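 /**
  * Serve the page of one contest challenge to a logged-in, authorized user.
  *
  * The challenge is identified by the path after the controller URL; its
  * index.html is read from CONTEST_CHALLENGE_PATH and a POSTed 'submit'
  * records a flag submission.
  *
  * @param mixed $request Ignored: the path is re-read from jf::$BaseRequest
  *                       (kept for signature compatibility with the caller).
  * @return mixed Result of Present() on success; null after a redirect.
  */
 public function Handle($request)
 {
     // This gives complete request path
     $request = jf::$BaseRequest;
     if (!jf::CurrentUser()) {
         // User not logged in: go to the login page and come back here afterwards
         $this->Redirect(jf::url() . "/user/login?return=/{$request}");
         return null;
     }
     if (!jf::Check('view_contest_chal')) {
         // Logged in but not permitted to view the challenges
         $this->Redirect(SiteRoot);
         return null;
     }
     $relativePath = $this->getRelativePath($request);
     $absolutePath = CONTEST_CHALLENGE_PATH . $relativePath;
     // $relativePath comes straight from the request URL: resolve both paths and
     // refuse anything that does not stay inside the challenge directory (e.g. "../").
     $baseReal = realpath(CONTEST_CHALLENGE_PATH);
     $challengeReal = realpath($absolutePath);
     $prefix = $baseReal === false ? false : rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
     if ($prefix === false || $challengeReal === false
         || strncmp($challengeReal, $prefix, strlen($prefix)) !== 0) {
         $this->Redirect(SiteRoot);
         return null;
     }
     $challengeName = $relativePath;
     // FIXME: ONLY FOR TESTING, NOT ALWAYS TRUE (the path is used as the challenge name)
     $challengeDetails = \webgoat\ContestChallenges::getByName($challengeName);
     if (empty($challengeDetails) || !isset($challengeDetails[0]['ChallengeName'])) {
         // No such challenge in the database: nothing to present
         $this->Redirect(SiteRoot);
         return null;
     }
     $this->ChallengeName = $challengeDetails[0]['ChallengeName'];
     $fileContents = file_get_contents($challengeReal . "/index.html");
     if ($fileContents === false) {
         // Challenge directory exists but has no readable index.html
         $this->Redirect(SiteRoot);
         return null;
     }
     $this->Content = $fileContents;
     if (isset($_POST['submit'])) {
         $this->addSubmission($challengeName);
     }
     return $this->Present();
 }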
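 /**
  * Contest landing page.
  *
  * Shows the time remaining while the active contest has not started yet,
  * otherwise the list of its challenges; sets $this->Error when there is no
  * active contest or it has no challenges.
  *
  * @return mixed Result of Present(); null after a redirect.
  */
 public function Start()
 {
     $request = jf::$BaseRequest;
     if (!jf::CurrentUser()) {
         // User is not logged in
         $this->Redirect(jf::url() . "/user/login?return=/{$request}");
         return null;
     }
     if (!jf::Check("view_contest_chal")) {
         // User is logged in but not authorized
         $this->Redirect(SiteRoot);
         return null;
     }
     $activeContest = \webgoat\ContestDetails::getActive();
     if ($activeContest === null) {
         $this->Error = "Currently there is no active contest. Check back later!!";
         return $this->Present();
     }
     $this->ContestName = $activeContest[0]['ContestName'];
     $startTime = $activeContest[0]['StartTimestamp'];
     $currentTime = time();
     if ($currentTime < $startTime) {
         // Contest has not started yet: show the countdown
         $this->TimeRemaining = $startTime - $currentTime;
         return $this->Present();
     }
     // Called without an ID here while the admin dashboard passes one;
     // presumably defaults to the active contest — confirm against the model.
     $challenges = \webgoat\ContestChallenges::getByContestID();
     // The model helpers return null when nothing is found; treat null and an
     // empty array alike so count() is never applied to a non-array.
     if (empty($challenges)) {
         $this->Error = "Currently there are no challenges in this contest";
     } else {
         $this->Challenges = $challenges;
     }
     return $this->Present();
 }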
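 /**
  * JSON endpoint that deletes a user and its role association.
  *
  * Expects POST 'username'. Always writes exactly one JSON object with
  * 'status' and 'message' keys and returns true.
  *
  * @return bool Always true once the response has been written.
  */
 public function Start()
 {
     // The caller must be logged in and hold the permission for this endpoint
     if (!jf::CurrentUser() || !jf::Check(self::PERMISSION_NAME)) {
         echo json_encode(array('status' => false, 'message' => self::UNAUTHORIZED_MESSAGE));
         return true;
     }
     // Request bodies can carry arrays (username[]=x): accept only a non-empty
     // string so the user lookups below never see another type.
     $username = isset($_POST['username']) ? $_POST['username'] : null;
     if (!is_string($username) || $username === '') {
         echo json_encode(array('status' => false, 'message' => self::PARAMETER_MISSING_MESSAGE));
         return true;
     }
     if (!jf::$User->UserExists($username)) {
         // User does not exist. Error!
         echo json_encode(array('status' => false, 'message' => self::USER_NOT_EXISTS_MESSAGE));
         return true;
     }
     // First remove the user role association, then delete the user
     $userId = jf::$User->UserID($username);
     $roleId = jf::$RBAC->Roles->TitleId(self::ROLE_NAME);
     jf::$RBAC->Users->Unassign($roleId, $userId);
     jf::$User->DeleteUser($username);
     echo json_encode(array('status' => true, 'message' => self::SUCCESS_MESSAGE));
     return true;
 }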
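 /**
  * JSON endpoint that creates a user and assigns it the role self::ROLE_NAME.
  *
  * Expects POST 'username' and 'password'. Always writes exactly one JSON
  * object with 'status' and 'message' keys ('id' as well on success) and
  * returns true.
  *
  * @return bool Always true once the response has been written.
  */
 public function Start()
 {
     if (!jf::CurrentUser() || !jf::Check(self::PERMISSION_NAME)) {
         // User is not authorized
         echo json_encode(array('status' => false, 'message' => self::UNAUTHORIZED_MESSAGE));
         return true;
     }
     $username = isset($_POST['username']) ? $_POST['username'] : null;
     $password = isset($_POST['password']) ? $_POST['password'] : null;
     // Request bodies can carry arrays (username[]=x): accept only non-empty
     // strings so CreateUser() never sees another type. Unlike empty(), this
     // check also accepts the literal value "0".
     if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
         // Required parameters are missing
         echo json_encode(array('status' => false, 'message' => self::PARAMETER_MISSING_MESSAGE));
         return true;
     }
     if (jf::$User->UserExists($username)) {
         // User already exists
         echo json_encode(array('status' => false, 'message' => self::USER_EXISTS_MESSAGE));
         return true;
     }
     // Everything OK. Create the user, then assign the role to it
     $userId = jf::$User->CreateUser($username, $password);
     $roleId = jf::$RBAC->Roles->TitleId(self::ROLE_NAME);
     jf::$RBAC->Users->Assign($roleId, $userId);
     echo json_encode(array('status' => true, 'message' => self::SUCCESS_MESSAGE, 'id' => $userId));
     return true;
 }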
 /**
  * Test to check permissions of users
  *
  * The 'guest' account must hold exactly one of the listed permissions:
  * viewing single-mode challenges.
  */
 public function testUserPermissions()
 {
     // Store id of the user
     $userId = jf::$User->UserID('guest');
     // permission title => result expected from jf::Check() for the guest user
     $expected = array(
         'view_single_chal' => true,
         'view_workshop_chal' => false,
         'view_contest_chal' => false,
         'edit_contest_chal' => false,
         'add_workshop_users' => false,
     );
     foreach ($expected as $permission => $granted) {
         $this->assertSame($granted, jf::Check($permission, $userId), $permission);
     }
 }
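 /**
  * JSON endpoint that adds a challenge to the active contest.
  *
  * Expects POST 'challenge', 'name', 'points' and 'flag'. The flag is stored
  * as its md5 digest (the submission check elsewhere compares against it).
  * Every outcome now writes a JSON object with a 'status' key; previously the
  * unauthorized and missing-parameter cases produced no response at all.
  *
  * @return bool Always true once the response has been written.
  */
 public function Start()
 {
     if (!jf::CurrentUser() || !jf::Check("contest")) {
         echo json_encode(array('status' => false, 'message' => 'Unauthorized'));
         return true;
     }
     // Each field must be present and a plain string (form bodies can carry arrays)
     foreach (array('challenge', 'name', 'points', 'flag') as $field) {
         if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
             echo json_encode(array('status' => false, 'message' => 'Required parameters are missing'));
             return true;
         }
     }
     $activeContest = \webgoat\ContestDetails::getActive();
     if ($activeContest === null || !isset($activeContest[0]['ID'])) {
         echo json_encode(array('status' => false, 'message' => 'No active contest'));
         return true;
     }
     // NOTE(review): md5 is a fast, unsalted digest. The stored value is read by
     // the flag comparison elsewhere, so moving to a keyed or slow hash has to be
     // done in both places at once.
     $hashedFlag = md5($_POST['flag']);
     $data = array(
         'ContestID' => $activeContest[0]['ID'],
         'ChallengeName' => $_POST['challenge'],
         'NameToDisplay' => $_POST['name'],
         'Points' => $_POST['points'],
         'CorrectFlag' => $hashedFlag,
     );
     \webgoat\ContestChallenges::add($data);
     echo json_encode(array('status' => true, 'message' => 'Challenge successfully added'));
     return true;
 }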
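 /**
  * Starting point of the lesson
  *
  * Loads the lesson hints and content and, when a user/resource pair was
  * posted, appends the outcome of the access check for that pair to the page.
  * The lesson is marked completed when 'account_manager' is granted to a user
  * other than Mark.
  */
 public function start()
 {
     $this->hints = array('Many sites attempt to restrict access to resources by role', 'Developers frequently make mistakes implementing this scheme', 'Attempt combinations of users, roles, and resources');
     $this->htmlContent .= file_get_contents(__DIR__ . "/content.html");
     if (!isset($_POST['user'])) {
         return;
     }
     $requestedUser = $_POST['user'];
     // 'resource' may be absent from the form post; default to an empty name
     $resource = isset($_POST['resource']) ? $_POST['resource'] : '';
     $userId = $this->getUserId($requestedUser);
     $userRoles = \jf::$RBAC->Users->AllRoles($userId);
     $userRoleTitle = isset($userRoles[0]['Title']) ? $userRoles[0]['Title'] : '';
     // The posted values are reflected into the page: escape them for the HTML context
     $safeUser = htmlspecialchars((string) $requestedUser, ENT_QUOTES, 'UTF-8');
     $safeRole = htmlspecialchars((string) $userRoleTitle, ENT_QUOTES, 'UTF-8');
     $safeResource = htmlspecialchars((string) $resource, ENT_QUOTES, 'UTF-8');
     $string = "<h4>User {$safeUser} [{$safeRole}] requested Resource {$safeResource} : ";
     if (\jf::Check($resource, $userId)) {
         $string .= "<span class='text-success'>Access Granted</span></h4>";
         if ($resource === "account_manager" && $userId != $this->getUserId("Mark")) {
             $this->setCompleted(true);
         }
     } else {
         $string .= "<span class='text-danger'>Access Denied</span></h4>";
     }
     $this->htmlContent .= $string;
 }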
 /**
  * Contest admin dashboard.
  *
  * Stores a newly posted contest first, then either summarises the active
  * contest (name, start/end, user and challenge counts, challenge list) or
  * flags that none is active so the page offers to start one.
  *
  * @return mixed Result of Present(); null after a redirect.
  */
 public function Start()
 {
     if (!jf::CurrentUser()) {
         // Not authenticated: login page, returning here afterwards
         $this->Redirect(jf::url() . "/user/login?return=/" . jf::$BaseRequest);
         return;
     }
     if (!jf::Check("contest")) {
         // Authenticated but not authorized: home page
         $this->Redirect(SiteRoot);
         return;
     }
     if (isset($_POST['contest_submit'])) {
         // Request to store the contest in the database
         $this->addContest();
     }
     if (!\webgoat\ContestDetails::isActivePresent()) {
         // Show the option to start a contest
         $this->noActiveContest = true;
         return $this->Present();
     }
     $details = \webgoat\ContestDetails::getActive();
     $active = $details[0];
     $challenges = \webgoat\ContestChallenges::getByContestID($active['ID']);
     $users = \webgoat\ContestUsers::getAll();
     $dateFormat = "d/m/Y h:i:s A";
     $this->ContestName = $active['ContestName'];
     $this->ContestStart = date($dateFormat, $active['StartTimestamp']);
     $this->ContestEnd = date($dateFormat, $active['EndTimestamp']);
     $this->UserCount = count($users);
     $this->ChallengeCount = count($challenges);
     $this->Challenges = $challenges;
     $this->insertNewChallenges();
     return $this->Present();
 }
<?php

// Three literals written one after the other; the comments between them are
// ordinary line comments and do not end PHP mode.
echo 'asdf';
//comment? >
echo 'qwer';
// echo
echo 'zxcv';
?>

<html>asdf</html>

<div class="container">
    <?php 
// The dashboard link is emitted only for users holding the 'workshop' permission
if (jf::Check("workshop")) {
    ?>
        <li><a href="asdf">Dashboard</a></li>
    <?php 
}
?>
</div>

<p>
<?php 
switch ($a) {
    case 1:
        // without semicolon
        ?>
        <br>
    <?php 
        break;
        ?>
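 /**
  * Workshop admin dashboard.
  *
  * Two AJAX actions answer with JSON and return early: POST 'hide' adds a
  * lesson to the "hiddenWorkshopLessons" setting, POST 'show' removes it.
  * Otherwise the overview counters, the per-lesson completion report and the
  * per-category analytics rows are computed and the page is presented.
  *
  * @return mixed true after a JSON answer; the result of Present() otherwise;
  *               null after a redirect.
  */
 public function Start()
 {
     if (!jf::CurrentUser()) {
         // User not authenticated
         $this->Redirect(jf::url() . "/user/login?return=/" . jf::$BaseRequest);
         return null;
     }
     if (!jf::Check('workshop')) {
         // User not authorized: home page instead of login page
         $this->Redirect(SiteRoot);
         return null;
     }
     // The setting is absent (null) until the first lesson is hidden; normalise
     // to an array so count()/in_array() below never see null.
     $hiddenLessons = jf::LoadGeneralSetting("hiddenWorkshopLessons");
     if (!is_array($hiddenLessons)) {
         $hiddenLessons = array();
     }
     // Request to hide a lesson
     if (isset($_POST['hide'])) {
         // Store each name once: duplicates would skew totalVisibleLessons
         if (is_string($_POST['hide']) && !in_array($_POST['hide'], $hiddenLessons, true)) {
             $hiddenLessons[] = $_POST['hide'];
         }
         jf::SaveGeneralSetting("hiddenWorkshopLessons", $hiddenLessons);
         echo json_encode(array('status' => true));
         return true;
     }
     // Request to show a lesson again
     if (isset($_POST['show'])) {
         $position = array_search($_POST['show'], $hiddenLessons, true);
         if ($position !== false) {
             unset($hiddenLessons[$position]);
             // Reindex so the stored value stays a list
             $hiddenLessons = array_values($hiddenLessons);
         }
         jf::SaveGeneralSetting("hiddenWorkshopLessons", $hiddenLessons);
         echo json_encode(array('status' => true));
         return true;
     }
     // Get the list of all the lessons/categories (category => list of lessons,
     // each lesson an array whose index 0 is its name)
     $allCategoryLesson = jf::LoadGeneralSetting("categoryLessons");
     if (!is_array($allCategoryLesson)) {
         // Not scanned yet: keep the counters at zero instead of failing in count()
         $allCategoryLesson = array();
     }
     $this->allCategoryLesson = $allCategoryLesson;
     $this->hiddenLessons = $hiddenLessons;
     // Overview section: user and lesson counts
     $obj = new \webgoat\WorkshopUsers();
     $workshopUsers = $obj->getAll();
     if ($workshopUsers === null) {
         // getAll() returns null when no users are present
         $workshopUsers = array();
     }
     $this->totalUsers = count($workshopUsers);
     $this->totalCategories = count($allCategoryLesson);
     $lessonCount = 0;
     foreach ($allCategoryLesson as $lessons) {
         $lessonCount += count($lessons);
     }
     $this->totalLessons = $lessonCount;
     $this->totalVisibleLessons = $lessonCount - count($hiddenLessons);
     // Reports section: for each lesson, the users who have completed it.
     // Completion is a per-user setting keyed by the namespaced lesson name.
     $lessonPrefix = "completed_webgoat\\";
     $lessonsCompletedBy = array();
     foreach ($allCategoryLesson as $lessons) {
         foreach ($lessons as $lesson) {
             $lessonName = $lesson[0];
             $lessonsCompletedBy[$lessonName] = array();
             foreach ($workshopUsers as $user) {
                 if (jf::LoadUserSetting($lessonPrefix . $lessonName, $user['ID'])) {
                     $lessonsCompletedBy[$lessonName][] = $user['Username'];
                 }
             }
         }
     }
     $this->reports = $lessonsCompletedBy;
     // Analytics section: one row per category, the first row being the heading
     $noOfLessonsInCategories = array(array('Category', 'No of Lessons'));
     foreach ($allCategoryLesson as $category => $lessons) {
         $noOfLessonsInCategories[] = array($category, count($lessons));
     }
     $this->analytics = $noOfLessonsInCategories;
     return $this->Present();
 }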
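 /**
  * Front controller of the single-lesson mode.
  *
  * Routes the part of the request after the controller URL:
  *  - "<Lesson>/static/…" serves a file from the lesson directory,
  *  - "<Lesson>/reset/…" resets the lesson state and answers JSON,
  *  - anything else starts the lesson and presents it together with its
  *    source code.
  *
  * The first path segment is used as a class name under the \webgoat
  * namespace, so it is restricted to a plain identifier before use; static
  * files are served only when they resolve inside LESSON_PATH.
  *
  * @param mixed $request Ignored: the path is re-read from jf::$BaseRequest
  *                       (kept for signature compatibility with the caller).
  * @return mixed Result of Present() or DownloadManager::Feed(); true after a
  *               JSON answer; null after a redirect or for an unservable file.
  */
 public function Handle($request)
 {
     // This gives complete request path
     $request = jf::$BaseRequest;
     //FIXME: Fix JCatchControl so that this is not required
     if (!jf::CurrentUser()) {
         // User not logged in
         $this->Redirect(jf::url() . "/user/login?return=/{$request}");
         return null;
     }
     if (!jf::Check('view_single_chal')) {
         // Not sufficient permissions, redirect to home page of the application
         $this->Redirect(SiteRoot);
         return null;
     }
     // Extract the relative request path, i.e. the path after the controller URL.
     // Ex: request mode/single/challenges/HTTPBasics/static/test
     //     -> $relativePath HTTPBasics/static/test
     $relativePath = $this->getRelativePath($request);
     $absolutePath = LESSON_PATH . $relativePath;
     if (strpos($relativePath, "/static/") !== false) {
         // $relativePath is request-controlled: serve the file only when its
         // resolved location stays inside the lesson directory ("../" is rejected).
         $lessonRoot = realpath(LESSON_PATH);
         $fileReal = realpath($absolutePath);
         $prefix = $lessonRoot === false ? false : rtrim($lessonRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
         if ($prefix !== false && $fileReal !== false && is_file($fileReal)
             && strncmp($fileReal, $prefix, strlen($prefix)) === 0) {
             $FileMan = new \jf\DownloadManager();
             return $FileMan->Feed($fileReal);
         }
         return null;
     }
     // stristr() returns false when the path has no "/" (no lesson selected)
     $nameOfLesson = stristr($relativePath, "/", true);
     $lessonNameIsValid = is_string($nameOfLesson) && preg_match('/^[A-Za-z0-9_]+$/', $nameOfLesson) === 1;
     \webgoat\LessonScanner::loadClasses();
     if (strpos($relativePath, "reset/") !== false) {
         if (!$lessonNameIsValid) {
             echo json_encode(array("status" => false));
             return true;
         }
         $lessonNameWithNS = "\\webgoat\\" . $nameOfLesson;
         $obj = new $lessonNameWithNS();
         $obj->reset();
         echo json_encode(array("status" => true));
         return true;
     }
     if (isset($_GET['refresh']) || !jf::LoadGeneralSetting("categoryLessons")) {
         \webgoat\LessonScanner::run();
     }
     $this->allCategoryLesson = jf::LoadGeneralSetting("categoryLessons");
     if (!$lessonNameIsValid) {
         // No (or a malformed) lesson segment: present the lesson list only
         $this->error = "Lesson Not found. Please select a lesson.";
     } else {
         // NOTE(review): if this file is namespaced and has no `use Exception`,
         // the catch below matches nothing — confirm which class it resolves to.
         try {
             $lessonObj = \webgoat\LessonScanner::getLessonObject($nameOfLesson);
             $lessonObj->start();
             $this->lessonTitle = $lessonObj->getTitle();
             $this->hints = $lessonObj->getHints();
             $this->htmlContent = $lessonObj->getContent();
             $this->nameOfLesson = $nameOfLesson;
             $lessonSource = $absolutePath . "index.php";
             $secureCoding = $lessonObj->isSecureCodingAllowed();
             if ($secureCoding['status'] === true) {
                 // Show only the line range the lesson marks as its "secure coding" part
                 $sourceLines = file($lessonSource);
                 if ($sourceLines !== false && isset($sourceLines[$secureCoding['start']])) {
                     $firstLine = $sourceLines[$secureCoding['start']];
                     $this->indentSize = strlen($firstLine) - strlen(ltrim($firstLine));
                     $sourceCodeToDisplay = "";
                     for ($i = $secureCoding['start']; $i < $secureCoding['end']; $i++) {
                         if (!isset($sourceLines[$i])) {
                             break;
                         }
                         $sourceCodeToDisplay .= $this->removeWhitespaces($sourceLines[$i]) . "\n";
                     }
                     $this->sourceCode = $sourceCodeToDisplay;
                 }
             }
             // To show complete PHP Code
             $sourceCode = file_get_contents($lessonSource);
             $this->completeSourceCode = htmlentities($sourceCode === false ? "" : $sourceCode);
             if (isset($_POST['sourceCode'])) {
                 // Code to handle source code evaluation
             }
         } catch (Exception $e) {
             $this->error = $e->getMessage();
         }
     }
     // Disable XSS protection (kept as-is; presumably needed by lessons that
     // reflect input on purpose — confirm before changing)
     header("X-XSS-Protection: 0");
     return $this->Present();
 }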
        </button>
        <div class="collapse navbar-collapse navHeaderCollapse">
            <ul class="nav navbar-nav navbar-right">
                <li><a href="<?php 
// NOTE(review): written into an href attribute unescaped — fine if jf::url()
// is configuration-derived; confirm it is not built from request headers.
echo jf::url();
?>
">Home</a></li>
                <li><a href="<?php 
echo jf::url() . '/about';
?>
">About</a></li>
                <li><a href="#">Rules</a></li>
                <li><a href="#">Leaderboard</a></li>
                <li><a href="#contact" data-toggle="modal">Contact</a></li>
                <?php 
// The dashboard link is emitted only for users holding the 'contest' permission
if (jf::Check("contest")) {
    ?>
                    <li><a href="<?php 
    echo CONTEST_ADMIN_URL;
    ?>
">Dashboard</a></li>
                <?php 
}
?>
                <li><a href="<?php 
echo jf::url() . '/user/logout';
?>
">Logout</a></li>
            </ul>
        </div>
    </div>