package org.owasp.webgoat.plugin.db_cross_site;

import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.ElementContainer;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.plugin.GoatHillsFinancial.DeleteProfile;
import org.owasp.webgoat.plugin.GoatHillsFinancial.EditProfile;
import org.owasp.webgoat.plugin.GoatHillsFinancial.FindProfile;
import org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.plugin.GoatHillsFinancial.LessonAction;
import org.owasp.webgoat.plugin.GoatHillsFinancial.ListStaff;
import org.owasp.webgoat.plugin.GoatHillsFinancial.Login;
import org.owasp.webgoat.plugin.GoatHillsFinancial.Logout;
import org.owasp.webgoat.plugin.GoatHillsFinancial.SearchStaff;
import org.owasp.webgoat.plugin.GoatHillsFinancial.ViewProfile;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.UnauthenticatedException;
import org.owasp.webgoat.session.UnauthorizedException;
import org.owasp.webgoat.session.ValidationException;
import org.owasp.webgoat.session.WebSession;

/* loaded from: input_file:WebGoat.war:plugin_lessons/db-cross-site-scripting-1.0.jar:org/owasp/webgoat/plugin/db_cross_site/DBCrossSiteScripting.class */
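/**
 * WebGoat lab lesson "DB Cross Site Scripting (XSS)".
 *
 * <p>Reuses the GoatHillsFinancial action set (list/search/view/edit/delete
 * profiles, login/logout) and swaps in a lesson-specific update-profile
 * action. Stage 1 is a stored-XSS exercise; stage 2 (coding exercises only)
 * asks the student to add DB-side input validation. The vulnerable behaviour
 * itself lives in {@code UpdateProfileDBCrossSiteScripting} and the database
 * stored procedure, not in this class, which only wires actions, text and
 * dispatch together.
 *
 * <p>Decompiled class (see the "loaded from" note above); the stage-2
 * instruction text was reconstructed where the decompiler left an
 * uninitialised local behind.
 */
public class DBCrossSiteScripting extends GoatHillsFinancial {
    // Integer.valueOf instead of the deprecated boxing constructor; same value.
    private static final Integer DEFAULT_RANKING = Integer.valueOf(100);
    public static final String STAGE1 = "Stored XSS";
    public static final String STAGE2 = "Block Stored XSS using DB Input Validation";

    /**
     * Registers every action this lesson responds to, keyed by its action name.
     * Order matters: actions that chain to another (login, find, update,
     * delete) look up their successor with {@code getAction}, so the successor
     * must already be registered.
     *
     * @param str the lesson name passed through to each action
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial
    protected void registerActions(String str) {
        registerAction(new ListStaff(this, str, GoatHillsFinancial.LISTSTAFF_ACTION));
        registerAction(new SearchStaff(this, str, GoatHillsFinancial.SEARCHSTAFF_ACTION));
        registerAction(new ViewProfile(this, str, GoatHillsFinancial.VIEWPROFILE_ACTION));
        registerAction(new EditProfile(this, str, GoatHillsFinancial.EDITPROFILE_ACTION));
        // Create reuses the EditProfile action under a second name.
        registerAction(new EditProfile(this, str, GoatHillsFinancial.CREATEPROFILE_ACTION));
        registerAction(new Login(this, str, GoatHillsFinancial.LOGIN_ACTION, getAction(GoatHillsFinancial.LISTSTAFF_ACTION)));
        registerAction(new Logout(this, str, "Logout", getAction(GoatHillsFinancial.LOGIN_ACTION)));
        registerAction(new FindProfile(this, str, GoatHillsFinancial.FINDPROFILE_ACTION, getAction(GoatHillsFinancial.VIEWPROFILE_ACTION)));
        // The only lesson-specific action; presumably where the stored-XSS sink
        // and the stage-2 validation hook live (not visible from this file).
        registerAction(new UpdateProfileDBCrossSiteScripting(this, str, GoatHillsFinancial.UPDATEPROFILE_ACTION, getAction(GoatHillsFinancial.VIEWPROFILE_ACTION)));
        registerAction(new DeleteProfile(this, str, GoatHillsFinancial.DELETEPROFILE_ACTION, getAction(GoatHillsFinancial.LISTSTAFF_ACTION)));
    }

    /** @return the lesson menu category this lesson is filed under */
    @Override // org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    public Category getDefaultCategory() {
        return Category.XSS;
    }

    /**
     * Returns the progressive hint list shown to the student.
     * Hints are HTML fragments; angle brackets are entity-encoded so the hint
     * text itself is displayed rather than interpreted.
     *
     * @param webSession current session (unused; hints are static)
     * @return a fresh, mutable list of hints in display order
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected List<String> getHints(WebSession webSession) {
        List<String> hints = new ArrayList<String>();
        hints.add("You can put HTML tags in form input fields.");
        hints.add("Bury a SCRIPT tag in the field to attack anyone who reads it.");
        hints.add("Enter this: &lt;script language=\"javascript\" type=\"text/javascript\"&gt;alert(\"Ha Ha Ha\");&lt;/script&gt; in message fields.");
        // "&gt" was missing its terminating ';' in the decompiled text; without
        // it the entity is malformed HTML.
        hints.add("Enter this: &lt;script&gt;alert(\"document.cookie\");&lt;/script&gt; in message fields.");
        hints.add("Many scripts rely on the use of special characters such as: &lt;");
        hints.add("Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering).");
        hints.add("Oracle 10 supports a regular expression matching function : REGEXP_LIKE(text, pattern).");
        return hints;
    }

    /**
     * Builds the instruction text for the student's current stage.
     *
     * @param webSession current session; used to read completion state and stage
     * @return HTML instructions, or an empty string once the lesson is completed
     *         or the stage is unrecognised
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    public String getInstructions(WebSession webSession) {
        String instructions = "";
        if (!getLessonTracker(webSession).getCompleted()) {
            String stage = getStage(webSession);
            if (STAGE1.equals(stage)) {
                instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.<br><br><b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page.  Verify that 'Jerry' is affected by the attack. A sample JavaScript snippet you can use is: &lt;SCRIPT&gt;alert('bang!');&lt;/SCRIPT&gt;.";
            } else if (STAGE2.equals(stage)) {
                // Decompiler artifact: the recovered code concatenated an
                // uninitialised local onto the jTDS branch (a compile error).
                // The non-jTDS branch still carried the shared prefix verbatim,
                // so it is factored out here and, presumably, was the value of
                // that lost local in the original source.
                String prefix = "Stage 2: Block Stored XSS using Input Validation.<br>";
                // jTDS (SQL Server) builds ship a RegexMatch UDF; other drivers
                // expect the fix inside the stored procedure itself.
                String fixHint = getWebgoatContext().getDatabaseDriver().contains("jtds")
                        ? "Use the provided user-defined function RegexMatch to test the data against a pattern. "
                        : "Implement a fix in the stored procedure to prevent the stored XSS from being written to the database. ";
                instructions = prefix + fixHint
                        + "A sample regular expression pattern: ^[a-zA-Z0-9,\\. ]{0,80}$ Repeat stage 1 as 'Eric' with 'David' as the manager.  Verify that 'David' is not affected by the attack.";
            }
        }
        return instructions;
    }

    /**
     * @return the stage names in order; stage 2 exists only when coding
     *         exercises are enabled in the WebGoat context
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.RandomLessonAdapter
    public String[] getStages() {
        if (getWebgoatContext().isCodingExercises()) {
            return new String[]{STAGE1, STAGE2};
        }
        return new String[]{STAGE1};
    }

    /**
     * Dispatches one HTTP request to the registered action named by the
     * {@code action} request parameter.
     *
     * <p>The action name is attacker-controlled input; it is only ever used as a
     * lookup key into the registered-action map, and an unknown name routes to
     * the "error" action without echoing the value back. Authentication is
     * checked before any action that declares it requires it. Failure messages
     * shown to the user are fixed strings, not exception text.
     *
     * @param webSession current session; receives the dispatched action's
     *                   effects, any user-facing message, and the page content
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.AbstractLesson
    public void handleRequest(WebSession webSession) {
        if (webSession.getLessonSession(this) == null) {
            webSession.openLessonSession(this);
        }
        // No action parameter at all means a fresh visit: go to the login page.
        String actionName;
        try {
            actionName = webSession.getParser().getStringParameter("action");
        } catch (ParameterNotFoundException e) {
            actionName = GoatHillsFinancial.LOGIN_ACTION;
        }
        if (actionName != null) {
            try {
                LessonAction action = getAction(actionName);
                if (action == null) {
                    setCurrentAction(webSession, "error");
                } else if (!action.requiresAuthentication() || action.isAuthenticated(webSession)) {
                    action.handleRequest(webSession);
                }
                // An action that requires authentication but is not
                // authenticated is silently skipped, as in the original.
            } catch (ParameterNotFoundException e2) {
                // printStackTrace goes to the server log, not the response;
                // kept for parity with the rest of the GoatHillsFinancial lessons.
                e2.printStackTrace();
                setCurrentAction(webSession, "error");
            } catch (UnauthenticatedException e3) {
                webSession.setMessage("Login failed");
                e3.printStackTrace();
            } catch (UnauthorizedException e4) {
                webSession.setMessage("You are not authorized to perform this function");
                e4.printStackTrace();
            } catch (ValidationException e5) {
                e5.printStackTrace();
                setCurrentAction(webSession, "error");
            } catch (Exception e6) {
                // Boundary catch: any other failure becomes the generic error page.
                e6.printStackTrace();
                setCurrentAction(webSession, "error");
            }
        }
        setContent(new ElementContainer());
    }

    /** @return the ordering weight of this lesson within its category */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    /** @return the lesson title shown in the menu */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.session.Screen
    public String getTitle() {
        return "LAB: DB Cross Site Scripting (XSS)";
    }

    /**
     * Hides the lesson unless the configured database driver is Oracle or
     * HSQLDB, the only backends this lesson's stored procedure supports.
     *
     * @return {@code true} when the lesson should not appear in the menu
     */
    @Override // org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial, org.owasp.webgoat.lessons.LessonAdapter, org.owasp.webgoat.lessons.AbstractLesson
    protected boolean getDefaultHidden() {
        // NOTE(review): a null driver string would NPE here, as it did in the
        // original; whether getDatabaseDriver() can return null is not visible
        // from this file.
        String databaseDriver = getWebgoatContext().getDatabaseDriver();
        boolean supported = databaseDriver.contains("oracle") || databaseDriver.contains("hsqldb");
        return !supported;
    }
}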
