@@ -121,6 +121,8 @@ public class Challenge2Screen extends SequentialLessonAdapter
121121 private String pass = "goodbye" ;
122122
123123 private String user = "youaretheweakestlink" ;
124+
125+ private String instructions = "" ;
124126
125127 /**
126128 * Description of the Method
@@ -145,6 +147,9 @@ protected Element createContent(WebSession s)
145147 */
146148 protected Element doStage1 (WebSession s ) throws Exception
147149 {
150+
151+ instructions = "Your mission is to get the username and password from the WebGoat source code in order to authenticate." ;
152+
148153 setStage (s , 1 );
149154
150155 String username = s .getParser ().getRawParameter (USERNAME , "" );
@@ -189,6 +194,9 @@ protected Element doStage1(WebSession s) throws Exception
189194 */
190195 protected Element doStage2 (WebSession s ) throws Exception
191196 {
197+
198+ instructions = "Your mission is to steal all the credit cards from the database. " ;
199+
192200 // <START_OMIT_SOURCE>
193201
194202 Cookie newCookie = new Cookie (USER_COOKIE , Encoding .base64Encode (user ));
@@ -290,6 +298,10 @@ protected Element doStage2(WebSession s) throws Exception
290298 */
291299 protected Element doStage3 (WebSession s ) throws Exception
292300 {
301+ instructions = "Your mission is to deface this website. Your main website jsp, which is rendered below, is contained in "
302+ + "'webgoat_challenge_" + s .getUserName () + JSP + "'. To overwrite 'webgoat_challenge_" + s .getUserName () + JSP
303+ + "' you will need to use many of the techniques you have learned in the other lessons. " ;
304+
293305 // <START_OMIT_SOURCE>
294306
295307 ElementContainer ec = new ElementContainer ();
@@ -326,19 +338,20 @@ protected Element doStage3(WebSession s) throws Exception
326338 // Setup the screen content
327339 try
328340 {
329- ec .addElement (new H1 ("Current Network Status:" ));
341+ ec .addElement (new H1 ("Current Network Status (limited to 10 rows) :" ));
330342 ec .addElement (netstatResults );
331343
332344 Table t = new Table ().setCellSpacing (0 ).setCellPadding (2 ).setWidth ("90%" ).setAlign ("center" );
333345 if (s .isColor ())
334346 {
335347 t .setBorder (1 );
336348 }
337- String [] list = { "tcp" , "tcpv6" , "ip" , "ipv6" , "udp" , "udpv6" };
338-
349+ String [] list = { "tcp" , "udp" };
350+ //String[] list = { "inet", "inet6", "ax25", "netrom", "ipx", "ddp", "x25" };
351+
339352 TR tr = new TR ();
340353 tr .addElement (new TD ().addElement (ECSFactory .makeButton ("View Network" )));
341- tr .addElement (new TD ().setWidth ("35%" ).addElement (ECSFactory .makePulldown (PROTOCOL , list , "" , 5 )));
354+ tr .addElement (new TD ().setWidth ("35%" ).addElement (ECSFactory .makePulldown (PROTOCOL , list , "" , 2 )));
342355 t .addElement (tr );
343356
344357 ec .addElement (t );
@@ -404,7 +417,7 @@ private void resetWebPage(WebSession s)
404417 {
405418 try
406419 {
407- // get current text and compare to the new text
420+ // get current text and overwrite the potential defaced file
408421 String defacedpath = s .getContext ().getRealPath (WEBGOAT_CHALLENGE + "_" + s .getUserName () + JSP );
409422 String masterFilePath = s .getContext ().getRealPath (WEBGOAT_CHALLENGE_JSP );
410423
@@ -415,6 +428,7 @@ private void resetWebPage(WebSession s)
415428 fw .close ();
416429 // System.out.println("webgoat_guest replaced: " + getFileText( new
417430 // BufferedReader( new FileReader( defacedpath ) ), false ) );
431+
418432 } catch (Exception e )
419433 {
420434 e .printStackTrace ();
@@ -554,10 +568,7 @@ protected Element makeLogin(WebSession s)
554568 */
555569 public String getInstructions (WebSession s )
556570 {
557- String instructions = "Your mission is to break the authentication scheme, "
