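/**
 * Serves one contest challenge page.
 *
 * The challenge is selected by the part of the request path that follows the
 * controller URL.  Unauthenticated users are sent to the login page (with a
 * return URL), users without 'view_contest_chal' to SiteRoot.  A POST carrying
 * a 'submit' field is recorded as a submission before the page is rendered.
 *
 * @param string $request ignored; jf::$BaseRequest (the complete request path)
 *                        is used instead
 * @return mixed the result of Present(), or null after a redirect
 */
public function Handle($request)
{
    // This gives complete request path
    $request = jf::$BaseRequest;

    if (!jf::CurrentUser()) {
        // User not logged in
        $this->Redirect(jf::url() . "/user/login?return=/{$request}");
        return null;
    }
    if (!jf::Check('view_contest_chal')) {
        // Unauthorized
        $this->Redirect(SiteRoot);
        return null;
    }

    $relativePath = $this->getRelativePath($request);
    $challengeRoot = realpath(CONTEST_CHALLENGE_PATH);
    $challengeDir = realpath(CONTEST_CHALLENGE_PATH . $relativePath);
    // $relativePath is taken from the URL. Only serve directories that resolve
    // to CONTEST_CHALLENGE_PATH itself or somewhere below it, so '..' segments
    // cannot read an index.html from elsewhere on disk. (getRelativePath() is
    // defined outside this block; if it already canonicalises the path this
    // check is redundant but harmless.)
    $insideRoot = $challengeRoot !== false && $challengeDir !== false
        && ($challengeDir === $challengeRoot
            || strpos($challengeDir, $challengeRoot . DIRECTORY_SEPARATOR) === 0);
    if (!$insideRoot || !is_dir($challengeDir)) {
        $this->Redirect(SiteRoot);
        return null;
    }

    $challengeName = $relativePath; // FIXME: ONLY FOR TESTING, NOT ALWAYS TRUE
    $challengeDetails = \webgoat\ContestChallenges::getByName($challengeName);
    if (!isset($challengeDetails[0]['ChallengeName'])) {
        // No challenge record for this name: nothing to render
        $this->Redirect(SiteRoot);
        return null;
    }
    $this->ChallengeName = $challengeDetails[0]['ChallengeName'];

    $fileContents = file_get_contents($challengeDir . "/index.html");
    // file_get_contents() returns false when index.html is missing; render an
    // empty page rather than a boolean
    $this->Content = $fileContents === false ? '' : $fileContents;

    if (isset($_POST['submit'])) {
        $this->addSubmission($challengeName);
    }
    return $this->Present();
}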
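/**
 * Shows the active contest to a contestant.
 *
 * Before the contest's StartTimestamp only the countdown (TimeRemaining) is
 * set; afterwards the contest's challenges are listed.  When there is no
 * active contest, or the contest has no challenges, Error carries the message
 * shown to the user.  Unauthenticated users are redirected to the login page,
 * users without 'view_contest_chal' to SiteRoot.
 *
 * @return mixed the result of Present(), or null after a redirect
 */
public function Start()
{
    $request = jf::$BaseRequest;

    if (!jf::CurrentUser()) {
        // User is not logged in
        $this->Redirect(jf::url() . "/user/login?return=/{$request}");
        return null;
    }
    if (!jf::Check("view_contest_chal")) {
        // User is not authorized
        $this->Redirect(SiteRoot);
        return null;
    }

    $activeContest = \webgoat\ContestDetails::getActive();
    if ($activeContest === null) {
        $this->Error = "Currently there is no active contest. Check back later!!";
        return $this->Present();
    }

    $this->ContestName = $activeContest[0]['ContestName'];
    $startTime = (int) $activeContest[0]['StartTimestamp'];
    $currentTime = time();
    if ($currentTime < $startTime) {
        // Contest not started yet: show the countdown only
        $this->TimeRemaining = $startTime - $currentTime;
        return $this->Present();
    }

    // Pass the active contest's ID explicitly, as the admin dashboard does;
    // the original called getByContestID() without any argument.
    $challenges = \webgoat\ContestChallenges::getByContestID($activeContest[0]['ID']);
    // Guard the null case before count(): other getters in this code base
    // return null when nothing is found.
    if ($challenges === null || count($challenges) === 0) {
        $this->Error = "Currently there are no challenges in this contest";
    } else {
        $this->Challenges = $challenges;
    }
    // NOTE(review): EndTimestamp is not consulted here, so challenges stay
    // visible after the contest ends — confirm whether that is intended.
    return $this->Present();
}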
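/**
 * JSON endpoint that deletes a user and its role assignment.
 *
 * The user name is read from $_POST['username'].  Exactly one JSON object with
 * 'status' (bool) and 'message' is written to the output; the method always
 * returns true.  Requires a logged-in user with self::PERMISSION_NAME.
 *
 * @return bool always true
 */
public function Start()
{
    if (!(jf::CurrentUser() && jf::Check(self::PERMISSION_NAME))) {
        $response = array('status' => false, 'message' => self::UNAUTHORIZED_MESSAGE);
    } elseif (!isset($_POST['username']) || !is_string($_POST['username']) || $_POST['username'] === '') {
        // Missing, empty or non-scalar (e.g. username[]=) parameter; the
        // create-user endpoint rejects empty names the same way.
        $response = array('status' => false, 'message' => self::PARAMETER_MISSING_MESSAGE);
    } elseif (!jf::$User->UserExists($_POST['username'])) {
        // User does not exist. Error!
        $response = array('status' => false, 'message' => self::USER_NOT_EXISTS_MESSAGE);
    } else {
        $username = $_POST['username'];
        // First remove the user role association, then delete the user
        $userId = jf::$User->UserID($username);
        $roleId = jf::$RBAC->Roles->TitleId(self::ROLE_NAME);
        jf::$RBAC->Users->Unassign($roleId, $userId);
        jf::$User->DeleteUser($username);
        $response = array('status' => true, 'message' => self::SUCCESS_MESSAGE);
    }

    echo json_encode($response);
    return true;
}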
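/**
 * JSON endpoint that creates a user and assigns it self::ROLE_NAME.
 *
 * Reads $_POST['username'] and $_POST['password'].  Exactly one JSON object
 * with 'status' (bool), 'message' and, on success, 'id' (the new user's ID) is
 * written to the output; the method always returns true.  Requires a logged-in
 * user with self::PERMISSION_NAME.
 *
 * @return bool always true
 */
public function Start()
{
    if (!(jf::CurrentUser() && jf::Check(self::PERMISSION_NAME))) {
        // User is not authorized
        $response = array('status' => false, 'message' => self::UNAUTHORIZED_MESSAGE);
    } else {
        $username = isset($_POST['username']) ? $_POST['username'] : null;
        $password = isset($_POST['password']) ? $_POST['password'] : null;

        // Both fields must be non-empty strings. The explicit '' comparison
        // (instead of empty()) keeps the legitimate user name "0" acceptable,
        // and is_string() rejects array-valued fields (username[]=...).
        if (!is_string($username) || $username === '' || !is_string($password) || $password === '') {
            // Required parameters are missing
            $response = array('status' => false, 'message' => self::PARAMETER_MISSING_MESSAGE);
        } elseif (jf::$User->UserExists($username)) {
            // If user already exists
            $response = array('status' => false, 'message' => self::USER_EXISTS_MESSAGE);
        } else {
            // Everything OK. Create a new user and assign the role
            $userId = jf::$User->CreateUser($username, $password);
            $roleId = jf::$RBAC->Roles->TitleId(self::ROLE_NAME);
            jf::$RBAC->Users->Assign($roleId, $userId); // Assign role to the newly created user
            $response = array('status' => true, 'message' => self::SUCCESS_MESSAGE, 'id' => $userId);
        }
    }

    echo json_encode($response);
    return true;
}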
/**
 * Test to check permissions of users
 *
 * The 'guest' account must hold the single-challenge view permission and
 * none of the workshop / contest permissions.
 */
public function testUserPermissions()
{
    /**
     * Store id of the user
     */
    $guestId = jf::$User->UserID('guest');

    // permission name => whether guest is expected to have it
    $expected = array(
        'view_single_chal'   => true,
        'view_workshop_chal' => false,
        'view_contest_chal'  => false,
        'edit_contest_chal'  => false,
        'add_workshop_users' => false,
    );
    foreach ($expected as $permission => $granted) {
        $this->assertSame($granted, jf::Check($permission, $guestId), "permission: {$permission}");
    }
}
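/**
 * JSON endpoint that adds a challenge to the active contest.
 *
 * Requires a logged-in user with the 'contest' permission and the POST fields
 * 'challenge', 'name', 'points' and 'flag'.  Exactly one JSON object with
 * 'status' and 'message' is written; the original answered only on success
 * and was silent on every failure path, leaving the caller without a status.
 *
 * @return bool true when the challenge was stored, false otherwise
 */
public function Start()
{
    if (!(jf::CurrentUser() && jf::Check("contest"))) {
        echo json_encode(array('status' => false, 'message' => 'Unauthorized'));
        return false;
    }

    foreach (array('challenge', 'name', 'points', 'flag') as $field) {
        // is_string() rejects array-valued fields (field[]=...)
        if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
            echo json_encode(array('status' => false, 'message' => "Missing parameter: {$field}"));
            return false;
        }
    }

    $activeContest = \webgoat\ContestDetails::getActive();
    if ($activeContest === null || !isset($activeContest[0]['ID'])) {
        echo json_encode(array('status' => false, 'message' => 'No active contest'));
        return false;
    }

    // NOTE(review): the flag is stored as an unsalted md5 digest. Whatever
    // verifies submissions must hash the same way, so this cannot be changed
    // here alone; when both sides are updated together, prefer a keyed or slow
    // hash and compare with hash_equals().
    $hashedFlag = md5($_POST['flag']);
    $data = array(
        'ContestID'     => $activeContest[0]['ID'],
        'ChallengeName' => $_POST['challenge'],
        'NameToDisplay' => $_POST['name'],
        'Points'        => $_POST['points'],
        'CorrectFlag'   => $hashedFlag,
    );
    \webgoat\ContestChallenges::add($data);

    echo json_encode(array('status' => true, 'message' => 'Challenge successfully added'));
    return true;
}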
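/**
 * Starting point of the lesson
 *
 * Loads the hints and content.html, then — when a user/resource pair was
 * posted — evaluates the RBAC check for that pair and appends the verdict to
 * the page.  The lesson is marked completed once a user other than "Mark" is
 * granted the 'account_manager' resource.
 */
public function start()
{
    $this->hints = array(
        'Many sites attempt to restrict access to resources by role',
        'Developers frequently make mistakes implementing this scheme',
        'Attempt combinations of users, roles, and resources',
    );
    $this->htmlContent .= file_get_contents(__DIR__ . "/content.html");

    // Both fields must be present as strings; the original read
    // $_POST['resource'] without checking it exists.
    if (!isset($_POST['user'], $_POST['resource'])
        || !is_string($_POST['user']) || !is_string($_POST['resource'])) {
        return;
    }
    $requestedUser = $_POST['user'];
    $resource = $_POST['resource'];

    $userId = $this->getUserId($requestedUser);
    $userRoles = \jf::$RBAC->Users->AllRoles($userId);
    // AllRoles() may yield nothing for an unknown user; show an empty role then
    $userRoleTitle = isset($userRoles[0]['Title']) ? $userRoles[0]['Title'] : '';

    // The user and resource names are reflected straight from the POST body
    // into the page; escape them so the only flaw this lesson exhibits is the
    // access-control one it is about.
    $safeUser = htmlspecialchars($requestedUser, ENT_QUOTES, 'UTF-8');
    $safeRole = htmlspecialchars($userRoleTitle, ENT_QUOTES, 'UTF-8');
    $safeResource = htmlspecialchars($resource, ENT_QUOTES, 'UTF-8');
    $string = "<h4>User {$safeUser} [{$safeRole}] requested Resource {$safeResource} : ";

    if (\jf::Check($resource, $userId)) {
        $string .= "<span class='text-success'>Access Granted</span></h4>";
        // Loose != kept on purpose: getUserId() may return int or string ids
        if ($resource === "account_manager" && $userId != $this->getUserId("Mark")) {
            $this->setCompleted(true);
        }
    } else {
        $string .= "<span class='text-danger'>Access Denied</span></h4>";
    }
    $this->htmlContent .= $string;
}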
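/**
 * Contest administration dashboard.
 *
 * A POST with 'contest_submit' stores a new contest first.  When an active
 * contest exists its name, start/end (formatted "d/m/Y h:i:s A"), user count,
 * challenge count and challenge list are published for the view and
 * insertNewChallenges() is run; otherwise noActiveContest is set.  Requires a
 * logged-in user with the 'contest' permission.
 *
 * @return mixed the result of Present(), or null after a redirect
 */
public function Start()
{
    if (!jf::CurrentUser()) {
        // User is not authenticated
        $this->Redirect(jf::url() . "/user/login?return=/" . jf::$BaseRequest);
        return null;
    }
    if (!jf::Check("contest")) {
        // User is not authorized: redirect to home page
        $this->Redirect(SiteRoot);
        return null;
    }

    if (isset($_POST['contest_submit'])) {
        // Request to store the contest in the database
        $this->addContest();
    }

    if (!\webgoat\ContestDetails::isActivePresent()) {
        // Show the option to start a contest
        $this->noActiveContest = true;
        return $this->Present();
    }

    $contestDetails = \webgoat\ContestDetails::getActive();
    $details = $contestDetails[0];
    $contestChallenges = \webgoat\ContestChallenges::getByContestID($details['ID']);
    $contestUsers = \webgoat\ContestUsers::getAll();
    // Other getters in this code base return null when nothing is found;
    // normalise so count() and the view always see arrays.
    if ($contestChallenges === null) {
        $contestChallenges = array();
    }
    if ($contestUsers === null) {
        $contestUsers = array();
    }

    $dateFormat = "d/m/Y h:i:s A";
    $this->ContestName = $details['ContestName'];
    $this->ContestStart = date($dateFormat, $details['StartTimestamp']);
    $this->ContestEnd = date($dateFormat, $details['EndTimestamp']);
    $this->UserCount = count($contestUsers);
    $this->ChallengeCount = count($contestChallenges);
    $this->Challenges = $contestChallenges;
    $this->insertNewChallenges();

    return $this->Present();
}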
<?php /* NOTE(review): looks like a fixture exercising PHP/inline-HTML switching (the "//comment? >" sequence and the switch whose case body leaves PHP mode) rather than application code — confirm its expected output before normalising anything here. */ echo "asdf"; //comment? > echo "qwer"; // echo echo "zxcv"; ?> <html>asdf</html> <div class="container"> <?php if (jf::Check("workshop")) { ?> <li><a href="asdf">Dashboard</a></li> <?php } ?> </div> <p> <?php switch ($a) { case 1: // without semicolon ?> <br> <?php break; ?>
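/**
 * Workshop administration dashboard.
 *
 * Two AJAX actions are handled first and answered with a JSON status object:
 * $_POST['hide'] adds a lesson name to the persisted "hiddenWorkshopLessons"
 * list, $_POST['show'] removes it.  Otherwise the overview counts, the
 * per-lesson completion report and the per-category analytics rows are
 * collected and the page is rendered.  Requires a logged-in user with the
 * 'workshop' permission; others are redirected (login page / site root).
 *
 * @return mixed true after an AJAX action, the result of Present() for the
 *               dashboard, null after a redirect
 */
public function Start()
{
    if (!jf::CurrentUser()) {
        // User not authenticated
        $this->Redirect(jf::url() . "/user/login?return=/" . jf::$BaseRequest);
        return null;
    }
    if (!jf::Check('workshop')) {
        // User not authorized: home page instead of login page
        $this->Redirect(SiteRoot);
        return null;
    }

    // The setting is null until the first lesson is hidden. Normalise to an
    // array here: the original passed the raw null to count() further down.
    $hiddenLessons = jf::LoadGeneralSetting("hiddenWorkshopLessons");
    if (!is_array($hiddenLessons)) {
        $hiddenLessons = array();
    }

    // Request to hide a lesson
    if (isset($_POST['hide'])) {
        if (!is_string($_POST['hide'])) {
            echo json_encode(array('status' => false));
            return true;
        }
        // Ignore repeats: a duplicate entry would be subtracted twice from
        // totalVisibleLessons below
        if (!in_array($_POST['hide'], $hiddenLessons, true)) {
            $hiddenLessons[] = $_POST['hide'];
        }
        jf::SaveGeneralSetting("hiddenWorkshopLessons", $hiddenLessons);
        echo json_encode(array('status' => true));
        return true;
    }

    // Request to show a lesson
    if (isset($_POST['show'])) {
        if (!is_string($_POST['show'])) {
            echo json_encode(array('status' => false));
            return true;
        }
        $position = array_search($_POST['show'], $hiddenLessons, true);
        if ($position !== false) {
            unset($hiddenLessons[$position]);
        }
        // Re-index so the stored value stays a plain list
        jf::SaveGeneralSetting("hiddenWorkshopLessons", array_values($hiddenLessons));
        echo json_encode(array('status' => true));
        return true;
    }

    // Get the list of all the lessons/categories (category => list of lessons)
    $categoryLessons = jf::LoadGeneralSetting("categoryLessons");
    if (!is_array($categoryLessons)) {
        $categoryLessons = array();
    }
    $this->allCategoryLesson = $categoryLessons;
    $this->hiddenLessons = $hiddenLessons;

    // 'Overview' section of the dashboard: user and lesson counts
    $obj = new \webgoat\WorkshopUsers();
    $workshopUsers = $obj->getAll();
    if ($workshopUsers === null) {
        // getAll() returns null when no users are present
        $workshopUsers = array();
    }
    $lessonCount = 0;
    foreach ($categoryLessons as $lessons) {
        $lessonCount += count($lessons);
    }
    $this->totalUsers = count($workshopUsers);
    $this->totalCategories = count($categoryLessons);
    $this->totalLessons = $lessonCount;
    $this->totalVisibleLessons = $lessonCount - count($hiddenLessons);

    // 'Reports' section: for each lesson, the names of the users who completed
    // it. Completion is a per-user setting named "completed_webgoat\<lesson>";
    // index 0 of a lesson entry is its name.
    $lessonPrefix = "completed_webgoat\\";
    $lessonsCompletedBy = array();
    foreach ($categoryLessons as $lessons) {
        foreach ($lessons as $lesson) {
            $lessonName = $lesson[0];
            $lessonsCompletedBy[$lessonName] = array();
            foreach ($workshopUsers as $user) {
                if (jf::LoadUserSetting($lessonPrefix . $lessonName, $user['ID'])) {
                    $lessonsCompletedBy[$lessonName][] = $user['Username'];
                }
            }
        }
    }
    $this->reports = $lessonsCompletedBy;

    // 'Analytics' section: lessons per category, first row is the heading
    $noOfLessonsInCategories = array(array('Category', 'No of Lessons'));
    foreach ($categoryLessons as $category => $lessons) {
        $noOfLessonsInCategories[] = array($category, count($lessons));
    }
    $this->analytics = $noOfLessonsInCategories;

    return $this->Present();
}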
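/**
 * Front controller for "single" mode lessons.
 *
 * The part of the request path after the controller URL selects what is served:
 *   - "<Lesson>/static/<file>": a static asset of the lesson, streamed through
 *     \jf\DownloadManager;
 *   - "<Lesson>/reset/": the lesson's reset() hook, answered as JSON;
 *   - anything else: the lesson page (title, hints, content, source listing).
 * Requires a logged-in user with 'view_single_chal'; others are redirected to
 * the login page (not logged in) or to SiteRoot (no permission).
 *
 * @param string $request ignored; jf::$BaseRequest holds the complete request
 *                        path (see the FIXME below)
 * @return mixed the DownloadManager / Present() result, true after a reset,
 *               null after a redirect or when nothing was served
 */
public function Handle($request)
{
    // This gives complete request path
    //FIXME: Fix JCatchControl so that this is not required
    $request = jf::$BaseRequest;

    if (!jf::CurrentUser()) {
        // User not logged in
        $this->Redirect(jf::url() . "/user/login?return=/{$request}");
        return null;
    }
    if (!jf::Check('view_single_chal')) {
        // Not sufficient permissions, redirect to home page of the application
        $this->Redirect(SiteRoot);
        return null;
    }

    // Extract the relative request path i.e the path after the controller URL
    // Ex: If request is http://localhost/webgoatphp/mode/single/challenges/HTTPBasics/static/test
    // $request will be mode/single/challenges/HTTPBasics/static/test
    // $relativePath will be HTTPBasics/static/test
    $relativePath = $this->getRelativePath($request);
    $absolutePath = LESSON_PATH . $relativePath;

    if (strpos($relativePath, "/static/") !== false) {
        return $this->serveLessonAsset($absolutePath);
    }

    // Lesson name = first path segment (false when the path has no "/")
    $nameOfLesson = stristr($relativePath, "/", true);
    \webgoat\LessonScanner::loadClasses();

    if (strpos($relativePath, "reset/") !== false) {
        // The name becomes part of a class name, so restrict it to identifier
        // characters and require the class to exist before instantiating it.
        $lessonNameWithNS = "\\webgoat\\" . $nameOfLesson;
        if (!$this->isValidLessonName($nameOfLesson) || !class_exists($lessonNameWithNS)) {
            echo json_encode(array("status" => false));
            return true;
        }
        $obj = new $lessonNameWithNS();
        $obj->reset();
        echo json_encode(array("status" => true));
        return true;
    }

    return $this->showLessonPage($nameOfLesson, $absolutePath);
}

/**
 * Whether a path segment is acceptable as a lesson (class) name.
 *
 * @param string|false $nameOfLesson first segment of the relative path
 * @return bool true for a non-empty string made of [A-Za-z0-9_] only
 */
private function isValidLessonName($nameOfLesson)
{
    return is_string($nameOfLesson) && preg_match('/^[A-Za-z0-9_]+$/', $nameOfLesson) === 1;
}

/**
 * Streams a lesson's static asset, refusing paths that leave LESSON_PATH.
 *
 * @param string $absolutePath LESSON_PATH joined with the request's relative path
 * @return mixed the DownloadManager result, or null when nothing is served
 */
private function serveLessonAsset($absolutePath)
{
    $lessonRoot = realpath(LESSON_PATH);
    $file = realpath($absolutePath);
    // The relative path comes from the URL: '..' segments must not be able to
    // reach files outside the lessons directory. (getRelativePath() is defined
    // outside this block; if it already canonicalises, this is redundant.)
    if ($lessonRoot === false || $file === false || !is_file($file)
        || strpos($file, $lessonRoot . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $FileMan = new \jf\DownloadManager();
    return $FileMan->Feed($file);
}

/**
 * Renders a lesson page: runs the lesson, publishes its title, hints and
 * content, builds the source listings and calls Present().
 *
 * @param string|false $nameOfLesson first segment of the relative path
 * @param string       $absolutePath LESSON_PATH joined with the relative path;
 *                                   the lesson's index.php is read from it
 * @return mixed the result of Present()
 */
private function showLessonPage($nameOfLesson, $absolutePath)
{
    if (isset($_GET['refresh']) || !jf::LoadGeneralSetting("categoryLessons")) {
        \webgoat\LessonScanner::run();
    }
    $this->allCategoryLesson = jf::LoadGeneralSetting("categoryLessons");

    try {
        if (!$this->isValidLessonName($nameOfLesson)) {
            throw new \Exception("Lesson Not found. Please select a lesson.");
        }
        $lessonObj = \webgoat\LessonScanner::getLessonObject($nameOfLesson);
        $lessonObj->start();
        $this->lessonTitle = $lessonObj->getTitle();
        $this->hints = $lessonObj->getHints();
        $this->htmlContent = $lessonObj->getContent();
        $this->nameOfLesson = $nameOfLesson;

        // Source excerpt for the secure-coding exercise: lines [start, end) of
        // the lesson's index.php
        $secureCoding = $lessonObj->isSecureCodingAllowed();
        if ($secureCoding['status'] === true) {
            $sourceLines = file($absolutePath . "index.php");
            if ($sourceLines === false) {
                throw new \Exception("Lesson source could not be read.");
            }
            $start = (int) $secureCoding['start'];
            $end = min((int) $secureCoding['end'], count($sourceLines));
            $firstLine = isset($sourceLines[$start]) ? $sourceLines[$start] : '';
            // indentSize is set before the loop; removeWhitespaces() presumably
            // relies on it — keep this order
            $this->indentSize = strlen($firstLine) - strlen(ltrim($firstLine));
            $sourceCodeToDisplay = "";
            for ($i = $start; $i < $end; $i++) {
                $sourceCodeToDisplay .= $this->removeWhitespaces($sourceLines[$i]) . "\n";
            }
            $this->sourceCode = $sourceCodeToDisplay;
        }

        // To show complete PHP Code
        $sourceCode = file_get_contents($absolutePath . "index.php");
        $this->completeSourceCode = htmlentities($sourceCode === false ? '' : $sourceCode);
        if (isset($_POST['sourceCode'])) {
            // Code to handle source code evaluation
        }
    } catch (\Exception $e) {
        // Fully qualified so this also catches when the file is namespaced
        $this->error = $e->getMessage();
    }

    header("X-XSS-Protection: 0"); // Disable XSS protection
    return $this->Present();
}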
<?php /* NOTE(review): the Dashboard entry is only shown when jf::Check("contest") passes; hiding a menu link is not authorisation, the dashboard controller must re-check the permission itself. The space before the closing quote of each href (`?> ">`) is presumably a collapsed line break — if it is literal, every href ends with a trailing space. */ ?></button> <div class="collapse navbar-collapse navHeaderCollapse"> <ul class="nav navbar-nav navbar-right"> <li><a href="<?php echo jf::url(); ?> ">Home</a></li> <li><a href="<?php echo jf::url() . '/about'; ?> ">About</a></li> <li><a href="#">Rules</a></li> <li><a href="#">Leaderboard</a></li> <li><a href="#contact" data-toggle="modal">Contact</a></li> <?php if (jf::Check("contest")) { ?> <li><a href="<?php echo CONTEST_ADMIN_URL; ?> ">Dashboard</a></li> <?php } ?> <li><a href="<?php echo jf::url() . '/user/logout'; ?> ">Logout</a></li> </ul> </div> </div>