package org.owasp.webgoat.lessons;
import java.text.Format;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.Properties;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.B;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.H3;
import org.apache.ecs.html.HR;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.apache.ecs.html.TextArea;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* For details, please see http://webgoat.github.io
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
public class UncheckedEmail extends LessonAdapter
{
private final String YOUR_REAL_GMAIL_PASSWORD = "password";
private final String YOUR_REAL_GMAIL_ID = "GMail id";
private final static String MESSAGE = "msg";
private final static String HIDDEN_TO = "to";
private final static String SUBJECT = "subject";
private final static String GMAIL_ID = "gId";
private final static String GMAIL_PASS = "gPass";
private static final String SMTP_HOST_NAME = "smtp.gmail.com";
private static final String SMTP_PORT = "465";
private static final String emailFromAddress = "webgoat@owasp.org";
private static final String SSL_FACTORY = "javax.net.ssl.SSLSocketFactory";
/**
* Description of the Method
*
* @param s
* Description of the Parameter
* @return Description of the Return Value
*/
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
try
{
String to = s.getParser().getRawParameter(HIDDEN_TO, "");
String gId = s.getParser().getRawParameter(GMAIL_ID, "");
String gPass = s.getParser().getRawParameter(GMAIL_PASS, "");
String message = s.getParser().getRawParameter(MESSAGE, "");
String subject = s.getParser().getRawParameter(SUBJECT, "");
boolean haveCredentials = !(YOUR_REAL_GMAIL_ID.equals(gId) || YOUR_REAL_GMAIL_PASSWORD.equals(gPass));
ec.addElement(new HR());
createGoogleCredentials(s, ec);
ec.addElement(new HR());
ec.addElement(new BR());
createMailMessage(s, subject, message, ec);
ec.addElement(new HR());
if (to.length() > 0)
{
if (haveCredentials)
{
Message sentMessage = sendGoogleMail(to, subject, message, emailFromAddress, gId, gPass);
formatMail(ec, sentMessage);
}
else
{
sendSimulatedMail(ec, to, subject, message);
}
}
if (to.length() > 0 && "webgoat.admin@owasp.org".equals(to) && message.contains("<script"))
{
s.setMessage("The attack worked! Now try to attack another person than the admin.");
}
// only complete the lesson if they changed the "to" hidden field and they send a
// script tag in the message
if (to.length() > 0 && !"webgoat.admin@owasp.org".equals(to) && message.contains("<script"))
{
makeSuccess(s);
}
} catch (Exception e)
{
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return (ec);
}
private void formatMail(ElementContainer ec, Message sentMessage)
{
try
{
ec.addElement(new Center().addElement(new B().addElement("You sent the following message to: "
+ Arrays.asList(sentMessage.getAllRecipients()))));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>MAIL FROM:</b> " + Arrays.asList(sentMessage.getReplyTo())));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>RCPT TO:</b> " + Arrays.asList(sentMessage.getAllRecipients())));
ec.addElement(new BR());
ec
.addElement(new StringElement("<b>Message-ID:</b> "
+ Arrays.asList(sentMessage.getHeader("Message-ID"))));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Date:</b> " + sentMessage.getSentDate()));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Subject:</b> " + sentMessage.getSubject()));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Message:</b> "));
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(new StringElement(sentMessage.getContent().toString()));
} catch (Exception e)
{
// TODO Auto-generated catch block
ec.addElement(new StringElement("Fatal error while sending message"));
ec.addElement(new BR());
ec.addElement(new StringElement(e.getMessage()));
}
}
/**
* @param ec
* @param to
* @param message
*/
private void sendSimulatedMail(ElementContainer ec, String to, String subject, String message)
{
Format formatter;
// Get today's date
Date date = new Date();
formatter = new SimpleDateFormat("E, dd MMM yyyy HH:mm:ss Z");
String today = formatter.format(date);
// Tue, 09 Jan 2002 22:14:02 -0500
ec.addElement(new Center().addElement(new B().addElement("You sent the following message to: " + to)));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Return-Path:</b> <webgoat@owasp.org>"));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Delivered-To:</b> " + to));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Received:</b> (qmail 614458 invoked by uid 239); " + today));
ec.addElement(new BR());
ec.addElement(new StringElement("for <" + to + ">; " + today));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>To:</b> " + to));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>From:</b> Blame it on the Goat <webgoat@owasp.org>"));
ec.addElement(new BR());
ec.addElement(new StringElement("<b>Subject:</b> " + subject));
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(new StringElement(message));
}
/**
* @param s
* @param ec
* @return
*/
private void createMailMessage(WebSession s, String subject, String message, ElementContainer ec)
{
TR tr;
Input input;
Table t = new Table().setCellSpacing(0).setCellPadding(1).setBorder(0).setWidth("90%").setAlign("center");
if (s.isColor())
{
t.setBorder(1);
}
tr = new TR();
tr.addElement(new TH().addElement("Send OWASP your Comments<BR>").setAlign("left").setColSpan(3));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement(" ").setColSpan(3));
t.addElement(tr);
tr = new TR();
