 public function Start()
 {
     // Creates the account named in POST 'username' with POST 'password' and
     // binds it to ROLE_NAME. Requires an authenticated caller holding
     // PERMISSION_NAME. Every outcome is reported as one JSON object and the
     // method always returns true.
     if (!jf::CurrentUser() || !jf::Check(self::PERMISSION_NAME)) {
         // Not authenticated, or authenticated without the required permission.
         echo json_encode(array('status' => false, 'message' => self::UNAUTHORIZED_MESSAGE));
         return true;
     }
     if (!isset($_POST['username']) || !isset($_POST['password'])) {
         echo json_encode(array('status' => false, 'message' => self::PARAMETER_MISSING_MESSAGE));
         return true;
     }
     $newUsername = $_POST['username'];
     $newPassword = $_POST['password'];
     // empty() also treats the string "0" as missing; kept as the original did.
     if (empty($newUsername) || empty($newPassword)) {
         echo json_encode(array('status' => false, 'message' => self::PARAMETER_MISSING_MESSAGE));
         return true;
     }
     if (jf::$User->UserExists($newUsername)) {
         echo json_encode(array('status' => false, 'message' => self::USER_EXISTS_MESSAGE));
         return true;
     }
     // Create the account, then attach the role this controller manages.
     $createdId = jf::$User->CreateUser($newUsername, $newPassword);
     $roleId = jf::$RBAC->Roles->TitleId(self::ROLE_NAME);
     jf::$RBAC->Users->Assign($roleId, $createdId);
     echo json_encode(array('status' => true, 'message' => self::SUCCESS_MESSAGE, 'id' => $createdId));
     return true;
 }
 public function Start()
 {
     // Login controller. A visitor who is already authenticated, or whose
     // posted credentials jf::Login() accepts, is sent to SiteRoot plus the
     // optional 'return' query path; everyone else gets the login view.
     // NOTE(review): 'return' is used as posted; confirm the SiteRoot prefix
     // is enough to keep the redirect on this site.
     $returnPath = isset($_GET["return"]) ? $_GET["return"] : "";
     if (jf::CurrentUser()) {
         // Site root does not contain trailing '/'
         $this->Redirect(SiteRoot . $returnPath);
     }
     // TODO: Implement a secure 'Remember Me'
     if (isset($_POST["Username"]) && isset($_POST['Password'])) {
         $this->Result = jf::Login($_POST['Username'], $_POST['Password']);
     }
     $loginSucceeded = isset($this->Result) && $this->Result;
     if ($loginSucceeded) {
         $this->Redirect(SiteRoot . $returnPath);
     }
     return $this->Present();
 }
 public function Start()
 {
     // Deletes the user named in POST 'username' after detaching it from
     // ROLE_NAME. Requires an authenticated caller holding PERMISSION_NAME.
     // Every outcome is reported as JSON; the method always returns true.
     $authorized = jf::CurrentUser() && jf::Check(self::PERMISSION_NAME);
     if (!$authorized) {
         echo json_encode(array('status' => false, 'message' => self::UNAUTHORIZED_MESSAGE));
         return true;
     }
     if (!isset($_POST['username'])) {
         echo json_encode(array('status' => false, 'message' => self::PARAMETER_MISSING_MESSAGE));
         return true;
     }
     $target = $_POST['username'];
     if (!jf::$User->UserExists($target)) {
         echo json_encode(array('status' => false, 'message' => self::USER_NOT_EXISTS_MESSAGE));
         return true;
     }
     // Role association goes first, then the account itself.
     $targetId = jf::$User->UserID($target);
     $roleId = jf::$RBAC->Roles->TitleId(self::ROLE_NAME);
     jf::$RBAC->Users->Unassign($roleId, $targetId);
     jf::$User->DeleteUser($target);
     echo json_encode(array('status' => true, 'message' => self::SUCCESS_MESSAGE));
     return true;
 }
 public function Start()
 {
     // Contest page for participants. Anonymous visitors are redirected to the
     // login page with the current request as 'return'; authenticated visitors
     // without 'view_contest_chal' go to SiteRoot. Nothing is returned in those
     // two cases. Otherwise the view is rendered with the time left until the
     // active contest starts, with its challenges, or with an error text.
     $request = jf::$BaseRequest;
     if (!jf::CurrentUser()) {
         $this->Redirect(jf::url() . "/user/login?return=/{$request}");
         return;
     }
     if (!jf::Check("view_contest_chal")) {
         $this->Redirect(SiteRoot);
         return;
     }
     $activeContest = \webgoat\ContestDetails::getActive();
     if ($activeContest === null) {
         $this->Error = "Currently there is no active contest. Check back later!!";
         return $this->Present();
     }
     $this->ContestName = $activeContest[0]['ContestName'];
     $startTime = $activeContest[0]['StartTimestamp'];
     $now = time();
     if ($now < $startTime) {
         // Not started yet: the view gets a countdown value.
         $this->TimeRemaining = $startTime - $now;
         return $this->Present();
     }
     // NOTE(review): called without a contest ID here, while another caller on
     // this page passes the active contest's ID — confirm the default is intended.
     $challenges = \webgoat\ContestChallenges::getByContestID();
     if (count($challenges) === 0) {
         $this->Error = "Currently there are no challenges in this contest";
     } else {
         $this->Challenges = $challenges;
     }
     return $this->Present();
 }
 function Insert()
 {
     // Records one page hit in the stats table and returns whatever jf::SQL()
     // returns for the insert. Skipped entirely (returns false) when running
     // from the command line. Every request-derived value is bound as a
     // parameter; nothing from the request is interpolated into the statement.
     if (jf::$RunMode->IsCLI()) {
         return false;
     }
     $columns = "UserID,SessionID,Timestamp,Page,Query,IP,Host,Protocol,UserAgent";
     $statement = "INSERT INTO {$this->TablePrefix()}stats ({$columns}) VALUES\n\t\t\t(?,?,?,?,?,?,?,?,?)";
     // Anonymous visitors are recorded as UserID 0.
     $visitor = jf::CurrentUser() ?: 0;
     return jf::SQL(
         $statement,
         $visitor,
         jf::$Session->SessionID(),
         jf::time(),
         HttpRequest::URI(),
         HttpRequest::QueryString(),
         HttpRequest::IP(),
         HttpRequest::Host(),
         HttpRequest::Protocol(),
         HttpRequest::UserAgent()
     );
 }
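 function Start()
 {
     // Logout controller: keeps the name of the user being signed out for the
     // view, ends the session, clears the remember-me cookie and chooses the
     // page the view should send the visitor to next.
     $this->Username = jf::$XUser->Username();
     jf::$XUser->Logout(jf::CurrentUser());
     // PHP treats an empty cookie value as a request to remove the cookie from
     // the browser. The original passed null for both value and expiry, which
     // is a deprecation on PHP 8.1+ (null to a non-nullable parameter); the
     // values null was being coerced to are passed explicitly instead.
     setcookie("jframework_rememberme", "", 0);
     // NOTE(review): this clears the browser side only. The "rememberme_<token>"
     // general setting that the login flow saves is not invalidated here, so a
     // previously captured token stays usable until that setting expires —
     // confirm that is acceptable.
     if (isset($_GET["return"])) {
         // NOTE(review): taken from the query string unvalidated; confirm the
         // view constrains where this may point before following it.
         $this->Return = $_GET["return"];
     } else {
         $this->Return = "./login";
     }
     return $this->Present();
 }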
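 function Start()
 {
     // Login controller. A visitor can be signed in by a remember-me cookie
     // (forced login), by posted credentials, or not at all (the form is just
     // rendered). After a successful login an optional local 'return' path is
     // followed; otherwise $this->Error / $this->Success drive the view.
     $this->Username = jf::$XUser->Username();
     $Logged = false;
     if (isset($_COOKIE["jframework_rememberme"])) {
         // The cookie carries the raw token; "rememberme_<token>" is the
         // general-setting key that maps it back to a user ID.
         // NOTE(review): the token is stored verbatim as that key, so a leak of
         // the settings store exposes every live remember-me session; storing
         // a hash of the token instead would close that.
         $rememberMeToken = $_COOKIE["jframework_rememberme"];
         $userID = jf::LoadGeneralSetting("rememberme_" . $rememberMeToken);
         if ($userID > 0) {
             jf::$XUser->ForceLogin($userID);
             $Logged = true;
         }
     }
     // Fix: 'Password' was read whenever 'Username' was posted, which raised an
     // undefined-index notice on a partial post; both fields are now required.
     if (isset($_POST["Username"]) && isset($_POST['Password'])) {
         $Username = $_POST['Username'];
         $Password = $_POST['Password'];
         $loginResult = jf::$XUser->Login($Username, $Password);
         if ($loginResult == false) {
             $UserID = jf::$XUser->UserID($Username);
             $res = jf::$XUser->LastError;
             // Fix: $ErrorString stayed undefined for an error code matched by
             // none of the branches below.
             $ErrorString = "";
             if ($res == \jf\ExtendedUserErrors::Inactive) {
                 $ErrorString = "Your account is not activated.";
             } elseif ($res == \jf\ExtendedUserErrors::InvalidCredentials || $res == \jf\ExtendedUserErrors::NotFound) {
                 // One message for both codes, so the response does not tell
                 // whether the username exists.
                 $ErrorString = "Invalid Credentials.";
             } elseif ($res == \jf\ExtendedUserErrors::Locked) {
                 $ErrorString = "Your account is locked. Try again in " . floor(jf::$XUser->LockTime($Username) / 60) . " minute(s).";
             } elseif ($res == \jf\ExtendedUserErrors::PasswordExpired) {
                 $Link = "./reset?user=" . rawurlencode($UserID);
                 $ErrorString = "Your password is expired. You should <a href='" . htmlspecialchars($Link, ENT_QUOTES) . "'>change your password</a>.";
             } elseif ($res == \jf\ExtendedUserErrors::TemporaryValidPassword) {
                 // Fix: the query values are URL-encoded (a temporary password
                 // containing '&', '#' or a quote broke the link) and the href
                 // is attribute-escaped.
                 // NOTE(review): the temporary password still travels in a URL,
                 // and so into browser history and Referer headers; carrying it
                 // in the session would avoid that. Left in place because the
                 // reset page this links to is not visible here.
                 $Link = "./reset?user=" . rawurlencode($UserID) . "&temp=" . rawurlencode($Password);
                 $ErrorString = "This is a temporary password. You should <a href='" . htmlspecialchars($Link, ENT_QUOTES) . "'>reset your password</a> now.";
             }
             $Logged = false;
             $this->Error = $ErrorString;
         } else {
             $Logged = true;
             if (isset($_POST['Remember'])) {
                 // 30 days, for both the stored mapping and the cookie.
                 $timeout = 60 * 60 * 24 * 30;
                 $rememberMeToken = jf::$Security->RandomToken();
                 jf::SaveGeneralSetting("rememberme_" . $rememberMeToken, jf::CurrentUser(), $timeout);
                 // Fix: HttpOnly keeps the token out of reach of page scripts.
                 // Path and domain stay at their defaults so the logout
                 // handler's removal of the cookie still matches. The Secure
                 // flag is left off because nothing here tells whether the site
                 // is served over HTTPS only.
                 setcookie('jframework_rememberme', $rememberMeToken, jf::time() + $timeout, "", "", false, true);
             }
         }
     }
     if ($Logged) {
         // Fix: the original redirected to any 'return' value, which let a
         // crafted login link hand the user to another site after sign-in.
         if (isset($_GET['return']) && $this->isLocalReturnTarget($_GET['return'])) {
             $this->Redirect($_GET['return']);
         }
         $this->Success = true;
     }
     return $this->Present();
 }

 /**
  * True when $target is a same-site path: a string with no scheme and no
  * host, not starting with a backslash, and not the "/\host" form browsers
  * read as scheme-relative. Keeps the post-login 'return' redirect on this
  * application.
  *
  * @param mixed $target raw query value
  * @return bool
  */
 private function isLocalReturnTarget($target)
 {
     if (!is_string($target) || $target === "") {
         return false;
     }
     $parts = parse_url($target);
     if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
         return false;
     }
     return $target[0] !== "\\" && substr($target, 0, 2) !== "/\\";
 }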
 public function Start()
 {
     // Logout endpoint: ends the session of a logged-in visitor (no-op for an
     // anonymous one) and redirects to SiteRoot followed by the optional
     // 'return' query path. Nothing is returned.
     if (jf::CurrentUser()) {
         jf::Logout();
     }
     // NOTE(review): 'return' is appended as posted; confirm the SiteRoot
     // prefix is enough to keep the redirect on this site.
     $suffix = isset($_GET["return"]) ? $_GET["return"] : "";
     $this->Redirect(SiteRoot . $suffix);
 }
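 public function Start()
 {
     // Adds a challenge to the active contest. Emits JSON and returns true only
     // on the fully successful path; every other path (anonymous caller, no
     // 'contest' permission, incomplete form, no active contest) produces no
     // output and returns null, as the original did.
     if (!jf::CurrentUser() || !jf::Check("contest")) {
         return;
     }
     foreach (array('challenge', 'name', 'points', 'flag') as $field) {
         if (!isset($_POST[$field])) {
             return;
         }
     }
     $activeContest = \webgoat\ContestDetails::getActive();
     // Fix: getActive() can yield null (other callers on this page check for
     // it), which made the [0]['ID'] access below fail; treated like any other
     // unmet precondition.
     if ($activeContest === null || !isset($activeContest[0]['ID'])) {
         return;
     }
     // The flag is stored as an md5 digest; the evaluation side presumably
     // hashes submissions the same way, so this cannot change on its own.
     // NOTE(review): md5 is a fast, unsalted hash — adequate to obscure a
     // contest answer, not to protect a secret.
     $hashedFlag = md5($_POST['flag']);
     $data = array(
         'ContestID' => $activeContest[0]['ID'],
         'ChallengeName' => $_POST['challenge'],
         'NameToDisplay' => $_POST['name'],
         // NOTE(review): stored as posted; no numeric validation happens here.
         'Points' => $_POST['points'],
         'CorrectFlag' => $hashedFlag,
     );
     \webgoat\ContestChallenges::add($data);
     echo json_encode(array('status' => true, 'message' => 'Challenge successfully added'));
     return true;
 }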
 private function addSubmission($challenge)
 {
     // Records one flag submission by the current user for the named
     // challenge, bumps the challenge's attempt counter, and sets
     // $this->Submission to 1 (correct; completed counter bumped too) or 0.
     // NOTE(review): $_POST['flag'] is read without isset(), and
     // $challengeDetails[0] is assumed to exist — confirm the caller
     // guarantees both.
     $challengeDetails = \webgoat\ContestChallenges::getByName($challenge);
     $challengeID = $challengeDetails[0]['ID'];
     $submittedFlag = $_POST['flag'];
     $record = array(
         'UserID' => jf::CurrentUser(),
         'ChallengeID' => $challengeID,
         'Flag' => $submittedFlag,
         'IP' => \jf\HttpRequest::IP(),
         'timestamp' => time(),
     );
     \webgoat\ContestSubmissions::add($record);
     \webgoat\ContestChallenges::incrementTotalAttempts($challenge);
     $correct = \webgoat\ContestSubmissions::evaluate($challengeID, $submittedFlag);
     $this->Submission = $correct ? 1 : 0;
     if ($correct) {
         \webgoat\ContestChallenges::incrementCompletedCount($challenge);
     }
 }
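 public function Start()
 {
     // Password change for the logged-in user. Emits one JSON object and
     // always returns true. The old password is verified by re-running the
     // login with it before EditUser() stores the new one.
     if (!jf::CurrentUser()) {
         echo json_encode(array('status' => false, 'error' => 'You are not authorized for this action'));
         return true;
     }
     $userName = jf::$XUser->Username();
     // Fix: missing form fields raised undefined-index notices; they now read
     // as empty strings, which fail the old-password check below.
     $oldPass = isset($_POST['old_password']) ? $_POST['old_password'] : '';
     $newPass = isset($_POST['new_password']) ? $_POST['new_password'] : '';
     $cnfNewPass = isset($_POST['cnew_password']) ? $_POST['cnew_password'] : '';
     // Fix: the original used !=, under which numeric-looking strings compare
     // by value ("1e3" == "1000"), so a mistyped confirmation could pass.
     if ($newPass !== $cnfNewPass) {
         echo json_encode(array('status' => false, 'error' => 'Password and Confirm Password do not match'));
     } elseif (!jf::Login($userName, $oldPass)) {
         // NOTE(review): a failed verification here is a failed login attempt
         // against the account, so any lockout logic in jf::Login() applies.
         echo json_encode(array('status' => false, 'error' => 'Old Password is incorrect'));
     } else {
         // NOTE(review): an empty new password is not rejected here — confirm
         // EditUser() enforces a policy.
         jf::$User->EditUser($userName, $userName, $newPass);
         echo json_encode(array('status' => true, 'message' => 'Password successfully updated'));
     }
     return true;
 }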
 public function Start()
 {
     // Contest admin page. Anonymous visitors are sent to the login page,
     // authenticated visitors without the 'contest' permission to SiteRoot
     // (nothing returned in either case). Otherwise an optional posted contest
     // is stored first, then the view is rendered with the active contest's
     // summary or with the "no active contest" flag.
     if (!jf::CurrentUser()) {
         $this->Redirect(jf::url() . "/user/login?return=/" . jf::$BaseRequest);
         return;
     }
     if (!jf::Check("contest")) {
         // Redirect to home page
         $this->Redirect(SiteRoot);
         return;
     }
     if (isset($_POST['contest_submit'])) {
         $this->addContest();
     }
     if (!\webgoat\ContestDetails::isActivePresent()) {
         // The view offers to start a contest.
         $this->noActiveContest = true;
         return $this->Present();
     }
     $details = \webgoat\ContestDetails::getActive();
     $active = $details[0];
     $challenges = \webgoat\ContestChallenges::getByContestID($active['ID']);
     $users = \webgoat\ContestUsers::getAll();
     $this->ContestName = $active['ContestName'];
     $this->ContestStart = date("d/m/Y h:i:s A", $active['StartTimestamp']);
     $this->ContestEnd = date("d/m/Y h:i:s A", $active['EndTimestamp']);
     $this->UserCount = count($users);
     $this->ChallengeCount = count($challenges);
     $this->Challenges = $challenges;
     $this->insertNewChallenges();
     return $this->Present();
 }
 static function Log($Subject, $Content, $Severity = 0)
 {
     // Writes one row to the logs table, tagged with the current user, session
     // and time, and returns jf::SQL()'s result. Does nothing (returns null)
     // before jf::$App exists. All values are bound as parameters.
     if (!jf::$App) {
         return null;
     }
     $table = jf::TablePrefix() . "logs";
     $sql = "INSERT INTO " . $table . " (Subject,Data,Severity,UserID,SessionID,Timestamp) \n\t\t" . "VALUES (?,?,?,?,?,?)";
     return jf::SQL($sql, $Subject, $Content, $Severity, jf::CurrentUser(), jf::$Session->SessionID(), jf::time());
 }
 /**
  * Enforce a permission on current user
  *
  * Stops the request with the framework's 401 page when nobody is logged in,
  * or with its 403 page when the user lacks the permission. Returns normally
  * only when the check passes.
  *
  * @param string|integer $Permission path or title or ID of permission
  */
 function Enforce($Permission)
 {
     $loggedIn = jf::CurrentUser() !== null;
     if (!$loggedIn) {
         jf::run("view/_internal/error/401", array("Permission" => $Permission));
         exit;
     }
     if ($this->Check($Permission)) {
         return;
     }
     jf::run("view/_internal/error/403", array("Permission" => $Permission));
     exit;
 }
 /**
  * Return count of roles for a user
  *
  * @param integer $UserID optional; defaults to jf::CurrentUser()
  * @return integer the COUNT(*) value as handed back by jf::SQL()
  *         (NOTE(review): the driver may return it as a numeric string)
  */
 function RoleCount($UserID = null)
 {
     $subject = $UserID === null ? jf::CurrentUser() : $UserID;
     $rows = jf::SQL("SELECT COUNT(*) AS Result FROM {$this->TablePrefix()}rbac_userroles WHERE UserID=?", $subject);
     return $rows[0]['Result'];
 }
 /**
  * returns Username of a user
  *
  * @param Integer $UserID defaults to jf::CurrentUser()
  * @return String the username, or null when the query returns no row
  */
 function Username($UserID = null)
 {
     $subject = $UserID === null ? jf::CurrentUser() : $UserID;
     $rows = jf::SQL("SELECT Username FROM {$this->TablePrefix()}users WHERE ID=?", $subject);
     if (!$rows) {
         return null;
     }
     return $rows[0]['Username'];
 }
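 /**
  * Delete all settings (options rows) of a user.
  *
  * Without an explicit ID the current user's rows are deleted.
  *
  * @param integer|null $UserID defaults to jf::CurrentUser()
  * @throws \Exception when no ID is given and nobody is logged in
  * @return int number of rows, as returned by jf::SQL()
  */
 function DeleteAllUser($UserID = null)
 {
     if ($UserID === null) {
         // Fix: the original called jf::CurrentUser() twice and threw a message
         // about *loading* options; the lookup is done once and the message
         // describes what this method does.
         $current = jf::CurrentUser();
         // Loose comparison kept on purpose: a falsy current user (null, false,
         // 0) counts as "not logged in", as in the original.
         if ($current == null) {
             throw new \Exception("Can not delete user options without a logged in user.");
         }
         $UserID = $current;
     }
     return jf::SQL("DELETE FROM {$this->TablePrefix()}options WHERE UserID=?", $UserID);
 }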
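 public function Start()
 {
     // Workshop admin dashboard. Two AJAX actions are handled first (hide /
     // show a lesson, both answered with JSON and true); otherwise the
     // overview, reports and analytics data for the view are assembled.
     // Anonymous visitors are sent to the login page, authenticated ones
     // without the 'workshop' permission to SiteRoot; nothing is returned in
     // those two cases.
     if (!jf::CurrentUser()) {
         $this->Redirect(jf::url() . "/user/login?return=/" . jf::$BaseRequest);
         return;
     }
     if (!jf::Check('workshop')) {
         // Redirect to home page instead of Login Page
         $this->Redirect(SiteRoot);
         return;
     }
     // Fix: the stored setting may be null (never saved) or, after an unset()
     // in the 'show' path, a sparse array; it is normalised to a list so the
     // count() and foreach() below are safe (count(null) is a TypeError on
     // PHP 8).
     $stored = jf::LoadGeneralSetting("hiddenWorkshopLessons");
     $hiddenLessons = is_array($stored) ? array_values($stored) : array();
     if (isset($_POST['hide'])) {
         // NOTE(review): the lesson name is stored as posted; nothing here
         // checks it against the known lesson list.
         // Fix: hiding an already hidden lesson appended a duplicate, which
         // skewed totalVisibleLessons.
         if (!in_array($_POST['hide'], $hiddenLessons, true)) {
             $hiddenLessons[] = $_POST['hide'];
         }
         jf::SaveGeneralSetting("hiddenWorkshopLessons", $hiddenLessons);
         echo json_encode(array('status' => true));
         return true;
     }
     if (isset($_POST['show'])) {
         $position = array_search($_POST['show'], $hiddenLessons);
         if ($position !== false) {
             unset($hiddenLessons[$position]);
             // Reindex so the saved value stays a list.
             $hiddenLessons = array_values($hiddenLessons);
         }
         jf::SaveGeneralSetting("hiddenWorkshopLessons", $hiddenLessons);
         echo json_encode(array('status' => true));
         return true;
     }
     // Data for the view. The raw setting is handed to the view unchanged; the
     // loops below iterate a guaranteed array.
     $this->allCategoryLesson = jf::LoadGeneralSetting("categoryLessons");
     $this->hiddenLessons = $hiddenLessons;
     $categoryLessons = is_array($this->allCategoryLesson) ? $this->allCategoryLesson : array();
     // Overview numbers. getAll() returns null when no users are present.
     $usersSource = new \webgoat\WorkshopUsers();
     $workshopUsers = $usersSource->getAll();
     if ($workshopUsers === null) {
         $workshopUsers = array();
     }
     $this->totalUsers = count($workshopUsers);
     $this->totalCategories = count($categoryLessons);
     $lessonCount = 0;
     foreach ($categoryLessons as $lessons) {
         $lessonCount += count($lessons);
     }
     $this->totalLessons = $lessonCount;
     $this->totalVisibleLessons = $lessonCount - count($hiddenLessons);
     // Reports: for each lesson (index 0 of a lesson entry is its name), the
     // usernames whose "completed_webgoat\<lesson>" user setting is truthy.
     $lessonsCompletedBy = array();
     $lessonPrefix = "completed_webgoat\\";
     foreach ($categoryLessons as $lessons) {
         foreach ($lessons as $lesson) {
             $completedBy = array();
             foreach ($workshopUsers as $user) {
                 if (jf::LoadUserSetting($lessonPrefix . $lesson[0], $user['ID'])) {
                     $completedBy[] = $user['Username'];
                 }
             }
             $lessonsCompletedBy[$lesson[0]] = $completedBy;
         }
     }
     $this->reports = $lessonsCompletedBy;
     // Analytics: a heading row followed by one [category, lesson count] row
     // per category.
     $noOfLessonsInCategories = array(array('Category', 'No of Lessons'));
     foreach ($categoryLessons as $category => $lessons) {
         $noOfLessonsInCategories[] = array($category, count($lessons));
     }
     $this->analytics = $noOfLessonsInCategories;
     return $this->Present();
 }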
 /**
  * Login round-trip through jf::$User: a wrong password or an unknown user
  * leaves the account logged out, the right pair logs it in (this test
  * expects the username to match regardless of case), Logout() undoes it,
  * a repeated login overwrites the session, and a failed login under another
  * name does not disturb the current session.
  *
  * @depends testCreate
  */
 function testLogin()
 {
     $userid = jf::$User->CreateUser("myUsername", "myPassword");
     self::assertFalse(jf::$User->IsLoggedIn($userid));
     // Wrong password, then unknown user: nothing changes.
     self::assertFalse(jf::$User->Login("myUsernamE", "wrong_password"));
     self::assertFalse(jf::$User->IsLoggedIn($userid));
     self::assertFalse(jf::$User->Login("wrong_username", "myPassword"));
     self::assertFalse(jf::$User->IsLoggedIn($userid));
     // Correct credentials with a differently cased username.
     self::assertTrue(jf::$User->Login("myUsernamE", "myPassword"));
     self::assertTrue(jf::$User->IsLoggedIn($userid));
     jf::$User->Logout($userid);
     self::assertFalse(jf::$User->IsLoggedIn($userid));
     self::assertTrue(jf::$User->Login("myUsername", "myPassword"));
     //already logged in, default mode is overwrite
     self::assertTrue(jf::$User->Login("myUsername", "myPassword"));
     // A failed attempt under a different name must not log this user out.
     jf::$User->Login("wrong_username", "myPassword");
     self::assertTrue(jf::$User->IsLoggedIn($userid));
     self::assertEquals($userid, jf::CurrentUser());
     jf::$User->Logout();
     self::assertFalse(jf::$User->IsLoggedIn($userid));
 }
        </button>
        <div class="collapse navbar-collapse navHeaderCollapse">
            <ul class="nav navbar-nav navbar-right">
                <li class="active"><a href="#">Home</a></li>
                <li><a href="<?php 
echo jf::url() . '/about';
?>
">About</a></li>
                <li><a href="#">Documentation</a></li>
                <li><a href="<?php 
echo GITHUB_URL;
?>
" target="_blank">Github</a></li>
                <li><a href="#contact" data-toggle="modal">Contact</a></li>
                <?php 
if (jf::CurrentUser()) {
    ?>
                    <li><a href="<?php 
    echo jf::url() . '/user/logout';
    ?>
">Logout</a></li>
                <?php 
}
?>
            </ul>
        </div>
    </div>
</div>

<div class="container">
    <div class="jumbotron">
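 public function Handle($request)
 {
     // Entry point of the single-lesson controller. Serves a lesson's static
     // assets, runs the per-lesson 'reset' action, or renders the lesson page.
     // Anonymous visitors go to the login page (with the current request as
     // 'return'), visitors without 'view_single_chal' to SiteRoot; nothing is
     // returned in those cases.
     // The parameter is ignored: the complete request path is taken from
     // jf::$BaseRequest.
     //FIXME: Fix JCatchControl so that this is not required
     $request = jf::$BaseRequest;
     if (!jf::CurrentUser()) {
         $this->Redirect(jf::url() . "/user/login?return=/{$request}");
         return;
     }
     if (!jf::Check('view_single_chal')) {
         // Not sufficient permissions, redirect to home page of the application
         $this->Redirect(SiteRoot);
         return;
     }
     // Relative path = the part after the controller URL, e.g. for
     // mode/single/challenges/HTTPBasics/static/test it is HTTPBasics/static/test.
     $relativePath = $this->getRelativePath($request);
     $absolutePath = LESSON_PATH . $relativePath;
     if (strpos($relativePath, "/static/") !== false) {
         // Fix: $relativePath comes from the request, so a file is served only
         // when its resolved location lies inside LESSON_PATH. A path that
         // escapes the lesson directory, or does not exist, is ignored exactly
         // as a missing file was.
         if ($this->isInsideLessonPath($absolutePath)) {
             $FileMan = new \jf\DownloadManager();
             return $FileMan->Feed($absolutePath);
         }
         return;
     }
     $nameOfLesson = stristr($relativePath, "/", true);
     \webgoat\LessonScanner::loadClasses();
     if (strpos($relativePath, "reset/") !== false) {
         // Fix: the class name is built from the URL (and stristr() yields
         // false when there is no '/'); only an existing class is instantiated
         // instead of letting `new` fail on an unknown name.
         $lessonNameWithNS = "\\webgoat\\" . $nameOfLesson;
         if (class_exists($lessonNameWithNS)) {
             $obj = new $lessonNameWithNS();
             $obj->reset();
             echo json_encode(array("status" => true));
             return true;
         }
         echo json_encode(array("status" => false));
         return false;
     }
     if (isset($_GET['refresh']) || !jf::LoadGeneralSetting("categoryLessons")) {
         \webgoat\LessonScanner::run();
     }
     $this->allCategoryLesson = jf::LoadGeneralSetting("categoryLessons");
     try {
         $lessonObj = \webgoat\LessonScanner::getLessonObject($nameOfLesson);
         $lessonObj->start();
         $this->lessonTitle = $lessonObj->getTitle();
         $this->hints = $lessonObj->getHints();
         $this->htmlContent = $lessonObj->getContent();
         $this->nameOfLesson = $nameOfLesson;
         $this->loadSourceExcerpt($absolutePath, $lessonObj->isSecureCodingAllowed());
         // To show complete PHP Code
         $sourceCode = file_get_contents($absolutePath . "index.php");
         $this->completeSourceCode = htmlentities($sourceCode);
         if (isset($_POST['sourceCode'])) {
             // Code to handle source code evaluation
         }
     } catch (\Exception $e) {
         // Fix: an unqualified `Exception` resolves against the file's own
         // namespace when one is declared and not imported, so the catch
         // could miss; \Exception matches in either case.
         $this->error = $e->getMessage();
     }
     // Deliberately disables the browser's XSS filter for lesson pages (this
     // is a training application); not something to carry into other code.
     header("X-XSS-Protection: 0");
     return $this->Present();
 }

 /**
  * True when $path resolves to an existing location inside LESSON_PATH.
  * realpath() collapses '..' segments and symlinks, so both sides are
  * compared in canonical form.
  *
  * @param string $path candidate file path
  * @return bool
  */
 private function isInsideLessonPath($path)
 {
     $base = realpath(LESSON_PATH);
     $target = realpath($path);
     if ($base === false || $target === false) {
         return false;
     }
     $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
     return strpos($target, $base) === 0;
 }

 /**
  * When $secureCoding['status'] is true, fills $this->indentSize from the
  * first selected line and $this->sourceCode with lines
  * [$secureCoding['start'], $secureCoding['end']) of the lesson's index.php,
  * each passed through removeWhitespaces(). Otherwise leaves both untouched.
  *
  * @param string $absolutePath lesson directory, used as prefix of index.php
  * @param array  $secureCoding 'status', 'start', 'end' as returned by the lesson
  */
 private function loadSourceExcerpt($absolutePath, $secureCoding)
 {
     if ($secureCoding['status'] !== true) {
         return;
     }
     $sourceCode = file($absolutePath . "index.php");
     $firstLine = $sourceCode[$secureCoding['start']];
     $this->indentSize = strlen($firstLine) - strlen(ltrim($firstLine));
     $excerpt = "";
     for ($i = $secureCoding['start']; $i < $secureCoding['end']; $i++) {
         $excerpt .= $this->removeWhitespaces($sourceCode[$i]) . "\n";
     }
     $this->sourceCode = $excerpt;
 }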