package org.owasp.webgoat.plugin;

import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;

/* loaded from: input_file:WebGoat.war:plugin_lessons/forced-browsing-1.0.jar:org/owasp/webgoat/plugin/ForcedBrowsing.class */
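/**
 * WebGoat training lesson that demonstrates forced browsing against a
 * "maintenance only" configuration page.
 *
 * <p>The lesson is deliberately weak: {@link #createContent(WebSession)} decides
 * whether to render the configuration form solely from the request parameter
 * {@code succeeded}. Nothing in this class checks who the caller is or what role
 * they hold. This models a page protected only by the secrecy of its URL and by
 * client-supplied state.
 *
 * <p>Defensive takeaway for real applications: every administrative view must be
 * authorized on the server from the authenticated session (role or permission
 * check), never from a request parameter or an unlinked path. Failed attempts to
 * reach such pages are worth logging, since probing for guessable paths is a
 * common reconnaissance signal.
 */
public class ForcedBrowsing extends LessonAdapter {
    /** Name of the request parameter that flags the lesson as solved. */
    private static final String SUCCEEDED = "succeeded";

    /** Parameter value that unlocks the configuration page. */
    private static final String SUCCEEDED_VALUE = "yes";

    /** Ranking value returned by {@link #getDefaultRanking()}. */
    private static final Integer DEFAULT_RANKING = Integer.valueOf(15);

    /**
     * Builds the lesson body.
     *
     * <p>When the {@code succeeded} request parameter equals {@code "yes"} the mock
     * configuration form is rendered and the lesson is marked as completed;
     * otherwise only the challenge prompt is shown.
     *
     * <p>NOTE(review): the gate is a caller-controlled parameter with no
     * authorization check. That is the intentional flaw of this lesson and must not
     * be copied into production code. Where the parameter is normally set is not
     * visible in this file.
     *
     * @param webSession the current lesson session, used to read request parameters
     * @return the element tree to display for this request
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.session.Screen
    public Element createContent(WebSession webSession) {
        ElementContainer content = new ElementContainer();
        String succeeded = webSession.getParser().getStringParameter(SUCCEEDED, "");

        // Guard clause: anything other than the exact unlock value gets the prompt.
        if (!SUCCEEDED_VALUE.equals(succeeded)) {
            content.addElement("Can you try to force browse to the config page which should only be accessed by maintenance personnel.");
            return content;
        }

        content.addElement(new BR().addElement(new H1().addElement("Welcome to WebGoat Configuration Page")));
        content.addElement(new BR());

        Table configTable = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center");

        TR userRow = new TR();
        userRow.addElement(new TD(new StringElement("Set Admin Privileges for: ")));
        userRow.addElement(new TD(new Input("TEXT", "", "")));
        configTable.addElement(userRow);

        TR passwordRow = new TR();
        passwordRow.addElement(new TD(new StringElement("Set Admin Password:")));
        passwordRow.addElement(new TD(new Input(Input.PASSWORD, "", "")));
        configTable.addElement(passwordRow);

        configTable.addElement(new TR(new TD(ECSFactory.makeButton("Submit")).setColSpan(2).setAlign("right")));
        content.addElement(configTable);

        // Reaching the form is the lesson's success condition.
        makeSuccess(webSession);
        return content;
    }

    /**
     * Returns the category this lesson is listed under.
     *
     * @return {@link Category#INSECURE_CONFIGURATION}
     */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected Category getDefaultCategory() {
        return Category.INSECURE_CONFIGURATION;
    }

    /**
     * Returns the hints for this lesson, ordered from least to most explicit.
     *
     * @param webSession the current lesson session (not used)
     * @return a new mutable list of hint strings
     */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    public List<String> getHints(WebSession webSession) {
        // Typed list instead of the raw ArrayList produced by the decompiler.
        List<String> hints = new ArrayList<String>();
        hints.add("Try to guess the URL for the config page");
        hints.add("The config page is guessable and hackable");
        hints.add("Play with the URL and try to guess what you can replace 'attack' with.");
        hints.add("Try to navigate to http://localhost/WebGoat/conf");
        return hints;
    }

    /**
     * Returns the lesson's default ranking.
     *
     * @return the ranking constant, 15
     */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    /**
     * Returns the lesson title.
     *
     * @return the literal title {@code "Forced Browsing"}
     */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.session.Screen
    public String getTitle() {
        return "Forced Browsing";
    }
}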