tr.addElement(new TH().addElement(new H1("Contact Us")).setAlign("left").setWidth("55%").setVAlign("BOTTOM")
.setColSpan(2));
tr.addElement(new TH().addElement(new H3("Contact Information:")).setAlign("left").setVAlign("BOTTOM"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement(
"We value your comments. " + "To send OWASP your questions or comments "
+ "regarding the WebGoat tool, please enter your "
+ "comments below. The information you provide will be "
+ "handled according to our <U>Privacy Policy</U>.").setColSpan(2));
tr.addElement(new TD().addElement(
"<b>OWASP</B><BR>" + "9175 Guilford Rd <BR> Suite 300 <BR>"
+ "Columbia, MD. 21046").setVAlign("top"));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement(" ").setColSpan(3));
t.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("Subject:"));
input = new Input(Input.TEXT, SUBJECT, "Comment for WebGoat");
tr.addElement(new TD().setAlign("LEFT").addElement(input));
tr.addElement(new TD().addElement(" "));
t.addElement(tr);
input = new Input(Input.HIDDEN, HIDDEN_TO, "webgoat.admin@owasp.org");
tr = new TR();
tr.addElement(new TD().addElement("Questions or Comments:").setColSpan(2));
tr.addElement(new TD().setAlign("LEFT").addElement(input));
t.addElement(tr);
tr = new TR();
TextArea ta = new TextArea(MESSAGE, 5, 40);
ta.addElement(new StringElement(convertMetachars(message)));
tr.addElement(new TD().setAlign("LEFT").addElement(ta).setColSpan(2));
tr.addElement(new TD().setAlign("LEFT").setVAlign("MIDDLE").addElement(ECSFactory.makeButton("Send!")));
t.addElement(tr);
ec.addElement(t);
}
/**
* @param s
* @param ec
*/
private void createGoogleCredentials(WebSession s, ElementContainer ec)
{
// Allow the user to configure a real email interface using gmail
Table t1 = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
t1.setStyle("border-width:3px; border-style: solid;");
if (s.isColor())
{
t1.setBorder(1);
}
TR tr = new TR();
tr.addElement(new TH().addElement("Google Mail Configuration (Optional)").setAlign("center").setColSpan(2));
t1.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement(" ").setAlign("left").setColSpan(2));
t1.addElement(tr);
tr = new TR();
tr.addElement(new TD()
.addElement(
"These configurations will enable WebGoat to send email on your "
+ "behalf using your gmail account. Leave them as the default value "
+ "to use WebGoat's simulated mail.").setAlign("left").setColSpan(2));
t1.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement(" ").setAlign("left").setColSpan(2));
t1.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("GMail login id:"));
Input input = new Input(Input.TEXT, GMAIL_ID, YOUR_REAL_GMAIL_ID);
tr.addElement(new TD().addElement(input));
t1.addElement(tr);
tr = new TR();
tr.addElement(new TD().addElement("GMail password:"));
input = new Input(Input.PASSWORD, GMAIL_PASS, YOUR_REAL_GMAIL_PASSWORD);
tr.addElement(new TD().addElement(input));
t1.addElement(tr);
ec.addElement(t1);
}
private Message sendGoogleMail(String recipients, String subject, String message, String from,
final String mailAccount, final String mailPassword) throws MessagingException
{
boolean debug = false;
Properties props = new Properties();
props.put("mail.smtp.host", SMTP_HOST_NAME);
props.put("mail.smtp.auth", "true");
props.put("mail.debug", "false");
props.put("mail.smtp.port", SMTP_PORT);
props.put("mail.smtp.socketFactory.port", SMTP_PORT);
props.put("mail.smtp.socketFactory.class", SSL_FACTORY);
props.put("mail.smtp.socketFactory.fallback", "false");
Session session = Session.getDefaultInstance(props, new javax.mail.Authenticator()
{
protected PasswordAuthentication getPasswordAuthentication()
{
return new PasswordAuthentication(mailAccount, mailPassword);
}
});
session.setDebug(debug);
Message msg = new MimeMessage(session);
InternetAddress addressFrom = new InternetAddress(from);
msg.setFrom(addressFrom);
InternetAddress[] addressTo = new InternetAddress[1];
// for (int i = 0; i < recipients.length; i++)
// {
addressTo[0] = new InternetAddress(recipients);
// }
msg.setRecipients(Message.RecipientType.TO, addressTo);
// Setting the Subject and Content Type
msg.setSubject(subject);
msg.setContent(message, "text/plain");
Transport.send(msg);
return msg;
}
/**
* DOCUMENT ME!
*
* @return DOCUMENT ME!
*/
protected Category getDefaultCategory()
{
return Category.PARAMETER_TAMPERING;
}
/**
* Gets the hints attribute of the EmailScreen object
*
* @return The hints value
*/
protected List<String> getHints(WebSession s)
{
List<String> hints = new ArrayList<String>();
hints.add("Try sending an anonymous message to yourself.");
hints.add("Try inserting some html or javascript code in the message field");
hints.add("Look at the hidden fields in the HTML.");
hints
.add("Insert <A href=\"http://code.google.com/p/webgoat/\">Click here for the WebGoat Project</A> in the message field");
hints.add("Insert <script>alert(\"Bad Stuff\");</script> in the message field");
return hints;
}
/**
* Gets the instructions attribute of the UncheckedEmail object
*
* @return The instructions value
*/
public String getInstructions(WebSession s)
{
String instructions = "This form is an example of a customer support page. Using the form below try to:<br>"
+ "1) Send a malicious script to the website admin.<br>"
+ "2) Send a malicious script to a 'friend' from OWASP.<br>";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(55);
protected Integer getDefaultRanking()
{
return DEFAULT_RANKING;
}
/**
* Gets the title attribute of the EmailScreen object
*
* @return The title value
*/
public String getTitle()
{
return ("Exploit Unchecked Email");
}
}