Resolve HttpOnly Test bug WEB-161

juliadotter · juliadotter · commit e0da681402ac · 2014-12-09T20:52:35.000+11:00
diff --git a/src/main/java/org/owasp/webgoat/lessons/HttpOnly.java b/src/main/java/org/owasp/webgoat/lessons/HttpOnly.java
@@ -61,6 +61,8 @@ public class HttpOnly extends LessonAdapter
 
     private final static String HTTPONLY = "httponly";
 
+    private final static String HTTPONLY_VALUE = "httponly_value";
+
     private final static String ACTION = "action";
 
     private final static String READ = "Read Cookie";
@@ -239,6 +241,7 @@ private ElementContainer makeContent(WebSession s)
     {
         ElementContainer ec = new ElementContainer();
         Element r = null;
+        Element hidden_r = null;
         Table t = null;
         TR tr = null;
         Form f = null;
@@ -266,11 +269,12 @@ private ElementContainer makeContent(WebSession s)
 
         if (httpOnly == true)
         {
-            r = new Input(Input.RADIO, HTTPONLY, "True").addAttribute("Checked", "true");
+            r = new Input(Input.RADIO, HTTPONLY_VALUE, "True").addAttribute("Checked", "true");
         }
         else
         {
-            r = new Input(Input.RADIO, HTTPONLY, "True").addAttribute("onClick", "document.form.submit()");
+            r = new Input(Input.RADIO, HTTPONLY_VALUE, "True").addAttribute("onClick", "document.form.httponly.click();");
+            hidden_r = new Input(Input.SUBMIT, HTTPONLY, "True").addAttribute("style", "visibility:hidden");
         }
 
         tr.addElement(new TD(r));
@@ -279,14 +283,16 @@ private ElementContainer makeContent(WebSession s)
 
         if (httpOnly == false)
         {
-            r = new Input(Input.RADIO, HTTPONLY, "False").addAttribute("Checked", "True");
+            r = new Input(Input.RADIO, HTTPONLY_VALUE, "False").addAttribute("Checked", "false");
         }
         else
         {
-            r = new Input(Input.RADIO, HTTPONLY, "False").addAttribute("onClick", "document.form.submit()");
+            r = new Input(Input.RADIO, HTTPONLY_VALUE, "False").addAttribute("onClick", "document.form.httponly.click();");
+            hidden_r = new Input(Input.SUBMIT, HTTPONLY, "False").addAttribute("style", "visibility:hidden");
         }
 
         tr.addElement(new TD(r));
+        tr.addElement(hidden_r);
 
         r = new Input(Input.HIDDEN, READ_RESULT, "");
         tr.addElement(r);

Original file line number	Diff line number	Diff line change
`@@ -61,6 +61,8 @@ public class HttpOnly extends LessonAdapter`
`61`	`61`
`62`	`62`	`private final static String HTTPONLY = "httponly";`
`63`	`63`
	`64`	`+ private final static String HTTPONLY_VALUE = "httponly_value";`
	`65`	`+`
`64`	`66`	`private final static String ACTION = "action";`
`65`	`67`
`66`	`68`	`private final static String READ = "Read Cookie";`
`@@ -239,6 +241,7 @@ private ElementContainer makeContent(WebSession s)`
`239`	`241`	`{`
`240`	`242`	`ElementContainer ec = new ElementContainer();`
`241`	`243`	`Element r = null;`
	`244`	`+ Element hidden_r = null;`
`242`	`245`	`Table t = null;`
`243`	`246`	`TR tr = null;`
`244`	`247`	`Form f = null;`
`@@ -266,11 +269,12 @@ private ElementContainer makeContent(WebSession s)`
`266`	`269`
`267`	`270`	`if (httpOnly == true)`
`268`	`271`	`{`
`269`		`- r = new Input(Input.RADIO, HTTPONLY, "True").addAttribute("Checked", "true");`
	`272`	`+ r = new Input(Input.RADIO, HTTPONLY_VALUE, "True").addAttribute("Checked", "true");`
`270`	`273`	`}`
`271`	`274`	`else`
`272`	`275`	`{`
`273`		`- r = new Input(Input.RADIO, HTTPONLY, "True").addAttribute("onClick", "document.form.submit()");`
	`276`	`+ r = new Input(Input.RADIO, HTTPONLY_VALUE, "True").addAttribute("onClick", "document.form.httponly.click();");`
	`277`	`+ hidden_r = new Input(Input.SUBMIT, HTTPONLY, "True").addAttribute("style", "visibility:hidden");`
`274`	`278`	`}`
`275`	`279`
`276`	`280`	`tr.addElement(new TD(r));`
`@@ -279,14 +283,16 @@ private ElementContainer makeContent(WebSession s)`
`279`	`283`
`280`	`284`	`if (httpOnly == false)`
`281`	`285`	`{`
`282`		`- r = new Input(Input.RADIO, HTTPONLY, "False").addAttribute("Checked", "True");`
	`286`	`+ r = new Input(Input.RADIO, HTTPONLY_VALUE, "False").addAttribute("Checked", "false");`
`283`	`287`	`}`
`284`	`288`	`else`
`285`	`289`	`{`
`286`		`- r = new Input(Input.RADIO, HTTPONLY, "False").addAttribute("onClick", "document.form.submit()");`
	`290`	`+ r = new Input(Input.RADIO, HTTPONLY_VALUE, "False").addAttribute("onClick", "document.form.httponly.click();");`
	`291`	`+ hidden_r = new Input(Input.SUBMIT, HTTPONLY, "False").addAttribute("style", "visibility:hidden");`
`287`	`292`	`}`
`288`	`293`
`289`	`294`	`tr.addElement(new TD(r));`
	`295`	`+ tr.addElement(hidden_r);`
`290`	`296`
`291`	`297`	`r = new Input(Input.HIDDEN, READ_RESULT, "");`
`292`	`298`	`tr.addElement(r);`