package org.owasp.webgoat.plugin.crosssitescripting;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.plugin.GoatHillsFinancial.DeleteProfile;
import org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.plugin.GoatHillsFinancial.LessonAction;
import org.owasp.webgoat.plugin.GoatHillsFinancial.ListStaff;
import org.owasp.webgoat.plugin.GoatHillsFinancial.Login;
import org.owasp.webgoat.plugin.GoatHillsFinancial.Logout;
import org.owasp.webgoat.plugin.GoatHillsFinancial.SearchStaff;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.HtmlEncoder;

/* loaded from: input_file:WebGoat.war:plugin_lessons/cross-site-scripting-1.0.jar:org/owasp/webgoat/plugin/crosssitescripting/CrossSiteScripting.class */
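/**
 * Lab lesson covering stored and reflected cross-site scripting. The stages alternate between
 * demonstrating the weakness (stages 1, 3, 5) and, when coding exercises are enabled, asking the
 * learner to fix it with input validation or output encoding (stages 2, 4, 6). The Goat Hills
 * Financial actions that render or persist profile data are swapped for XSS-specific variants.
 */
public class CrossSiteScripting extends GoatHillsFinancial {
    // Integer.valueOf uses the boxed cache; the Integer(int) constructor is deprecated.
    private static final Integer DEFAULT_RANKING = Integer.valueOf(100);
    public static final String STAGE1 = "Stored XSS";
    public static final String STAGE2 = "Block Stored XSS using Input Validation";
    public static final String STAGE3 = "Stored XSS Revisited";
    public static final String STAGE4 = "Block Stored XSS using Output Encoding";
    public static final String STAGE5 = "Reflected XSS";
    public static final String STAGE6 = "Block Reflected XSS";

    /**
     * Registers the actions for this lesson. View, edit, create, find and update use the
     * XSS-specific implementations from this package; list, search, login, logout and delete are
     * the shared Goat Hills Financial ones. Actions that chain to another action (login, logout,
     * find, update, delete) look their target up with {@code getAction}, so the target must be
     * registered first — keep this order.
     *
     * @param str action-prefix value handed to each action constructor (name kept from the base class)
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial
    protected void registerActions(String str) {
        registerAction(new ListStaff(this, str, GoatHillsFinancial.LISTSTAFF_ACTION));
        registerAction(new SearchStaff(this, str, GoatHillsFinancial.SEARCHSTAFF_ACTION));
        registerAction(new ViewProfileCrossSiteScripting(this, str, GoatHillsFinancial.VIEWPROFILE_ACTION));
        registerAction(new EditProfileCrossSiteScripting(this, str, GoatHillsFinancial.EDITPROFILE_ACTION));
        // Create reuses the edit action class under a different action name.
        registerAction(new EditProfileCrossSiteScripting(this, str, GoatHillsFinancial.CREATEPROFILE_ACTION));
        registerAction(new Login(this, str, GoatHillsFinancial.LOGIN_ACTION, getAction(GoatHillsFinancial.LISTSTAFF_ACTION)));
        registerAction(new Logout(this, str, "Logout", getAction(GoatHillsFinancial.LOGIN_ACTION)));
        registerAction(new FindProfileCrossSiteScripting(this, str, GoatHillsFinancial.FINDPROFILE_ACTION, getAction(GoatHillsFinancial.VIEWPROFILE_ACTION)));
        registerAction(new UpdateProfileCrossSiteScripting(this, str, GoatHillsFinancial.UPDATEPROFILE_ACTION, getAction(GoatHillsFinancial.VIEWPROFILE_ACTION)));
        registerAction(new DeleteProfile(this, str, GoatHillsFinancial.DELETEPROFILE_ACTION, getAction(GoatHillsFinancial.LISTSTAFF_ACTION)));
    }

    /**
     * @return the lesson menu category this lesson is listed under
     */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    public Category getDefaultCategory() {
        return Category.XSS;
    }

    /**
     * Builds the web-resource path of the solution page for the learner's current stage.
     * The stage name comes from lesson state, not from a request parameter, so it is limited to
     * the values returned by {@link #getStages()}.
     *
     * @param webSession session whose current stage selects the solution file
     * @return resource path of the form {@code /lesson_solutions_1/Lab XSS/Lab <stage>.html}
     */
    public String getLessonSolutionFileName(WebSession webSession) {
        return "/lesson_solutions_1/Lab XSS/Lab " + getStage(webSession) + ".html";
    }

    /**
     * Reads the solution page for the current stage. The reader is always closed, also when
     * {@code readFromFile} throws; the original left it open on every call.
     *
     * @param webSession session used to resolve the resource and to receive an error message
     * @return the solution HTML, or a fixed error text when the file cannot be opened or read
     */
    @Override // org.owasp.webgoat.lessons.AbstractLesson
    public String getSolution(WebSession webSession) {
        BufferedReader reader = null;
        try {
            reader = new BufferedReader(new FileReader(webSession.getWebResource(getLessonSolutionFileName(webSession))));
            return readFromFile(reader, false);
        } catch (IOException e) {
            webSession.setMessage("Could not find the solution file");
            return "Could not find the solution file";
        } finally {
            if (reader != null) {
                try {
                    reader.close();
                } catch (IOException ignored) {
                    // Nothing useful to do if closing a read-only reader fails; the content
                    // (or the error text) has already been produced.
                }
            }
        }
    }

    /**
     * Returns the hint list for all stages. Hints are prefixed with their stage and are returned
     * in a mutable list as the base contract expects.
     *
     * @param webSession current session (unused; the hints do not depend on stage)
     * @return the hints in display order
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected List<String> getHints(WebSession webSession) {
        List<String> hints = new ArrayList<String>();
        hints.add("Stage1: You can put HTML tags in form input fields.");
        hints.add("Stage1: Bury a SCRIPT tag in the field to attack anyone who reads it.");
        hints.add("Stage1: Enter this: &lt;script language=\"javascript\" type=\"text/javascript\"&gt;alert(\"Ha Ha Ha\");&lt;/script&gt; in message fields.");
        hints.add("Stage1: Enter this: &lt;script&gt;alert(\"document.cookie\");&lt;/script&gt; in message fields.");
        hints.add("Stage2: Many scripts rely on the use of special characters such as: &lt;");
        hints.add("Stage2: Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering).");
        hints.add("Stage2: The java.util.regex package is useful for filtering string values.");
        hints.add("Stage3: Browsers recognize and decode HTML entity encoded content after parsing and interpretting HTML tags.");
        hints.add("Stage3: An HTML entity encoder is provided in the ParameterParser class.");
        hints.add("Stage4: Examine content served in response to form submissions looking for data taken from the form.");
        hints.add("Stage4: There is a class called HtmlEncoder in org.owasp.webgoat.util");
        hints.add("Stage5: Validate early.  Consider: out.println(\"Order for \" + request.getParameter(\"product\") + \" being processed...\");");
        return hints;
    }

    /**
     * Returns the instruction text for the learner's current stage, or an empty string once the
     * lesson tracker reports the lesson complete or when the stage is not one of the six known
     * stages.
     *
     * @param webSession session whose tracker and stage are consulted
     * @return instruction HTML for the stage, never {@code null}
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    public String getInstructions(WebSession webSession) {
        String str = "";
        if (!getLessonTracker(webSession).getCompleted()) {
            String stage = getStage(webSession);
            if (STAGE1.equals(stage)) {
                str = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.<br>As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page.  Verify that 'Jerry' is affected by the attack. <br/>The passwords for the accounts are the lower-case versions of their given names (e.g. the password for Tom Cat is \"tom\").";
            } else if (STAGE2.equals(stage)) {
                str = "Stage 2: Block Stored XSS using Input Validation.<br><br><b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>Implement a fix to block the stored XSS before it can be written to the database. Repeat stage 1 as 'Eric' with 'David' as the manager.  Verify that 'David' is not affected by the attack.";
            } else if (STAGE3.equals(stage)) {
                str = "Stage 3: Execute a previously Stored Cross Site Scripting (XSS) attack.<br>The 'Bruce' employee profile is pre-loaded with a stored XSS attack. Verify that 'David' is affected by the attack even though the fix from stage 2 is in place.";
            } else if (STAGE4.equals(stage)) {
                str = "Stage 4: Block Stored XSS using Output Encoding.<br><br><b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>Implement a fix to block XSS after it is read from the database. Repeat stage 3. Verify that 'David' is not affected by Bruce's profile attack.";
            } else if (STAGE5.equals(stage)) {
                str = "Stage 5: Execute a Reflected XSS attack.<br>Use a vulnerability on the Search Staff page to craft a URL containing a reflected XSS attack.  Verify that another employee using the link is affected by the attack.";
            } else if (STAGE6.equals(stage)) {
                str = "Stage 6: Block Reflected XSS using Input Validation.<br><br><b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>Implement a fix to block this reflected XSS attack. Repeat step 5.  Verify that the attack URL is no longer effective.";
            }
        }
        return str;
    }

    /**
     * Lists the stages of this lesson. The "fix it" stages (2, 4, 6) require editing WebGoat's
     * source, so they are only offered when the context has coding exercises enabled.
     *
     * @return the stage names in order
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.RandomLessonAdapter
    public String[] getStages() {
        return getWebgoatContext().isCodingExercises()
                ? new String[]{STAGE1, STAGE2, STAGE3, STAGE4, STAGE5, STAGE6}
                : new String[]{STAGE1, STAGE3, STAGE5};
    }

    /**
     * Dispatches one request to the action named by the {@code action} parameter, defaulting to
     * the login action when the parameter is absent. Unknown action names, parameter and
     * validation failures and any other exception switch the current action to "error"; an
     * action that requires authentication is skipped silently when the session is not
     * authenticated. The lesson content is reset to an empty container afterwards in every case.
     *
     * @param webSession the session whose request is handled
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.AbstractLesson
    public void handleRequest(WebSession webSession) {
        String actionName;
        if (webSession.getLessonSession(this) == null) {
            webSession.openLessonSession(this);
        }
        try {
            actionName = webSession.getParser().getStringParameter("action");
        } catch (ParameterNotFoundException e) {
            // No action parameter: start at the login screen.
            actionName = GoatHillsFinancial.LOGIN_ACTION;
        }
        if (actionName != null) {
            try {
                LessonAction action = getAction(actionName);
                if (action == null) {
                    // Unregistered action name (user-controlled): treat as an error, do not dispatch.
                    setCurrentAction(webSession, "error");
                } else if (!action.requiresAuthentication() || action.isAuthenticated(webSession)) {
                    action.handleRequest(webSession);
                }
            } catch (ParameterNotFoundException e2) {
                e2.printStackTrace();
                setCurrentAction(webSession, "error");
            } catch (UnauthenticatedException e3) {
                webSession.setMessage("Login failed");
                e3.printStackTrace();
            } catch (UnauthorizedException e4) {
                webSession.setMessage("You are not authorized to perform this function");
                e4.printStackTrace();
            } catch (ValidationException e5) {
                e5.printStackTrace();
                setCurrentAction(webSession, "error");
            } catch (Exception e6) {
                // Last-resort boundary: any other failure lands on the error screen rather than
                // propagating out of the lesson.
                e6.printStackTrace();
                setCurrentAction(webSession, "error");
            }
        }
        setContent(new ElementContainer());
    }

    /**
     * @return the ranking used to order this lesson in the menu
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    /**
     * @return the lesson title shown in the menu
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.session.Screen
    public String getTitle() {
        return "LAB: Cross Site Scripting";
    }

    /**
     * HTML-entity encodes {@code str} for output. In stage 4 it additionally marks the stage
     * complete when the value being encoded carries the stored script payload markers
     * ({@code <script>}, {@code alert}, {@code </script>}) — presumably evidence that the
     * learner's fix routes the stored profile data through the encoder before rendering it.
     * The marker check is guarded against a {@code null} value; the encoder call itself is
     * unchanged.
     *
     * @param webSession session used to read and update the stage
     * @param str raw value to encode
     * @return the result of {@link HtmlEncoder#encode(String)} for {@code str}
     */
    public String htmlEncode(WebSession webSession, String str) {
        if (str != null
                && STAGE4.equals(getStage(webSession))
                && str.indexOf("<script>") > -1
                && str.indexOf("alert") > -1
                && str.indexOf("</script>") > -1) {
            setStageComplete(webSession, STAGE4);
            webSession.setMessage("Welcome to stage 5 -- exploiting the data layer");
        }
        return HtmlEncoder.encode(str);
    }
}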
