-03T12:45:30")); + assertEquals(Getter.getStartTime(applicationRoot), LocalDateTime.parse("2118-11-03T12:45:30")); + } - } + @Test + public void testSetLockTimeStatus() throws SQLException { - @Test - public void testSetLockTime() throws SQLException { + Setter.setLockTimeStatus(applicationRoot, false); + Setter.setLockTimeStatus(applicationRoot, true); - Setter.setLockTime(applicationRoot, LocalDateTime.parse("2018-11-03T12:45:30")); - assertEquals(Getter.getLockTime(applicationRoot), LocalDateTime.parse("2018-11-03T12:45:30")); + assertTrue(Getter.getLockTimeStatus(applicationRoot)); - Setter.setLockTime(applicationRoot, LocalDateTime.parse("2118-11-03T12:45:30")); - assertEquals(Getter.getLockTime(applicationRoot), LocalDateTime.parse("2118-11-03T12:45:30")); + Setter.setLockTimeStatus(applicationRoot, true); + Setter.setLockTimeStatus(applicationRoot, false); - } + assertFalse(Getter.getLockTimeStatus(applicationRoot)); + } - @Test - public void testSetEndTimeStatus() throws SQLException { + @Test + public void testSetLockTime() throws SQLException { - Setter.setEndTimeStatus(applicationRoot, false); - Setter.setEndTimeStatus(applicationRoot, true); + Setter.setLockTime(applicationRoot, LocalDateTime.parse("2018-11-03T12:45:30")); + 
assertEquals(Getter.getLockTime(applicationRoot), LocalDateTime.parse("2018-11-03T12:45:30")); - assertTrue(Getter.getEndTimeStatus(applicationRoot)); + Setter.setLockTime(applicationRoot, LocalDateTime.parse("2118-11-03T12:45:30")); + assertEquals(Getter.getLockTime(applicationRoot), LocalDateTime.parse("2118-11-03T12:45:30")); + } - Setter.setEndTimeStatus(applicationRoot, true); - Setter.setEndTimeStatus(applicationRoot, false); + @Test + public void testSetEndTimeStatus() throws SQLException { - assertFalse(Getter.getEndTimeStatus(applicationRoot)); + Setter.setEndTimeStatus(applicationRoot, false); + Setter.setEndTimeStatus(applicationRoot, true); - } + assertTrue(Getter.getEndTimeStatus(applicationRoot)); - @Test - public void testSetEndTime() throws SQLException { + Setter.setEndTimeStatus(applicationRoot, true); + Setter.setEndTimeStatus(applicationRoot, false); - Setter.setEndTime(applicationRoot, LocalDateTime.parse("2018-11-03T12:45:30")); + assertFalse(Getter.getEndTimeStatus(applicationRoot)); + } - assertEquals(Getter.getEndTime(applicationRoot), LocalDateTime.parse("2018-11-03T12:45:30")); + @Test + public void testSetEndTime() throws SQLException { - Setter.setEndTime(applicationRoot, LocalDateTime.parse("2118-11-03T12:45:30")); + Setter.setEndTime(applicationRoot, LocalDateTime.parse("2018-11-03T12:45:30")); - assertEquals(Getter.getEndTime(applicationRoot), LocalDateTime.parse("2118-11-03T12:45:30")); + assertEquals(Getter.getEndTime(applicationRoot), LocalDateTime.parse("2018-11-03T12:45:30")); - } + Setter.setEndTime(applicationRoot, LocalDateTime.parse("2118-11-03T12:45:30")); + assertEquals(Getter.getEndTime(applicationRoot), LocalDateTime.parse("2118-11-03T12:45:30")); + } } diff --git a/src/test/java/testUtils/TestCountdownHandler.java b/src/test/java/testUtils/TestCountdownHandler.java index 014c4c478..6be8cb0fa 100644 --- a/src/test/java/testUtils/TestCountdownHandler.java +++ b/src/test/java/testUtils/TestCountdownHandler.java 
@@ -1,14 +1,5 @@ package testUtils; -import org.apache.logging.log4j.Logger; -import org.apache.logging.log4j.LogManager; -import org.junit.BeforeClass; -import org.junit.jupiter.api.Test; - -import utils.CountdownHandler; -import utils.InvalidCountdownStateException; -import testUtils.TestProperties; - import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; 
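Review bot: The import block this hunk rearranges still leaves the class mixing JUnit 4 and JUnit 5: the `org.junit.Assert` static imports and `org.junit.BeforeClass` stay, while `org.junit.jupiter.api.Test` is only moved (it reappears in the next hunk) rather than replaced with `import org.junit.Test;`. Which half is honoured depends on the engine the build wires in, and I cannot see that from the patch: under a JUnit 4 runner the Jupiter-annotated methods are presumably not discovered at all, and under Jupiter the `@BeforeClass` database reset would not run, so the countdown tests would execute against whatever DB state an earlier class left behind. Since this file is the one that resets the database for the countdown tests, silently skipping either half defeats the regression coverage; pick one framework (JUnit 4 throughout, or `org.junit.jupiter.api.BeforeAll` plus Jupiter assertions) and keep the whole file on it.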
@@ -17,390 +8,381 @@ import java.io.IOException; import java.sql.SQLException; import java.time.LocalDateTime; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.junit.BeforeClass; +import org.junit.jupiter.api.Test; +import utils.CountdownHandler; +import utils.InvalidCountdownStateException; public class TestCountdownHandler { - private static final Logger log = LogManager.getLogger(TestCountdownHandler.class); - - /** - * Creates DB or Restores DB to Factory Defaults before running tests - */ - @BeforeClass - public static void resetDatabase() throws IOException, SQLException { - TestProperties.setTestPropertiesFileDirectory(log); - - TestProperties.createMysqlResource(); - - TestProperties.executeSql(log); - } - - @Test - public void countdownHandler_SetCorrectStartTime() { - LocalDateTime testTime = LocalDateTime.now(); - - CountdownHandler.setStartTime(testTime); - - assertEquals(testTime, CountdownHandler.getStartTime()); - - testTime = LocalDateTime.parse("2020-01-01T12:00:00"); - - CountdownHandler.setStartTime(testTime); - - assertEquals(testTime, CountdownHandler.getStartTime()); - - testTime = LocalDateTime.parse("1980-01-01T12:00:00"); - - CountdownHandler.setStartTime(testTime); - - assertEquals(testTime, CountdownHandler.getStartTime()); - } - - @Test - public void countdownHandler_SetCorrectLockTime() { - LocalDateTime testTime = LocalDateTime.now(); - - CountdownHandler.setLockTime(testTime); - - assertEquals(testTime, CountdownHandler.getLockTime()); - - testTime = LocalDateTime.parse("2020-01-01T12:00:00"); - - CountdownHandler.setLockTime(testTime); - - assertEquals(testTime, CountdownHandler.getLockTime()); - - testTime = LocalDateTime.parse("1980-01-01T12:00:00"); - - CountdownHandler.setLockTime(testTime); - - assertEquals(testTime, CountdownHandler.getLockTime()); - } - - @Test - public void countdownHandler_SetCorrectEndTime() { - LocalDateTime testTime = LocalDateTime.now(); - - 
CountdownHandler.setEndTime(testTime); - - assertEquals(testTime, CountdownHandler.getEndTime()); - testTime = LocalDateTime.parse("2020-01-01T12:00:00"); + private static final Logger log = LogManager.getLogger(TestCountdownHandler.class); - CountdownHandler.setEndTime(testTime); + /** Creates DB or Restores DB to Factory Defaults before running tests */ + @BeforeClass + public static void resetDatabase() throws IOException, SQLException { + TestProperties.setTestPropertiesFileDirectory(log); - assertEquals(testTime, CountdownHandler.getEndTime()); + TestProperties.createMysqlResource(); - testTime = LocalDateTime.parse("1980-01-01T12:00:00"); + TestProperties.executeSql(log); + } - CountdownHandler.setEndTime(testTime); + @Test + public void countdownHandler_SetCorrectStartTime() { + LocalDateTime testTime = LocalDateTime.now(); - assertEquals(testTime, CountdownHandler.getEndTime()); - } + CountdownHandler.setStartTime(testTime); - @Test - public void countdownHandler_compareStartTime() { + assertEquals(testTime, CountdownHandler.getStartTime()); - LocalDateTime testTime = LocalDateTime.now().minusMinutes(5); + testTime = LocalDateTime.parse("2020-01-01T12:00:00"); - CountdownHandler.setStartTime(testTime); - assertTrue(CountdownHandler.isStarted()); - CountdownHandler.disableStartTime(); - assertFalse(CountdownHandler.isStarted()); + CountdownHandler.setStartTime(testTime); - testTime = LocalDateTime.now().minusYears(5); + assertEquals(testTime, CountdownHandler.getStartTime()); - CountdownHandler.setStartTime(testTime); - assertTrue(CountdownHandler.isStarted()); - CountdownHandler.disableStartTime(); - assertFalse(CountdownHandler.isStarted()); + testTime = LocalDateTime.parse("1980-01-01T12:00:00"); - testTime = LocalDateTime.now().plusMinutes(5); + CountdownHandler.setStartTime(testTime); - CountdownHandler.setStartTime(testTime); - assertFalse(CountdownHandler.isStarted()); - testTime = LocalDateTime.now().plusYears(5); - 
CountdownHandler.setStartTime(testTime); - assertFalse(CountdownHandler.isStarted()); + assertEquals(testTime, CountdownHandler.getStartTime()); + } - } + @Test + public void countdownHandler_SetCorrectLockTime() { + LocalDateTime testTime = LocalDateTime.now(); - @Test - public void countdownHandler_compareLockTime() { + CountdownHandler.setLockTime(testTime); - LocalDateTime testTime = LocalDateTime.now().minusMinutes(5); + assertEquals(testTime, CountdownHandler.getLockTime()); - CountdownHandler.setLockTime(testTime); - assertTrue(CountdownHandler.isLocked()); - CountdownHandler.disableLockTime(); - assertFalse(CountdownHandler.isLocked()); + testTime = LocalDateTime.parse("2020-01-01T12:00:00"); - testTime = LocalDateTime.now().minusYears(5); - CountdownHandler.setLockTime(testTime); - assertTrue(CountdownHandler.isLocked()); - CountdownHandler.disableLockTime(); - assertFalse(CountdownHandler.isLocked()); + CountdownHandler.setLockTime(testTime); - testTime = LocalDateTime.now().plusMinutes(5); + assertEquals(testTime, CountdownHandler.getLockTime()); - CountdownHandler.setLockTime(testTime); - assertFalse(CountdownHandler.isLocked()); - testTime = LocalDateTime.now().plusYears(5); - CountdownHandler.setLockTime(testTime); - assertFalse(CountdownHandler.isLocked()); + testTime = LocalDateTime.parse("1980-01-01T12:00:00"); - } + CountdownHandler.setLockTime(testTime); - @Test - public void countdownHandler_compareEndTime() { + assertEquals(testTime, CountdownHandler.getLockTime()); + } - LocalDateTime testTime = LocalDateTime.now().minusMinutes(5); + @Test + public void countdownHandler_SetCorrectEndTime() { + LocalDateTime testTime = LocalDateTime.now(); - CountdownHandler.setEndTime(testTime); - assertTrue(CountdownHandler.hasEnded()); - CountdownHandler.disableEndTime(); - assertFalse(CountdownHandler.hasEnded()); + CountdownHandler.setEndTime(testTime); - testTime = LocalDateTime.now().minusYears(5); - CountdownHandler.setEndTime(testTime); - 
assertTrue(CountdownHandler.hasEnded()); - CountdownHandler.disableEndTime(); - assertFalse(CountdownHandler.hasEnded()); + assertEquals(testTime, CountdownHandler.getEndTime()); - testTime = LocalDateTime.now().plusMinutes(5); + testTime = LocalDateTime.parse("2020-01-01T12:00:00"); - CountdownHandler.setEndTime(testTime); - assertFalse(CountdownHandler.hasEnded()); - testTime = LocalDateTime.now().plusYears(5); - CountdownHandler.setEndTime(testTime); - assertFalse(CountdownHandler.hasEnded()); + CountdownHandler.setEndTime(testTime); - } + assertEquals(testTime, CountdownHandler.getEndTime()); - @Test - public void countdownHandler_TestIsOpen() throws InvalidCountdownStateException { + testTime = LocalDateTime.parse("1980-01-01T12:00:00"); - LocalDateTime longPastTime = LocalDateTime.now().minusMinutes(10); - LocalDateTime shortPastTime = LocalDateTime.now().minusMinutes(5); - LocalDateTime shortFutureTime = LocalDateTime.now().plusMinutes(5); - LocalDateTime longFutureTime = LocalDateTime.now().plusMinutes(10); + CountdownHandler.setEndTime(testTime); - CountdownHandler.setStartTime(longPastTime); - CountdownHandler.setLockTime(shortFutureTime); - CountdownHandler.setEndTime(longFutureTime); + assertEquals(testTime, CountdownHandler.getEndTime()); + } - assertTrue(CountdownHandler.isOpen()); - CountdownHandler.disableStartTime(); - assertTrue(CountdownHandler.isOpen()); - CountdownHandler.disableLockTime(); - assertTrue(CountdownHandler.isOpen()); - CountdownHandler.disableEndTime(); - assertTrue(CountdownHandler.isOpen()); + @Test + public void countdownHandler_compareStartTime() { - CountdownHandler.setStartTime(longPastTime); - CountdownHandler.setLockTime(shortPastTime); - CountdownHandler.setEndTime(longFutureTime); + LocalDateTime testTime = LocalDateTime.now().minusMinutes(5); - assertTrue(CountdownHandler.isOpen()); - CountdownHandler.disableStartTime(); - assertTrue(CountdownHandler.isOpen()); - CountdownHandler.disableLockTime(); - 
assertTrue(CountdownHandler.isOpen()); - CountdownHandler.disableEndTime(); - assertTrue(CountdownHandler.isOpen()); + CountdownHandler.setStartTime(testTime); + assertTrue(CountdownHandler.isStarted()); + CountdownHandler.disableStartTime(); + assertFalse(CountdownHandler.isStarted()); - CountdownHandler.setStartTime(longPastTime); - CountdownHandler.setLockTime(longPastTime); - CountdownHandler.setEndTime(shortPastTime); + testTime = LocalDateTime.now().minusYears(5); - assertFalse(CountdownHandler.isOpen()); - CountdownHandler.disableStartTime(); - assertFalse(CountdownHandler.isOpen()); - CountdownHandler.disableLockTime(); - assertFalse(CountdownHandler.isOpen()); - CountdownHandler.disableEndTime(); - assertTrue(CountdownHandler.isOpen()); - CountdownHandler.enableLockTime(); - assertTrue(CountdownHandler.isOpen()); - CountdownHandler.enableStartTime(); - assertTrue(CountdownHandler.isOpen()); + CountdownHandler.setStartTime(testTime); + assertTrue(CountdownHandler.isStarted()); + CountdownHandler.disableStartTime(); + assertFalse(CountdownHandler.isStarted()); - } + testTime = LocalDateTime.now().plusMinutes(5); - @Test - public void countdownHandler_TestIsOpenStartAfterEndInvalid() { + CountdownHandler.setStartTime(testTime); + assertFalse(CountdownHandler.isStarted()); + testTime = LocalDateTime.now().plusYears(5); + CountdownHandler.setStartTime(testTime); + assertFalse(CountdownHandler.isStarted()); + } - LocalDateTime testTime = LocalDateTime.parse("1980-01-01T12:00:00"); + @Test + public void countdownHandler_compareLockTime() { - CountdownHandler.setStartTime(testTime.plusMinutes(5)); - CountdownHandler.setEndTime(testTime.minusMinutes(5)); + LocalDateTime testTime = LocalDateTime.now().minusMinutes(5); - assertThrows(InvalidCountdownStateException.class, () -> CountdownHandler.isOpen()); + CountdownHandler.setLockTime(testTime); + assertTrue(CountdownHandler.isLocked()); + CountdownHandler.disableLockTime(); + 
assertFalse(CountdownHandler.isLocked()); - } + testTime = LocalDateTime.now().minusYears(5); + CountdownHandler.setLockTime(testTime); + assertTrue(CountdownHandler.isLocked()); + CountdownHandler.disableLockTime(); + assertFalse(CountdownHandler.isLocked()); - @Test - public void countdownHandler_TestIsOpenStartAfterLockInvalid() { + testTime = LocalDateTime.now().plusMinutes(5); - LocalDateTime testTime = LocalDateTime.parse("1980-01-01T12:00:00"); + CountdownHandler.setLockTime(testTime); + assertFalse(CountdownHandler.isLocked()); + testTime = LocalDateTime.now().plusYears(5); + CountdownHandler.setLockTime(testTime); + assertFalse(CountdownHandler.isLocked()); + } - CountdownHandler.setStartTime(testTime.plusMinutes(5)); - CountdownHandler.setLockTime(testTime.minusMinutes(5)); + @Test + public void countdownHandler_compareEndTime() { - assertThrows(InvalidCountdownStateException.class, () -> CountdownHandler.isOpen()); + LocalDateTime testTime = LocalDateTime.now().minusMinutes(5); - } + CountdownHandler.setEndTime(testTime); + assertTrue(CountdownHandler.hasEnded()); + CountdownHandler.disableEndTime(); + assertFalse(CountdownHandler.hasEnded()); - @Test - public void countdownHandler_TestIsOpenLockAfterEndInvalid() { + testTime = LocalDateTime.now().minusYears(5); + CountdownHandler.setEndTime(testTime); + assertTrue(CountdownHandler.hasEnded()); + CountdownHandler.disableEndTime(); + assertFalse(CountdownHandler.hasEnded()); - LocalDateTime testTime = LocalDateTime.parse("1980-01-01T12:00:00"); + testTime = LocalDateTime.now().plusMinutes(5); - CountdownHandler.setLockTime(testTime.plusMinutes(5)); - CountdownHandler.setEndTime(testTime.minusMinutes(5)); + CountdownHandler.setEndTime(testTime); + assertFalse(CountdownHandler.hasEnded()); + testTime = LocalDateTime.now().plusYears(5); + CountdownHandler.setEndTime(testTime); + assertFalse(CountdownHandler.hasEnded()); + } - assertThrows(InvalidCountdownStateException.class, () -> 
CountdownHandler.isOpen()); + @Test + public void countdownHandler_TestIsOpen() throws InvalidCountdownStateException { - } + LocalDateTime longPastTime = LocalDateTime.now().minusMinutes(10); + LocalDateTime shortPastTime = LocalDateTime.now().minusMinutes(5); + LocalDateTime shortFutureTime = LocalDateTime.now().plusMinutes(5); + LocalDateTime longFutureTime = LocalDateTime.now().plusMinutes(10); - @Test - public void countdownHandler_TestIsRunning() throws InvalidCountdownStateException { + CountdownHandler.setStartTime(longPastTime); + CountdownHandler.setLockTime(shortFutureTime); + CountdownHandler.setEndTime(longFutureTime); - LocalDateTime longPastTime = LocalDateTime.now().minusMinutes(10); - LocalDateTime shortPastTime = LocalDateTime.now().minusMinutes(5); - LocalDateTime shortFutureTime = LocalDateTime.now().plusMinutes(5); - LocalDateTime longFutureTime = LocalDateTime.now().plusMinutes(10); + assertTrue(CountdownHandler.isOpen()); + CountdownHandler.disableStartTime(); + assertTrue(CountdownHandler.isOpen()); + CountdownHandler.disableLockTime(); + assertTrue(CountdownHandler.isOpen()); + CountdownHandler.disableEndTime(); + assertTrue(CountdownHandler.isOpen()); + + CountdownHandler.setStartTime(longPastTime); + CountdownHandler.setLockTime(shortPastTime); + CountdownHandler.setEndTime(longFutureTime); + + assertTrue(CountdownHandler.isOpen()); + CountdownHandler.disableStartTime(); + assertTrue(CountdownHandler.isOpen()); + CountdownHandler.disableLockTime(); + assertTrue(CountdownHandler.isOpen()); + CountdownHandler.disableEndTime(); + assertTrue(CountdownHandler.isOpen()); + + CountdownHandler.setStartTime(longPastTime); + CountdownHandler.setLockTime(longPastTime); + CountdownHandler.setEndTime(shortPastTime); + + assertFalse(CountdownHandler.isOpen()); + CountdownHandler.disableStartTime(); + assertFalse(CountdownHandler.isOpen()); + CountdownHandler.disableLockTime(); + assertFalse(CountdownHandler.isOpen()); + 
CountdownHandler.disableEndTime(); + assertTrue(CountdownHandler.isOpen()); + CountdownHandler.enableLockTime(); + assertTrue(CountdownHandler.isOpen()); + CountdownHandler.enableStartTime(); + assertTrue(CountdownHandler.isOpen()); + } + + @Test + public void countdownHandler_TestIsOpenStartAfterEndInvalid() { + + LocalDateTime testTime = LocalDateTime.parse("1980-01-01T12:00:00"); + + CountdownHandler.setStartTime(testTime.plusMinutes(5)); + CountdownHandler.setEndTime(testTime.minusMinutes(5)); + + assertThrows(InvalidCountdownStateException.class, () -> CountdownHandler.isOpen()); + } - CountdownHandler.setStartTime(longPastTime); - CountdownHandler.setLockTime(shortFutureTime); - CountdownHandler.setEndTime(longFutureTime); + @Test + public void countdownHandler_TestIsOpenStartAfterLockInvalid() { - assertTrue(CountdownHandler.isRunning()); - CountdownHandler.disableStartTime(); - assertTrue(CountdownHandler.isRunning()); - CountdownHandler.disableLockTime(); - assertTrue(CountdownHandler.isRunning()); - CountdownHandler.disableEndTime(); - assertTrue(CountdownHandler.isRunning()); + LocalDateTime testTime = LocalDateTime.parse("1980-01-01T12:00:00"); - CountdownHandler.setStartTime(longPastTime); - CountdownHandler.setLockTime(shortPastTime); - CountdownHandler.setEndTime(longFutureTime); + CountdownHandler.setStartTime(testTime.plusMinutes(5)); + CountdownHandler.setLockTime(testTime.minusMinutes(5)); + + assertThrows(InvalidCountdownStateException.class, () -> CountdownHandler.isOpen()); + } + + @Test + public void countdownHandler_TestIsOpenLockAfterEndInvalid() { - assertFalse(CountdownHandler.isRunning()); - CountdownHandler.disableStartTime(); - assertFalse(CountdownHandler.isRunning()); - CountdownHandler.disableLockTime(); - assertTrue(CountdownHandler.isRunning()); - CountdownHandler.enableLockTime(); - assertFalse(CountdownHandler.isRunning()); + LocalDateTime testTime = LocalDateTime.parse("1980-01-01T12:00:00"); - 
CountdownHandler.setStartTime(longPastTime); - CountdownHandler.setLockTime(longPastTime); - CountdownHandler.setEndTime(shortPastTime); + CountdownHandler.setLockTime(testTime.plusMinutes(5)); + CountdownHandler.setEndTime(testTime.minusMinutes(5)); + + assertThrows(InvalidCountdownStateException.class, () -> CountdownHandler.isOpen()); + } - assertFalse(CountdownHandler.isRunning()); - CountdownHandler.disableStartTime(); - assertFalse(CountdownHandler.isRunning()); - CountdownHandler.disableLockTime(); - assertFalse(CountdownHandler.isRunning()); - CountdownHandler.disableEndTime(); - assertTrue(CountdownHandler.isRunning()); + @Test + public void countdownHandler_TestIsRunning() throws InvalidCountdownStateException { - } + LocalDateTime longPastTime = LocalDateTime.now().minusMinutes(10); + LocalDateTime shortPastTime = LocalDateTime.now().minusMinutes(5); + LocalDateTime shortFutureTime = LocalDateTime.now().plusMinutes(5); + LocalDateTime longFutureTime = LocalDateTime.now().plusMinutes(10); - @Test - public void countdownHandler_TestIsRunningStartAfterEndInvalid() { + CountdownHandler.setStartTime(longPastTime); + CountdownHandler.setLockTime(shortFutureTime); + CountdownHandler.setEndTime(longFutureTime); - LocalDateTime testTime = LocalDateTime.parse("1980-01-01T12:00:00"); + assertTrue(CountdownHandler.isRunning()); + CountdownHandler.disableStartTime(); + assertTrue(CountdownHandler.isRunning()); + CountdownHandler.disableLockTime(); + assertTrue(CountdownHandler.isRunning()); + CountdownHandler.disableEndTime(); + assertTrue(CountdownHandler.isRunning()); - CountdownHandler.setStartTime(testTime.plusMinutes(5)); - CountdownHandler.setEndTime(testTime.minusMinutes(5)); + CountdownHandler.setStartTime(longPastTime); + CountdownHandler.setLockTime(shortPastTime); + CountdownHandler.setEndTime(longFutureTime); - assertThrows(InvalidCountdownStateException.class, () -> CountdownHandler.isRunning()); + assertFalse(CountdownHandler.isRunning()); + 
CountdownHandler.disableStartTime(); + assertFalse(CountdownHandler.isRunning()); + CountdownHandler.disableLockTime(); + assertTrue(CountdownHandler.isRunning()); + CountdownHandler.enableLockTime(); + assertFalse(CountdownHandler.isRunning()); - } + CountdownHandler.setStartTime(longPastTime); + CountdownHandler.setLockTime(longPastTime); + CountdownHandler.setEndTime(shortPastTime); - @Test - public void countdownHandler_TestIsRunningStartAfterLockInvalid() { + assertFalse(CountdownHandler.isRunning()); + CountdownHandler.disableStartTime(); + assertFalse(CountdownHandler.isRunning()); + CountdownHandler.disableLockTime(); + assertFalse(CountdownHandler.isRunning()); + CountdownHandler.disableEndTime(); + assertTrue(CountdownHandler.isRunning()); + } - LocalDateTime testTime = LocalDateTime.parse("1980-01-01T12:00:00"); + @Test + public void countdownHandler_TestIsRunningStartAfterEndInvalid() { - CountdownHandler.setStartTime(testTime.plusMinutes(5)); - CountdownHandler.setLockTime(testTime.minusMinutes(5)); + LocalDateTime testTime = LocalDateTime.parse("1980-01-01T12:00:00"); - assertThrows(InvalidCountdownStateException.class, () -> CountdownHandler.isRunning()); + CountdownHandler.setStartTime(testTime.plusMinutes(5)); + CountdownHandler.setEndTime(testTime.minusMinutes(5)); - } + assertThrows(InvalidCountdownStateException.class, () -> CountdownHandler.isRunning()); + } - @Test - public void countdownHandler_TestIsRunningLockAfterEndInvalid() { + @Test + public void countdownHandler_TestIsRunningStartAfterLockInvalid() { - LocalDateTime testTime = LocalDateTime.parse("1980-01-01T12:00:00"); + LocalDateTime testTime = LocalDateTime.parse("1980-01-01T12:00:00"); - CountdownHandler.setLockTime(testTime.plusMinutes(5)); - CountdownHandler.setEndTime(testTime.minusMinutes(5)); + CountdownHandler.setStartTime(testTime.plusMinutes(5)); + CountdownHandler.setLockTime(testTime.minusMinutes(5)); - assertThrows(InvalidCountdownStateException.class, () -> 
CountdownHandler.isRunning()); + assertThrows(InvalidCountdownStateException.class, () -> CountdownHandler.isRunning()); + } - } + @Test + public void countdownHandler_TestIsRunningLockAfterEndInvalid() { - @Test - public void countdownHandler_TestIsRunningEqualTimes() throws InvalidCountdownStateException { + LocalDateTime testTime = LocalDateTime.parse("1980-01-01T12:00:00"); - // These equal-time edge cases should work even though they don't make much - // sense... - LocalDateTime longPastTime = LocalDateTime.now().minusMinutes(10); - LocalDateTime shortPastTime = LocalDateTime.now().minusMinutes(5); - LocalDateTime shortFutureTime = LocalDateTime.now().plusMinutes(5); - LocalDateTime longFutureTime = LocalDateTime.now().plusMinutes(10); + CountdownHandler.setLockTime(testTime.plusMinutes(5)); + CountdownHandler.setEndTime(testTime.minusMinutes(5)); - CountdownHandler.setStartTime(longPastTime); - CountdownHandler.setLockTime(longPastTime); - CountdownHandler.setEndTime(longFutureTime); + assertThrows(InvalidCountdownStateException.class, () -> CountdownHandler.isRunning()); + } - CountdownHandler.isRunning(); + @Test + public void countdownHandler_TestIsRunningEqualTimes() throws InvalidCountdownStateException { - CountdownHandler.setStartTime(longPastTime); - CountdownHandler.setLockTime(shortFutureTime); - CountdownHandler.setEndTime(shortFutureTime); + // These equal-time edge cases should work even though they don't make much + // sense... 
+ LocalDateTime longPastTime = LocalDateTime.now().minusMinutes(10); + LocalDateTime shortPastTime = LocalDateTime.now().minusMinutes(5); + LocalDateTime shortFutureTime = LocalDateTime.now().plusMinutes(5); + LocalDateTime longFutureTime = LocalDateTime.now().plusMinutes(10); - CountdownHandler.isRunning(); + CountdownHandler.setStartTime(longPastTime); + CountdownHandler.setLockTime(longPastTime); + CountdownHandler.setEndTime(longFutureTime); - CountdownHandler.setStartTime(shortPastTime); - CountdownHandler.setLockTime(shortPastTime); - CountdownHandler.setEndTime(shortPastTime); + CountdownHandler.isRunning(); - CountdownHandler.isRunning(); + CountdownHandler.setStartTime(longPastTime); + CountdownHandler.setLockTime(shortFutureTime); + CountdownHandler.setEndTime(shortFutureTime); - } + CountdownHandler.isRunning(); - @Test - public void countdownHandler_TestIsOpenEqualTimes() throws InvalidCountdownStateException { + CountdownHandler.setStartTime(shortPastTime); + CountdownHandler.setLockTime(shortPastTime); + CountdownHandler.setEndTime(shortPastTime); - // These equal-time edge cases should work even though they don't make much - // sense... - LocalDateTime longPastTime = LocalDateTime.now().minusMinutes(10); - LocalDateTime shortPastTime = LocalDateTime.now().minusMinutes(5); - LocalDateTime shortFutureTime = LocalDateTime.now().plusMinutes(5); - LocalDateTime longFutureTime = LocalDateTime.now().plusMinutes(10); + CountdownHandler.isRunning(); + } - CountdownHandler.setStartTime(longPastTime); - CountdownHandler.setLockTime(longPastTime); - CountdownHandler.setEndTime(longFutureTime); + @Test + public void countdownHandler_TestIsOpenEqualTimes() throws InvalidCountdownStateException { - CountdownHandler.isOpen(); + // These equal-time edge cases should work even though they don't make much + // sense... 
+ LocalDateTime longPastTime = LocalDateTime.now().minusMinutes(10); + LocalDateTime shortPastTime = LocalDateTime.now().minusMinutes(5); + LocalDateTime shortFutureTime = LocalDateTime.now().plusMinutes(5); + LocalDateTime longFutureTime = LocalDateTime.now().plusMinutes(10); - CountdownHandler.setStartTime(longPastTime); - CountdownHandler.setLockTime(shortFutureTime); - CountdownHandler.setEndTime(shortFutureTime); + CountdownHandler.setStartTime(longPastTime); + CountdownHandler.setLockTime(longPastTime); + CountdownHandler.setEndTime(longFutureTime); - CountdownHandler.isOpen(); + CountdownHandler.isOpen(); - CountdownHandler.setStartTime(shortPastTime); - CountdownHandler.setLockTime(shortPastTime); - CountdownHandler.setEndTime(shortPastTime); + CountdownHandler.setStartTime(longPastTime); + CountdownHandler.setLockTime(shortFutureTime); + CountdownHandler.setEndTime(shortFutureTime); - CountdownHandler.isOpen(); + CountdownHandler.isOpen(); - } + CountdownHandler.setStartTime(shortPastTime); + CountdownHandler.setLockTime(shortPastTime); + CountdownHandler.setEndTime(shortPastTime); + CountdownHandler.isOpen(); + } } diff --git a/src/test/java/testUtils/TestProperties.java b/src/test/java/testUtils/TestProperties.java index 1b7418416..ccea32b74 100644 --- a/src/test/java/testUtils/TestProperties.java +++ b/src/test/java/testUtils/TestProperties.java @@ -2,6 +2,11 @@ import static org.junit.Assert.fail; +import dbProcs.Constants; +import dbProcs.Database; +import dbProcs.Getter; +import dbProcs.Setter; +import io.github.cdimascio.dotenv.Dotenv; import java.io.BufferedWriter; import java.io.File; import java.io.FileInputStream; 
@@ -14,459 +19,473 @@ import java.sql.SQLException; import java.sql.Statement; import java.util.Properties; - import javax.servlet.ServletException; - import org.apache.commons.io.FileUtils; -import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockServletConfig; - -import io.github.cdimascio.dotenv.Dotenv; - -import dbProcs.Constants; -import dbProcs.Database; -import dbProcs.Getter; -import dbProcs.Setter; import servlets.Login; import utils.InstallationException; public class TestProperties { - private static final Logger log = LogManager.getLogger(TestProperties.class); - - public static void failAndPrint(String message) { - log.fatal(message); - fail(message); - } - - public static void executeSql(Logger log) throws IOException, SQLException { - - File file = new File(System.getProperty("user.dir") + "/src/main/resources/database/coreSchema.sql"); - String data = FileUtils.readFileToString(file, Charset.defaultCharset()); - - Connection databaseConnection = Database.getDatabaseConnection(null, true); - Statement psProcToexecute = databaseConnection.createStatement(); - psProcToexecute.executeUpdate(data); - - file = new File(System.getProperty("user.dir") + "/src/main/resources/database/moduleSchemas.sql"); - data = FileUtils.readFileToString(file, Charset.defaultCharset()); - psProcToexecute = databaseConnection.createStatement(); - psProcToexecute.executeUpdate(data); - - } - - public static void createFileSystemKey(Logger log, String fileProp, String solutionProp) - throws InstallationException { - - String userDir = System.getProperty("user.dir"); - String propFile = userDir + "/src/main/resources/fileSystemKeys.properties"; - - Properties prop = new Properties(); - - // Pull Driver and DB URL out of database.properties - - try 
(InputStream mysql_input = new FileInputStream(propFile)) { - - prop.load(mysql_input); - - } catch (IOException e) { - log.error("Could not load properties file: " + e.toString()); - throw new RuntimeException(e); - } - - String errorBase = "Missing property :"; - - String filename = prop.getProperty(fileProp); - if (filename == null) { - throw new RuntimeException(errorBase + fileProp); - } - String solution = prop.getProperty(solutionProp); - if (solution == null) { - throw new RuntimeException(errorBase + solutionProp); - } - - File lessonFile = null; - - lessonFile = new File(filename); - try { - FileUtils.write(lessonFile, solution, "UTF-8"); - } catch (IOException e) { - log.error("Can't write to lesson file " + lessonFile + ": " + e.toString()); - throw new RuntimeException(e); - } - - } - - /** - * Bit of a Hack to get JUnits to run inside of - * - * @param log - */ - public static void setTestPropertiesFileDirectory(Logger log) { - if (System.getProperty("catalina.base") == null) { - String userDir = System.getProperty("user.dir"); - log.debug("catalina.base returns null. Creating it with base of user.dir; " + userDir + File.separator - + "target" + File.separator + "test-classes"); - System.setProperty("catalina.base", userDir + File.separator + "target" + File.separator + "test-classes"); - } - } - - /** - * Method to simulate login servlet interaction. 
Can't seem to recyle the method - * in LoginTest with the MockRequests - * - * @param userName User to Sign in - * @param password User Password to use to Sign in - * @param theClass Class of the User - */ - public static void loginDoPost(Logger log, MockHttpServletRequest request, - MockHttpServletResponse response, String userName, String password, String theClass, String lang) { - - int expectedResponseCode = 302; - - log.debug("Creating Login Servlet Instance"); - Login servlet = new Login(); - try { - servlet.init(new MockServletConfig("Login")); - } catch (ServletException e) { - failAndPrint("Could not create login Servlet instance: " + e.toString()); - throw new RuntimeException(e); - } - - // Setup Servlet Parameters and Attributes - log.debug("Setting Up Params and Atrributes"); - request.addParameter("login", userName); - request.addParameter("pwd", password); - request.getSession().setAttribute("lang", lang); - - log.debug("Running doPost"); - try { - servlet.doPost(request, response); - } catch (ServletException | IOException e) { - failAndPrint("Could not post Servlet: " + e.toString()); - throw new RuntimeException(e); - } - - if (response.getStatus() != expectedResponseCode) { - failAndPrint("Login Servlet returned " + response.getStatus() + " instead of expected code 302."); - } else if (response.getHeader("Location").endsWith("login.jsp")) { - log.debug("User \"" + userName + "\" is unauthenticated"); - } else { - log.debug("302 OK Detected"); - String location = response.getHeader("Location"); - log.debug("302 pointing at: " + location); - if (!location.endsWith("index.jsp")) { - failAndPrint("Login not Redirecting to index.jsp. Login Proceedure Failed"); - } - } - } - - /** - * This method will sign in as a User, or create the user and sign in as them. 
- * If this fails it will throw an Exception - * - * @param applicationRoot Context of running application - * @param userName The user name of the user you want to create or sign - * in as - * @param password The password of the user you want to create or sign in - * as - * @return Boolean value depicting if the user exists and can be authenticated - * - */ - public static boolean verifyTestUser(Logger log, String applicationRoot, String userName, - String password) throws SQLException { - boolean result = false; - - String user[] = Getter.authUser(applicationRoot, userName, userName); - if (user == null || user[0].isEmpty()) { - log.debug("User not found in DB. Adding user to DB and Retesting before giving up"); - Setter.userCreate(applicationRoot, null, userName, userName, "player", userName + "@test.com", false); - user = Getter.authUser(applicationRoot, userName, userName); - } - if (user != null && !user[0].isEmpty()) { - log.debug(userName + " could authenticate. returning true"); - result = true; - } else { - failAndPrint("Could not Verify User " + userName + " could authenticate at all."); - } - - return result; - } - - /** - * This method will sign in as a User, or create the user and sign in as them. - * If this fails it will throw an Exception - * - * @param applicationRoot Context of running application - * @param userName The user name of the user you want to create or sign - * in as - * @param password The password of the user you want to create or sign in - * as - * @param classId Class to create the user in - * @return Boolean value depicting if the user exists and can be authenticated - */ - public static boolean verifyTestUser(Logger log, String applicationRoot, String userName, - String password, String classId) throws SQLException { - boolean result = false; - - String user[] = Getter.authUser(applicationRoot, userName, userName); - if (user == null || user[0].isEmpty()) { - log.debug("User not found in DB. 
Adding user to DB"); - Setter.userCreate(applicationRoot, classId, userName, userName, "player", userName + "@test.com", false); - user = Getter.authUser(applicationRoot, userName, userName); - } - if (user != null && !user[0].isEmpty()) { - log.debug(userName + " could authenticate. returning true"); - result = true; - } else { - failAndPrint("Could not verify that " + userName + " could authenticate at all."); - } - - return result; - - } - - /** - * This method will sign in as a User, or create the user and sign in as them. - * If this fails it will throw an Exception - * - * @param applicationRoot Context of running application - * @param userName The user name of the user you want to create or sign - * in as - * @param password The password of the user you want to create or sign in - * as - * @param classId Class to create the user in - * @return Boolean value depicting if the user exists and can be authenticated - */ - public static boolean verifyTestAdmin(Logger log, String applicationRoot, String userName, - String password, String classId) throws SQLException { - boolean result = false; - - String user[] = Getter.authUser(applicationRoot, userName, userName); - if (user == null || user[0].isEmpty()) { - log.debug("User not found in DB. Adding user to DB and Retesting before giving up"); - Setter.userCreate(applicationRoot, classId, userName, userName, "admin", userName + "@test.com", false); - user = Getter.authUser(applicationRoot, userName, userName); - } - if (user != null && !user[0].isEmpty()) { - log.debug(userName + " could authenticate. returning true"); - result = true; - } else { - failAndPrint("Could not Verify User " + userName + " could authenticate at all."); - } - - return result; - } - - /** - * This method will sign in as an admin, or create the admin and sign in as - * them. 
If this fails it will throw an Exception - * - * @param applicationRoot Context of running application - * @param userName The user name of the user you want to create or sign - * in as - * @param password The password of the user you want to create or sign in - * as - * @return Boolean value depicting if the user exists and can be authenticated - * - */ - public static boolean verifyTestAdmin(Logger log, String applicationRoot, String userName, - String password) throws SQLException { - boolean result = false; - - String user[] = Getter.authUser(applicationRoot, userName, userName); - if (user == null || user[0].isEmpty()) { - log.debug("User not found in DB. Adding user to DB and Retesting before giving up"); - Setter.userCreate(applicationRoot, null, userName, userName, "admin", userName + "@test.com", false); - user = Getter.authUser(applicationRoot, userName, userName); - } - if (user != null && !user[0].isEmpty()) { - log.debug(userName + " could authenticate. returning true"); - result = true; - } else { - failAndPrint("Could not Verify User " + userName + " could authenticate at all."); - } - - return result; - } - - /** - * Searches for class based on class name. If nothing is found, the class is - * created and the new class Id is returned - * - * @param className Name of the class you wish to search / create - * @return The Identifier of the class owning the name submitted - */ - public static String findCreateClassId(Logger log, String className, String applicationRoot) - throws SQLException { - String classId = new String(); - ResultSet rs = Getter.getClassInfo(applicationRoot); - while (rs.next()) { - if (rs.getString(2).compareTo(className) == 0) { - classId = rs.getString(1); - break; - } - } - rs.close(); - if (classId.isEmpty()) { - log.debug("Could not find class. Creating it"); - if (Setter.classCreate(applicationRoot, className, "2015")) { - log.debug("Class Created. 
Getting ID"); - classId = findCreateClassId(log, className, applicationRoot); - } else { - failAndPrint("Could not Create Class " + className); - } - } - return classId; - } - - /** - * This method will login/create a PLAYER, open all modules, Collect the Module - * Adddress and Mark the moduleId as complete - * - * @param log Logger - * @param userName Username to complete level with - * @param userPass Password to complete level with - * @param moduleId If of level to complete - * @param feedbackString Leave as null for default - * @param applicationRoot - */ - public static boolean completeModuleForUser(Logger log, String userName, String userPass, - String moduleId, String feedbackString, String applicationRoot) throws SQLException { - boolean result = false; - - if (verifyTestUser(log, applicationRoot, userName, userPass)) { - String userId = Getter.getUserIdFromName(applicationRoot, userName); - // Open all Modules First so that the Module Can Be Opened - if (Setter.openAllModules(applicationRoot, false) && Setter.openAllModules(applicationRoot, true)) { - // Simulate user Opening Level - if (!Getter.getModuleAddress(applicationRoot, moduleId, userId).isEmpty()) { - // Then, Mark the Challenge Complete for user (Insecure Data Storage Lesson) - String feedbackSearchCode = "RwarUNiqueFeedbackCodeToSEARCHFor1182371723"; - String markLevelCompleteTest = Setter.updatePlayerResult(applicationRoot, moduleId, userId, - feedbackSearchCode, 1, 1, 1); - if (markLevelCompleteTest != null) { - String checkPlayerResultTest = Getter.checkPlayerResult(applicationRoot, moduleId, userId); - log.debug("checkPlayerResultTest" + checkPlayerResultTest); - if (checkPlayerResultTest == null) { - result = true; - } else { - fail("Function says user has not completed module"); // Even though this test just - // marked it as Completed - } - } else - fail("Could not mark data storage lesson as complete for user"); - } else - fail("Could not Mark Data Storage Lesson as Opened by Default 
admin"); - } else - fail("Could not Open All Modules"); - } else { - fail("Could not verify user (No Exception Failure)"); - } - - return result; - } - - /** - * Create a mysql database properties file - */ - public static void createMysqlResource(String dbHost, int dbPort, String dbSchema, String dbUsername, - String dbPassword) throws IOException { - - log.debug("Creating mysql db file at " + Constants.MYSQL_DB_PROP); - - File file = new File(Constants.MYSQL_DB_PROP); - file.getParentFile().mkdirs(); - FileWriter writer = new FileWriter(file); - BufferedWriter bw = new BufferedWriter(writer); - bw.write("databaseConnectionURL=jdbc:mysql://" + dbHost + ":" + dbPort + "/"); - bw.newLine(); - bw.write("DriverType=org.gjt.mm.mysql.Driver"); - bw.newLine(); - bw.write("databaseOptions=useUnicode=true&character_set_server=utf8mb4"); - bw.newLine(); - bw.write("databaseSchema=" + dbSchema); - bw.newLine(); - bw.write("databaseUsername=" + dbUsername); - bw.newLine(); - bw.write("databasePassword=" + dbPassword); - bw.close(); - - log.debug("Created mysql db file at " + Constants.MYSQL_DB_PROP); - - } - - /** - * Create a mysql database properties file - * - * @throws IOException - */ - public static void createMysqlResource() throws IOException { - Dotenv dotenv = Dotenv.load(); - createMysqlResource(dotenv.get("TEST_MYSQL_HOST"), - Integer.parseInt(dotenv.get("TEST_MYSQL_PORT")), - "core", - "root", - dotenv.get("TEST_MYSQL_PASSWORD")); - } - - /** - * Delete the mysql database properties file - * - * @throws IOException - */ - public static void deleteMysqlResource() { - FileUtils.deleteQuietly(new File(Constants.MYSQL_DB_PROP)); - } - - /** - * Create a mongo database properties file - */ - public static void createMongoResource(String dbHost, long dbPort, String dbName, long connectTimeout, - long socketTimeout, long serverSelectionTimeout) throws IOException { - - log.debug("Creating mongo db file at " + Constants.MONGO_DB_PROP); - - File file = new 
File(Constants.MONGO_DB_PROP); - file.getParentFile().mkdirs(); - FileWriter writer = new FileWriter(file); - BufferedWriter bw = new BufferedWriter(writer); - - bw.write("connectionHost=" + dbHost); - bw.newLine(); - bw.write("connectionPort=" + dbPort); - bw.newLine(); - bw.write("databaseName=" + dbName); - bw.newLine(); - bw.write("connectTimeout=" + connectTimeout); - bw.newLine(); - bw.write("socketTimeout=" + socketTimeout); - bw.newLine(); - bw.write("serverSelectionTimeout=" + serverSelectionTimeout); - bw.newLine(); - bw.close(); - - log.debug("Created mongo db file at " + Constants.MONGO_DB_PROP); - } - - /** - * Create a mongo database properties file - * - * @throws IOException - */ - public static void createMongoResource() throws IOException { - createMongoResource("0.0.0.0", 27017, "shepherdGames", 10000, 0, 30000); - } - - /** - * Delete the mongo database properties file - * - * @throws IOException - */ - public static void deleteMongoResource() { - FileUtils.deleteQuietly(new File(Constants.MONGO_DB_PROP)); - } + private static final Logger log = LogManager.getLogger(TestProperties.class); + + public static void failAndPrint(String message) { + log.fatal(message); + fail(message); + } + + public static void executeSql(Logger log) throws IOException, SQLException { + + File file = + new File(System.getProperty("user.dir") + "/src/main/resources/database/coreSchema.sql"); + String data = FileUtils.readFileToString(file, Charset.defaultCharset()); + + Connection databaseConnection = Database.getDatabaseConnection(null, true); + Statement psProcToexecute = databaseConnection.createStatement(); + psProcToexecute.executeUpdate(data); + + file = + new File(System.getProperty("user.dir") + "/src/main/resources/database/moduleSchemas.sql"); + data = FileUtils.readFileToString(file, Charset.defaultCharset()); + psProcToexecute = databaseConnection.createStatement(); + psProcToexecute.executeUpdate(data); + } + + public static void 
createFileSystemKey(Logger log, String fileProp, String solutionProp) + throws InstallationException { + + String userDir = System.getProperty("user.dir"); + String propFile = userDir + "/src/main/resources/fileSystemKeys.properties"; + + Properties prop = new Properties(); + + // Pull Driver and DB URL out of database.properties + + try (InputStream mysql_input = new FileInputStream(propFile)) { + + prop.load(mysql_input); + + } catch (IOException e) { + log.error("Could not load properties file: " + e.toString()); + throw new RuntimeException(e); + } + + String errorBase = "Missing property :"; + + String filename = prop.getProperty(fileProp); + if (filename == null) { + throw new RuntimeException(errorBase + fileProp); + } + String solution = prop.getProperty(solutionProp); + if (solution == null) { + throw new RuntimeException(errorBase + solutionProp); + } + + File lessonFile = null; + + lessonFile = new File(filename); + try { + FileUtils.write(lessonFile, solution, "UTF-8"); + } catch (IOException e) { + log.error("Can't write to lesson file " + lessonFile + ": " + e.toString()); + throw new RuntimeException(e); + } + } + + /** + * Bit of a Hack to get JUnits to run inside of + * + * @param log + */ + public static void setTestPropertiesFileDirectory(Logger log) { + if (System.getProperty("catalina.base") == null) { + String userDir = System.getProperty("user.dir"); + log.debug( + "catalina.base returns null. Creating it with base of user.dir; " + + userDir + + File.separator + + "target" + + File.separator + + "test-classes"); + System.setProperty( + "catalina.base", userDir + File.separator + "target" + File.separator + "test-classes"); + } + } + + /** + * Method to simulate login servlet interaction. 
Can't seem to recyle the method in LoginTest with + * the MockRequests + * + * @param userName User to Sign in + * @param password User Password to use to Sign in + * @param theClass Class of the User + */ + public static void loginDoPost( + Logger log, + MockHttpServletRequest request, + MockHttpServletResponse response, + String userName, + String password, + String theClass, + String lang) { + + int expectedResponseCode = 302; + + log.debug("Creating Login Servlet Instance"); + Login servlet = new Login(); + try { + servlet.init(new MockServletConfig("Login")); + } catch (ServletException e) { + failAndPrint("Could not create login Servlet instance: " + e.toString()); + throw new RuntimeException(e); + } + + // Setup Servlet Parameters and Attributes + log.debug("Setting Up Params and Atrributes"); + request.addParameter("login", userName); + request.addParameter("pwd", password); + request.getSession().setAttribute("lang", lang); + + log.debug("Running doPost"); + try { + servlet.doPost(request, response); + } catch (ServletException | IOException e) { + failAndPrint("Could not post Servlet: " + e.toString()); + throw new RuntimeException(e); + } + + if (response.getStatus() != expectedResponseCode) { + failAndPrint( + "Login Servlet returned " + response.getStatus() + " instead of expected code 302."); + } else if (response.getHeader("Location").endsWith("login.jsp")) { + log.debug("User \"" + userName + "\" is unauthenticated"); + } else { + log.debug("302 OK Detected"); + String location = response.getHeader("Location"); + log.debug("302 pointing at: " + location); + if (!location.endsWith("index.jsp")) { + failAndPrint("Login not Redirecting to index.jsp. Login Proceedure Failed"); + } + } + } + + /** + * This method will sign in as a User, or create the user and sign in as them. 
If this fails it + * will throw an Exception + * + * @param applicationRoot Context of running application + * @param userName The user name of the user you want to create or sign in as + * @param password The password of the user you want to create or sign in as + * @return Boolean value depicting if the user exists and can be authenticated + */ + public static boolean verifyTestUser( + Logger log, String applicationRoot, String userName, String password) throws SQLException { + boolean result = false; + + String user[] = Getter.authUser(applicationRoot, userName, userName); + if (user == null || user[0].isEmpty()) { + log.debug("User not found in DB. Adding user to DB and Retesting before giving up"); + Setter.userCreate( + applicationRoot, null, userName, userName, "player", userName + "@test.com", false); + user = Getter.authUser(applicationRoot, userName, userName); + } + if (user != null && !user[0].isEmpty()) { + log.debug(userName + " could authenticate. returning true"); + result = true; + } else { + failAndPrint("Could not Verify User " + userName + " could authenticate at all."); + } + + return result; + } + + /** + * This method will sign in as a User, or create the user and sign in as them. If this fails it + * will throw an Exception + * + * @param applicationRoot Context of running application + * @param userName The user name of the user you want to create or sign in as + * @param password The password of the user you want to create or sign in as + * @param classId Class to create the user in + * @return Boolean value depicting if the user exists and can be authenticated + */ + public static boolean verifyTestUser( + Logger log, String applicationRoot, String userName, String password, String classId) + throws SQLException { + boolean result = false; + + String user[] = Getter.authUser(applicationRoot, userName, userName); + if (user == null || user[0].isEmpty()) { + log.debug("User not found in DB. 
Adding user to DB"); + Setter.userCreate( + applicationRoot, classId, userName, userName, "player", userName + "@test.com", false); + user = Getter.authUser(applicationRoot, userName, userName); + } + if (user != null && !user[0].isEmpty()) { + log.debug(userName + " could authenticate. returning true"); + result = true; + } else { + failAndPrint("Could not verify that " + userName + " could authenticate at all."); + } + + return result; + } + + /** + * This method will sign in as a User, or create the user and sign in as them. If this fails it + * will throw an Exception + * + * @param applicationRoot Context of running application + * @param userName The user name of the user you want to create or sign in as + * @param password The password of the user you want to create or sign in as + * @param classId Class to create the user in + * @return Boolean value depicting if the user exists and can be authenticated + */ + public static boolean verifyTestAdmin( + Logger log, String applicationRoot, String userName, String password, String classId) + throws SQLException { + boolean result = false; + + String user[] = Getter.authUser(applicationRoot, userName, userName); + if (user == null || user[0].isEmpty()) { + log.debug("User not found in DB. Adding user to DB and Retesting before giving up"); + Setter.userCreate( + applicationRoot, classId, userName, userName, "admin", userName + "@test.com", false); + user = Getter.authUser(applicationRoot, userName, userName); + } + if (user != null && !user[0].isEmpty()) { + log.debug(userName + " could authenticate. returning true"); + result = true; + } else { + failAndPrint("Could not Verify User " + userName + " could authenticate at all."); + } + + return result; + } + + /** + * This method will sign in as an admin, or create the admin and sign in as them. 
If this fails it + * will throw an Exception + * + * @param applicationRoot Context of running application + * @param userName The user name of the user you want to create or sign in as + * @param password The password of the user you want to create or sign in as + * @return Boolean value depicting if the user exists and can be authenticated + */ + public static boolean verifyTestAdmin( + Logger log, String applicationRoot, String userName, String password) throws SQLException { + boolean result = false; + + String user[] = Getter.authUser(applicationRoot, userName, userName); + if (user == null || user[0].isEmpty()) { + log.debug("User not found in DB. Adding user to DB and Retesting before giving up"); + Setter.userCreate( + applicationRoot, null, userName, userName, "admin", userName + "@test.com", false); + user = Getter.authUser(applicationRoot, userName, userName); + } + if (user != null && !user[0].isEmpty()) { + log.debug(userName + " could authenticate. returning true"); + result = true; + } else { + failAndPrint("Could not Verify User " + userName + " could authenticate at all."); + } + + return result; + } + + /** + * Searches for class based on class name. If nothing is found, the class is created and the new + * class Id is returned + * + * @param className Name of the class you wish to search / create + * @return The Identifier of the class owning the name submitted + */ + public static String findCreateClassId(Logger log, String className, String applicationRoot) + throws SQLException { + String classId = new String(); + ResultSet rs = Getter.getClassInfo(applicationRoot); + while (rs.next()) { + if (rs.getString(2).compareTo(className) == 0) { + classId = rs.getString(1); + break; + } + } + rs.close(); + if (classId.isEmpty()) { + log.debug("Could not find class. Creating it"); + if (Setter.classCreate(applicationRoot, className, "2015")) { + log.debug("Class Created. 
Getting ID");
+ classId = findCreateClassId(log, className, applicationRoot);
+ } else {
+ failAndPrint("Could not Create Class " + className);
+ }
+ }
+ return classId;
+ }
+
+ /**
+ * This method will login/create a PLAYER, open all modules, Collect the Module Adddress and Mark
+ the moduleId as complete
+ *
+ * @param log Logger
+ * @param userName Username to complete level with
+ * @param userPass Password to complete level with
+ * @param moduleId If of level to complete
+ * @param feedbackString Leave as null for default
+ * @param applicationRoot
+ */
+ public static boolean completeModuleForUser(
+ Logger log,
+ String userName,
+ String userPass,
+ String moduleId,
+ String feedbackString,
+ String applicationRoot)
+ throws SQLException {
+ boolean result = false;
+
+ if (verifyTestUser(log, applicationRoot, userName, userPass)) {
+ String userId = Getter.getUserIdFromName(applicationRoot, userName);
+ // Open all Modules First so that the Module Can Be Opened
+ if (Setter.openAllModules(applicationRoot, false)
+ && Setter.openAllModules(applicationRoot, true)) {
+ // Simulate user Opening Level
+ if (!Getter.getModuleAddress(applicationRoot, moduleId, userId).isEmpty()) {
+ // Then, Mark the Challenge Complete for user (Insecure Data Storage Lesson)
+ String feedbackSearchCode = "RwarUNiqueFeedbackCodeToSEARCHFor1182371723";
+ String markLevelCompleteTest =
+ Setter.updatePlayerResult(
+ applicationRoot, moduleId, userId, feedbackSearchCode, 1, 1, 1);
+ if (markLevelCompleteTest != null) {
+ String checkPlayerResultTest =
+ Getter.checkPlayerResult(applicationRoot, moduleId, userId);
+ log.debug("checkPlayerResultTest" + checkPlayerResultTest);
+ if (checkPlayerResultTest == null) {
+ result = true;
+ } else {
+ fail("Function says user has not completed module"); // Even though this test just
+ // marked it as Completed
+ }
+ } else {
+ fail("Could not mark data storage lesson as complete for user");
+ }
+ } else {
+ fail("Could not Mark Data Storage Lesson as Opened by Default admin");
+ }
+ } else {
+ fail("Could not Open All Modules");
+ }
+ } else {
+ fail("Could not verify user (No Exception Failure)");
+ }
+
+ return result;
+ }
+
+ /** Create a mysql database properties file */
+ public static void createMysqlResource(
+ String dbHost, int dbPort, String dbSchema, String dbUsername, String dbPassword)
+ throws IOException {
+
+ log.debug("Creating mysql db file at " + Constants.MYSQL_DB_PROP);
+
+ File file = new File(Constants.MYSQL_DB_PROP);
+ file.getParentFile().mkdirs();
+ FileWriter writer = new FileWriter(file);
+ BufferedWriter bw = new BufferedWriter(writer);
+ bw.write("databaseConnectionURL=jdbc:mysql://" + dbHost + ":" + dbPort + "/");
+ bw.newLine();
+ bw.write("DriverType=org.gjt.mm.mysql.Driver");
+ bw.newLine();
+ bw.write("databaseOptions=useUnicode=true&character_set_server=utf8mb4");
+ bw.newLine();
+ bw.write("databaseSchema=" + dbSchema);
+ bw.newLine();
+ bw.write("databaseUsername=" + dbUsername);
+ bw.newLine();
+ bw.write("databasePassword=" + dbPassword);
+ bw.close();
+
+ log.debug("Created mysql db file at " + Constants.MYSQL_DB_PROP);
+ }
+
+ /**
+ * Create a mysql database properties file
+ *
+ * @throws IOException
+ */
+ public static void createMysqlResource() throws IOException {
+ Dotenv dotenv = Dotenv.load();
+ createMysqlResource(
+ dotenv.get("TEST_MYSQL_HOST"),
+ Integer.parseInt(dotenv.get("TEST_MYSQL_PORT")),
+ "core",
+ "root",
+ dotenv.get("TEST_MYSQL_PASSWORD"));
+ }
+
+ /**
+ * Delete the mysql database properties file
+ *
+ * @throws IOException
+ */
+ public static void deleteMysqlResource() {
+ FileUtils.deleteQuietly(new File(Constants.MYSQL_DB_PROP));
+ }
+
+ /** Create a mongo database properties file */
+ public static void createMongoResource(
+ String dbHost,
+ long dbPort,
+ String dbName,
+ long connectTimeout,
+ long socketTimeout,
+ long serverSelectionTimeout)
+ throws IOException {
+
+ log.debug("Creating mongo db file at " + Constants.MONGO_DB_PROP);
+
+ File file = new File(Constants.MONGO_DB_PROP);
+ file.getParentFile().mkdirs();
+ FileWriter writer = new FileWriter(file);
+ BufferedWriter bw = new BufferedWriter(writer);
+
+ bw.write("connectionHost=" + dbHost);
+ bw.newLine();
+ bw.write("connectionPort=" + dbPort);
+ bw.newLine();
+ bw.write("databaseName=" + dbName);
+ bw.newLine();
+ bw.write("connectTimeout=" + connectTimeout);
+ bw.newLine();
+ bw.write("socketTimeout=" + socketTimeout);
+ bw.newLine();
+ bw.write("serverSelectionTimeout=" + serverSelectionTimeout);
+ bw.newLine();
+ bw.close();
+
+ log.debug("Created mongo db file at " + Constants.MONGO_DB_PROP);
+ }
+
+ /**
+ * Create a mongo database properties file
+ *
+ * @throws IOException
+ */
+ public static void createMongoResource() throws IOException {
+ createMongoResource("0.0.0.0", 27017, "shepherdGames", 10000, 0, 30000);
+ }
+
+ /**
+ * Delete the mongo database properties file
+ *
+ * @throws IOException
+ */
+ public static void deleteMongoResource() {
+ FileUtils.deleteQuietly(new File(Constants.MONGO_DB_PROP));
+ }
 }
diff --git a/src/test/java/testUtils/TestXmlDocumentBuilder.java b/src/test/java/testUtils/TestXmlDocumentBuilder.java
index 9880fd3c1..95406a39c 100644
--- a/src/test/java/testUtils/TestXmlDocumentBuilder.java
+++ b/src/test/java/testUtils/TestXmlDocumentBuilder.java
@@ -1,36 +1,31 @@
 package testUtils;
-import org.apache.logging.log4j.Logger;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.core.IsInstanceOf.instanceOf;
+import static org.junit.Assert.assertNotNull;
+
+import javax.xml.parsers.DocumentBuilder;
 import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
 import utils.XmlDocumentBuilder;
-import testUtils.TestProperties;
-
-import javax.xml.parsers.DocumentBuilder;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.core.IsInstanceOf.instanceOf;
-import static org.junit.Assert.assertNotNull;
-
 public class TestXmlDocumentBuilder {
- private static final Logger log = LogManager.getLogger(TestXmlDocumentBuilder.class);
- @BeforeAll
- public static void initAll()
- {
- TestProperties.setTestPropertiesFileDirectory(log);
- }
+ private static final Logger log = LogManager.getLogger(TestXmlDocumentBuilder.class);
- @Test
- @DisplayName("Should Return Type DocumentBuilder")
- public void xmlDocBuilder_ShouldReturnTypeDocumentBuilder()
- {
- DocumentBuilder db = XmlDocumentBuilder.xmlDocBuilder(true, true, true, true, true, true);
- assertThat(db, instanceOf(DocumentBuilder.class));
- assertNotNull(db);
- }
+ @BeforeAll
+ public static void initAll() {
+ TestProperties.setTestPropertiesFileDirectory(log);
+ }
+ @Test
+ @DisplayName("Should Return Type DocumentBuilder")
+ public void xmlDocBuilder_ShouldReturnTypeDocumentBuilder() {
+ DocumentBuilder db = XmlDocumentBuilder.xmlDocBuilder(true, true, true, true, true, true);
+ assertThat(db, instanceOf(DocumentBuilder.class));
+ assertNotNull(db);
+ }
 }
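Review bot: The reordered import block keeps JUnit 4's `org.junit.Assert.assertNotNull` in a test that otherwise uses the JUnit 5 `org.junit.jupiter.api` annotations (`@BeforeAll`, `@Test`, `@DisplayName`); the assertion should come from the same framework, `import static org.junit.jupiter.api.Assertions.assertNotNull;`, so the test does not depend on the JUnit 4 jar being on the test classpath. The restyled test body still only checks that `XmlDocumentBuilder.xmlDocBuilder(true, true, true, true, true, true)` returns a non-null `DocumentBuilder`, which both assertions satisfy regardless of what the six boolean arguments select; if those flags are meant to harden the parser, a companion test that parses a small document containing a DTD or external entity reference through the returned builder and expects it to be rejected would actually exercise that configuration. The `@DisplayName` could likewise state which builder configuration is under test rather than only the return type.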