package org.owasp.webgoat.plugin;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.H2;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.WebSession;

/* loaded from: input_file:WebGoat.war:plugin_lessons/dos-login-1.0.jar:org/owasp/webgoat/plugin/DOS_Login.class */
public class DOS_Login extends LessonAdapter {
    protected static final String PASSWORD = "Password";
    protected static final String USERNAME = "Username";
    private static final Integer DEFAULT_RANKING = new Integer(90);

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.session.Screen
    public Element createContent(WebSession webSession) {
        String rawParameter;
        String rawParameter2;
        ElementContainer elementContainer = new ElementContainer();
        try {
            rawParameter = webSession.getParser().getRawParameter(USERNAME);
            rawParameter2 = webSession.getParser().getRawParameter("Password");
        } catch (ParameterNotFoundException e) {
        } catch (Exception e2) {
            webSession.setMessage("Error generating " + getClass().getName());
        }
        if (rawParameter.equals("jeff") || rawParameter.equals("dave")) {
            elementContainer.addElement(new H2("Login Failed: 'jeff' and 'dave' are not valid for this lesson"));
            return elementContainer.addElement(makeLogin(webSession));
        }
        Connection connection = DatabaseUtilities.getConnection(webSession);
        String str = "SELECT * FROM user_system_data WHERE user_name = '" + rawParameter + "' and password = '" + rawParameter2 + "'";
        elementContainer.addElement(new StringElement(str));
        try {
            Statement createStatement = connection.createStatement(1004, 1007);
            ResultSet executeQuery = createStatement.executeQuery(str);
            if (executeQuery == null || !executeQuery.first()) {
                elementContainer.addElement(new H2("Login Failed"));
                ResultSet executeQuery2 = createStatement.executeQuery("SELECT * FROM user_login WHERE webgoat_user = '" + webSession.getUserName() + "'");
                executeQuery2.last();
                elementContainer.addElement(new H2("Successfull login count: " + executeQuery2.getRow()));
            } else {
                elementContainer.addElement(DatabaseUtilities.writeTable(executeQuery, executeQuery.getMetaData()));
                executeQuery.last();
                if (executeQuery.getRow() >= 1) {
                    if (executeQuery.getString(2).equals(rawParameter) && executeQuery.getString(3).equals(rawParameter2)) {
                        createStatement.executeUpdate("INSERT INTO user_login VALUES ( '" + rawParameter + "', '" + webSession.getUserName() + "' )");
                    }
                    ResultSet executeQuery3 = createStatement.executeQuery("SELECT * FROM user_login WHERE webgoat_user = '" + webSession.getUserName() + "'");
                    executeQuery3.last();
                    if (executeQuery3.getRow() >= 3) {
                        makeSuccess(webSession);
                        createStatement.executeUpdate("DELETE from user_login WHERE webgoat_user = '" + webSession.getUserName() + "'");
                        return new H1("Congratulations! Lesson Completed");
                    }
                    elementContainer.addElement(new H2("Login Succeeded: Total login count: " + executeQuery3.getRow()));
                }
            }
        } catch (SQLException e3) {
            elementContainer.addElement(new P().addElement(e3.getMessage()));
            e3.printStackTrace();
        }
        return elementContainer.addElement(makeLogin(webSession));
    }

    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected Category getDefaultCategory() {
        return Category.DOS;
    }

    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected List<String> getHints(WebSession webSession) {
        ArrayList arrayList = new ArrayList();
        arrayList.add("Use a SQL Injection to obtain the user names. ");
        arrayList.add("Try to generate this query: SELECT * FROM user_system_data WHERE user_name = 'goober' and password = 'dont_care' or '1' = '1'");
        arrayList.add("Try &quot;dont_care' or '1' = '1&quot; in the password field");
        return arrayList;
    }

    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.session.Screen
    public String getTitle() {
        return "Denial of Service from Multiple Logins";
    }

    protected Element makeLogin(WebSession webSession) {
        ElementContainer elementContainer = new ElementContainer();
        Table border = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
        if (webSession.isColor()) {
            border.setBorder(1);
        }
        TR tr = new TR();
        TR tr2 = new TR();
        tr.addElement(new TD(new StringElement("User Name: ")));
        tr2.addElement(new TD(new StringElement("Password: ")));
        Input input = new Input("TEXT", USERNAME, "");
        Input input2 = new Input(Input.PASSWORD, "Password", "");
        tr.addElement(new TD(input));
        tr2.addElement(new TD(input2));
        border.addElement(tr);
        border.addElement(tr2);
        border.addElement(new TR(new TD(ECSFactory.makeButton(GoatHillsFinancial.LOGIN_ACTION))));
        elementContainer.addElement(border);
        return elementContainer;
    }
}
