package org.owasp.webgoat.plugin;

import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.Cookie;
import org.apache.commons.cli.HelpFormatter;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.B;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.hsqldb.persist.LockFile;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.WebSession;

/* loaded from: input_file:WebGoat.war:plugin_lessons/weak-session-id-1.0.jar:org/owasp/webgoat/plugin/WeakSessionID.class */
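public class WeakSessionID extends LessonAdapter {
    protected static final String SESSIONID = "WEAKID";
    protected static final String PASSWORD = "Password";
    protected static final String USERNAME = "Username";

    /** Upper bound of the random offset mixed into the first sequence number. */
    private static final double SEQ_RANDOM_RANGE = 10240.0d;
    /**
     * Fixed base of the first sequence number. The decompiled listing had this inlined as an
     * unrelated library constant (hsqldb LockFile.HEARTBEAT_INTERVAL); the lesson only needs the value.
     */
    private static final long SEQ_BASE = 10000L;
    /** Separator between the sequence part and the timestamp part of an id (was HelpFormatter.DEFAULT_OPT_PREFIX). */
    private static final String ID_SEPARATOR = "-";
    /** Every id whose sequence number is a multiple of this is skipped, recorded as a valid session and shown to the user. */
    private static final long SKIP_INTERVAL = 29L;
    /** Maximum number of skipped (valid) ids that are remembered. */
    private static final int MAX_SESSIONS = 100;

    // Lesson state is static and mutable on purpose: every user of the lesson shares the same
    // counter, so the ids handed out are observable and predictable from another session.
    // NOTE(review): none of this is synchronized; concurrent calls to newCookie() may race — confirm
    // whether more than one request thread can reach this lesson at a time.
    protected static List<String> sessionList = new ArrayList<String>();
    protected static long seq = Math.round(Math.random() * SEQ_RANDOM_RANGE) + SEQ_BASE;
    protected static long lastTime = System.currentTimeMillis();
    private static final Integer DEFAULT_RANKING = Integer.valueOf(90);

    /**
     * Issues the next session id for this request.
     *
     * <p>Ids are {@code <sequence>-<millis>}. When the incremented sequence number hits a multiple of
     * {@link #SKIP_INTERVAL}, that id is skipped: it is stored as a valid "foreign" session (with a
     * timestamp halfway between the previous and the current request), shown to the user via
     * {@code setMessage}, and the user receives the following id instead. Guessing a skipped id is the
     * goal of the lesson.
     *
     * @param webSession the current WebGoat session; receives the skipped id as its message
     * @return the id to hand to the requesting user
     */
    protected String newCookie(WebSession webSession) {
        long now = System.currentTimeMillis();
        seq++;
        if (seq % SKIP_INTERVAL == 0) {
            // The decompiled source passed `this` here, which cannot compile; the skipped id is the
            // current sequence value, and the user gets the one after it.
            String skipped = encode(seq, lastTime + ((now - lastTime) / 2));
            seq++;
            sessionList.add(skipped);
            webSession.setMessage(skipped);
            if (sessionList.size() > MAX_SESSIONS) {
                sessionList.remove(0); // drop the oldest valid id
            }
        }
        lastTime = now;
        return encode(seq, now);
    }

    /**
     * Formats a session id as {@code <sequence>-<millis>}. Both parts are trivially predictable,
     * which is the weakness this lesson demonstrates.
     *
     * @param sequence the sequence counter value
     * @param timeMillis the timestamp to embed
     * @return the encoded id
     */
    private String encode(long sequence, long timeMillis) {
        return Long.toString(sequence) + ID_SEPARATOR + Long.toString(timeMillis);
    }

    /**
     * Renders the lesson: the success page when the request carries a {@value #SESSIONID} cookie that
     * is one of the remembered (skipped) ids, otherwise the login form.
     *
     * @param webSession the current WebGoat session
     * @return the page content, or {@code null} if rendering failed (the error is reported via the session message)
     */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.session.Screen
    public Element createContent(WebSession webSession) {
        try {
            String cookie = webSession.getCookie(SESSIONID);
            // Authentication is by cookie value alone; the form's username/password are never checked.
            if (cookie != null && sessionList.contains(cookie)) {
                return makeSuccess(webSession);
            }
            return makeLogin(webSession);
        } catch (Exception e) {
            webSession.setMessage("Error generating " + getClass().getName());
            e.printStackTrace();
            return null;
        }
    }

    /** @return the lesson category shown in the menu */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected Category getDefaultCategory() {
        return Category.SESSION_MANAGEMENT;
    }

    /**
     * Progressive hints for the user, from vague to explicit.
     *
     * @param webSession the current WebGoat session (unused)
     * @return a mutable list of hint texts in display order
     */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected List<String> getHints(WebSession webSession) {
        List<String> hints = new ArrayList<String>();
        hints.add("The server skips authentication if you send the right cookie.");
        hints.add("Is the cookie value predictable? Can you see gaps where someone else has acquired a cookie?");
        hints.add("Try harder, you brute!");
        hints.add("The first part of the cookie is a sequential number, the second part is milliseconds.");
        hints.add("After the 29th try, the skipped identifier is printed to your screen. Use that to login.");
        return hints;
    }

    /** @return the lesson's position within its category */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    /** @return the lesson title */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.session.Screen
    public String getTitle() {
        return "Hijack a Session";
    }

    /**
     * Reads a request parameter that may legitimately be absent (the form has not been submitted yet).
     *
     * @param webSession the current WebGoat session
     * @param name the parameter name
     * @return the parameter value, or {@code null} when it is not present
     */
    private static String optionalParameter(WebSession webSession, String name) {
        try {
            return webSession.getParser().getStringParameter(name);
        } catch (ParameterNotFoundException ignored) {
            // Absent on the first display of the form; treated as "not submitted".
            return null;
        }
    }

    /**
     * Builds the sign-in form. If the request has no {@value #SESSIONID} cookie yet, a fresh id is
     * issued and set as a cookie (no Secure/HttpOnly attributes are applied). Any submitted
     * username/password is rejected with "Invalid username or password." — the only way in is a
     * cookie matching a remembered id.
     *
     * @param webSession the current WebGoat session
     * @return the form content
     */
    protected Element makeLogin(WebSession webSession) {
        ElementContainer content = new ElementContainer();
        String cookie = webSession.getCookie(SESSIONID);
        if (cookie == null) {
            cookie = newCookie(webSession);
            webSession.getResponse().addCookie(new Cookie(SESSIONID, cookie));
        }
        content.addElement(new H1().addElement("Sign In "));
        Table form = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
        if (webSession.isColor()) {
            form.setBorder(1);
        }

        String username = optionalParameter(webSession, USERNAME);
        String password = optionalParameter(webSession, PASSWORD);
        // Credentials are never validated: every submission is reported as invalid.
        if (username != null || password != null) {
            webSession.setMessage("Invalid username or password.");
        }

        TR heading = new TR();
        heading.addElement(new TH().addElement("Please sign in to your account.").setColSpan(2).setAlign("left"));
        form.addElement(heading);

        TR required = new TR();
        required.addElement(new TD().addElement("*Required Fields").setWidth("30%"));
        form.addElement(required);

        TR spacer = new TR();
        spacer.addElement(new TD().addElement("&nbsp;").setColSpan(2));
        form.addElement(spacer);

        TR usernameRow = new TR();
        usernameRow.addElement(new TD(new B(new StringElement("*User Name: "))));
        usernameRow.addElement(new TD(new Input("TEXT", USERNAME, "")));
        form.addElement(usernameRow);

        TR passwordRow = new TR();
        passwordRow.addElement(new TD(new B(new StringElement("*Password: "))));
        passwordRow.addElement(new TD(new Input(Input.PASSWORD, PASSWORD, "")));
        form.addElement(passwordRow);

        // The id is also echoed as a hidden field, so it is visible in the page source.
        form.addElement(new Input(Input.HIDDEN, SESSIONID, cookie));
        form.addElement(new TR(new TD(ECSFactory.makeButton(GoatHillsFinancial.LOGIN_ACTION))));
        content.addElement(form);
        return content;
    }
}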
