SameOriginPolicyProtection.java

package org.owasp.webgoat.lessons;

import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.H3;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.Script;
import org.apache.ecs.html.TextArea;
import org.apache.ecs.xhtml.button;
import org.owasp.webgoat.session.WebSession;


public class SameOriginPolicyProtection extends LessonAdapter
{
    public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
            .addElement(
                        new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
                                .setVspace(0));

    /**
     * Description of the Method
     * 
     * @param s
     *            Description of the Parameter
     * @return Description of the Return Value
     */
    protected Element createContent(WebSession s)
    {
        ElementContainer ec = new ElementContainer();

        try
        {

            ec.addElement(new Script().setSrc("lessonJS/sameOrigin.js"));

            Input hiddenWGStatus = new Input(Input.HIDDEN, "hiddenWGStatus", 0);
            hiddenWGStatus.setID("hiddenWGStatus");
            ec.addElement(hiddenWGStatus);

            Input hiddenGoogleStatus = new Input(Input.HIDDEN, "hiddenGoogleStatus", 0);
            hiddenGoogleStatus.setID("hiddenGoogleStatus");
            ec.addElement(hiddenGoogleStatus);

            ec.addElement(new StringElement("Enter a URL: "));
            ec.addElement(new BR());

            TextArea urlArea = new TextArea();
            urlArea.setID("requestedURL");
            urlArea.setRows(1);
            urlArea.setCols(60);
            urlArea.setWrap("SOFT");
            ec.addElement(urlArea);

            button b = new button();
            b.setValue("Go!");
            b.setType(button.button);
            b.setName("Go!");
            b.setOnClick("submitXHR();");
            b.addElement("Go!");
            ec.addElement(b);

            ec.addElement(new BR());
            ec.addElement(new BR());

            H3 reponseTitle = new H3("Response: ");
            reponseTitle.setID("responseTitle");

            ec.addElement(reponseTitle);
            // ec.addElement(new BR());

            TextArea ta = new TextArea();
            ta.setName("responseArea");
            ta.setID("responseArea");
            ta.setCols(60);
            ta.setRows(4);
            ec.addElement(ta);
            ec.addElement(new BR());

            String webGoatURL = "lessons/Ajax/sameOrigin.jsp";
            String googleURL = "http://www.google.com/search?q=aspect+security";

            ec.addElement(new BR());

            A webGoat = new A();
            webGoat.setHref("javascript:populate(\"" + webGoatURL + "\")");
            webGoat.addElement("Click here to try a Same Origin request:<BR/> " + webGoatURL);
            ec.addElement(webGoat);

            ec.addElement(new BR());
            ec.addElement(new BR());

            A google = new A();
            google.setHref("javascript:populate(\"" + googleURL + "\")");
            google.addElement("Click here to try a Different Origin request:<BR/> " + googleURL);
            ec.addElement(google);

        } catch (Exception e)
        {
            s.setMessage("Error generating " + this.getClass().getName());
            e.printStackTrace();
        }

        int hiddenWGStatusInt = s.getParser().getIntParameter("hiddenWGStatus", 0);
        int hiddenGoogleStatusInt = s.getParser().getIntParameter("hiddenGoogleStatus", 0);

        // System.out.println("hiddenWGStatus:" + hiddenWGStatusInt);
        // System.out.println("hiddenGoogleStatusInt:" + hiddenGoogleStatusInt);

        if (hiddenWGStatusInt == 1 && hiddenGoogleStatusInt == 1)
        {
            makeSuccess(s);
        }

        return (ec);
    }

    /**
     * Gets the hints attribute of the HelloScreen object
     * 
     * @return The hints value
     */
    public List<String> getHints(WebSession s)
    {
        List<String> hints = new ArrayList<String>();
        hints.add("Enter a URL to see if it is allowed.");
        hints.add("Click both of the links below to complete the lesson");

        return hints;
    }

    /**
     * Gets the ranking attribute of the HelloScreen object
     * 
     * @return The ranking value
     */
    private final static Integer DEFAULT_RANKING = new Integer(10);

    protected Integer getDefaultRanking()
    {
        return DEFAULT_RANKING;
    }

    protected Category getDefaultCategory()
    {
        return Category.AJAX_SECURITY;
    }

    /**
     * Gets the title attribute of the HelloScreen object
     * 
     * @return The title value
     */
    public String getTitle()
    {
        return ("Same Origin Policy Protection");
    }

    public Element getCredits()
    {
        return super.getCustomCredits("", ASPECT_LOGO);
    }

    public String getInstructions(WebSession s)
    {
        String instructions = "This exercise demonstrates the "
                + "Same Origin Policy Protection.  XHR requests can only be passed back to "
                + " the originating server.  Attempts to pass data to a non-originating server " + " will fail.";

        return (instructions);
    }
}