package org.owasp.webgoat.plugin;

import com.gargoylesoftware.htmlunit.html.HtmlForm;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.Div;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.apache.xalan.templates.Constants;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.WebSession;
import org.springframework.web.servlet.tags.form.AbstractHtmlElementTag;

/* loaded from: input_file:WebGoat.war:plugin_lessons/dom-injection-1.0.jar:org/owasp/webgoat/plugin/DOMInjection.class */
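/**
 * WebGoat "DOM Injection" lesson (category {@code AJAX_SECURITY}, ranking 10).
 *
 * <p>The page renders a licence-key form whose submit button starts out disabled.
 * On every keystroke the key field calls {@code validate(<lesson link>)} (presumably
 * defined in {@code dom_injection.js}), which is expected to ask this lesson, with
 * {@code from=ajax}, whether the typed key is valid. A valid key is answered with a
 * one-line JavaScript statement that re-enables the button.
 *
 * <p>Lesson design note: the key is only ever validated on that AJAX probe.
 * {@link #checkSuccess} just checks that the submit button was pressed, so the
 * browser-side "disabled" attribute is the only gate on the key. That client-side
 * trust is the weakness the lesson is built to demonstrate (see {@link #getHints});
 * it is intentional and must not be "fixed" here.
 */
public class DOMInjection extends LessonAdapter {
    /** Position of this lesson within its category. */
    private static final Integer DEFAULT_RANKING = Integer.valueOf(10);
    /** Label of the submit button; receiving it as the SUBMIT value marks success. */
    private static final String ACTIVATE = "Activate!";
    /** Name/id of the licence-key input and the request parameter it posts. */
    private static final String KEY = "key";
    /** The one licence key the AJAX probe accepts. */
    private static final String LICENSE_KEY = "K1JFWP8BSO8HI52LNPQS8F5L01N";
    /** Request parameter that tells the lesson who is calling. */
    private static final String FROM_PARAM = "from";
    /** Value of {@link #FROM_PARAM} sent by the page script's probe. */
    private static final String FROM_AJAX = "ajax";
    /** Form name used on the outer lesson form (the DOM path the hint refers to). */
    private static final String FORM_NAME = "form";
    /** HTML attribute the key field uses to trigger the probe. */
    private static final String ONKEYUP = "onkeyup";

    /**
     * Serves either the AJAX key check or the full lesson page.
     *
     * <p>When the request carries {@code from=ajax} and a {@code key} equal to
     * {@link #LICENSE_KEY}, the response body is the statement
     * {@code document.form.SUBMIT.disabled = false;} and nothing else is
     * rendered. Every other request, including a failed key check and any
     * failure while answering the probe, falls through to the registration form.
     *
     * @param webSession the current WebGoat session (request parser and response)
     */
    @Override // org.owasp.webgoat.lessons.AbstractLesson
    public void handleRequest(WebSession webSession) {
        try {
            String submittedKey = webSession.getParser().getRawParameter(KEY, "");
            boolean ajaxProbe = webSession.getParser()
                    .getRawParameter(FROM_PARAM, "")
                    .equalsIgnoreCase(FROM_AJAX);
            // equals() against a non-empty constant already rejects an empty key.
            if (ajaxProbe && LICENSE_KEY.equals(submittedKey)) {
                webSession.getResponse().setContentType("text/html");
                // Keep the browser from caching the probe result.
                webSession.getResponse().setHeader("Cache-Control", "no-cache");
                PrintWriter out = new PrintWriter(webSession.getResponse().getOutputStream());
                try {
                    // The page script is expected to evaluate this text (see hints).
                    out.print("document.form.SUBMIT.disabled = false;");
                    out.flush();
                } finally {
                    // Always release the writer; the original closed it only on the happy path.
                    out.close();
                }
                return;
            }
        } catch (Exception e) {
            // Best effort: report and render the normal page rather than fail the request.
            e.printStackTrace();
        }
        Form lessonForm = new Form(getFormAction(), "POST").setName(FORM_NAME).setEncType("");
        lessonForm.addElement(createContent(webSession));
        setContent(lessonForm);
    }

    /**
     * Builds the lesson body: the registration form plus an empty message div
     * the page script can write into.
     *
     * <p>The lesson is marked solved first when {@link #checkSuccess} reports
     * that the submit button was pressed.
     *
     * @param webSession the current WebGoat session
     * @return the assembled page fragment
     */
    // Decompiler note: originally protected; kept public to match the decompiled interface.
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.session.Screen
    public Element createContent(WebSession webSession) {
        ElementContainer page = new ElementContainer();
        if (checkSuccess(webSession)) {
            makeSuccess(webSession);
        }
        // Lesson script; presumably defines the validate() hooked up below.
        page.addElement("<script src='" + LessonUtil.buildJsPath(webSession, this, "dom_injection.js") + "'> </script>");
        page.addElement(new BR().addElement(new H1().addElement("Welcome to WebGoat Registration Page:")));
        page.addElement(new BR().addElement("Please enter the license key that was emailed to you to start using the application."));
        page.addElement(new BR());
        page.addElement(new BR());

        Form form = new Form(getLink(), "POST");
        Table table = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("70%").setAlign("center");

        // Row 1: licence-key input; each keystroke probes this lesson's URL.
        Input keyField = new Input("TEXT", KEY, "");
        keyField.setID(KEY);
        keyField.addAttribute(ONKEYUP, "validate('" + getLink() + "');");
        TR keyRow = new TR();
        keyRow.addElement(new TD(new StringElement("License Key: ")));
        keyRow.addElement(new TD(keyField));
        table.addElement(keyRow);

        // Row 2: spacer.
        TR spacerRow = new TR();
        spacerRow.addElement(new TD("&nbsp;").setColSpan(2));
        table.addElement(spacerRow);

        // Row 3: submit button, rendered disabled; only browser-side script enables it.
        Input submit = new Input();
        submit.setType(Input.SUBMIT);
        submit.setValue(ACTIVATE);
        submit.setName(Input.SUBMIT);
        submit.setID(Input.SUBMIT);
        submit.setDisabled(true);
        TR submitRow = new TR();
        submitRow.addElement(new TD("&nbsp;"));
        submitRow.addElement(new TD(submit));
        table.addElement(submitRow);

        form.addElement(table);
        page.addElement(form);

        // Target element for messages written by the page script.
        Div messageDiv = new Div();
        messageDiv.addAttribute("name", "MessageDiv");
        messageDiv.addAttribute("id", "MessageDiv");
        page.addElement(messageDiv);
        return page;
    }

    /**
     * Reports whether the submit button was pressed.
     *
     * <p>Only the {@code SUBMIT} parameter is inspected; the licence key posted
     * with the form is never re-checked on the server. That gap is the lesson's
     * intended weakness, not an oversight to patch.
     *
     * @param webSession the current WebGoat session
     * @return {@code true} when the request carries {@code SUBMIT=Activate!}
     */
    private boolean checkSuccess(WebSession webSession) {
        return ACTIVATE.equals(webSession.getRequest().getParameter(Input.SUBMIT));
    }

    /** @return the AJAX security category this lesson is listed under */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected Category getDefaultCategory() {
        return Category.AJAX_SECURITY;
    }

    /** @return this lesson's ordering position within its category */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    /**
     * Supplies the progressive hints shown to the learner.
     *
     * @param webSession the current WebGoat session (unused)
     * @return a fresh, mutable list of hints in the order they are revealed
     */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected List<String> getHints(WebSession webSession) {
        List<String> hints = new ArrayList<String>();
        hints.add("This page is using XMLHTTP to comunicate with the server.");
        hints.add("Try to find a way to inject the DOM to enable the Activate button.");
        hints.add("Intercept the reply and replace the body with document.form.SUBMIT.disabled = false;");
        return hints;
    }

    /** @return the lesson title shown in the menu */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.session.Screen
    public String getTitle() {
        return "DOM Injection";
    }
}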
