package org.owasp.webgoat.plugin;

import com.gargoylesoftware.htmlunit.html.HtmlForm;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import org.apache.commons.cli.HelpFormatter;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.Div;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.H3;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.Script;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.apache.xalan.templates.Constants;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.WebSession;
import org.springframework.web.servlet.tags.form.AbstractHtmlInputElementTag;

/* loaded from: input_file:WebGoat.war:plugin_lessons/xml-injection-1.0.jar:org/owasp/webgoat/plugin/XMLInjection.class */
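/**
 * WebGoat "XML Injection" lesson (decompiled from plugin_lessons/xml-injection-1.0.jar).
 *
 * <p>The page shows a reward catalogue and an account-ID field. An XHR request that
 * carries {@code from=ajax} together with the hard-coded account ID receives a small
 * XML reward list, which the page-side script renders as checkboxes. On submit the
 * server marks the lesson complete when the {@code check1004} parameter is present:
 * the reward selection is taken straight from the client and never validated against
 * the catalogue or the account's entitlement. That missing server-side check is the
 * lesson's intended weakness and is deliberately left in place here; the fix a real
 * application needs is to re-derive the allowed reward set on the server.
 *
 * <p>Decompiler-resolved constants ({@code Constants.ATTRNAME_FROM},
 * {@code HelpFormatter.DEFAULT_OPT_PREFIX}, {@code HtmlForm.TAG_NAME},
 * {@code AbstractHtmlInputElementTag.ONBLUR_ATTRIBUTE}) are written as the string
 * literals they stand for, removing spurious dependencies on unrelated libraries.
 */
public class XMLInjection extends LessonAdapter {
    private static final String ACCOUNTID = "accountID";
    private static final Integer DEFAULT_RANKING = Integer.valueOf(20);
    /** Reward catalogue keyed by reward ID (1001..1005); filled by {@link #init()}. */
    public static HashMap<Integer, Reward> rewardsMap = new HashMap<>();

    /** Mutable bean describing one reward: display name and point cost. */
    public static class Reward {
        private String name;
        private int points;

        Reward() {
        }

        public String getName() {
            return this.name;
        }

        public void setName(String str) {
            this.name = str;
        }

        public int getPoints() {
            return this.points;
        }

        public void setPoints(int i) {
            this.points = i;
        }
    }

    /**
     * Populates {@link #rewardsMap} with the fixed catalogue and returns it.
     *
     * <p>Re-running it overwrites the same five keys, so calling it on every request
     * (as {@link #createContent} does) leaves the map content unchanged.
     *
     * @return the shared catalogue map
     */
    protected static HashMap<Integer, Reward> init() {
        putReward(1001, "WebGoat t-shirt", 50);
        putReward(1002, "WebGoat Secure Kettle", 30);
        putReward(1003, "WebGoat Mug", 20);
        putReward(1004, "WebGoat Core Duo Laptop", 2000);
        putReward(1005, "WebGoat Hawaii Cruise", 3000);
        return rewardsMap;
    }

    /** Builds a {@link Reward} and stores it in {@link #rewardsMap} under {@code id}. */
    private static void putReward(int id, String name, int points) {
        Reward reward = new Reward();
        reward.setName(name);
        reward.setPoints(points);
        rewardsMap.put(id, reward);
    }

    /** Reads request parameter {@code name}, returning {@code ""} when it is absent. */
    private static String param(WebSession webSession, String name) {
        return webSession.getParser().getRawParameter(name, "");
    }

    /**
     * Serves the lesson: the XHR reward lookup when {@code from=ajax} and the account ID
     * {@code 836239} are both supplied, otherwise the regular HTML page.
     *
     * @param webSession current WebGoat session (request, response, parameters)
     */
    @Override // org.owasp.webgoat.lessons.AbstractLesson
    public void handleRequest(WebSession webSession) {
        try {
            boolean ajaxCall = "ajax".equals(param(webSession, "from"));
            boolean knownAccount = "836239".equals(param(webSession, ACCOUNTID));
            if (ajaxCall && knownAccount) {
                String nl = System.getProperty("line.separator");
                // Fixed, server-defined document; no request data is interpolated into it.
                String xml = "<root>" + nl
                        + "<reward>WebGoat Mug 20 Pts</reward>" + nl
                        + "<reward>WebGoat t-shirt 50 Pts</reward>" + nl
                        + "<reward>WebGoat Secure Kettle 30 Pts</reward>" + nl
                        + "</root>";
                webSession.getResponse().setContentType("text/xml");
                webSession.getResponse().setHeader("Cache-Control", "no-cache");
                // Explicit UTF-8 so the emitted bytes do not depend on the platform charset;
                // closing the writer also closes the response stream, as the original did.
                try (PrintWriter out = new PrintWriter(new OutputStreamWriter(
                        webSession.getResponse().getOutputStream(), StandardCharsets.UTF_8))) {
                    out.print(xml);
                    out.flush();
                }
                return;
            }
        } catch (Exception e) {
            // Best-effort: a failed XHR reply falls through to the normal page render.
            e.printStackTrace();
        }
        Form form = new Form(getFormAction(), "POST").setName("form").setEncType("");
        form.addElement(createContent(webSession));
        setContent(form);
    }

    /**
     * Builds the lesson page: catalogue table, account-ID input with an onblur XHR hook,
     * the container the script fills with reward checkboxes, and a submit button. On
     * submit it either marks the lesson complete (reward 1004 selected) or echoes the
     * names of the selected rewards.
     *
     * <p>Parameter presence is tested with {@code isEmpty()} rather than {@code != ""};
     * the reference comparison only worked because the default value was an interned
     * literal, and misread a submitted-but-empty parameter as present.
     *
     * @param webSession current WebGoat session
     * @return the page body
     */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.session.Screen
    public Element createContent(WebSession webSession) {
        ElementContainer page = new ElementContainer();
        init();
        if (!"yes".equals(param(webSession, "done"))) {
            page.addElement(new Script().setSrc(LessonUtil.buildJsPath(webSession, this, "xmlInjection.js")));
        }
        page.addElement(new BR().addElement(new H1().addElement("Welcome to WebGoat-Miles Reward Miles Program.")));
        page.addElement(new BR());
        page.addElement(new BR().addElement(new H3().addElement("Rewards available through the program:")));
        page.addElement(new BR());
        page.addElement(buildCatalogueTable());
        page.addElement(new BR());
        page.addElement(new H3().addElement("Redeem your points:"));
        page.addElement(new BR());
        page.addElement(buildAccountTable(webSession));
        page.addElement(new BR());
        page.addElement(new BR());
        page.addElement(new BR());
        Div rewardsDiv = new Div();
        rewardsDiv.addAttribute("name", "rewardsDiv");
        rewardsDiv.addAttribute("id", "rewardsDiv");
        page.addElement(rewardsDiv);
        Input submit = new Input();
        submit.setType(Input.SUBMIT);
        submit.setValue("Submit");
        submit.setName(Input.SUBMIT);
        page.addElement(submit);
        if (!param(webSession, Input.SUBMIT).isEmpty()) {
            // Success is decided solely by a client-submitted checkbox parameter; this is
            // the trust boundary the lesson is about and is intentionally not hardened here.
            if (!param(webSession, "check1004").isEmpty()) {
                makeSuccess(webSession);
            } else {
                page.addElement(new StringElement(buildShippingSummary(webSession)));
            }
        }
        return page;
    }

    /** One table row per catalogue entry, walking IDs upward from 1001. */
    private static Table buildCatalogueTable() {
        Table table = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center");
        for (int id = 1001; id < 1001 + rewardsMap.size(); id++) {
            Reward reward = rewardsMap.get(id);
            if (reward == null) {
                continue; // tolerate a gap in the ID range instead of failing the whole page
            }
            TR row = new TR();
            row.addElement(new TD("-" + reward.getName()));
            row.addElement(new TD(reward.getPoints() + " Pts"));
            table.addElement(row);
        }
        return table;
    }

    /** Account-ID text input whose onblur handler triggers the XHR reward lookup. */
    private Table buildAccountTable(WebSession webSession) {
        Table table = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center");
        TR row = new TR();
        row.addElement(new TD("Please enter your account ID:"));
        Input accountInput = new Input("TEXT", ACCOUNTID, "");
        accountInput.addAttribute("onblur", "getRewards('" + LessonUtil.getXHRLink(webSession, this) + "');");
        accountInput.addAttribute("id", ACCOUNTID);
        row.addElement(new TD(accountInput));
        table.addElement(row);
        return table;
    }

    /**
     * Lists the names of the rewards whose {@code check<id>} parameter was submitted.
     * Names come from the server-side catalogue, so nothing client-controlled is echoed.
     *
     * @return HTML fragment headed by the shipping notice
     */
    private static String buildShippingSummary(WebSession webSession) {
        StringBuilder sb = new StringBuilder(
                "<br><br><b>The following items will be shipped to your address:</b><br>");
        for (int id = 1001; id < 1001 + rewardsMap.size(); id++) {
            if (param(webSession, "check" + id).isEmpty()) {
                continue;
            }
            Reward reward = rewardsMap.get(id);
            if (reward != null) {
                sb.append(reward.getName()).append("<br>");
            }
        }
        return sb.toString();
    }

    /**
     * Marks the lesson complete and sets the success banner.
     *
     * @return always {@code null}; no extra content is added to the page
     */
    @Override // org.owasp.webgoat.lessons.LessonAdapter
    public Element makeSuccess(WebSession webSession) {
        getLessonTracker(webSession).setCompleted(true);
        webSession.setMessage("Congratulations. You have successfully completed this lesson.");
        return null;
    }

    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected Category getDefaultCategory() {
        return Category.AJAX_SECURITY;
    }

    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    /** Ordered hints shown to the learner; returned as a mutable list as callers expect. */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected List<String> getHints(WebSession webSession) {
        List<String> hints = new ArrayList<>();
        hints.add("This page is using XMLHTTP to comunicate with the server.");
        hints.add("Try to intercept the reply and check the reply.");
        hints.add("Intercept the reply and try to inject some XML to add more rewards to yourself.");
        return hints;
    }

    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.session.Screen
    public String getTitle() {
        return "XML Injection";
    }
}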