558- + "steal all the credit cards from the database, and then deface the website. "
559- + "You will have to use many of the techniques you have learned in the other lessons. "
560- + "The main webpage to deface for this site is 'webgoat_challenge_" + s .getUserName () + ".jsp'" ;
571+ // each stage will load it's instructions
561572
562573 return (instructions );
563574 }
@@ -629,27 +640,49 @@ protected ElementContainer getNetstatResults(WebSession s)
629640 t .setBorder (1 );
630641 }
631642
632- String [] colWidths = new String [] { "55" , "110" , "260" , "70" , "50" };
643+ String [] colWidths = new String [] { "55" , "110" , "260" , "70" };
633644 TR tr = new TR ();
634645 tr .addElement (new TH ().addElement ("Protocol" ).setWidth (colWidths [0 ]));
635646 tr .addElement (new TH ().addElement ("Local Address" ).setWidth (colWidths [1 ]));
636647 tr .addElement (new TH ().addElement ("Foreign Address" ).setWidth (colWidths [2 ]));
637648 tr .addElement (new TH ().addElement ("State" ).setWidth (colWidths [3 ]));
638- tr .addElement (new TH ().addElement ("Offload State" ).setWidth (colWidths [4 ]));
639649 t .addElement (tr );
640650
641651 String protocol = s .getParser ().getRawParameter (PROTOCOL , "tcp" );
642652
643653 String osName = System .getProperty ("os.name" );
654+ // System.out.println("os.name= " + osName);
655+
656+ if (protocol .indexOf ("rm" ) != -1 || protocol .indexOf ("webgoat_challenge.jsp" ) != -1 )
657+ {
658+ s .setMessage ("Play nice - please don't try to hack the environment" );
659+ protocol = "tcp" ;
660+ }
661+
644662 ExecResults er = null ;
645663 if (osName .indexOf ("Windows" ) != -1 )
646664 {
647665 String cmd = "cmd.exe /c netstat -ant -p " + protocol ;
648666 er = Exec .execSimple (cmd );
649667 }
668+ else if (osName .indexOf ("Mac OS X" ) != -1 )
669+ {
670+ String [] macCmd = { "/bin/sh" , "-c" , "netstat -an -p " + protocol };
671+ er = Exec .execSimple (macCmd );
672+ }
650673 else
651674 {
652- String [] cmd = { "/bin/sh" , "-c" , "netstat -ant -p " + protocol };
675+ // allows for command injection by defaulting to user input
676+ if ( protocol .startsWith ("tcp" ))
677+ {
678+ protocol = protocol .replace ("tcp" , "-t" );
679+ }
680+ else if (protocol .startsWith ("udp" ))
681+ {
682+ protocol = protocol .replace ("udp" , "-u" );
683+ }
684+
685+ String [] cmd = { "/bin/sh" , "-c" , "netstat -an " + protocol };
653686 er = Exec .execSimple (cmd );
654687 }
655688
@@ -669,7 +702,16 @@ protected ElementContainer getNetstatResults(WebSession s)
669702 line = lines .nextToken ();
670703 }
671704 }
672- while (start > 0 && lines .hasMoreTokens ())
705+
706+ // This is what is being parsed
707+ //
708+ // Active Internet connections (servers and established)
709+ // Proto Recv-Q Send-Q Local Address Foreign Address State
710+ // tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
711+ // tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
712+
713+ int read10 = 10 ;
714+ while (start > 0 && lines .hasMoreTokens () && read10 -- > 0 )
673715 {
674716 // in order to avoid a ill-rendered screen when the user performs
675717 // command injection, we will wrap the screen at 4 columns
@@ -681,6 +723,12 @@ protected ElementContainer getNetstatResults(WebSession s)
681723 {
682724 td = new TD ().setWidth (colWidths [columnCount ++]);
683725 tr .addElement (td .addElement (tokens .nextToken ()));
726+ // throw away token 1 and 2
727+ if (columnCount == 1 )
728+ {
729+ if (tokens .hasMoreTokens () ) tokens .nextToken ();
730+ if (tokens .hasMoreTokens () ) tokens .nextToken ();
731+ }
684732 }
685733 t .addElement (tr );
686734 }
0 commit comments